Managing Business Risk

April 23, 2017 | Author: Den Pamplona | Category: N/A



Managing Business Risk: A Practical Guide to Protecting Your Business, 5th edition
consultant editor: Jonathan Reuvid

OPPORTUNITY

CIMA: the power of financial management in business

CIMA professionals drive some of the world’s most successful organisations. CIMA professionals work as an integral part of multi-skilled management teams and carry out a range of activities:

• the generation and creation of value through effective strategic decision making and deployment of resource
• formulating business strategy to create wealth and shareholder value
• planning long, medium and short run operations
• determining capital structure and funding that structure
• measuring and reporting financial and non-financial performance

For further information about CIMA, the Chartered Institute of Management Accountants, visit www.cimaglobal.com

Managing Business Risk: A Practical Guide to Protecting Your Business, 5th edition

consultant editor: Jonathan Reuvid

London and Philadelphia

Publisher’s note
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and authors cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the editor, the publisher or any of the authors.

First published in Great Britain and the United States in 2003 by Kogan Page Limited
Second edition 2005
Third edition 2006
Fourth edition 2007
Fifth edition 2008

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licences issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned addresses:

120 Pentonville Road, London N1 9JN, United Kingdom, www.kogan-page.co.uk
525 South 4th Street, #241, Philadelphia PA 19147, USA

© Kogan Page and Contributors, 2003, 2005, 2006, 2007, 2008

The right of Kogan Page and Contributors to be identified as the authors of this work has been asserted by them in accordance with the Copyright, Designs and Patents Act 1988. The views expressed in this book are those of the authors, and are not necessarily the same as those of the Institute of Risk Management.

ISBN 978 0 7494 5059 5

British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library.

Library of Congress Cataloging-in-Publication Data
Managing business risk : a practical guide to protecting your business / [edited by] Jonathan Reuvid. – 5th ed.
p. cm.
ISBN 978-0-7494-5059-5
1. Risk management. I. Reuvid, Jonathan.
HD61.M26 2008
658.15’5–dc22
2007052112

Typeset by JS Typesetting Ltd, Porthcawl, Mid Glamorgan
Printed and bound in Great Britain by Cambrian Printers Ltd, Aberystwyth, Wales

The Institute of Risk Management
The Institute of Risk Management (IRM) is risk management’s leading professional education and training body. It is a not-for-profit organisation owned and governed by its members who are all practising risk professionals. Whether you see risk management as your profession or as a key skill, IRM membership can support you throughout your career.

Membership provides you with information, networking opportunities and recognition. Become an IRM member and you get all the following included in your subscription:

Information
• InfoRM, the institute’s bi-monthly magazine containing news, articles and job vacancies
• A free subscription to Strategic Risk magazine
• Discounts on relevant activities such as conferences and events from third parties
• A free subscription to CIR (Continuity, Insurance and Risk) magazine
• Access to the members’ only section of the website which includes the members’ discussion forum

Networking opportunities
• Membership of any of the special interest groups you want to join
• Membership of your local regional group
• Free Annual Lecture focusing on the topical issues in risk management
• Discounted entry to the Risk Forum, the Institute’s annual conference and dinner

Recognition
• Designatory letters (depending on your membership grade)
• The opportunity to study for an internationally recognised risk qualification

There are six grades of membership starting with Affiliate which has no entry requirements and is open to everyone with an interest in risk management. To become a member all you need to do is simply complete and return the application form from our website (www.theirm.org) or phone us on 020 7709 9808.

The IRM provides a broad range of courses to help you build your knowledge and skills. The two-day awareness course on the Management of Risk and Uncertainty is taught across the world and throughout the year. The International Certificate in Risk Management is an introductory qualification, with no entry requirement, which is studied through distance learning. The International Diploma in Risk Management is a postgraduate qualification for the risk management professional. It is designed to equip today’s practitioners to become the risk managers of tomorrow, through the development of a solid, progressive and practical set of skills which in turn enhance career portability, personal status and reward.

Institute of Risk Management, 6 Lloyd’s Avenue, London EC3N 3AX
+44 (0)20 7709 9808
[email protected]
www.theirm.org

Achieving Competency in Risk Management

Individuals, businesses and economies all need better skills than ever before. The Leitch Review of Skills published in the UK in December 2006 concluded that world class skills would be the key to economic success and social justice in the new global economy but also warned that too many of us have little interest or appetite for improved skills and that employer and individual awareness must increase.

Improved skills and competencies are needed at every level and in every business area, including risk management. Organisations are becoming more aware of the complex risks that they face and are starting to put into place the processes to address them. Stakeholder expectations of effective risk management are also rising. Yet there is still a long way to go: Aon’s 2007 Global Risk Management Survey¹ found that over 25% of firms were not ready to handle the key risks identified – they had not undertaken any form of formal review and had not formulated a plan to deal with them. When it came to reputational and market risks up to 65% of firms were unprepared.

So we all know that there is much to be done – but, back to Leitch, do we have the skills to do it? A 2005 study² by Lloyd’s concluded that whereas global business leaders were taking risk much more seriously (in just three years the time spent by boards on risk management had risen four-fold), there was a need for better education and training – less than a third of boards were training their staff in risk management skills and only 18% of board members had obtained such training themselves.

So how can an organisation improve its competence in risk management? Here are some pointers:

• Get trained – it’s right to say that all good managers are instinctively managing risk but there is a limit to how much you can make it up as you go along. There are specialist risk management skills and techniques that can be learned that will make life easier and improve results. Short courses in risk management include the two day Management of Risk and Uncertainty course offered by the Institute of Risk Management (IRM) – this is available either as a public course or can be brought in house and tailored to your organisation.

¹ AON Global Risk Management Survey April 2007, Aon Corporation. www.aon.com
² ‘Taking Risk on Board’, Lloyd’s in association with the Economist Intelligence Unit, 2005, www.lloyds.com

advertisement feature

• Get educated – look out for the internationally recognised qualifications CIRM, MIRM and FIRM (Certificant, Member and Fellow of the Institute of Risk Management respectively). There are also an increasing number of specialist MSc courses in risk related subjects being offered by universities. Other professional bodies may also have a risk management module available as part of their qualifications.
• Get in the experts – if you decide to seek advice from consultants or other professional firms then check that they also have relevant professional qualifications.
• Get the right tools – there are a number of risk management standards in circulation that will help you develop a systematic and organised approach. These range from the IRM/ALARM/AIRMIC Risk Management Standard, which is a simple plain language guide for the average business manager, through to the COSO standard from the USA which has a strong regulatory/audit focus.
• Get yourself a network – strengthen your risk management contacts and access to information resources. Link into other risk professionals via attendance at risk conferences or through membership of a professional body such as the IRM which provides local and specialist groups and an online community and resources. IRM offers affiliate membership to anyone with an interest in risk who wishes to plug into the international network.
• Get your act together – organisations that aren’t good at communicating, managing or relationships won’t be much good at managing risk either. Successfully embedding effective risk management across your organisation requires a healthy management competence overall.

Carolyn Williams Development Manager The Institute of Risk Management December 2007


New Confidence in your business continuity BS 25999-1:2006 Business continuity management. Code of practice

BS 25999 Business Continuity Self-assessment Online Tool

BS 25999-1 is a code of practice that takes the form of guidance and recommendations. Developed by practitioners throughout the global community, it establishes the process, principles and terminology of business continuity management (BCM), providing a basis for understanding, developing and implementing business continuity within an organization and to provide confidence in business-to-business and business-to-customer dealings.

This new web-based tool contains 191 questions, following BS 25999-1 clause by clause, so that you know that you are assessing your organization’s performance against this recognized standard, giving you confidence in your BCM policies and procedures.

It is intended to serve as a single reference point for identifying the range of controls needed for most situations where BCM is practiced in industry and commerce, and to be used by large, medium and small organizations in industrial, commercial, public and voluntary sectors. BS 25999-1:2006 replaces PAS 56:2003, which has now been withdrawn.

Price £100* Member Price £50

Order Now! Price £225 + VAT This price entitles one user (one user ID and password) to unlimited use of BS 25999 Business Continuity Self-assessment Online for the period of their annual subscription.

Multi-user licences are available, see www.bsi-global.com/BS25999online for details. Please contact +44 (0)20 8996 7555 or email [email protected] for a quote to give access to more than ten users in your organization.

FREE DEMO

A free demo of the BS 25999 Business Continuity Self-assessment Online tool is now available. Visit www.bsi-global.com/BS25999online

JUST PUBLISHED

BS 25999-2:2007 Business continuity management. Specification

BS 25999-2 specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS) in the following areas:

• Planning
• Establishing
• Implementing
• Operating
• Monitoring
• Reviewing
• Exercising
• Maintaining and improving

Sponsored by

The BS 25999 series is applicable to all types of businesses, regardless of type, size and nature of business.

Price £90* Member Price £45

To order please contact BSI Customer Services quoting marketing reference code BCMB-SP

Tel +44 (0)20 8996 9001 Fax +44 (0)20 8996 7001 Email [email protected] www.bsi-global.com/Businesscontinuity

raising standards worldwide ™ Standards and publications may also be ordered via the BSI shop at www.bsi-global.com/shop *P&P £5.95 UK (inclusive of VAT); £9.95 Rest of the World (+VAT if applicable) – one-off charge added to your order of 10 items or fewer. FREE P&P to BSI Subscribing Members. Pre-payment is required by non-Members. VAT is applicable to all purchases of PDF downloads, CDs, DVDs, other electronic products and Conferences and Training Courses. All prices, content and publishing dates may be subject to change. For details of BSI Membership, call +44 (0)20 8996 9001. © BSI 2007

At GJE we specialise in supporting start-up and early stage companies and we are recognised by the Legal 500 as an industry leader in this area. By working with our clients and understanding their business objectives we deliver professional and pragmatic advice on the development of cost-effective IP strategies and their role as an essential element of any successful business plan.

Our commitment to a partnership approach with our clients has benefited many of them through several rounds of funding, leading to trade sale or IPO.

If you want your IP advice in plain English from a firm with a true business perspective, then please visit our web site or contact Peter Finnie or Arnie Clarke on +44 (0)20 7377 1377.

Keep the focus upon your reputation management

Amsterdam • Brussels • Copenhagen • Stockholm • Oslo • Vilnius • London • Stuttgart • Lisbon • Chicago • Toronto • Hong Kong

Analysing your exact position in the market is easy with the right tools and experience. CISION, the world’s market leader in communications management, provides you with actionable insights and enables you to make more informed decisions. We are just a phone call or a click away. Contact your CISION representative in London.

Media Intelligence. Communication Insights.

Cision UK, Cision House, 16-22 Baltic Street West, London EC1Y 0UL
Phone 0870 736 0010 • Phone +44 (0) 20 7251 7220 • Fax +44 (0) 20 7689 1164
[email protected]
www.uk.cision.com

XL INSURANCE companies are chosen by the world’s leading firms for the strength of our capital and the depth of our experience, in addition to the quality and variety of our solution-focused products created to precisely meet your insurance requirements:

- Property
- Casualty
- Professional
- Specialty

Experience our strength: www.xlinsurance.com

The XL Insurance companies have one or more of the following ratings: A+ by A.M. Best, A+ by Standard & Poor’s, Aa3 by Moody’s, AA- by Fitch.

The strength to cover business risks worldwide.

«XL Insurance» is a registered trademark of XL Capital Ltd. XL Insurance is the global brand used by member insurers of the XL Capital Ltd group of companies. Ratings accurate as of 7th June, 2007.

XL Insurance – intelligent risk solutions
“XL Insurance” is the global brand used by member insurers of the XL Capital Ltd group of companies. As a global leader in its field XL Insurance helps industrial and commercial businesses manage their risk by offering comprehensive, cost-effective and integrated insurance solutions. XL Insurance has the expertise to cover risk exposures ranging from world-wide property/casualty insurance to professional lines, fine art & specie, environmental, marine, energy and product recall insurance. Dedicated client relationship managers work with underwriters and risk engineers to offer flexible tailor made solutions. XL Insurance companies offer a global network of owned operations and partner relationships that allow us to provide service to the world’s insurance markets with local knowledge and expertise in 80 plus countries. XL Capital Ltd, through its wholly owned subsidiaries, is one of the world’s largest providers of insurance, reinsurance and risk engineering solutions with around 4000 staff globally.


Contents

Foreword: managing the future, by Steve Fowler, Chief Executive, The Institute of Risk Management (IRM) xxxiii
Contributors’ notes xli
Introduction 1

Part 1: Risk Management Strategy 3

1.1 Enterprise risk management: breaking down the risk silos 5
James Dickson Leach and David Breden, HSBC Operational Risk Consultancy
Enterprise risk management 9; Conclusion 15

1.2 Strategic business risk 2008: the top 10 risks for business 17
Fiona Sheridan, Ernst & Young LLP
The top 10 risks for business 18; The next five 24; Conclusions 25

1.3 Enterprise risk management and the role of technology: the answer to and cause of all our business problems 27
Bart Patrick, SAS UK & Ireland
What is enterprise risk management? 30; Regulation and process 31; Systems 32; Risk systems 35; Conclusions 35

1.4 Using management systems for risk management and corporate governance 39
Nicki Dennis, BSI British Standards
Management systems 40; Risk as the ‘new’ quality 41; ISO 31000: an international risk management standard 42; Implementing management systems 42; Best practice 43; Certification 44; Competitive advantage 44; The future 45

Corporate and identity frauds are increasing significantly

The most common cases of corporate fraud involve forms sent to us showing changes to a company's details, which subsequently prove to be false. Fraudsters then use the stolen identity of the company to order goods and services based on that company's creditworthiness. Here are three ways to prevent your company being next:

WebFiling - safe and simple
Using WebFiling, our online filing service, is a far safer and more secure way to send us statutory information than using paper forms sent by post. You need to register for a security code (issued by email) and an authentication code (issued by post to your registered company office) and then you can give us much of the information about your company electronically. It's also 50% cheaper to file your annual return online.

PROtected Online Filing
Once you have received your authentication code to file electronically, you can then sign up to our new protected online filing service known as PROOF which is designed to reduce fraud still further. We will then only accept forms relating to changes of address and directors' details from you electronically. We will not accept any of these documents on paper unless the company and directors authorise it.

Monitor - get the bigger picture
The Companies House Monitor service enables you to keep an eye on your competitors, business collaborators and your own company and 'monitor' which documents have been filed into Companies House. You know that certain company information lies within the public domain, so what could be more efficient than information that could help or protect your business being available to you the moment it is filed?

This type of fraud is on the increase, so you may want to visit www.companieshouse.gov.uk to learn more about how you can prevent your company being next.

DEPARTMENT FOR BUSINESS ENTERPRISE & REGULATORY REFORM

CONTENTS xv •

1.5 Embedding risk management – practically 46
Lee Tricker, Thomas Miller Risk Management
Introduction 46; Understanding the organization’s structure 47; Building on existing foundations 47; Risk assessment workshops 47; Identifying champions 48; Carrots and sticks 48; Communication, communication, communication 49; Conclusion 50

1.6 New perspectives in strategic risk 51
Scott Hartop and Allan Robinson, UMU, Appleyards
Practical tools for thinking and planning with uncertainty designed-in 51; Two views of uncertainty 52; Risk Dynamics 57; In summary 60

Part 2: Corporate Risk Concerns 63

2.1 Political risk 65
James Smither, Control Risks
Political risk is not recognized as unique 66; Business planners fixate on certain types of risk 67; Risk managers fixate on certain mitigation tools 68; Risk management initiatives are fragmented 68; Political risk management is misaligned with business planning process 69; Towards best practice political risk management 70; Conclusions 71

2.2 Reputation and emerging communications technology 72
Paul Miller, Cision
Inside the attention economy 73; The long tail of digital content 74; Mapping the landscape 76; Search engine optimization and measuring search 76; Social upheaval 77; We the gatekeepers 77; The future of news 79

2.3 Corporate reputation 81
Gillian Lees, Chartered Institute of Management Accountants (CIMA)
Introduction 81; Reputation 82; Causes of reputation risk 84; Identification of reputation risk 85; Measurement of reputation risk 85; Management of reputation risk 86; Reporting of reputation risk 86; Future trends 86

2.4 Contract risk 89
Robert Chapman and Dominic Healey, Siemens Insight Consulting
Introduction 89; Board accountability 90; Identifying the board’s appetite for risk management 90; Identifying responsibility 90; Risk management applications 91; Contracts 91; Delivering a service or product 93; Procuring a service or product 95; Conclusion 97

Meerkats post a lookout to watch for imminent threats. They can’t predict when danger is on the horizon. But you can. With proven risk management software from SAS. www.sas.com/meerkats

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. © 2008 SAS Institute Inc. All rights reserved. 474668US.0108


2.5 Managing reputational risk as a PLC 98
William Cullum, Corfin Communications
Reputation: your licence to operate 98; Learn what is expected of you 99; The internet: a frontier moves closer 101; Never speculate 101; What does the world say about you? 102; Conclusion 102

2.6 Terrorism: rehearsing crisis management plans 105
Roy Ramm and Neil Miller, Commercial Security International Limited (CSi)
Introduction: the evolution of terrorism 105; Objectives 106; Current threat and motivations 106; Crisis management planning 107; Testing the crisis management plan 108; Rehearsing and training exercises 108; Conclusions 110

2.7 Conflicting priorities – best practice in conflict management 111
Graham Massie, Centre for Effective Dispute Resolution (CEDR)
Preface 111; A universal condition 112; The cost of conflict 112; Is there any good news? 114; Developing a conflict management strategy 115; How to get there 115; Conclusion 118

2.8 Latent risks in commercial property damage and business interruption insurance 119
Ian Drewer, Strategic Risk Partnerships Ltd
Insurance as a factor in corporate risk management 121; Traps for insurance buyers 122; Tailored cover for industrial/commercial entities 123; Regulation and simplification 125; The principle of trust 126

2.9 Managing litigation risk: lost in translation 128
Sean McGahan, McKinty & Wright
The language of law 129; Mistakes to avoid 130; So what should you do? 131

Part 3: Risk Issues in Operational Management 133

3.1 Managing risk through management systems 135
Mike James, Lloyds Register Quality Assurance (LRQA)
The management of major risks outside the management system 135; Adopting management systems 139

3.2 Using scenario analysis and stress testing to quantify and manage operational risk 142
David Breden, HSBC Operational Risk Consultancy
Defining stress tests and scenario analysis 143; Methodologies for developing scenarios 144; Sources of information 145; Advantages of scenario planning 146; Shortcomings of scenario analysis 147; The use of scenario analysis in the quantification of operational risk 148; Conclusion 148

Reduce Risk with Synergi®

All in one risk management solution
Reduced risks mean reduced costs. Synergi® is a complete business solution for risk and non-conformance management. Synergi® manages all non-conformances, incidents, risk, risk analyses, audits, assessments and improvement suggestions. Synergi® covers all workflow processes such as reports, management, analyses, corrective actions, communication and experience transfer. www.synergi.com

Synergi Solutions AS www.synergi.com detecting risk

3.3 Critical engineering and risk management: avoiding complacency 149
Paul Saville-King, Norland Managed Services Limited
Introduction 149; The five pillars 152; Culture and behaviours 155; A new model 156

3.4 The role of strategic purchasing and supply management in risk management 157
Emma Brooks, Chartered Institute of Purchasing & Supply (CIPS)
Value generators and value protectors 157; The business risk environment 160; The right tools for the job 160; Summary 162

3.5 Carrot and stick: why BS 25999 is set to change the way the UK does business 163
Keith Tilley, SunGard Availability Services (UK) Limited
Misconceptions lead to complacency 165; BCM set to move up the corporate agenda 165; What’s the answer? 166; Gazing at the crystal ball 167

3.6 Risks in the supply chain and how to manage them 171
Tim Kitchin and David Lawson, Lloyds Register Quality Assurance (LRQA)
The changing nature of risk 172; The changing nature of supply chain management 173; Principles of supply chain assurance: the four Cs 175

3.7 Product recall: assessing risk in the food industry 177
Ed Mitchell, XL Insurance Company Limited
Regulatory risk 177; Assessing the loss exposure 180; Mitigating the loss 182; Securing the brand 183; Conclusion 184

3.8 A shared business continuity challenge: protecting SMEs and the supply chain 185
Mike Osborne, ICM Computer Group
Disaster Cover Direct 187; The implications of BS 25999 for the supply chain 188; Helping the supply chain 188

Part 4: Intellectual Property Risks 193

4.1 Intellectual property or poverty? An IP risk guide for business 195
Peter Finnie and Arnie Clarke, Gill Jennings & Every LLP
Introduction 195; What risk? 196; A structured approach 198; IP due diligence 199; Conclusions 200

Fleet Risk Profiler™: enterprise-wide comprehensive fleet risk assessment

Make a real step change in fleet risk management:

• Reduce risks and improve efficiency to save time & money
• Risk profile & risk assess your sites and supply chain
• Benchmark your performance internally & externally

How do you make that step change? Use a comprehensive real time online Fleet Risk Profiler™ tool to access business focused & commercially relevant risk management methods. Call today for details of an online demonstration.

Fleet Risk Profiler™, Innovation Centre, College Lane, Hatfield, Herts, AL10 9AB
Tel: 456 4136 Fax: 0845 456 4137 Web: www.fleetriskprofiler.com Email: [email protected]

Fleet Risk Management John Stevens, Managing Director, Fleet Risk Profiler™ Fleet risk management is now a major risk to be managed in a consistent and holistic manner. The use of fleet and related operations to satisfy organisational and supply chain needs has substantially increased over the last fifteen years. The procurement of goods from overseas has grown significantly, with increasing outsourcing to overseas production. Land based alternatives to road transport have almost disappeared, coastal sea transport has not stepped in to fill the gap, so road based transport methods have become the automatic choice. Additionally, the supply chains of many organisations require the use of fleet and related services to deliver „just-in-time‟ fulfilment. The growth of the internet and general consumer spending has created a demand for „instant customer fulfilment‟, both home based delivery and local retailer availability. As a consequence, traffic volumes have grown significantly and congestion is a top-ten concern and reality for many organisations. In turn this has raised concerns about environmental impacts and an increasing discussion about viable alternatives. So, where does fleet risk management sit in this scenario and how can it contribute to valid solutions that maximise opportunities for an organisation, whilst minimising risks. Fleet risk management is often viewed as a pure operational level activity, while other organisational functions – production/operations, finance, commercial, procurement, human resources and quality are only considered in their departmental silos and not fully integrated with fleet activities. Rarely does fleet management receive a high level of management attention and very rarely is it considered as a strategically important corporate risk to be consistently managed as a key aspect of the business. Yet with the importance of fleet transport, ever increasing, this risk area is one that can not be ignored. 
Initiatives typically deal with driver recruitment and training, human resource issues, vehicle purchasing and allocation, fuel consumption, accident data and post accident management. Resulting control measures normally only relate to the core focus of the initiative. Pressures are increasing to think of new ways to reduce and manage risks and exposures and maximise organisational benefits from improved risk management. Organisations are therefore looking for new ways to identify how they are creating risks across their total operations, whether directly or indirectly managed and how risk management can add new value to business success. Enterprise-wide fleet risk management Fleet risk management should involve an enterprise-wide process for integrating the risk management of fleet and related risks at strategic, management and operational levels. One that covers risks across a full range of business, commercial, operational and support functions. It needs to identify and assess risks across the whole organisation and its supply chain, within organisational aspects, management support, vehicles, drivers, loads, sites, journey and delivery. The integration of fleet risk management within an overall ERM process will provide an opportunity for an organisation to set a risk appetite for the management of its fleet and related risks and manage improvements and opportunities accordingly. It will also elevate fleet risk management to a strategic level activity, with resulting benefits. Research Our research showed that organisations with fleet and related operations need a sustainable reduction in overall fleet risks and costs, vehicle and personal injury accidents, insurance claims and premiums and diverted management time and resources. They also need tools and techniques to improve the management of a broad range of fleet and related risks and to assist the process of integration with normal business processes. 
The ability to benchmark internally and externally is a key requirement, plus it is

advertisement feature

important that any approach identifies the underlying causes of risk and also opportunities to improve controls to benefit the business. We identified that current interventions are mostly compliance based, operationally focused, dealt only with a specific fleet management process and often use a „tick-the-box‟ approach. Some organisations do have management systems, but in the main these are focused on a compliance approach e.g. health & safety and they vary greatly in effectiveness, business relevance and added value. There is clearly a need for a holistic approach to cover a full range of fleet and related operations that could be part of an organisation‟s ERM system. In addition any approach has to include a full range of risks at strategic, management and operational levels, cover a full range of business functions, be linked to the overall business performance measurement process and provide benchmarking functions. Fleet and related operations Fleet and related operations cover a very broad range of organisational and business activities in virtually all sectors of the economy – private, public and not-for-profit. Fleet and related operations are used in a wide variety of road transport circumstances, across widely variable organisations. These types of organisation produce greatly different risk profiles, different risks and risk management needs, both in type and level, requiring the application of a specific mix of strategic, management and operational risk managing activities. Corporate risk assessment A logical starting point to create a valid and effective methodology is to build on an existing proven process. Our approach was developed using a combined total of over 100 years of international experience in the development and implementation of fleet, health & safety, fire and business continuity risk management systems. 
It was developed in response to the need for a process with a business wide focus that is comprehensive, commercially relevant and risk based. The approach has been used successfully for over 15 years. A model shows the key points:

Fleet risk profiling concept and application

The corporate risk assessment process provided significant benefits over traditional risk assessment methods, but further development was required to meet the complete range of needs. The primary development objective was to produce an online, comprehensive risk profiling, risk assessment and benchmarking process that used valid risk management methodologies, produced consistent outputs and covered all types of fleet and related operations and risks at all levels. The process needed to be flexible and adaptable, and usable for corporate-level reviews, for single and multiple sites, and for an organisation's supply chain. With the growth of multinational organisations, the process had to use generic risk-based content, not tied to specific legal requirements, so that it could be used worldwide.

Organisations that can most benefit from the application of Fleet Risk Profiler™ are:

• logistics, road freight/haulage transport users and suppliers of such services;
• those with diverse operations in respect of load types, vehicle types, service offerings, site sizes and operational profiles;
• those with multiple sites and multinational coverage;
• those who use or rely on an extensive supply chain and third parties;
• those with no organisation-wide, risk-based, consistent method of identifying and assessing the full spectrum of fleet and related risks.

Fleet Risk Profiler™ methodology

The online real-time Profiler uses the following methodology:

1. Users' responses generate an Operational Risk Profile Level (ORPL).
2. The ORPL allocates risk ratings to each of the 250+ risk elements.
3. Risk ratings are based on a specially designed 3-D risk matrix.
4. The total value of the risk ratings for an ORPL generates an 'Initial' Site Target.
5. The user selects 'Relevant' risk elements. Those not relevant adjust the 'Initial' Site Target to give the 'Final' Site Target.
6. The user enters responses to risk-managing status questions, using over 900 data elements.
7. The total value of the user's responses generates a Site Achievement.
8. The 'Final' Site Target is compared with the Site Achievement to generate a Site Performance.
9. The user confirms the responses and generates reports and benchmarking data.

Fleet risk profiling™ benefits

Fleet Risk Profiler™ is an enterprise-wide process for integrating the risk management of fleet and related risks at strategic, management and operational levels.
Risks are covered across the full range of business, commercial, operational and support functions, and across the whole organisation and its supply chain. The process provides a wide range of benefits and enables an organisation to set its own risk appetite for the management of fleet and related risks, giving proof internally and externally of proactive risk management. It adds value to client and supply chain relationships by risk-assessing and undertaking due diligence on supply chain partners. It can be used as an internal standard, including customisation of the content to meet specific organisational needs, especially as the content is applicable worldwide. Setting a relevant risk-managing target, rather than an artificially imposed one, enables an organisation to focus on its relevant risks. Automatic reports provide a strategic overview, management information, detailed analysis and flexible, non-prescriptive action planning guidance. Benchmarking options provide internal and external comparisons (including with fleet industry sectors) to enable an organisation to set a risk-managing control level and the resulting resource allocations. The development of a focused, risk-based action plan based on the organisation's risk appetite leads to reduced risk exposures and costs, resulting in major benefits for an organisation and its insurers. Fleet Risk Profiler™ can also reduce the cost and improve the efficiency of internal auditing, as all sites can be assessed on a consistent and regular basis with results reviewed centrally online.

John Stevens is Managing Director of Risk Frisk Ltd – [email protected]; www.fleetriskprofiler.com and 0845 456 4136. John is Chairman of the IRM Transport & Logistics Group and a member of the IOSH National Consultants Committee.


Managing business risk

Here’s how. Consulting Environment Maritime Property Transportation Water Power

At Halcrow we're driven by the desire to find innovative solutions to life's challenges. Employing over 7,000 people in more than 70 offices worldwide, we have an enviable breadth of skills and expertise at our fingertips.

In tune you

Our detailed knowledge of risk means we can appropriate risk management frameworks to support our clients' businesses. Working closely with our enables us to ensure controlled, objectives are successfully delivered opportunities are maximised.

Satisfied clients

Our clients keep coming back to us for our experience. We apply a systematic and integrated approach to managing risk that involves the whole of the enterprise and delivers value. We offer informed, balanced and unbiased advice on how to manage business risk.

The best team for the job

With an impressive track record in delivering 'best in class' risk management solutions, Halcrow's specialists are experienced in addressing the complete range of risks that face an organisation, including strategic, operational, compliance, market, financial and project. Whatever the issue, we can bring together the best team to help you reach your goals. To find out how we can make a difference to your business, please contact: Tenia Chatzinikoli or William Toner on 0207 602 7282, email [email protected] or visit our website.

Halcrow. Here's how.

halcrow.com

CONTENTS

4.2 Securing key business decisions with strong IP rights 201
    Eric Achour and Jean-Louis Somnier, Novagraaf
    Intellectual property: a short overview 203; 'When business meets IP' 203; Conclusion: IP is an 'insurance' that mitigates business risks 207

4.3 Risk-free branding 209
    Keith Loven, LOVEN Patents & Trademarks
    What is a brand? 209; What makes a good brand? 210; Who owns the brand? 210; Protecting a brand 211; Maintaining the value of a brand 211; In summary 212

4.4 IP risk estimation and management: the example of patents and patent portfolios 216
    William E Bird, Bird Goën & Co
    The commercial risks 217; The patent portfolio 220; The small and medium-sized company 221; The future: patent auctions 222; The spectre of third-party patent infringement 222

4.5 Intellectual property litigation 226
    Jacqueline Needle, Beck Greener
    The cost of patent litigation 227; UK litigation procedures 228; Is the cost of enforcement a reason to avoid protection? 229; Effective use of IP 229; Avoiding litigation 231

Part 5: The role of IT in Providing Risk Solutions 233

5.1 How IT can mitigate continuity risks 235
    Alistair King, ICM Computer Group
    Introduction 235; Recovery point and recovery time objectives defined 236; The causes of downtime 237; How IT and business continuity can work together 238; Virtualization as a tool for business recovery 239; Technology and the business continuity plan 240; Summary: achieving optimum business availability for IT-dependent processes 240

5.2 The real-time enterprise: the need for NOW! 242
    Bart Patrick and Mark Elkins, SAS UK & Ireland
    Introduction 242; The need for NOW! 243; Real time: a partnership approach? 246; Real-time maintenance 248; Developing on the real-time platform 249

5.3 Creating a risk management software solution 251
    Andrew Birch, Symbiant
    Introduction 251; The task in hand 253; The groundwork 253; A better way 255


THE UK INTELLECTUAL PROPERTY OFFICE

The UK Intellectual Property Office is the United Kingdom's principal authority on intellectual property (IP), with responsibility for granting patents, registering trade marks and designs, and leading on policy for all IP including copyright.

ROLE OF IP IN INNOVATION

The UK's economy thrives on innovative products and services, and intellectual property rights protect, encourage and reward creativity.

Patents protect new technology, both products and processes. Patent owners can enjoy exclusive rights to their inventions for up to 20 years, enabling them to strike licensing deals or keep rivals at bay whilst they establish their brand. The public benefits from seeing details of inventions when published, and can use that information as a springboard for their own innovations.

Trade marks can be registered to protect the distinctive names, logos, slogans or other signs of a trader's products or services. The marks can be licensed or franchised to others, or used exclusively by the brand owner to distinguish themselves from rivals and retain the goodwill and reputation vested in their name.

Designs for products or graphic symbols can be registered so as to protect the distinctive outward appearance of a new product. Where a product's 'look' gives it market share, e.g. in fashion, domestic appliances or furniture, protecting the design is essential for dealing with 'copycats'.

Copyright is free and automatic: no registration is required. This right protects the core property of the UK's Creative Industries, which are responsible for 8% of our economy's gross domestic product. Books, newspapers and magazines, music, artwork and photographs, films, television and radio programmes, software and computer games are all protected by copyright. The owner of copyright can licence copies or adaptations of the work (e.g. translations; movie rights to a book).

SUPPORTING INNOVATION IN THE UK

British businesses prosper when they make informed decisions about intellectual property. When they understand which rights they already own automatically, which they can acquire by registration, what they can licence in or out and where to seek advice, they can greatly increase their profitability. Businesses also need to be aware of related issues like trade secrets, know-how and confidentiality. The UK Intellectual Property Office helps businesses to understand the risks and opportunities which intellectual property presents, through seminars and our website for instance. We also raise awareness of intellectual property in schools, colleges and universities, stressing its importance as a vital business asset for the entrepreneurs of the future. The UK Intellectual Property Office also provides commercial searching services to access the vast amount of technical information available in published patents, of which over 30 million exist worldwide. This avoids wasted effort and duplication of research, and can provide solutions to technical problems. Trade mark search services and advice on registration are also available.

WORKING WITH PARTNERS

The UK Intellectual Property Office works with other government departments and agencies which have a role in supporting British business, and with non-governmental bodies too. We are also committed partners with:

• The European Patent Office (Head Office in Munich, Germany). A single patent application to the EPO can result in patent rights in over 30 European countries.
• The Office for Harmonisation in the Internal Market (in Alicante, Spain). Registrations for trade marks and designs binding throughout the European Union are made here.
• The World Intellectual Property Organization (in Geneva, Switzerland). This is the UN agency for global IP matters, and provides simplified application procedures for patents, trade marks and designs which facilitate the acquisition of rights in many countries.

PEOPLE AT THE UK INTELLECTUAL PROPERTY OFFICE

The UK Intellectual Property Office is based in modern premises on the edge of Newport, South Wales, and employs about a thousand staff. Over 300 of them are technical experts working as Patent Examiners, primarily graduates in science, engineering and maths. Training is provided in law and on the wider aspects of intellectual property. Patent examiners scrutinise both the technical and legal aspects of a patent application, comparing the new invention against those found in patent databases, before considering whether or not to grant a patent. Graduates in a variety of other disciplines are employed, for instance in the Trade Marks Registry, IT Services and Finance. The UK Intellectual Property Office has been recognised both for its high levels of customer service and the way it trains and develops its staff. All staff enjoy the opportunity to develop professional and personal skills. The UK Intellectual Property Office offers family-friendly policies, flexible working hours, part-time working and generous annual leave.

www.ipo.gov.uk 08459 500505


UK Intellectual Property Office is an operating name of the Patent Office


Appendix: Contributors' contact list 258
Index 265
Index of advertisers 269

You’ve quantified your personal injury litigation risk. Now let us help you control it. Before it happens: By maximising the evidential function of your risk management process. During an incident: By creating a powerful evidential function in incident management procedures. After the event: By ensuring that claims are handled in alignment with your reputation and integrated into your risk management processes. For further information contact our Head of Litigation Risk Management, Sean McGahan LLB CIRM on +44 (0) 2890412820 or email [email protected].

www.mckinty-wright.co.uk

Managing Litigation Risk: Lost in Translation
Sean McGahan, McKinty & Wright

Does this scenario sound familiar? You apply the tools and techniques of risk management (RM) and gain a deeper understanding of the costs of claims and litigation, especially the predictable exposure to personal injury claims. You then see the apparent profits of business units decreased or even wiped out over the medium to long term because of claims against your organisation. What can be done about this? Since 98% of personal injury claims in the UK succeed, a standard recommended response is to increase health and safety measures. Unfortunately this does not automatically translate into more successful outcomes when claims are made. This response can be counterproductive. That can be because of a misunderstanding on the part of an organisation as to the health and safety measures the law expects of organisations, and an inability of organisations to communicate effectively their choices on risk to courts. Put simply, messages that are there to be communicated are being lost in translation.

The purpose of this article is threefold:

1. To show you how the language of RM is a different language from the language of law.
2. To explain to you the Compulsive Risk Assessment Psychosis (CRAP1) and Conspiratorial Risk Aversion Policy (CRAP2) mistakes you can make by misunderstanding the language and processes of law.
3. To provide a steer on how to create a better capability to defend decisions on risk taken by your organisation and communicate more effectively in court.

THE LANGUAGE OF LAW

The law uses language similar to the language of risk management, but that language is interpreted in a different way. Understanding this difference is a key to unlock controls that may reduce your residual risk.

If you have ever picked up a legal textbook, talked to lawyers or been in court, you will have encountered language on the issue of risk that sounds vaguely familiar. There is an entire body of law, called 'tort', which sets out how much risk is acceptable and when you will be held liable if a risk materialises and causes damage to others. Tort law lays down that in certain circumstances you are deemed to owe a 'duty of care' to others. An employer's duty to employees is an example. How much care you have to exercise is determined by an objective 'standard of care'. If the standard of care you exercise is lower than a court would expect, and this contributes to someone sustaining a loss, then a court will hold you liable to pay compensation for the damage caused. Compensation for personal injury is the classic example.

In order to determine the standard of care, courts are meant to look at the 'magnitude of the risk'. The greater the risk, the greater the standard of care will be. An example will let you understand this. Take a zoo. The standard of care required to guard against visitors being injured by animals will vary according to the threat posed by a given animal. If a visitor is attacked by a lion, serious injury or death is the likely result. On the other hand, an attack by a penguin is likely to result in the victim being more embarrassed than anything else. So the law requires a higher standard of care to be applied to lions than to penguins.

So if you think about it, this idea of setting a standard of care on the basis of the magnitude of the risk looks like part of an RM process, of establishing the 'probability of an occurrence and possible consequences'. In setting this standard of care, the law takes into consideration the 'costs of preventative measures' and the 'social value' of the activity being engaged upon. Again, this is language to which you can attach a meaning, as it sounds pretty much like 'cost benefit analysis' and 'defining your context' or 'setting strategic objectives' in an RM process. Taking all of this together, in theory the law has a means of determining what a given organisation's risk appetite should look like. So in theory, if you use a sound methodology for setting a risk appetite for your organisation, the law should be capable of coming to roughly the same conclusions using its process. A court should recognise that if the magnitude of the risk posed by an activity is tolerable, the social value of the activity should override concerns about the magnitude of the risk.

Unfortunately it does not quite work out like that. The standard of care set by the courts in individual cases can vary greatly. For instance, in the leading case of Tomlinson v Congleton, the House of Lords overturned the decision of the Court of Appeal on the standard of care that a council should exercise towards people who choose to swim in a lake. This is because the overall process by which the issue of risk is considered by courts is very different from an RM process. The courts make decisions on risks without using the methodologies generally recognised in RM as key elements of high-level decision-making. RM utilises a whole range of analytical tools to make decisions about risk tolerance, and you can also rank risks by creating a risk profile. A court cannot use any of these methods and is wholly dependent upon the evidence presented to it during a trial.
Also, courts do not use quantitative analysis. Although monetary values are placed on injuries in the form of an award of damages to a successful party, these monetary values are not used to counterweight the monetary cost of precautions to prevent injury. The law turns its back on quantitative analysis in deciding the standard of care. Instead, semantic tests such as 'reasonableness' and 'practicability' are utilised. There is also no audit of decisions to ensure a level of uniformity in decision making. All this means there is scope for differences in interpretation of the standard of care imposed by different courts. Written judgments of courts are full of examples of variances in the standard of care imposed by courts. The result is that in the absence of good evidence on risk being given to a court, judges cannot be blamed for sometimes taking a fairly basic approach to risk, one which sits well with the fact-finding capabilities of a trial: was there a risk, and was there anything that could have been done about it? Faced with an accident resulting in injury, especially catastrophic injuries, there is a natural tendency to take the view that some additional precaution should have been taken. Courts have a natural tendency to set a low risk tolerance. In the absence of contrary evidence on risk, the legal process therefore has an inherent process bias in favour of setting a high standard of care.

CRAP MISTAKES TO AVOID

The failure to recognise that courts have a basic approach to risk means you can easily adopt an approach to controlling the risk of claims and litigation which actually increases the effect of this process bias in favour of setting a high standard of care. The biggest mistake is to adopt CRAP risk management. This takes two forms.

Compulsive Risk Assessment Psychosis (CRAP1). This phrase was first coined by John Adams. You generally see this in organisations that do not have an overall RM process in place. Elements of an RM process are introduced that are not part of an overall process. The result is that an organisation gets flooded with documents identifying risks, and suggesting things that could be done about them, without overall evaluation. These documents give the impression to a court that the risks identified should have been guarded against. If you identify something as a risk in isolation from a risk profile, the law interprets this not, as you would, as something to be ranked, but generally as something that is above your risk appetite, or below the standard of care. The result is that you are found liable. Courts are not there to rank risks for organisations. If an organisation has not ranked its own risks and set a risk appetite, the courts are not going to do it for it. Courts will generally err on the side of causation and find the organisation liable.

Conspiratorial Risk Aversion Policy (CRAP2). In this form of CRAP, practices and procedures become increasingly risk averse. The intention behind this process is to reflect the perception the organisation has of the standard of care expected in law. Often the perception is gained from the results of a few cases that have gone to trial, or even from stories in the media. If an organisation becomes risk averse then this will simply encourage a court to reflect this risk aversion in its decision making. The other problem with this approach is that it creates divergence between an organisation's objectives and its RM. Policies and procedures become risk averse and conflict with operations. As a result, individuals and operational units depart from policies and procedures in order to achieve objectives which are hampered by policies and procedures that do not fit the organisation. As those breaches occur, the policies and procedures then become the basis for showing a breach of the standard of care. You see this behind many of the most criticised rulings on risk by courts. If a school bans children from running during break time and a child is injured while running because staff on the ground disagree with the rule and so do not enforce it, the school may be found liable because it failed to follow its own standard of care. It is worth noting that in the leading case of Tomlinson v Congleton, the House of Lords decided on a lower standard of care than the council itself proposed to exercise, and dismissed the claim.

SO WHAT SHOULD YOU DO?

Plan ahead to take part in the trial process before incidents occur and claims are made. This is the essence of litigation risk management. It sounds straightforward, but few organisations actually do it. The following are just some of the steps that can be taken.

1. Adopt a recognised RM standard and apply it to your riskscape, while still complying with the law. If there is clarity about what the objectives of an organisation are, and clear assessment, analysis, evaluation, reporting and treatment of risk based upon quantitative analysis, then a court lacks any inherent tools on which to base a rejection of the risk tolerance set. In terms of decision process, for a judge to do so would be like one doctor attempting to second-guess another doctor's diagnosis based on an MRI scan by using a CT scan, when the MRI scan is objectively the superior methodology. It would of course be open to the plaintiff to call evidence to attack the risk tolerance set, but if the process is robust there may be little to attack.


2. Do not allow your health and safety practices to diverge from the risk tolerance set for the organisation. There are health and safety absolutes, and there are other issues that involve balancing risk and opportunity.
3. Use your risk appetite as a means of determining which claims you will fight. If you don't, there may be little logic to the selection of claims to accept and claims to reject.
4. Align objectives for defending claims with business goals; otherwise your claims handlers may adopt an approach to claims that creates risks to your objectives.
5. Form a litigation team to handle claims, with roles clearly defined, rather than having a silo mentality.
6. Translate your message on risk into language that the law can understand. If you don't, your message may be misunderstood by a court. This can be done without undermining the risk process and makes the process court-friendly. You will then be able to speak to a court in language it can hear and understand.
7. Get a memory for the organisation. Often a message on risk cannot be communicated because processes have not been put in place to recall what an organisation's attitude to risk was at any given time in the past.
8. Create a voice for your organisation. Communicating in court is not a straightforward process for organisations. The system by which evidence is introduced to judges in a trial grew up before there were large corporate organisations. Trials are designed to allow individual personalities a voice. Witnesses are called by lawyers to give evidence in a witness box. Lawyers cannot give evidence and so cannot be the voice of an organisation at a trial. Without the voice of a witness in the first place they can do very little. In most litigation you are sued by an individual personality, the plaintiff. They sit in the witness box and can actually speak passionately to a judge. They can also recall evidence from memory or simply make evidence up. An individual starts with an advantage over organisations as a result. Organisations need to be able to deliver a message on risk loud and clear in a courtroom. Most organisations have little or no voice that can be channelled into a trial process.
9. Check that your organisation has the ability to capture events as they occur in a manner that will not be counterproductive in court. Too often it is assumed that the processes of health and safety investigations, such as root cause analysis, translate into effective evidence for court. Often they don't.
10. Upon resolution of a claim, record all lessons learned by applying a managed approach to litigation in a systemised way, so that lessons are learned and the litigation capability of your organisation improves over time.
11. Hold debriefings regularly, to ensure that no unit or individual in an organisation comes away from participation in dealing with a claim with the wrong lessons learnt. Failure to do so can foster CRAP RM.

If you have not thought about litigation risk management before now, then think about it. Winning in court requires effort. To quote Samuel Goldwyn: "The harder I work, the luckier I get."

SEAN McGAHAN LLB CIRM is head of Litigation Risk Management at McKinty & Wright Solicitors

Direct Dial 02890412820 E-mail: [email protected]


Foreword: managing the future

As adults, our approach to dealing with future events tends to draw strongly on our past. For children, however, the future is a new, exciting and shiny world with fresh experiences around every corner. Therefore, children commonly tend to be more open to new ideas and concepts than adults. So is this a good thing, and what relevance does it hold for the management of business risk? It is true that many musical artistes produce their best work in their early years, at a time when they can both look back to experiences but also forward to an unknown but exciting future. Equally, technological innovation tends to be driven by the young, in a way where experience and education can be married to openness about what possibilities the future might allow. In business, it is too easy to look solely to previous results to predict what might happen in coming years. This approach to management is becoming increasingly discredited. Imagine someone who, for their entire life, had only seen white swans: it would be natural for that person to predict that the world might only contain white swans. Yet one day a black swan might cross their path, completely counter to all their experience. So-called 'black swan syndrome' is becoming an increasingly important issue in this, the information age. Whether it be the risks and possibilities posed by social networking technology, a warming planet or global terrorism, such changes are introducing quantum shifts in the world in which we live. Today's successful business managers therefore have to be as open to the risks and possibilities of the future as they are to the experiences of the past. British Petroleum's clever rebranding as 'beyond petroleum' and Apple Computer's product extension into mobile entertainment and communication devices are but two cases that illustrate this trend. Change is therefore never predictable, and the past is not always a good guide to the future.
Two further examples illustrate this apparent lack of predictability, possibly even more dramatically.


In New Zealand, the colonists tried to create a brave new world of opportunity in the image of the one they had left behind in Europe. Rabbits shipped in as a source of food ran rampant in the absence of natural predators and diseases. Stoats, brought in to deal with the rabbits, instead turned their attention to local ground-nesting birds, helping to drive several species to extinction. Today, most of New Zealand's native species are gone. In eastern Germany, the incidence of childhood asthma, once lower than that in the west, is now at the same level as that of western Germany. The reason? Following German unification, cleaning materials hitherto unavailable in the east became available, but this improved sterilisation had the effect of making children more susceptible to developing asthma, because their immune systems were not fighting infection to the extent they had before. Such unintended consequences of actions provide invaluable case studies of how adverse effects can flow from actions taken to mitigate completely different risks, as in the two examples above: the risk of hunger (in the case of New Zealand) and of infection (in East Germany). A risk-free world is impossible to achieve, nor is it desirable. Safety is found partly in experience, but also in learning to live with and exploit the risks around us. The greatest risk for any individual or business is to seek a completely safe and benign world and so miss the very opportunities that should be staring us in the face.
There are no simple rules to getting this right, but businesses can aid their survival and growth by:

• placing a high premium on sustainability, with as much attention given to the side effects of internally or externally driven change as to intentions;
• building resilience and safety nets, through governance, insurance and strong human-resources and stakeholder-engagement strategies;
• cultivating people networks and hence a broader understanding of both the nature and scope of likely changes in social, political, geographical and technological factors, using our own 'risk radar' to determine who, as well as what, to believe;
• understanding, but not being diverted by, media bias that might induce us to focus on any one element of risk to the exclusion of all others;
• conducting scenario analysis within our approach to strategic planning, thus developing organisational flexibility;
• using one of the many commonly available risk management standards, such as that available to download for free from www.theirm.org.

Management of risk and reward is an integral part of good corporate strategy. It needs skills and experience to execute well, and education and training to facilitate this are available from a range of organisations across the world. Indeed, in a worldwide survey of 400 senior executives carried out late in 2006 by a major global consultancy, 'managing risk' ranked first out of 10 current business issues for those surveyed. The message therefore is loud and clear: effective risk management is fundamental to business performance. This book provides a range of insights into this immensely broad, fascinating and vital subject.

Steve Fowler
Chief Executive
The Institute of Risk Management

covered

We understand what is really important to people. Which is why we specialise in innovative, flexible insurance products that protect your customers' most valuable assets – their home, possessions, income and health.
• Mortgage payment protection
• Loan protection
• Credit card protection
• Income protection
• Warranty and service contracts
• Personal accident
• Credit card price protection
• Credit card purchase protection

Focused on being the leading insurer of niche protection solutions we design, develop, manufacture, underwrite and market flexible insurance products tailored to your customers’ needs. Assurant is a Fortune 500 company working with some of the leading banks, building societies, mortgage and insurance brokers as well as retailers. We are committed to delivering innovative products and services that work for your business. Talk to us today to see if you can benefit from a partnership with Assurant Solutions

0870 152 6000 [email protected]

UK member companies: Assurant Group Limited (registered in England no. 3264846); Assurant General Insurance Limited (registered in England no. 2341082) and Assurant Life Limited (registered in England no. 3264844), authorised and regulated by the Financial Services Authority. The registered office of all UK member companies is 117-119 Whitby Road, Slough, SL1 3DR

Enterprise Risk Management Framework

I think of risks as being threats to achieving your overall objectives, whatever they may be. For example a pedestrian faces the threat of being knocked down by a car when he crosses a road. He may well cross the road safely without checking the traffic, but he has a far greater likelihood of success if he first looks left and right to check whether cars are coming. Similarly, if a business ploughs ahead trying to achieve its objectives without considering possible disruptions, it may well succeed. However, over time, it will be more likely to succeed if management understands what could go wrong and what steps can be taken to minimise the probability of this occurring.

An enterprise risk management framework (ERM) is a process that enables the management of a business to understand all the risks it faces, quantify them, assess the adequacy of controls and report on the current risk profile of the business. The premise is that a greater understanding of the risks facing a business significantly increases the probability of its meeting its overall objectives. The knowledge also enables the management team to better decide which avenues of business it should explore, as it will have a much better understanding of the risk/reward profile.

A key measure of a successful business is whether the ERM framework being used on a day-to-day basis is actually helping the business meet its overall objectives and whether there are measurement tools in place to evaluate the ERM framework's effectiveness. In many ways the key principles of an ERM framework are being utilised by many businesses and managers almost without thinking. The difference that a framework adds is that it ensures that all key managers are thinking of risks in a similar way and that the business itself has a higher chance of concentrating on the key issues that may prevent it from achieving its objectives. The benefits to the business therefore improve as the business gets larger.

Simple ERM Framework

As I have mentioned before, the success of any framework depends on how it is utilised by the management team. Therefore, it is essential that the framework is tailored to the size of the business. For example the scale and complexity of a framework used by a large multinational financial institution will be different from that used by a small start-up business with fewer than 10 employees. Any risk framework should provide value to the business by enhancing the likelihood of the business meeting its objectives. A framework that is so complex and time consuming to operate actually becomes a risk to the business itself. However, regardless of the size of the business, an ERM framework should involve some basic principles and cover key information such as the key risks facing a business and who owns them. I would summarise these key principles as follows:

1. It is essential that a risk management framework cover all the risks facing the business as opposed to concentrating on a selection of risk types. It is best to do this in a structured way and consider all the threats to success, both internal and external. Be mindful of the size of the organisation and try to group risks into natural risk types that fit the business.

2. Owners should be identified for each risk facing the business. It may be that only one or two individuals own the risks given the size of the business. But in practice I would expect the risks to be shared out amongst the managing director's senior leadership team. My suggestion is to allocate ownership of a risk to the individual who is managing it on a day-to-day basis rather than simply lump everything with the managing director.

3. Assess the impact of each risk crystallising on the business. This can be done in a number of ways, assessing either the financial cost or damage to your reputation. The key is that the impact is linked to the overall targets and objectives of the business and that each risk is judged in a consistent manner. This assessment should ensure that the business has a clear idea of its top risks that may impact the business.

4. Consider the likelihood of the risks occurring. How often you do this depends on the size and complexity of the business. The key is that you decide how often completing the exercise would add value to the business (e.g. annually, quarterly or monthly) rather than arbitrarily deciding on a timeframe. For example a medium sized business in a relatively stable market may decide that quarterly is sufficient for its needs whereas a large multinational may decide monthly updates are required. Management are best placed to decide.

5. Identify potential improvements to the control framework. As part of the consideration of each risk and the likelihood of it crystallising, time should also be spent considering what additional actions should be taken to reduce the possibility further. This could take the form of introducing additional controls or strengthening the existing control framework.

6. Report the outputs of the findings to the appropriate management committee. Obviously this will depend on the structure of the business and it may well drive the timing of the updates. The reporting should also consider what the committee needs to know (e.g. whether it is happy with a simple top 10 of key risks, whether it wishes to know what actions are being taken to reduce the likelihood of the risk crystallising and if these are on track, or whether it is looking for a more comprehensive picture). Again, the overall management within the business will be able to give a strong steer on this.

advertisement feature

Integrating into the Business For the benefits of an ERM framework to be realised, the framework needs to be integrated into the day to day workings of the business. Otherwise there is a danger that the roll out of any framework will only provide some initial value to the business during the initial roll out but then sit in the cupboards of management gathering dust and not being used.

A useful way to start the embedding process is to link the outputs into the overall governance framework of the business. This helps ensure that the overall reporting from the risk framework is tailored to the appropriate levels within the organisation and helps to embed the framework into the business (therefore significantly increasing the probability that it is used by the management as opposed to being a one off exercise that has some value which then fades away over time). One way is to ensure that the latest risk hotspots are a standing agenda item at key management meetings. Another way would be to highlight the key risk mitigation actions being taken by the business to the relevant Board or Audit Committee meeting and provide comfort as to whether they are on track. Ensuring the framework fits the size of the business is key here as, for the output to be useful, it needs to be up to date and relevant and therefore the business needs to be able to support the production of the required data. Finally it is essential to check that the data is being used by the business and is in an appropriate form. I would suggest treating the individual management team as customers in this regard. Their suggestions on frequency and format, and on what they find useful and superfluous, are very helpful. Put simply, they are more likely to use the framework to help them achieve their overall business goals if its output is in a straightforward format that they find easy to use. Remember the purpose of an ERM framework should be to add value to the business and help the business achieve its objectives. The presentation of the results is important to helping achieve this.

The other major driver to help ensure the framework is embedded within the organisation is to ensure the credibility of the data within the framework. Consideration at the start as to what is the appropriate level of detail required is important, but all data should be independently reviewed to ensure that it is sensible and credible. There is a danger that if this is not done then the outputs of the framework will be skewed in one direction or another and when presenting to a formal management team the key messages will be lost. Key to this is to assess the risks and their likelihood of occurring consistently and ensure that everyone fully understands the impact of the risk crystallising. The benefits of ensuring the framework fits the size of the business are key here as there is a danger that the risk manager, or whoever is responsible for rolling out the framework, will simply become drowned in the amount of data provided. The result is that instead of analysing the output, identifying emerging risks and making suggestions on how to resolve these risks, the risk manager simply regurgitates existing information in a slightly different way to the management team, thereby severely diluting the value of the framework. A potential way to resolve this is to ensure the risk manager has regular meetings with the key owners of the group, either in a workshop form or a standing meeting, to discuss what they see as the key risks and compare these to the results of the overall framework.

Summary The benefits of an enterprise risk framework are that it should significantly increase the probability of a business achieving its objectives. To do this the framework needs to fit the size of the business, link into the overall governance of the business and present the output in such a way that they easily add value to the business. If this is done successfully and regularly across the business then the threats to objectives may be identified far earlier than would otherwise be the case therefore helping the business go on the front foot rather than react to events.


Contributors' notes

Eric Achour holds an MSc in computer sciences from Paris Dauphine and Paris VI University, and an MBA degree from the HEC School of Management. Eric has nearly 20 years' experience in management consulting and services companies. As a senior consultant at McKinsey, and as a partner for CDC Peat Marwick, he has worked for a large range of clients in a wide variety of sectors. He has also held senior management positions at ACNielsen in France (Market Research consulting and services) and at corporate level, specializing in consumer goods and retail. He is currently Managing Director of Novagraaf in France.

William E Bird is a founder partner of the IP law firm Bird Goën & Co. During the last 20 years he has worked as both a corporate and a private practice patent and trademark attorney in Germany and Belgium. He has expertise in both common law and codified legal systems, in IP law, technology transfer, IP licensing and setting up of spin-off companies. He is a European, British and German patent and trademark attorney, a tutor of CEIPI and a lecturer at the Vlerick School of Management.

Andrew Birch started his first business when he was 19 and moved into software in 1989. He established Symbiant in 1999 with the aim of providing affordable web solutions for small businesses. The company now has a client base of over 20,000, which includes some of the world's biggest companies and major financial institutions.

David Breden is Managing Director of HSBC Operational Risk Consultancy and the architect of OpRisk Modeller, a scenario-based commercial risk-mapping tool developed by HSBC to meet the needs of the Basel II AMA quantification requirements. He has been involved in operational risk management since 1995 and is a director and fellow of the Institute of Operational Risk.

Emma Brooks is senior procurement specialist at the Chartered Institute of Purchasing & Supply (CIPS).

CONTRIBUTORS' NOTES xlii

The Centre for Effective Dispute Resolution (CEDR) is the thought-leader for dispute resolution in Europe and an internationally acclaimed trainer in mediation and conflict management skills. An independent non-profit organization supported by multinational business and leading professional bodies, CEDR's mission is to encourage and develop mediation and other cost-effective dispute resolution and prevention techniques in commercial and public-sector disputes.

Robert Chapman has supplied risk management services to over 40 companies. He holds a PhD in risk management, has provided services in Ireland, Denmark, Holland, France and Dubai, as well as the UK, and has published two books on the subject of risk management as well as numerous journal articles and papers.

The Chartered Institute of Management Accountants (CIMA) is the only international chartered accountancy body with a sole focus on business. It is a world-leading professional institute that offers an internationally recognized qualification in management accounting, focusing on accounting in business in both the private and public sectors. It is the voice of over 158,000 students and members in 161 countries. CIMA was nominated as a UK superbrand for a second year running in 2007. According to independent research conducted by the University of Bath School of Management, CIMA's syllabus and examination structure are the most relevant to the needs of business of all the accounting bodies assessed.

The Chartered Institute of Purchasing & Supply (CIPS) is the leading international body representing purchasing and supply management professionals. It is the worldwide centre of excellence on purchasing and supply management issues. CIPS has approximately 44,000 members in 134 different countries, including senior business people, high-ranking civil servants and leading academics. The activities of purchasing and supply chain professionals can have a major impact on the profitability and efficiency of all types of organization.

Arnie Clarke is a European patent attorney and senior associate at Gill Jennings & Every LLP. He works in the life sciences department and has considerable experience of drafting patent attorneys' reports for IP due diligence exercises in this area.

Commercial Security International Ltd (CSi) is a London-based company providing discreet and professional investigation and corporate security solutions for companies, institutions, governments and private individuals.

Control Risks is an international business risk consultancy whose aim is to enable clients to take risks and accelerate opportunities in hostile and complex business environments. Since its foundation in 1975, Control Risks has worked in more than 150 countries for more than 5,300 clients, including 86 of the US Fortune Top 100 companies. It offers a range of integrated political risk, investigative, security, reputational and forensic services to corporate, government and non-profit clients worldwide.

Corfin Communications specializes in media, corporate and financial public relations. The firm delivers a high level of contacts, inside knowledge of how news organizations work, and campaigns of sustained media coverage around the financial calendar, crisis management, merger and acquisition (M&A), initial public offering (IPO) and general reputation management, together with long-term and direct experience of senior business and financial journalism.

William Cullum is Director of Corfin Communications and a very seasoned adviser. He joined the public relations (PR) industry in 1999 and over the last eight years has worked with businesses large and small on a variety of issues ranging from conventional financial calendar work to multimillion-dollar mergers and acquisitions through to highly sensitive corporate change and restructuring activities. Prior to joining the PR industry, William was a top-ten-rated investment analyst.

Nicki Dennis is a publishing and information consultant to BSI Global.

James Dickson Leach is a risk consultant with HSBC Operational Risk Consultancy (HORC), where his main focus is on the quantification of risk. He has been working on the recent qualitative upgrade to HORC's software tool for modelling and combining different risks. James graduated with a first-class honours Masters degree in physics with astrophysics from the University of Bristol.

Ian Drewer is now a consultant, having held senior risk management appointments in the pharmaceutical, telecommunications and transport and leisure sectors. A former chairman of AIRMIC, he is the author of various articles and other published material on commercial and industrial risk management and insurance subjects. Ian Drewer holds a Master of Science degree and is a fellow of the Chartered Insurance Institute of Risk Management. He is also a designated member of the Chartered Institute of Arbitrators and of the Institution of Fire Engineers.

Mark Elkins is the Head of Strategy for financial services, SAS UK. His role involves working with the financial services sales and alliance teams to define the strategic direction of SAS in the UK financial sector. Mark's responsibilities are to raise the awareness and understanding of SAS' solutions in the financial services market and to develop the role of SAS as a thought leader in the space. He has more than 20 years' experience in the financial services industry, beginning his career as a retail bank manager. Since then he has worked in a marketing capacity for various technology and banking organizations including Lucent Technologies, Telewest Communications, Logica and HSBC. His most recent role was with Market-Smart Ltd as director developing strategies and marketing programmes targeting the financial services sector. Mark has an MBA from Southampton University Management School.

Meeting the needs of individual clients and insurance brokers, Rushton International provides insurance valuations for virtually anything. We assess robust plant and machinery structures through to the delicacies of fine art. Rushton International is recognised worldwide as an expert force in insurance valuations. We work inclusively with Times Top 1000 companies and smaller, privately-owned businesses in the UK and abroad. Our highly-specialised valuers operate in all the main sectors including industry, public, education and health.

Don't leave it to chance. Correct insurance cover is critical to business success

Our expertise in valuations enables us to tackle virtually any assignment, across every sector:
• Accountancy & Banking
• Aerospace & Defence
• Agriculture
• Automotives
• Chemicals & Pharmaceuticals
• Communications
• Construction
• Distilleries & Breweries
• Engineering & Machinery
• Finance
• Food
• Health & Education
• High Net Worth
• Household Goods & Textiles
• Insurance
• Listed Buildings
• Local Authority
• Manufacturing Services
• Mining
• Oil, Gas and Energy
• Public Administration
• Public Sector
• Printing, Paper & Packaging
• Real Estate
• Ship Building
• Sports Facilities
• Transport
• Utilities
• Wholesale & Retail

Rushton International Ltd
Sinclair House
11 Station Road
Cheadle Hulme
Cheshire SK8 5AF
UK
Tel: +44 (0)161 486 6611
Fax: +44 (0)161 486 6622
Email: [email protected]

Insurance Valuation and Risk Management

Directors of a company have a duty to shareholders to ensure that their company's assets are adequately insured, and can be prompted into seeking a valuation for a number of reasons. It could be that their insurance broker was uncomfortable with the existing cover, or that the company has suffered a fire or other damage which has alerted them to the fact that they are underinsured (either because they didn't get a full pay out or because the amounts didn't add up when studied after the incident). Equally, they may have constructed a new factory or building, or installed a plant, and been surprised at the cost, which has forced the company to consider everything else it owns. Whichever way they have reached this stage, the client will sit down with a broker or other adviser and between them decide to have a professional valuation. The client will then act on a recommendation from either the broker or a third party as to who should undertake this work.

Frequently, companies make the mistake of consulting one of the big name Chartered Surveyors. Whilst their firms handle general property matters and may be skilled at valuing for market purposes or undertaking other building-related works such as lease renewals or rates discussions, it should not be assumed that they have the capability to deal with insurance valuations. It is essential to consult a practice that predominantly carries out insurance valuations and is conversant with the type of assets relating to the business. It is also imperative that the firm chosen should not only be an expert in the particular asset base and able to value the contents as well as the buildings, but be capable of working in the geographical areas covered by the insured business assets. This leads to another fundamental difference, as a traditional Chartered Surveyors practice is usually centred on location. A firm based in Cambridge is most likely to do work in and around the Cambridge area, whereas an insurance valuation practice divides its work by specialisation. For example, during 2007, leading UK insurance valuers Rushton International travelled to most countries in the EU, and further afield to places such as the US, Pakistan and Bangladesh.

Once the client selects who he or she considers to be a competent valuer, it is necessary to agree a fee, normally on a fixed price basis.

In the case of valuing buildings, the process involves surveying the assets to assess what they are made of in addition to sizes and general construction details. From this information, the surveyor is able to calculate the reinstatement costs of those assets on a like-for-like basis rather than with substitute materials. Buildings containing a great deal of steelwork have recently been susceptible to radical price fluctuations as the value of this metal can swing by the day. Currently, China is the world's primary consumer of steel and its guzzling dictates this volatile market, but international events can also have a profound effect. Metal prices in general rose sharply a couple of years ago owing to world capacity not being able to keep up with demand. The combination of soaring metal prices and the downfall of the dollar led the US government at the end of last year to increase the penalties for melting down pennies and nickels for their copper and zinc content as a deterrent. Only this year it was discovered that millions of Indian coins were being smuggled into Bangladesh and melted down to make razors, with one rupee becoming worth 35 rupees when made into five to seven blades. Bearing in mind these unpredictable international news stories and their impact on the market, obtaining an accurate valuation is a complicated process and requires a knowledgeable practice to undertake it.

There are plenty of other anomalies for a client to be aware of. Listed buildings often have very strict requirements as many have to be reinstated in exactly the same form, very often down to the materials used. For instance, a roof made out of a specific tile or slate might be much more expensive to put back than a substitute manmade equivalent. There are also local authority requirements to consider and a wealth of health and safety issues. It may be necessary to fit fire alarms or detectors in buildings that had previously failed to install them, or indeed accommodate wheelchair access into an either fully or partially destroyed property that had originally lacked these provisions. But while a property can often be built to a higher standard than before it was burnt down, rebuilding a property in a better way is a whole new matter. If an improvement is made, then the client has to foot the bill.

The principle of valuing contents for insurance purposes differs very little from that of buildings. Again clients can't insure for betterment, but this isn't always so straightforward given advances in technology. Contrary to popular belief, plant & machinery valuations don't merely involve making lists and looking up prices in a catalogue, as there are still the same issues as buildings regarding health and safety and installation costs.

Putting all this information into practice, the valuer will do what is termed in the industry as a 'day one' valuation. The valuer will envisage the whole factory and all its machinery being rebuilt on that one day and reach a figure. It is at this point that two things have to be considered.

Firstly, an insurance policy as a rule is for a 12 month period, and although the valuer is assessing the assets on day one, he or she would need to have a view to what it would cost in just under a year's time in case a fire or other disaster strikes on the last day of the policy. Secondly, even the most efficient of builders couldn't put a factory up in a day, so it is also necessary to consider the period of rebuilding. Forecasting what may occur to metal prices and indeed labour costs over the next two years while construction is underway, the valuer makes an informed decision on the replacement cost of the assets. Needless to say, the eyes and knowledge of an expert in this field can't be recommended more highly.

Insurance valuation firm Rushton International employs a number of valuers that specialise in both plant & machinery and buildings and can offer many examples of asset miscalculation in the industry. One recent case involved a well-known sports stadium that had just been rebuilt. This particular client of Rushton's had been using inflation indexing as a means of assessing the business but the client's broker had become increasingly concerned and suggested a professional valuation. Because of the high steel content in the structure, the overall value increased dramatically, so much so that the client queried it. But Rushton International could prove that the figures were indeed correct, saving the company a colossal sum should the stadium suffer major damage.

Additionally, detailed knowledge is especially vital in the area of Fine Arts. Even the most knowledgeable of insurance valuers call upon independent specialists to put a price on a piece of craftsmanship. Fine arts, of course, go way beyond pictures on the wall. Leaded glass windows, Grinling Gibbons fireplaces and, in one case, an entire boardroom lifted from the company's previous offices all fit under this particular umbrella.

Rushton International thoroughly recommends that companies seek a professional valuation every three to four years depending on any changes in the asset profile. During the intervening years a “desk top” approach is recommended ensuring values are kept up to date but without the need for a return site visit.

The best reason to consult a specialist valuation practice such as Rushton International is to avoid the perils of under insurance. The company has witnessed many jaw-dropping errors of judgement that could have cost businesses millions of pounds. One potent example is a valuation performed on a Victorian mansion house, originally a private dwelling but now home to an independent school. The fine red-brick structure with stone mullion, towers and turrets was Grade II listed but the owners had mistakenly insured the building on a modern materials basis. Shockingly, the reinstatement cost was three times the price that they originally placed on the property and in the event of serious damage would have been disastrous.

Not entirely as damning, but surprising, is the number of businesses that over insure their properties and fritter away huge amounts of money on annual premiums. This is especially true of large companies that own a number of factories in various locations. Rushton International's encounter with an international manufacturer with plants worldwide is a particularly notable example. Huge overestimations for annual inflation and failure to allow for decommissioned plant meant that a reduction of approximately one third of the original sum was recommended, signifying a staggering drop in insurance premiums.

However, 2007 provided the most telling reminder as to why correct insurance cover is vital to protect businesses. The devastating floods that blighted the north and west of the country earlier this year underlined the fact that insurance is not a luxury but a necessity. In addition to the 300% rise in homeowners frantically taking out policies when the water levels were rising, many companies were not prepared for the disaster. In many cases, this was not due to lack of insurance but to incorrect valuation of the business, which augmented the length of time taken to access rebuilding funds. Or, where they had no insurance to start with, they were left relying on handouts that have been too little, too late. Had these companies sought a more detailed valuation of their assets then the process would have been much slicker and speedier.

More often than not companies will realise that they have significantly underinsured their business too late. They may have had one of their locations flooded and will suddenly realise that they own a substantial amount of kit that is difficult to replace. Old machinery can go on doing the same jobs for years, but the cost of replacing it is likely to have increased dramatically. Equally the time taken to replace it, leading to a loss of revenue, also has to be taken into account.

Insurance valuing is a risky business on many levels. With so many factors to consider, it is imperative that a company protects itself by choosing a specialist valuation practice to analyse the cost of its assets. What is riskier still is for a business to believe that it has the capabilities to undertake such an assessment itself. Essentially, insurance is only as good as the valuation placed on the assets covered in the policy. Some setbacks can be predicted, but all too often an unexpected disaster suddenly highlights the deficiencies in the valuation process. It is the responsibility of the business owner to do the right thing.


Ernst & Young is a global leader in professional services, committed to restoring the public's trust in professional services firms and in the quality of financial reporting. Its 114,000 people in 140 countries pursue the highest level of integrity, quality and professionalism in providing a range of sophisticated services centred on its core competencies of auditing, accountancy, tax, transactions, risk and business advice. From its network of member firms around the world, Ernst & Young's 14,000 risk advisory professionals provide services that help clients assess, improve and monitor their business risks. The UK firm Ernst & Young LLP is a member practice of Ernst & Young Global.

Peter Finnie is a European patent attorney and partner in the London-based firm of Gill Jennings & Every LLP. He is a recommended patent attorney in the latest edition of the Legal 500. The core of his practice is represented by UK start-up companies, for whom he advises on the development of IP strategies as an integral part of business planning and fund raising.

Scott Hartop is a specialist in strategic risk. He has worked with UK and US banks, UK Government departments and European organizations in technology, R&D and infrastructure. Scott leads the Strategies & Crisis group of UMU, a division of Appleyards, helping organizations bring to life the futures they can shape and outperform the ones they can't.

Dominic Healey is a consultant at Siemens Insight Consulting. Dominic holds an MSc in risk management from the University of Southampton. He has in-depth knowledge on various risk management processes and techniques, including the Office of Government Commerce Management of Risk, of which he is a certified risk practitioner. He has extensive experience of enterprise risk management and project risk management.
HSBC Operational Risk Consultancy is a division of HSBC Insurance Brokers Limited, one of the largest international insurance broking, risk management and employee benefits organizations in the world. It is the only major insurance broker that forms part of a global banking group. As members of the HSBC Group, HSBC Insurance Brokers Limited shares an international network with offices in countries and territories in Europe, the Asia-Pacific Region, the Americas, the Middle East and Africa.

ICM Computer Group delivers optimum business availability in a way that is tailored to its customers' needs through a unique combination of managed availability and business continuity services. With a product and services portfolio that is unrivalled in the UK, no other company can do more to ensure clients' operational availability.

Mike James joined LRQA in 1992, initially being responsible for marketing and planning its operations throughout the international network. In 1996, he was appointed General Manager of LRQA UK, and in 2000 also became responsible for Lloyds Register UK Industry and Lloyds Register Inspection. In 2006, he became Vice President of EMEA, and is directly responsible for managing LRQA's regional operations.

Alistair King is Technical Director of ICM Computer Group.

Tim Kitchin is a partner at corporate consultancy Glasshouse Partnership, specializing in value-chain integrity and security. Tim has edited the Journal of Brand Management, is co-author of Managing Corporate Reputations and Beyond Branding, and is a member of the Institute for Social and Ethical Accountability and ethical marketing think tank 'The Media Group'.

David Lawson is a management systems expert currently developing LRQA's assessment approach for business assurance. Previously, David was Training Development Manager responsible for designing, developing and delivering bespoke client training packages. David joined LRQA in 1991, is an IRCA-registered QMS lead auditor, an EFQM Excellence Model assessor and a member of the CMI.

Gillian Lees is one of CIMA's technical specialists with a focus on corporate and enterprise governance, including risk management. Over the last couple of years or so, she has been heavily involved in the development of the CIMA Strategic Scorecard™, a tool designed to help boards to engage in strategic issues effectively.

Lloyds Register Quality Assurance (LRQA) is a member of Lloyd's Register Group and is a leading provider of business assurance services. Through its business insurance methodology, LRQA delivers a broad range of integrated services, including assessment and certification to international management systems standards and verification of environmental data and corporate reports.

Keith Loven set up his own practice, after training and post-qualification experience in private practice and in industry, with a Yellow Pages advertisement and fingers crossed.
Fortunately, clients did call and 18 years on he is still enjoying the diversity of the work, from patent drafting through to trademark disputes. LOVEN Patents & Trademarks is a small firm with a spread of clients from SMEs and individuals to larger corporations in the UK and overseas, and with attorney contacts throughout the world. LOVEN aims to provide a personal service, understanding the client's business and seeking practical strategic business solutions for clients.

Sean McGahan LLB CIRM is head of Litigation Risk Management at McKinty & Wright Solicitors.

Graham Massie is a director of CEDR (Centre for Effective Dispute Resolution) and a practising accredited mediator. He is a qualified chartered accountant and has spent 10 years with KPMG in Chicago and London. He has been a company director in the United States and has established his own business consultancy practice, with extensive experience of multinational corporate consultancy.

Neil Miller is a director at CSi (Commercial Security International Ltd), a company specializing in all aspects of corporate security, including surveillance, fraud and intellectual property investigations.

Paul Miller is a senior consultant at Cision. In addition to providing support and consultative advice to clients on their media communications strategy, Paul is also a regular speaker at international events and conferences in the communications industry, where he has gained recognition for his original thinking on new media topics.

Ed Mitchell is Senior Underwriter for Product Recall at XL Insurance. He has many years' experience in product recall insurance, both as an underwriter and as a broker. Ed specializes in coverages for the food and drink sector and leads the Product Contamination and Recall Insurance team at XL Insurance in London.

Jacqueline Needle is a partner of Beck Greener and a graduate in electrical and electronic engineering. Jacqueline has an LLM in advanced litigation and is a patent attorney litigator. Thus, she is one of a handful of British patent attorneys who are able to undertake IP litigation in the English courts.

Norland Managed Services Ltd is the UK's leading and fastest growing independent engineering services provider. Established in 1984 with three core principles that remain true today – quality customers, quality staff and quality service – Norland chooses to work with customers who accept no compromise in quality standards. The business has grown to an annual turnover of £86 million on the foundation of high customer-retention rates, with over 950 employees at Norland offices in London, Birmingham, Bristol, Leeds, Manchester, Newbury and Slough, and in Scotland.

Mike Osborne is Managing Director of Business Continuity at ICM Computer Group.
Bart Patrick is the Head of Risk Intelligence, SAS UK. Bart's role involves managing SAS' UK risk practice, and working with the market experts, clients, analysts and professional bodies to deliver the strategic direction of SAS in the UK risk sector. His remit covers credit risk, market risk, operational risk, enterprise risk management, anti-money laundering, market abuse, fraud and compliance across all sectors. Bart is an experienced financial services, risk and technology professional. He has held a range of high-profile roles in the past for some of the most respected software vendors operating in the financial services industry. Bart has an MBA and a diploma in management from the Open University.

DO YOU ALWAYS COME BACK WITH EXCESS KNOWLEDGE?

Isn't half the enjoyment of travel going home with stories to tell? At InterContinental we use our local knowledge of a place to help you truly enjoy it. By arranging in London, for example, the opportunity to look through Britain's largest telescope at the Royal Observatory, home to the Greenwich Meridian. Here you can explore Saturn, Mars and the wonders of our awe-inspiring universe; a genuinely authentic and enriching experience that will provide captivating tales for years to come.

For more details or to make a reservation, please call 0800 1800 1800 or visit intercontinental.com

Do you live an InterContinental life?

INTERCONTINENTAL HOTELS & RESORTS

Managing hotel risk around the world

John Ludlow, Senior Vice President, Global Risk Management, IHG

Introduction

InterContinental Hotels Group (IHG) is the world's largest branded hotel group by number of rooms. We own, manage, lease or franchise over 3,650 hotels, with 543,775 guest rooms, in nearly 100 countries and territories around the world. The Group owns a portfolio of well-recognised and respected hotel brands, including InterContinental, Crowne Plaza, Holiday Inn and Holiday Inn Express. We also run the world's largest hotel loyalty programme, Priority Club Rewards, with more than 31 million members. With so many guests and staff, and so much business and property, in so many countries, across so many cultures and time zones, it follows that risk, especially fire, H&S and security, is a major factor in the group's day-to-day operation, and strong and effective risk management is fundamental to the success of each hotel and the group as a whole. So what specifically are we talking about?

It shouldn't happen to a hotel manager . . . but it does

• A young child drowns in a pool.
• An outbreak of Legionella forces the hotel to close, hospitalises guests and generates adverse publicity for the hotel and the brand.
• An employee runs back into a burning hotel to try to extinguish the fire, and nearly dies.
• A young family is killed by fire caused by a discarded cigarette.
• A contractor is killed on site while servicing the lifts.
• An employee is killed while working on electrical plant that was not insulated.
• 50 guests fall seriously ill after a banquet.
• Terrorists fire a rocket at the hotel.
• A celebrity guest is arrested for the possession of drugs and resists arrest.
• An Internet child abuser uses a hotel room to ply his vice.
• The night manager takes £25,000 from the safe.

The objectives and challenges of Risk Management in IHG

The objective of Risk Management in IHG is to make – and keep – our hotels safe for all of our stakeholders: guests, staff, hotel owners and managers. This means:

• Championing the proactive management of fire, safety and security risks.
• Mitigating the impact of serious incidents by careful planning and preparation.
• Giving operators the confidence to focus on great customer service in the knowledge that they know how to handle a crisis.
• Ensuring the Company can deal effectively with any crisis.
• Maintaining the continuity of operations at all times.
• Providing swift and professional claims-handling and adjustment.

One of the challenges we have is to achieve these objectives when operating in less well-developed countries, where background legislation and standards are generally weaker than in more developed countries. Cultural differences, too, are significant, not just between regions and countries, but also between types of hotels. Mid-scale hotels are more used to being part of clusters of units acting as one,


whereas large hotels more often act independently, and may not readily agree to follow a corporate strategy. Our other main challenge comes from our business model. Clearly, in the managed estate we can mandate how things are done; however, our control is much more limited with our franchisees, whom we rely on to adopt our good practices. What we do in risk management has to meet four important criteria:

RELEVANT

• Meet legislative requirements, international, national and local.
• Minimise the financial impact, and maximise the benefits, of risk financing.
• Address the operational impacts of hostile environments, and the benefits of preparation.
• Address the strategic impacts of risk, and the benefits of linking risk planning with the Company's Corporate Social Responsibility (CSR) strategies.

REPEATABLE

• Use a systematic approach that can be rolled out across the estate but is adapted to meet differing regional and cultural needs.
• Embed knowledge from top to bottom throughout the operation.

DISTINCTIVE

• Apply custom-built strategies and methods across all risk groups to give an integrated risk strategy.
• Focus on the risk issues that apply to the hospitality industry and our business focus within that.
• Provide evidence of our care and safety standards to persuade companies to choose our brands for their employees.
• Give owners and investors confidence in our brand with a solid risk management programme that reduces perceived investment risk and enhances our growth.
• Build a system that is low cost to adopt and run, is truly global, and copes with all the geographical and cultural boundaries that are inherent in our business.

CONSISTENT

• Provide common policies and standards that apply throughout the estate.
• Establish and communicate roles and responsibilities, rolling out 'Best Practice' procedures and guidelines, and shared tools and platforms.
• Establish common ways of working that the whole operation understands and uses.
• Roll out comprehensive and inclusive training programmes.
• Establish a culture of robust but controlled self-assessment of progress within every hotel.
• Carry out regular reviews and evaluation of progress throughout the estate.

Our strategy

The IHG Risk Management team has developed a culture and approach in which we work and learn collaboratively, to ensure that everyone in the IHG community does the right thing to protect the long-term interests of the majority of our stakeholders.


First: Build a global team

Together, we are stronger. Bringing the regional Risk Management teams together into a global team has proven to be a powerful and effective weapon in the battle to manage risk and meet our objectives and challenges:

• The team of teams: The Risk Management function is now organised in a matrix, with three aligned regional teams supported by global teams dealing with global security issues, corporate risks and risk financing. The regional and global teams are now so closely aligned and collaborate so freely that we have become one team across the world.
• Specialist knowledge: Team members are tasked with developing specialist knowledge in different risk areas and with sharing this knowledge globally. The different specialists work together in workgroups of related risks to ensure that all materials are understood and valid globally.

Second: Identify the assets

It is vital that we regularly refresh our understanding of what we are trying to protect. Assets include guests, staff, systems, processes, buildings, relationships, future cash flows, and reputations. Over time the assets change and their relative importance can reposition as the business evolves.

Third: Understand the impacts you are trying to avoid or reduce

“Stuff happens”, they say, and you must have procedures to react to events, get back to business and compensate for loss and damage . . . But this is NOT a complete strategy! Successful risk management establishes procedures to AVOID “stuff happening”. The impacts of a disaster, natural or man-made, or of an accident or human error, can be wide-ranging, and risk management must prepare for an array of potential impacts.

Figure 1 The impacts of risk

Fourth: Take a common systematic approach

We have developed a common systematic approach structured around risk groups and a system of operational risk mitigation activities.

Figure 2 The Risk Groups and Operational Activity cogs


Risk Groups, represented by the Risk Groups cog in Figure 2, focus everyone on Crisis Management, Fire Safety, Security, Food Safety, Guest, Child and Staff Safety, and Leisure. Each operational risk mitigation activity, represented by the Operational Activity cog, is designed to reinforce the others; it is important that no one discipline is weaker than the others. The operational activities function within a cycle in which we:

• Identify and profile the risks for the business, and establish the policies and standards that will protect them.
• Implement common ways of working, and develop supporting tools.
• Communicate the policies and standards, and the ways of working, through hands-on training, learning tools and resources.
• Audit progress in individual hotels and provide feedback and more information as required.
• Review and evaluate progress up the operational chain of command, and update and improve our methods and our tools as necessary to meet changing risk demands and situations.
• Address the issues of risk financing, which normally take the form of insurance and claims, retained or contractually transferred risk.

The result is a comprehensive, all-encompassing system with a value that is much greater than the sum of its parts. It can deliver a single powerful and clear message, and a consistent risk management mindset in every hotel throughout the Company.

Fifth: Roll out the strategy

Once the system has been built, the next task is to roll it out. However, there is much more to it than telling people what to do. A strong risk management culture is required, and this demands great communication, passion and consistency of purpose. It isn't just about running a workshop and printing some handouts. In order to get the message across and to embed it deeply into everyone's daily working life, and indeed into their psyche, proactive and imaginative communication is required.
Key elements in the rollout are:

• Communication: The team has developed the ability to communicate clear responsibilities and accountabilities to all stakeholders. We use story-telling, like “It shouldn't happen to a General Manager – but it does”, and try to help people discover what really works by reflecting upon the impacts of poorly managed risk and by celebrating success stories. We are also there for them in times of need or crisis: we communicate, respond and co-ordinate.
• Teaching people to fish rather than handing out fish: The cornerstone of our training activity is our Risk Management workshop, where we aim to teach people the value of our work, give them a structure and approach to use to become self-sufficient, and supply them with user-friendly tools to help them do a great job. Training is deep and at all levels: induction, skills, knowledge and leadership, to build the teams' capabilities.
• Maturity matrix: Hotels are not just assessed for compliance with our standards; we also assess them against a maturity matrix to evaluate how proactively they are managing their risks against a number of competencies, culminating in an assessment of the safety culture of the hotel.
• Measurement: We record incidents and claims from all the managed hotels, and these enable us to see trends and issues across the estate. Hotel reviews and Area reviews provide feedback on progress and identify common issues and needs. We aim to celebrate success, but we will also hold people to account if necessary.
• Review: Reviews with operators are, however, only half the story. Each Risk Group must review and report back centrally, so that we can all learn from our own and others' experiences. By doing this we are able to learn together and build balanced capability across the business, driving a proactive culture towards risk.

Sixth: Underpin the system with user-friendly tools

The strategy is underpinned by tools that support the activities, which are engaging, easy to use and readily accessible. The Risk Management intranet contains a wealth of information to enable hotels to understand and manage their risks, including:

• Policies, standards and guidelines.
• Forms and documentation to help hotels record and monitor events.
• Risk assessments, crisis planning tools and tests, the Risk Management Action Plan, self-assessments and checklists.
• Many different kinds of training and promotional materials that can be used and reused both in workshop training sessions and on an individual basis. These include '10 Minute Trainers', risk awareness posters, checklists, tests, activities to run in the hotels, awareness events and a suite of e-learning tools.

The Fire Life Safety Calendar is one of the most successful, and highly regarded, tools in IHG's risk management armoury. The calendar runs on the hotel's departmental PCs and is linked to the Risk Management intranet, and it enables the hotel to co-ordinate all its risk management activities and training programmes.

Figure 3 Fire Life Safety Calendar

Some of the reasons for the Calendar's success are that it:

• Reflects all brand standards and operating standards.
• Saves on the printing costs of wall charts.
• Provides five languages in a single version (we have three Regional versions).
• Addresses the needs of everyone in the hotel because it is managed by heads of departments.
• Provides immediate access (via the intranet) to all the other tools and information that a hotel needs, including the awareness activities, checklists and self-assessments, and the training materials.

Figure 4 One of a series of ‘10 Minute Trainers’

The strategy works!

It is not hard to see the success of our strategy and methods. We can measure success by:

• The high take-up of our workshops (and of our Strategic Risk Management Training award).
• The number of hits on the Risk Management Intranet.
• The popularity of the Fire Life Safety Calendar.
• The number of hotels using the system well, judged by the maturity of their use of it.
• The improvement in managing dynamic risks such as terrorism and organised crime.
• The ability of the teams to prevent very serious incidents becoming crises, and the effective management of any that do.
• The dramatic increase in the number of incidents being reported.
• The reduction in both claims and the cost of claims.
• The reduction in our insurance premiums and the improvement in coverage negotiated.
• Improved sales for IHG from corporate buyers and risk and security managers.

However, we are not complacent. Some of the challenges remain, including extending our reach in less developed parts of the world and bringing our franchisees along with us. But we have come a very, very long way. Our strategy is working; our team of teams and our common approach are a success and will only strengthen with time.



Roy Ramm is Chairman of Commercial Security International Ltd (CSi) and a former Commander of Specialist Operations at New Scotland Yard. As a widely experienced career detective, during his service he commanded the Serious and Organized Crimes Branch, the Flying Squad, the Fraud Squad and the Firearms Response Units, and also established the Met's Undercover Operations Unit. Roy was the Director of Scotland Yard's Hostage Negotiators' Training course and led the Hostage Response Team. He has advised the United Nations, national governments and police forces globally on policing, extortion, crime and security-related issues. He has worked extensively in Europe, including Eastern Europe, and in Africa, the Russian Federation, the United States, Asia and the Caribbean. Roy has lectured extensively on law enforcement issues and is a regular and experienced contributor to the media on crime, terrorism and security-related issues. He is a graduate of the Special, Intermediate and Senior Command Courses and the Federal Bureau of Investigation (FBI) National Academy Course in Quantico, Virginia.

Allan Robinson is a natural scientist with expertise in the use of quantitative and qualitative techniques to support decision makers facing complex problems. After starting his career as a glaciologist with the British Antarctic Survey, he now leads the Project and Programme Risk group of UMU, a division of Appleyards, embedding and integrating risk and value management to ensure success.

Paul Saville-King is a Divisional Managing Director of the Critical Services Division for Norland Managed Services Limited. Paul has a robust background in all aspects of building services, electrical engineering, fire and security, and building management systems. He is pioneering the reduction of risk in engineering services through a unique Critical Engineering and Risk Management (CERM) business model in collaboration with key account clients, technical experts and consultants from the industry. Paul has qualifications in engineering, business and finance, holds an MBA with distinction from Ashridge and is a full member of the Institute of Incorporated Engineers (IIE), a fellow of the Chartered Management Institute and a member of the BIFM.

Fiona Sheridan is the leader of Ernst & Young's Risk Advisory Services practice in London. She is a chartered accountant with more than 14 years of experience in internal audit and risk management, including a period as a Business Risk Manager in a telecommunications company. Her team of 100 risk and control professionals advise and assist companies and public sector bodies on how to understand and manage risk and assurance efficiently.

Siemens Insight Consulting is the specialist security, compliance, continuity and identity management division of Siemens Enterprise Communications Limited. From the development of policy, strategy and awareness through to the delivery of complete solutions comprising identity management, smart cards, testing, training and managed security, Insight Consulting helps organizations to identify and manage risk in their IT operations.

James Smither joined Control Risks in 2000 and manages its global political risk consulting projects. He has led a variety of consulting projects across sectors including


Implementing a Risk Management System – What's the problem?

1.0 Introduction

A frequent perception of Risk Management Systems is that they are a 'Faith Based' purchase. If you believe that Risk Management (RM) is the right thing to do, you invest in an RM System. If the Auditors threaten to qualify your accounts, you buy an RM System; failing these two conditions you are inclined to 'make do'. There are undoubtedly benefits in adopting an RM System . . .

• In 2007 a Global Survey by Ernst & Young concluded that 'Improved Communication on Risk with Shareholders may Increase Share Price by Reducing the Risk Premium they otherwise impose'.
• Experience shows that employing RM considerations prior to any major project can produce insights that substantially improve the quality of the decision taken and the robustness of the resulting actions.
• With an RM process in place, residual risks can be better defined, and this creates a platform to reduce multi-million pound Insurance Premiums or to reduce the capital tied up in Self Insurance Funds.

. . . and there are many sources of a Risk Management Standard advising you how you should manage risk. However, we at Stewart Business Software wanted to take a different approach. We felt that if we better understood the difficulties Enterprises were having in deploying the RM Standards, then maybe we could design an RM System that went an extra mile and better supported any financial justification. To that end, Stewart Business Services spoke with around 60 Finance Directors and Risk Managers in both Corporate Businesses and Local Authorities. This article shares some of the key findings.

2.0 Corporate Business v Local Authorities

Whilst the difficulties expressed within both groups were largely similar, it was evident that the Local Authority population appeared to be slightly more advanced in the deployment of widespread (embedded) RM Processes. This is probably due to regulation and, particularly, the inspection routines that have been in place, via the Audit Commission, since 2002. Under this regime, known as Comprehensive Performance Assessment (CPA), Local Authorities are regularly scored against a set of criteria that denote 'what good Risk Management looks like'. Conversely, whilst there is much advice to Corporate Business, there does not appear to be such a uniform inspection regime. We were at one point advised by a leading plc that “We have RM Policies and Strategies for the Annual Report but, if you scratch the surface, there is not much underneath”.

2.1 In 2009 CPA will be replaced by CAA – Comprehensive Area Assessments. This will require Local Authorities to work even more closely with their Key Partners to develop joint Local Area Agreements – incorporating improvement objectives – and thereafter to manage risk co-operatively. It may be that any Corporate Business still looking for a Risk Deployment Model could do worse than starting with a visit to their Local Council.

3.0 Risk Management should help to achieve Objectives

This self-evident truth was endorsed by just about every Risk Manager we spoke to, yet, amazingly, there were major organisations that, although looking to deploy a Risk Management System, were unable to assess Risk against Departmental Objectives. Whilst they had agreed a set of Corporate Goals, there were no Objectives recording the contribution that individual departments were to make; identifying a pertinent set of risks at a detailed level was therefore rendered impossible.

3.1 There are many Risks that can prevent an organisation from achieving its Objectives, but probably the greatest is the failure to articulate what those Objectives are and to communicate clearly to each departmental team how they will contribute to the Objectives' accomplishment.

4.0 Determination of the Risks to be Managed

We discovered quite a few Risk Managers with a Military background and, whilst this equips them with an admirable set of qualities for such a job, there was a tendency for them to equate a Risk to a Threat rather than, for example, an accident or failure. The formula “Threat x Vulnerability = Risk” is quite commonly used and may be entirely suited to a Data Centre or Information Technology intensive operation, where hackers and constantly evolving viruses are a persistent menace. Whether or not this formula transfers to all arenas is debatable. We came across one Local Authority that cocooned a dozen or so of its most Senior Executives in a Risk Workshop for a whole day, during which they used the formula to identify more than 300 theoretical Risks. Subsequent analysis determined that only about 25 could impact their Objectives and were worthy of inclusion in their Risk Register.

4.1 Consider an alternative approach: simply ask the individual Objective Holders, “What could stop you from achieving your Objectives?” They are the people with the greatest knowledge, and it is highly likely that the Risk Register will fill quite quickly. The time of the Risk Managers (and Senior Executives) can then be directed to moderating the Risks and supporting the Objective Holders in executing the necessary Controls to diminish the chances of the Risk occurring.

5.0 Embedding Risk Management

This is the area where most enterprises were having difficulty. It is comparatively simple, and very satisfying, for a Risk Manager to arrange for the Key Executives to meet and agree a reasonably short list of Strategic Risks, but rolling out the process to include deeper organisational levels causes problems. It is frequently the case that the Risk Matrix (assessing the Impact against the Probability of the Risk) used to assess Risk at a Strategic Level is also used throughout the organisation. However, as the process rolls deeper into the organisation and the delegated authority levels become smaller, the Impact of Risk also tends to lessen. When placed into the Risk Matrix, these Risks often fall into the group of Risks that will be 'Tolerated' rather than 'Treated' (actively managed). Such an approach can cause an adverse reaction to the roll-out of RM, as it is seen as generating additional work for line managers without any resultant action or support from senior levels.

5.1 An alternative approach could be to recognise that, as RM moves deeper into the Organisation and the level of delegated authority reduces, the Impact Scale on the Risk Matrix should be adjusted accordingly. This will lead to a full range of action outcomes being produced at every level of the organisation, thereby ensuring that even smaller risks are actively managed. This has a further advantage: serious problems are frequently caused not by a major Risk Event but by a collection of smaller yet simultaneous risks, and the better these smaller risks are managed, the lesser the chance of a 'collective risk event'.

6.0 Capturing the Risks – Multiple Risk Registers

This is an area where the make-do approach to Risk Management was in greatest evidence. The majority of persons we spoke to employ an RM System based on Microsoft Excel and Word. This works well within a

advertisement feature

tightly knit company (one with narrow geographical dispersal and short lines of communication). However, in larger companies, there is a tendency for the spreadsheets “to multiply and evolve as though they have a life of their own”. 6.1 The hours spent cutting and pasting risks from, often disparate, multiple Risk Registers in order to produce regular reports is one of the biggest frustrations of many Risk Managers. In this environment any short notice, ad hoc reports can cause major disruption and the results may be sub-optimal due to a lack of common risk recording standards. Whatever medium you choose to record your risks, some form of ongoing central management of the Risk Format will pay dividends in the longer term. 7.0
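To make the points in 5.1 and 6.1 concrete, here is an added Python example (not code from the article, nor from Stewart Business Software or MIMS RM). It reads two constructed registers exported with different column headings, maps them to one common format, and scores every risk on a Probability x Impact matrix whose monetary Impact thresholds depend on the organisational level that owns the risk. The column mappings, the threshold values, the Treat/Tolerate cut-off of 10 and the register rows are all assumptions chosen for illustration.

```python
"""Consolidate several risk registers into one common format and score each
risk on a level-specific impact scale.

Added example; not code from the article or from Stewart Business Software.
Register contents, column names, thresholds and cut-offs are constructed.
"""
import csv
import io

# Constructed sample: two registers exported from different spreadsheets,
# with different column names for the same information.
HQ_REGISTER = """\
Ref,Risk Description,Owner,Probability,Impact (GBP)
S-01,Loss of key distributor in EMEA,Sales Director,3,4000000
S-02,Regulatory change to product labelling,Compliance Lead,2,900000
"""

SITE_REGISTER = """\
ID,Risk,Objective Holder,Likelihood,Cost if it happens
OPS-7,Forklift out of service for a week,Warehouse Manager,4,25000
OPS-9,Temp staff shortage in peak season,Warehouse Manager,3,60000
"""

# Mapping from each source's headers to the common format. Adding a new
# spreadsheet means adding one entry here, not rewriting the reports.
COLUMN_MAPS = {
    "hq": {"Ref": "id", "Risk Description": "risk", "Owner": "owner",
           "Probability": "probability", "Impact (GBP)": "impact_gbp"},
    "site": {"ID": "id", "Risk": "risk", "Objective Holder": "owner",
             "Likelihood": "probability", "Cost if it happens": "impact_gbp"},
}

# Monetary thresholds (GBP) for impact scores 2..5, one scale per level.
# Constructed values: the point is that each level has its own scale.
IMPACT_SCALES = {
    "corporate": [100_000, 500_000, 1_000_000, 5_000_000],
    "department": [5_000, 20_000, 50_000, 100_000],
}

TREAT_THRESHOLD = 10  # probability x impact score at or above this => Treat


def load_register(text, source, level):
    """Parse one CSV register into dicts with common keys plus its level."""
    colmap = COLUMN_MAPS[source]
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = {colmap[k]: v for k, v in raw.items() if k in colmap}
        row["probability"] = int(row["probability"])   # 1..5
        row["impact_gbp"] = float(row["impact_gbp"])
        row["level"] = level
        rows.append(row)
    return rows


def impact_score(amount_gbp, level):
    """Map a monetary impact to a 1..5 score using the level's own thresholds."""
    score = 1
    for threshold in IMPACT_SCALES[level]:
        if amount_gbp >= threshold:
            score += 1
    return score


def score_risk(row, level=None):
    """Return (probability, impact score, rating, action) for one risk.
    `level` lets the same risk be scored on another level's scale."""
    lvl = level or row["level"]
    imp = impact_score(row["impact_gbp"], lvl)
    rating = row["probability"] * imp
    action = "Treat" if rating >= TREAT_THRESHOLD else "Tolerate"
    return row["probability"], imp, rating, action


def consolidate(sources):
    """sources: iterable of (csv_text, source_name, level).
    Returns all risks in the common format, scored, highest rating first."""
    rows = []
    for text, source, level in sources:
        rows.extend(load_register(text, source, level))
    for row in rows:
        _, imp, rating, action = score_risk(row)
        row.update(impact_score=imp, rating=rating, action=action)
    return sorted(rows, key=lambda r: r["rating"], reverse=True)


if __name__ == "__main__":
    combined = consolidate([(HQ_REGISTER, "hq", "corporate"),
                            (SITE_REGISTER, "site", "department")])
    for r in combined:
        print(f"{r['id']:6s} {r['level']:11s} P={r['probability']} "
              f"I={r['impact_score']} rating={r['rating']:2d} {r['action']}")
```

Scoring the warehouse risks against the corporate thresholds gives them a rating of 3 or 4 (Tolerate); against the departmental scale they rate 12 (Treat), which is the effect 5.1 describes. Keeping the column mappings and scales in one place is the "central management of the Risk Format" that 6.1 recommends.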

7.0 Types of Risk esp. Strategic and Reputational

Most companies have a range of risk headings that are appropriate to their business (e.g. Financial, Legislative, Competitive); however, the risk type that creates the most discussion is 'Strategic'. Strategic Risk is frequently confused with either a Large Risk or a Long Term Risk. The author would contend that a Strategic Risk should be one that adversely impacts any of the Competitive Advantages or Major Assumptions on which the enterprise has based its Corporate Plan. Whilst such Strategic Risks may often be large, Large Risks are not necessarily Strategic. Strategic Risks may also have a Long Term Impact, but they can occur, and should be managed, at any point in time that they arise.

7.1 Strategy is the remit of the Executive Team and, if they fully consider the relevant risks when developing Strategic Plans and determining Corporate Objectives, then, in normal conditions, everything impacting any subsidiary Objective should be an Operational Risk. However, no plan is perfect and all levels of personnel should be able to 'blow the whistle' if they are in any doubt that they have identified a Strategic Risk. Such an approach can also be applied to Reputational Risks. This is because, although some Reputational Risks are clear cut (like anything relating to Child Abuse), any market-facing risk, if badly handled, has the potential to cause a reputational impact. Some such risks, however, are clearly more Tabloid-Worthy than others; these risks need to be advised to your PR departments in order that they may develop appropriate media management plans.

8.0 RM relationship with Business Continuity Systems

When given a choice between an RM system and a Business Continuity (BC) System, it seems that the BC system is easier to justify. This is because, whilst many business cases exist on the benefits of rapid recovery from disruptive events, it is impossible to prove that an RM system is the reason that no disruptive events were experienced. However, closer inspection of the RM standards and the latest BC dictum from British Standards (BS25999) shows that there are more similarities than differences between the two processes. The chief differences are that RM assesses Risk against Impact and Probability whilst BC also factors in Time, and that RM plans for pre-event Mitigation whilst BC plans for post-event Recovery.

8.1 Integrating the two processes has several advantages. Firstly, it eases the financial justification for the System and reduces the overall expenditure incurred. Secondly, including RM lessens the likelihood that BC plans will need to be deployed. Thirdly, it supports the BC Managers by using the RM process to identify potential BC risks from every Objective Holder in the enterprise. Finally, encouraging each manager to consider whether or not a risk to their individual objectives could also impact a Key Business Process is likely to lead to a greater sense of Teaming and shared responsibility.

9.0 Substantiating Control Measures – Following up Actions

At the heart of how well RM works are the Control Measures deployed. Such measures need to be well designed and properly executed. It is best practice if these Control Measures are subject to Audit, either by a formal internal team or by the Senior Risk Managers. Clearly any Audit may give rise to improvement actions to add to those already identified by the line management teams. Following up such actions is one of the greatest problems cited by Risk Managers, as they have no direct line responsibility and, as RM is further embedded, the span of control becomes increasingly difficult. Frequently Risk Managers try to overcome these difficulties by using Workshops in order to isolate groups of managers from their "day jobs" in order to focus on Risk Issues. One Risk Manager described such Workshops as 'like Groundhog Day': the same people meeting regularly to discuss the same issues and agreeing the same actions, but nothing ever changing.

9.1 One concern with the Workshop Approach is that RM is an imperative part of the "day job". As such it needs to be managed within a process that allows this. Evidently, if such a process starts by assessing Risks against individual objectives (at all levels of the Organisation), incorporates Process Continuity, includes Risk Based Internal Auditing and helps to assure action follow-up designed to bring about Continual Improvement, then such an RM process clearly underpins and demonstrates Good Corporate Governance and surely warrants prioritisation for Investment.

10.0 Conclusion

As well as MIMS RM, from Stewart Business Software, there are many other good systems available from independent suppliers. We trust that, by sharing our insights, we have given you some assistance in making your selection and in building your business justification.

Article Contributed by Kelly Lehmann, General Manager Stewart Business Software.

E: [email protected] W: 01295 712955 M: 079 1025 4288


CONTRIBUTORS' NOTES

energy, pharmaceuticals, mining and defence, and has developed bespoke products in areas such as supply chain management, business security and human rights. An African specialist, he has had articles published on regional and country-specific risks, is regularly interviewed by journalists on business risk development in Africa, and has appeared several times on BBC World Service radio to provide regional expertise.

Jean-Louis Somnier is an engineering graduate of the Ecole Nationale Supérieure de Techniques Avancées (ENSTA), Ingénieur du Génie Maritime, Ingénieur de l'Armement, and holds a degree of the International Institute of Industrial Property Law (CEIPI). Furthermore, he is a qualified French and European patent and trademark attorney. Jean-Louis has 16 years' experience in industry as an engineer and operational manager and 19 years as a patent attorney, including seven years as Managing Director of Novagraaf Technologies. He also teaches IP strategy classes at universities and secondary technical schools.

Strategic Risk Partnerships Ltd (SRP) specializes in the design, development, implementation and management of insurance and risk management (including corporate governance) programmes for industrial and commercial clients. SRP provides consultancy and operational services as support for in-house risk management units and/or as a wholly outsourced facility, according to client preference.

SunGard Availability Services is the pioneer and leading provider of Information Availability services, helping to ensure that nearly 10,000 clients worldwide have access to their business-critical information systems. Having supported more than 2,500 invocations over the past four decades with 100 per cent success, SunGard has an unrivalled track record in the industry.

Keith Tilley is Managing Director and Senior Vice President Europe of SunGard Availability Services (UK) Limited. Keith joined SunGard in November 2001 when it acquired Comdisco. He is responsible for the company's profitability and all aspects of sales, marketing, delivery and development. A well-known industry figure, he has over 30 years of business expertise and is widely quoted on information availability issues in the press.

Lee Tricker is Director of Thomas Miller Risk Management (UK) Ltd (TMRM). Part of the Thomas Miller group of companies, TMRM is an independent risk management consultancy that provides objective advice to public and private sector clients in respect of risk management, risk identification and assessment, loss control and risk financing (including captive insurance company feasibility studies).

XL Insurance Group's companies help leading industrial and commercial businesses manage their risks by providing comprehensive, cost-effective and integrated solutions. The XL Group offers a broad portfolio of high-quality insurance products and related services, including property, casualty, professional and specialty coverage. The Group is committed to five key values: ethics, teamwork, excellence, development and respect.

Use a strategic approach to manage your risks

Make a real step change in health & safety risk management

How do we do things differently to manage your health & safety risks? Using a Corporate risk assessment to identify potential management failures, then implementing business integrated risk management processes.

Health & Safety Risk Management

John Stevens, Managing Director, Risk Frisk Ltd

Health & Safety needs to step out from the shadows and become a strategic, business-facing corporate function. The health & safety (H&S) professional needs to embrace enterprise-wide risk management to ensure that their input is framed using the 'correct' language, is risk-based, business focused, commercially relevant and integrated with organisational policies and systems. Without this approach H&S risks will not become an enterprise-wide process.

In a UK context the introduction of the Corporate Manslaughter and Homicide Act in April 2008 will require organisations to identify 'how' they are creating risks and identify any current or potential 'management failures' that could lead to the death of a person to whom the organisation owes a duty of care. Whilst no 'new' regulations are introduced by the Act, it is clear that organisations will have to look afresh at the way they manage their H&S risks at strategic, tactical and operational levels.

We use the term "Health & Safety Risk Management" because we believe that the risks to be managed or supported by the H&S function are much broader than typical H&S activities at a tactical and operational level. The H&S function can make an enhanced contribution to the organisation's overall management of risk if it looks both outward and inward from its current position and contribution. The emerging method for managing the organisation's 'total' risks is "enterprise risk management", sometimes called enterprise-wide risk management.

Enterprise-wide fleet risk management

Enterprise Risk Management (ERM) looks at risks that can occur right across the enterprise. The process should take a risk-based approach to the balancing of risk minimisation versus opportunity management, and not a risk-averse, legally compliant approach. Running any enterprise will always involve risk (commercial, financial, operational risks etc.), and the key to maximising the opportunities for the enterprise from any new initiative, which involves 'taking a risk', must be balanced by the minimisation of risks wherever possible, but not to the extent that the new initiative is stifled or controlled to such a degree that any opportunity is reduced. An essential element of the ERM process is to ensure that the identified risks and their control processes are closely monitored.

By adopting effective ERM tools and techniques, organisations, and in particular H&S professionals, can help to improve the management of the business and business performance. These two factors are key to the achievement of the organisation's strategy, goals and objectives. By changing to a risk-based approach, H&S professionals will be able to enhance their contribution, be increasingly seen as organisationally relevant and make a significant contribution to organisational development and the achievement of the organisation's strategy and objectives.

Any management system for managing H&S risks needs to be business focused and commercially relevant, appropriate to an enterprise, but at a minimum legal requirements must be taken into account. The H&S professional therefore must have the professional and personal skills and competencies to make a strong and valid business case for an appropriate level of resources, and not just use legal compliance arguments. Making a case on the basis of legal compliance alone is unlikely to establish a valid business case, but many H&S professionals still believe that the legal compliance argument is all that is needed.


The best way to build a strong business argument is to use a process that identifies how the enterprise is creating H&S risks and evaluates the implications of those risks. This will enable a case to be made as to how the risks could be better managed to benefit the business and, as a consequence, all stakeholders. Our approach was developed using a combined total of over 100 years of international experience in the development and implementation of H&S, fleet, fire, manufacturing processes and business continuity risk management systems. It was developed in response to the need for a process with a business-wide focus that is comprehensive, commercially relevant and risk-based. This approach has been used successfully for over 15 years. A model shows the key points:

In order for H&S professionals to make a more effective contribution, they need to build a strong justification for their involvement at a strategic level. It is clear that where H&S professionals operate at a strategic level within the organisation's strategic, business and operational processes, they are ideally placed to make a significant and effective contribution to enterprise-wide risk management. Risk management succeeds or fails based on altering managers' and employees' perceptions, attitudes, behaviour and performance with regard to risk. Success will depend on effective training, performance management, reward and sanction systems and developing work practices and procedures that limit human error, increase job satisfaction and reduce stress. The above mechanisms are cross-functional and interrelated, hence the need for the H&S professional's involvement at the strategic level, with a cross-functional remit.

The management of risk is a vital part of managing any organisation. However, H&S risks are not fully taken into account during typical 'insurance/financial' focused business risk management processes. It is clear that if an ERM programme is based on meaningful risk decisions, rather than merely making decisions on an arbitrary cost basis, then many losses could be foreseen and preventive actions taken. So-called high-level 'cost only' decision-making is symptomatic of many board decisions taken without much thought for the risk side of the equation. However, an ERM programme should highlight the importance of risk assessments to the board/senior management and ensure that both cost and risk are taken into account when management decisions are taken and implemented.

An ERM programme helps to elevate the profile of H&S within an organisation's corporate governance (CG) and corporate social responsibility (CSR) systems and identifies the need for the 'safety net' to be extended to include all potential organisational stakeholders, e.g. customers and a supply chain. Effective CG processes within an organisation must include a Health & Safety Risk Management process, and business decisions must consider all risks and consequences of a business strategy and its implementation. It is traditionally difficult for H&S professionals to participate in CG and CSR processes, as the H&S function often only operates at the 'operational' level. Additionally, the H&S function often approaches its role in a risk-averse, non-business-focused manner. H&S professionals who seek to increase their influence 'up the management chain' will be more often asked to contribute at a 'tactical' and 'strategic' level, where CG, CSR and ERM are 'on the agenda' of senior management. In this way H&S professionals can help the organisation to manage its opportunities in a more complete manner, whilst minimising the risks. This gives the H&S professional an increasingly important role to play at board level in order to ensure that organisations fully adopt the ERM/CSR/CG principles and processes. In so doing, organisations will find themselves moving towards the ultimate goal of continual improvement in all their business performance indicators, including continual improvements in their H&S management systems. It is clear that a 'tick-the-box' legal compliance approach will no longer suffice and will no longer 'protect' the organisation from its duty of care responsibilities.

It is imperative that H&S professionals understand and talk the language of the boardroom so that H&S management systems are accepted as part of normal business and operational processes. This ensures that H&S considerations are taken into account on a cost versus risk basis, so that the business case for H&S risk management is made using both sides of the cost versus risk equation. H&S professionals must be able to quantify both the cost of loss (i.e. the risk actually resulting in a loss) and the cost of risk prevention (i.e. the control measures) in economic terms. This approach is much more effective than just stating 'we have to comply with what the law says', which, inevitably, is a poor motivator, especially at board level. They need to view their organisation, or client organisations, as a complete system so that business processes that are implemented complement one another and are designed to ensure an integrated, consistent and non-duplicating approach. This approach is appreciated and welcomed by organisations as most are looking for flexibility and added value, not uncoordinated 'red tape'. Organisations respond much better to the use of business and commercially focused interventions, and can see the added value of good/best practice if it is explained in business terms.

Summary

H&S professionals need to work with an organisation to implement business processes that are integrated with normal organisational processes. If H&S processes are established as part of the way that the organisation operates, then H&S will be managed as a normal part of management and employee activities. Management and employees must be involved in the design, implementation and ongoing monitoring of these processes. The organisation's H&S professional should not be required to be the management systems policeman, but should focus on advising management and employees. This minimises the need for constant 'fire-fighting', thereby resulting in proactive resource allocation to ensure continual improvement.

John Stevens is Managing Director, Risk Frisk Ltd – www.riskfrisk.com and 0845 456 4136. John is a member of the IOSH National Consultants Committee and Chairman of the IRM Transport & Logistics Group.


Introduction

While every edition of Managing Business Risk reflects the growing pervasiveness of manageable risk in all aspects of business, each successive edition finds a new emphasis on topics of key concern that have emerged more recently. Previous editions have focused on the risks arising from the application of IT systems and software, and the threats to identity, databases and information security arising from the ever more intrusive internet, or from the failure to observe best practice in corporate governance, or environmental management risks.

This fifth edition of Managing Business Risk is organized around the core risk areas of management strategy, corporate concerns, operational management issues, IP management and the role of IT. In each of these areas the focus of concern has changed from the fourth edition.

In Part 1, the first three chapters are concerned with the identification and use of strategies for the management of key risks for business in 2008. I am grateful to the authors from HSBC Operational Risk, Ernst & Young and SAS UK & Ireland for their definitive contributions. They are strongly supported by contributions from BSI Standards, Thomas Miller Risk Management and Appleyards.

Part 2 focuses on corporate risks in the two areas of political risk and terrorism and reputational risk – both of critical concern today. On the latter topic there are two new contributions in addition to a chapter on corporate reputation from CIMA, who have written for the last two editions: one is from Cision on reputation and emerging communications technology, and the other from Corfin Communications on reputational risks for PLCs. Political risk is addressed by Control Risks and terrorism by Commercial Security International (CSi). Also in Part 2, on topics of corporate risk, there are important chapters from Siemens Insight Consulting, the Centre for Effective Dispute Resolution (CEDR) and Strategic Risk Partnerships.
Part 3 covers a spectrum of issues in operational risk management from eminent risk practitioners ranging from Lloyds Register Quality Assurance (LRQA), HSBC Operational Risk Consultancy, ICM Computer Group and SunGard Availability Services to CIPS, Norland Managed Services and XL Insurance Group. These topics are all of interest to the senior management of operating companies, particularly those engaged in manufacture and manufacturing services.


Part 4 is devoted exclusively to intellectual property risks and the five chapters are authored by experts from specialist firms practising in the field. Similarly, the three chapters of Part 5, which is focused on IT as a source of risk solutions, are provided by ICM Computer Group, SAS and Symbiant.

As always, my thanks are due to each author personally. The publishers and I also express our appreciation to the organizations that have sponsored this edition or taken advertisements in the book. Their participation makes high-quality publication possible at a competitive price.

Jonathan Reuvid

1 Risk Management Strategy


1.1 Enterprise risk management: breaking down the risk silos

James Dickson Leach and David Breden, HSBC Operational Risk Consultancy*

Risk management is as old as business itself. The basic principle of taking risk in order to gain reward is a fundamental tenet underlying all commercial undertakings. Over time risk management has evolved, and expertise has grown, from humble beginnings where the term 'risk' simply applied to losing money that was lent or invested by a firm, up to today's market where there are as many definitions of risk as there are risk practitioners (perhaps more). Businesses have meanwhile moved from basic 'common-sense' approaches used by employees every day up to an approach that can utilize large central risk teams or strict centrally controlled policies, in some cases with highly specialized modelling and forecasting teams working from thousands of points of data. In this move, however, companies have come across the same problems of scale that have had to be dealt with in many other areas (cash flow, reporting lines, etc) of business, whereby the specialist knowledge held in a specific team, or centrally derived rules and procedures designed to minimize risk, may not have the same relevance or acceptance in all areas of the business. This has led to segregation of risk management into several different areas. There are now areas of responsibility for different types of risk: generally day-to-day operational risks are managed by business units, with guidelines and written statements of practice from a central risk management function; strategic risk is handled by the board or strategic teams; special forms of risk such as market risk or credit risk in banking, or risks like the price of oil, or other products or supplies critical to the business, are handled by specialist analysts and software programs. This separation is a by-product of increasing sophistication; there is not the time or ability to train all employees, managers and directors in all forms of risk and risk management, at least not to the level needed by large or sophisticated companies today. Whilst this is not a problem in itself, issues do arise when the complete picture of the risks a company is running is not available to senior management as a result of this segregation. The next step in sophistication is to gain the ability to recombine these risk management practices and forecasts into one complete risk picture that can be communicated easily around the company, and allow balanced decisions about the overall risk profile to be made. This process of sophistication is illustrated in Figure 1.1.1 and is the philosophy behind enterprise risk management (ERM).

Figure 1.1.1 Growth of business and increasing sophistication of risk management (figure not reproduced; it shows three levels of increasing sophistication of risk management: locally managed; locally managed with central oversight and/or specialist teams; full integration into business management with input into corporate strategy)

We can look at the banking industry to provide an example of this trend. We do not have to go far back in history to find a race of bank managers for whom risk meant lending money to clients and a time when most decisions were taken by a branch manager who would also decide on commercial strategy for his branch within loose guidelines provided by head office. Only very large decisions would be taken by the specialist lending units responsible for affairs for geographic regions. Market risk was the preserve of a specialist treasurer whose responsibilities centred on ensuring that liquidity ratios were maintained and matching the maturity profile of deposits and loans. The result of this localized and unplanned management of risk was that banks became exposed to geographical and industry concentrations, and in an economic downturn all clients could be expected to suffer because there was no central control on the industry sectors to which money was lent. Since that time, lending has moved away from the local manager to a central function that can control the level of exposures to market sectors or geographical concentrations. It has developed credit scoring systems that reflect risk appetite in granting loans and remove individual judgement from such decisions. Market risk experts will control all aspects of company investment, and operational risk, whilst managed by all staff, will be controlled by central policies, procedures and guidelines. Risk has therefore been centralized into silos within the banking industry and is managed individually, but – as the 2007 sub-prime issue shows – the different types of risk interact. A problem in the credit risk market in the United States exposed a weakness in the strategic funding position of a UK building society and led to a Swiss bank declaring a loss in its market portfolio. This leads us to question whether we should not be taking a holistic view of the capacity for risk across the firm, and asking how much risk the firm is willing to take in each area of its risk profile, always considering how these risks are likely to overlap or aggregate.

*The views expressed in this chapter are the authors' personal views and do not necessarily represent the views of the HSBC Group.

Putting your risk management needs at the centre of our world. At HSBC Insurance Brokers we strive to provide our clients with the confidence and certainty to pursue their objectives. As one of the largest insurance broking organisations in the world, HSBC Insurance Brokers has the depth of knowledge to analyse complex situations from multiple perspectives and develop innovative solutions that proactively meet the specific needs of our clients. The Intelligent Alternative. Call: +44 (0)20 7991 2233 Email: [email protected] Web: www.insurancebrokers.hsbc.com

Issued by HSBC Insurance Brokers Limited. HSBC Insurance Brokers Limited is a Lloyd's broker and is authorised and regulated by the Financial Services Authority, Firm reference number 310240.
The flow of risk management from local and reactive action to centralized control in specialist silos is now moving towards a situation where risk has centralized management and is treated as an overall exposure.

Enterprise risk management

Enterprise risk management is a combination of, as well as an evolution from, traditional risk practices. In its highest form it is integral to the strategic and everyday practices of the company.

Components

Enterprise risk management goes by a lot of names, and has a variety of applications and methodologies, but whatever name it goes by, the idea contains certain key elements. These will usually include some form of framework for comparing and contrasting different risk types, a system for identification and assessment of risk, a method for risk quantification and mitigation and transfer options, as illustrated in Figure 1.1.2. Together these allow a clear risk profile of the organization to be compiled, which can be presented to senior management in order to prioritize management of those risks that the company feels need the most attention. Once that has been done, sophisticated risk solutions can be adopted, utilizing the strengths, capabilities and financial positions of both the company and third parties in order to optimize the risk profile of the firm.

Figure 1.1.2 Key elements of ERM (figure not reproduced; it shows four elements: identification and assessment; framework and monitoring; mitigation and controls; modelling and quantification)

Identification and assessment

When identifying the risks that the company runs, and especially those that are considered to be material, there is a lot of variation between different risk types. More importantly, risks can slip through the gaps. In much the same way that business units will not identify as significant some risks that might have a large impact on a parent group, separate risk teams may miss risks that, while unlikely or minimal in their field, can combine with others to cause major losses. For instance, a hedged position being left open overnight may not register to an operational risk team, but if it is combined with a volatile market or a market shock, the impact could be significant. Meanwhile the market risk team may not include this risk in their projections, as they assume that positions are all fully hedged in line with standard procedures. Equally, spills of non-flammable liquid at an oil refinery might not take a high priority, but in the same company's head office where members of the public might slip and fall, such incidents might be more serious. Often the key challenge of setting up an ERM framework is making it possible to count the risks that are more difficult to quantify alongside those whose impacts and likelihoods are easier to measure. This often essentially boils down to what a company or unit will find 'acceptable' as a risk, and what it will find 'unacceptable' in terms of both likelihood and impact. Such a concept is easily understandable when referring to losses occurring as a result of a risk that is assumed voluntarily, such as an investment or a decision to grant credit terms; for operational risks, which are assumed as a result of conducting normal business, however, the decision is more complex. How many internal frauds are 'acceptable', or what risk of employee fatality is beyond the 'appetite' of the organization? In such cases it is often helpful to speak in terms of risk tolerance and consider what scale of losses you are prepared to accept and at what level such losses begin to exceed what is tolerable.

Quantification and modelling
To evaluate the wisdom of investing in the mitigation or control of risks, or to assess the cost effectiveness of this spending, effective measurement of risk is a vital step. Without effective measurement, prioritization of risk management efforts is a much more hit-and-miss affair. Different areas of risk employ different modelling methods, and different levels of data are available; these methods might range from mathematical forecasting to scenario analysis. Internal sources of expertise, such as insurers' actuarial teams, energy firms' risk management experts and financial firms' market experts, should all be consulted as to the part they can play in generating meaningful analysis of the identified risks. Expanding this expertise, utilizing it and combining it with specialist consultancy or extra training for risk staff can reap huge benefits when planning responses to risk. ERM includes running larger scenarios of potential market downturns that can affect several business areas, and determining the inter-relations and correlations that might be found between different risks under the conditions described in the scenarios. These correlations should then be allowed for in modelling the complete risk profile. Equally there will be levels of diversification available, and these should be recognized. Finally, the creation of scenarios forces the breakdown of risk silos, as we consider the impact of an event across the boundaries of risk management responsibilities.

Mitigation and controls
A large part of ERM is the implementation and monitoring of the actions taken in the company to control either the likelihood or the impact of the risks it faces. This can range from internal controls such as health and safety procedures, fire prevention equipment, business recovery plans and backup facilities to the cost effectiveness and suitability of insurance programmes taken out by the company. The benefit of placing all of these disparate areas into an ERM programme is that not only is there a single point of risk management responsible for integrating the identified risks with their treatment; there are also possibilities for optimizing risk treatment, by recognizing synergies in the treatment of risk around the company. Having a clear picture of the risks faced by the company as a whole can also allow more sophisticated approaches to risk controls and mitigation. This can include solutions both on and off balance sheet: access to products such as dual trigger insurance, captive insurance companies, equity and bond issues, subordinated debt or organizational risk management.


It is important in ERM to get behind the risks identified in the different areas to see what really drives the risk exposure of the company. For example, the actions of Nick Leeson (the Barings Bank rogue trader) would not have proved fatal for the bank if the Nikkei index had not moved violently against his positions due to the Kobe earthquake. Whilst the Barings case effectively highlights the need to ensure that essential control frameworks are enforced, the fatal market movement illustrates the need to identify and monitor such drivers, rather than taking a simple blanket approach. Controls and mitigants targeted at material risks are always a more effective use of capital for a company than unfocused approaches, which may result in overconcentration on frequently occurring, well-understood risks whilst potentially fatal, difficult risks are ignored.

Framework and monitoring
Risk silos exist for a reason, and expertise in these areas should not be wasted or diluted by the ERM message; rather it should be utilized where necessary to help the ERM manager. The running of a successful ERM programme may well depend on the ability to bring these disparate groups together, and gaining a knowledge of their work will be vital for the aspirant ERM manager. Communication between those responsible for managing each silo can facilitate the sharing of experience and good practice in terms of risk identification and the selection and execution of risk mitigation. Risk reporting allows all risks to be on the right people's agendas, together, rather than being reported in separate silos. In other words the risk management framework and process is consistent across risk types, but the way you manage and measure the risk will vary in line with the characteristics of the individual risk.

Combined risk profile
Once the risks in a company have been evaluated, a full risk profile can be generated. Using the compatibility established by a common framework, there is easy visibility across the risk types of those that are most significant for the company. Such a report should also concentrate on areas where future action can be taken, along with the costs (opportunity and realized) that can be associated with risk reduction activities. The combined approach should ensure that no major sources of risk are overlooked, as well as allowing double counting to be eliminated where risks are being covered by more than one set of controls. This should allow significant streamlining of the risk and control functions of the business as well as encouraging business unit buy-in, as the report can be a transparent view of the units' risks. It can also encourage the elimination of needless controls. Risk management is not always about increasing levels of control, and the risk assessment should enable firms to identify redundant or excessive control structures. Used in this way, ERM forecasting from the risk profile can outline options for the future direction of the business, as well as flagging the 'red flags' or areas where large amounts of risk are being run, possibly for little gain.


Every organization has an appetite for risk; some are very risk averse, while others choose to run risks in order to maximize profits. The risk appetite will be affected by many factors unique to each organization, and matching the risk appetite to risk exposure is the principal aim of enterprise and operational risk management. The key step here is that before the risk exposures can be matched to levels of risk tolerance, both must be measured. Companies may be holding more risk than they realize if they do not have a robust system of risk identification and measurement in place. Risk tolerance is often the easier of the two areas to measure, as it can be based upon guidance from the board. Alternatively it can be derived from analysis, for example by stress testing the balance sheet to find out what size of loss could cause a crisis in the company, or whether a ratings downgrade would force the company into a much more expensive level of debt servicing. Culture and reputation also have their own effects on risk appetites, with few large companies these days willing to run the risk of negative press exposure, no matter how small the initial monetary cost may be. An organization's risk appetite should be informed by and respond flexibly to risk management, identification and modelling, as all of these together form the enterprise risk management philosophy of the company. This philosophy cannot be set in stone, as changing internal and external situations vary the risks being run, and in turn the response to these risks. A large part of this is the comprehensive understanding of the risks run by a company. Identifying and managing these risks allows the organization to better understand its own structure, and the derived management benefits can be remarkable.

Enterprise-wide scenarios
Earlier, the use of scenarios in ERM was mentioned; three examples are given below. When scenarios like these are used, the ERM manager or unit should draw on their previously established processes and in-house expertise to bring together a group of experts from within the business who can identify, assess and quantify both the risks faced by the company in the scenario and the effectiveness of the controls, mitigants and proposed plans for dealing with them. Scenarios can also be run in non-extreme risk situations, as forecasts for possible future strategies, covering future variation that might be expected in key markets or the launch of a new product range or area. These scenarios, along with those more focused on traditional risk exposures, can help shape the future direction of the company, thus ensuring that ERM benefits the company and is not simply seen as a needless expense.

Mergers and acquisitions
Enterprise-wide scenarios might be run in the situations outlined below. When dealing with new purchases or bringing two or more companies into line, there is increased risk to the firm from sources as diverse as increasing operational risk exposures from the changing of systems between the companies, loss of key personnel, and increased liquidity and debt risk as funding for the deal is paid down (see below). If such losses are frequent or substantial, stakeholders may begin to question management's ability to handle the merged entity, so tolerance of such losses is likely to be reduced. This is illustrated in Figure 1.1.3, which shows the changes in the risk exposure of a business during a merger or acquisition.

[Figure 1.1.3 Changes in risk exposure brought on by mergers and acquisitions. Chart labels: Merger or Acquisition; Synergy building; Bedding in; Spreading best practice; Future Acquisitions; Financial risk; Non-financial risk; Net risk capacity; Total risk capacity. Annotation: "Negative Risk Capacity exposes the business to Catastrophic Consequential Losses from even small loss events".]

Worsening market conditions
When margins are under pressure, the ability of a company to sustain losses will be compromised, leading to the need to reduce the risks being held in the company.

After a large loss
After the occurrence of a large loss in the business, the recovery process will often place strains on the remaining business resources, increasing the likelihood of other risks occurring at precisely the point when a company can least afford another loss. The avoidance of these consequential catastrophic losses is vital; a ratings downgrade triggered by a large loss can increase the liquidity risk of a company, as more cash is required to service any debt. Taken on top of the effects of the first loss, these events can prove devastating. As such, risk management and mitigation should be a major focus in all areas of an organization following a loss.


ERM addresses this by making someone in the company aware of all the risks that are being run by the company, and those that are recognized and being controlled by the different areas. Once this has been done, uncovered areas of risk or areas that could be covered more effectively can be investigated in order to make the best use of the capital invested in risk mitigation. This can also include surveys of current insurance programmes, business continuity, or disaster recovery plans and control systems.

Conclusion
ERM is only as effective as the willingness of the company's senior management to embrace it. That said, there is no single methodology that must be adhered to; rather, the approach taken must be customized for each company. There is a definite philosophy behind the willingness of a company to treat its risks in a coherent and joined-up manner, and to allow these risks to influence the actions of the company, from an individual process right the way up to board level. ERM can offer serious insight into the risk universe faced by a company, as well as the approaches currently being taken to manage those risks, future plans for management, and possible risks associated with the company's strategy.


1.2

Strategic business risk 2008: the top 10 risks for business Fiona Sheridan, UK Leader, Risk Advisory Services, Ernst & Young LLP

Risks are inherent in every forward-looking business decision, be it expansion into new territories, buying and integrating a new business, re-engineering a supply chain, or adopting new staffing models or technology. Successful risk management, therefore, should be an integral part of an organization's strategy planning and operational delivery capability, and is an important dimension of good business management practice. But strategic risk is often considered at such a macro-economic level that its implications for action by management can be missed and not acted upon, which may have devastating effects. A great deal of work has been done in the area of risk management in recent years, partly in response to legislative and regulatory pressures, and to operational failures. Many companies have invested significant resources globally in risk and compliance initiatives, with much of the focus on financial and regulatory risk. Our experience suggests that there is a growing awareness that strategic risk can be a dangerously quick and permanent destroyer of corporate value (think, for example, of some of the recent large corporate failures or severe losses in stock market value). Equally, strategic risk management has not benefited from the investment and developments in other areas of risk management. This could mean that an organization is unintentionally exposing itself to strategic threats – and missing an opportunity to drive competitive advantage by taking strategic risk-based decisions.

Many large organizations have multiple risk-governance processes and infrastructures amongst various corporate and business units. These have sprung up over time, as needs dictated, and often operate in silos, leading to substantial inefficiencies. How many of these risk processes provide real insight to leaders to support their decision making as they develop and sign off their strategic aspirations? How many of these ensure that short-term and further-off risks are considered, that risk-adjusted decisions are made and that measures are put in place to ensure that initiatives deliver to promise? These processes may prove insufficient to meet the demands placed on them by:
• global competition;
• increasingly broad and demanding stakeholder expectations;
• the need for real-time, comprehensive, enterprise-wide risk insight for management and the board.
We have coined the term 'risk performance' to assist organizations both to keep out of trouble and to make their business better.

The top 10 risks for business
To assist companies in challenging their view of, and approach to, strategic risk, Ernst & Young have worked with Oxford Analytica, an international consulting firm, to interview more than 70 analysts from around the world and from more than 20 disciplines, including business strategy, law, finance, the sciences, geopolitics, regulation, medicine, economics and demographics, to develop a picture of the main global strategic risks for 2008. In addition, we have identified specific strategic risks for 12 different sectors:
• asset management
• automotive (auto)
• banking and capital markets
• biotechnology (biotech)
• consumer products
• insurance
• media and entertainment
• oil and gas
• pharmaceuticals (pharma)
• real estate
• telecommunications (telecoms)
• utilities

Industry panels rated the severity of each risk issue on the basis of the likelihood that a risk issue would either lead to severe financial loss, or undermine the competitive standing of the leading firms in the sector. We consolidated the findings from the industry sectors to produce a ranking of the 10 most important strategic risks across all sectors.


The Ernst & Young Strategic Risk Radar is the result, and it is designed as a key tool to assist management in identifying and prioritizing strategic risks, and rating the loss impact and the competitive impact. The risks at the centre of the radar are those our panels believed will pose the greatest challenges to businesses globally. Those on the outer edge are of slightly lower priority, but this may change over time. We also report on the five risks that did not appear among the top 10 (though only by narrow margins), but may emerge at the top of the risk tables in years to come. The Ernst & Young Strategic Risk Radar (see Figure 1.2.1) monitors three key components of strategic risk:
• macro threats that emerge from the greater geopolitical and macroeconomic environment;
• sector threats that emerge from trends or uncertainties that are reshaping the industry;
• operational threats that have become so intense that they may impact the competitive performance of leading firms.
Using the Ernst & Young Strategic Risk Radar, it is possible to challenge your view of and approach to strategic risk, for example:
• How does your company identify, assess, manage and monitor strategic risk?
• Who has accountability for managing these risks in your business? How visible is their active management?
• Are senior management able to identify their strategic risk radar? What would it look like for your business?
• What is the quality of information being shared in the business and with those in an oversight role, such as the Audit Committee, on strategic risk?
• Who keeps an eye on the risk 'horizon'?
• How is risk assessed in relation to strategic option evaluations?
The remainder of this chapter explores the top 10 risks in more detail and their implications. The 12 sector reports can be found by visiting www.ey.com.

Regulatory and compliance risks: the greatest challenge
The industry analysts we polled selected regulatory and compliance risks as the greatest strategic challenge facing leading global businesses in 2008. This risk's top position was driven by an escalating regulatory burden in many markets, and compliance challenges as companies extend their value chains well beyond Europe, North America and the BRICs (Brazil, Russia, India and China). The possibility of regulatory intervention in sectors such as pharma, biotech, insurance, telecoms and utilities is further increasing this risk. Such intervention could shape the competitive environment and drive fundamental changes in business models. One telecoms analyst wrote: 'Regulation has a tremendous effect on the competitive landscape, not only between incumbents and new entrants, but between countries.'

[Figure 1.2.1 The Ernst & Young Strategic Risk Radar: the top-10 strategic threats for global business in 2008. Radar segments: Macro threats; Sector threats; Operational threats. Risks plotted: Regulatory and compliance risks; Global financial shocks; Ageing consumers and workforce; Inability to capitalize on the emerging markets' rise; Inability to respond to industry consolidation/transition; Energy shocks; Poor execution of strategic transactions; Cost inflation; Radical greening; Consumer demand shifts. The Next Five: War for talent; Pandemic; Private equity's rise; Inability to innovate; China setback.]

Compliance challenges are particularly strong in highly regulated industries such as banking, insurance, pharma and biotech, with a continually increasing regulatory burden. One banking panellist noted: 'Banks are experiencing significant fatigue around managing the myriad of often redundant compliance and regulatory reporting activities, the cost of which is massive and burdensome.' As a result, we believe companies may seek risk-convergence initiatives that allow them to coordinate the various risk and control processes, reduce redundancy and so drive down costs, and, perhaps most importantly, achieve more comprehensive enterprise-wide risk reporting to senior management and the board.


Other industries, notably auto, oil and gas, and the utilities sector, are experiencing increasing compliance requirements driven by global warming concerns. Global warming is also driving tighter compliance through supply chains, notably for retailers. As companies become more and more global, compliance is becoming a greater challenge, forcing them to manage diverse regulations in different markets. A specialist in business strategy noted: 'Managing regulations in 10 jurisdictions is one thing. What happens when a firm has significant markets in 30–40 countries at varying levels of development and with very different regulatory traditions?' Understanding local regulations as well as major global industry regulations is crucial to those companies expanding their global reach.

Global financial shocks: a risk experienced
The second greatest risk to emerge from the study is the risk of global financial shocks, with the 2007 worldwide credit crunch providing a real-life demonstration of how highly contagious such shocks can be across sectors and, indeed, globally. Other analysts were worried about crises spreading from alternative investment vehicles such as hedge funds or private equity, where high-profile failures of some investee companies could lead to a loss of confidence among investors and lenders. Analysts were concerned that the sustainability of financial sector growth was more fragile than markets recognized, with a potential for dramatic fallout from excessive leverage. In the future, continued financial innovation – which tends to disperse risks, and as a consequence makes the detection of potential shocks more difficult – is likely to increase the potential for financial shocks.

Ageing consumers and workforce: the quiet surprise
The third-greatest strategic risk for leading global firms is the threat posed by workforce and consumer ageing. A number of industries are experiencing dramatic shifts in consumer demand – often dramatic growth – as a result of rising average ages in Europe, North America and Japan. Sectors most affected by these shifts include pharma, biotech, consumer products, insurance and asset management. Leading companies could lose their competitive edge if they cannot effectively respond to these new opportunities, and many will need to have an aggressive approach to key competitors that may increasingly come from outside their sector. The other strategic challenge posed by an ageing population is the need to replace ageing workforces, which can present a challenge to firms seeking to maintain their skill bases. And the woes of the US auto industry, weighed down by pension and healthcare costs, illustrate a third risk aspect associated with ageing workers and retirees – the human resources challenge.

Emerging markets: the risk of failure
The fourth strategic risk is a threat to competitive standing: the inability to capitalize on the emerging markets' rise. While many companies have been in these key emerging markets for some time, emerging markets remain dynamic for developed market companies. Companies are entering these markets in search of opportunities for market growth, or are being driven to them by the saturation of existing markets. An analyst in consumer products commented: 'Over the next few years nearly all the increase in world population will take place in developing countries. In the meantime, other established markets will reach maturity.' Strategically, global firms are finding a source of competitive advantage in their supply chains, where value is added from using countries with a lower cost base. On the downside, global expansion into foreign and/or emerging markets has always carried with it traditional threats, such as currency, operational, regulatory, language and cultural risk. Recently, the risk of falling foul of worldwide anti-bribery and corruption legislation whilst operating in emerging markets has intensified. More active worldwide enforcement of the Foreign Corrupt Practices Act (FCPA) by the US authorities has resulted in large numbers of investigations and fines, which are only exacerbated by damage to reputation and broader corporate financial health.

'Only 41 per cent of developed market companies have a risk strategy for emerging markets, with more than half (56 per cent) saying that no strategy is in place.' Ernst & Young, Risk Management in Emerging Markets study, October 2007

'In the near future, banks will not be able to say they are global unless they are a major presence in China, India and a few other countries, because these emerging markets are going to be a major source of financial sector revenue and profit growth on a global basis.' Keith Pogson, Partner, Global Financial Services Team, Ernst & Young

Consolidation and transition: a constant refrain
The fifth strategic risk is the inability to respond to industry consolidation and/or transition. Part of the consolidation phenomenon has been driven by the global M&A boom, which several analysts believe may be slowing down. However, transition is likely to continue, with sector influences shaping the nature of the transitions: an example is auto manufacture, where the location of production capacity is shifting closer to the location of demand growth in new markets. In asset management, large firms that drive down costs and target mass markets are countered by smaller 'boutique' firms targeting better than market returns. Other industries, notably banking and telecoms, may continue to merge.


Energy shocks: more than just keeping the lights on
In ranking the risk of energy shocks in sixth place, the analysts recognized that no leading global company is immune. Fluctuations in energy prices and access to supplies pose a clear challenge to the energy industry, including oil, gas and utilities. However, beyond the energy industry, a large swing in prices could also trigger economic shocks that could impact sectors such as insurance, consumer products and real estate. Various potential causes of such energy shocks were noted, including a US strike on Iran, a breakdown in relations with Russia, contests for control of 'strategic' energy supplies, or action to disrupt shipping through one of several key maritime choke points.

Executing transactions: the risk of a plan failing
Transactions undertaken in response to industry consolidation or transition may fail to deliver, not because they are poorly conceived, but because operational challenges are not met. This risk of poor execution was ranked in seventh place by our analysts, particularly in the auto, asset management, media and telecoms sectors. Stakeholders expect M&A to deliver rapid bottom-line benefits as a result of synergies, but post-merger integration is often slower than expected in respect of people, processes and technologies. And, although mega-mergers dominate the headlines, excellent execution and integration of small, highly strategic mergers can have just as great a competitive impact: for example, acquiring innovation or highly specialized personnel.

Cost inflation: a centrepiece of competitive strategy
Renewed volatility of raw material prices has helped cost inflation re-emerge as a strategic risk, ranked eighth by our panel. In consumer products, companies are being squeezed between these rising costs on one hand and a base of retailers with strong buying power on the other. In oil and gas, cost inflation has impacts all the way through the value chain, from exploration to pipeline construction costs and refinery build. Other industries are seeing cost become a centrepiece of competitive strategy, where the best performing companies are those that control costs by achieving overall scale, or scale of products via specialization.

Radical greening: competing to meet consumer demands
The pace and extent of the new 'green revolution' in consumer behaviour and regulation is hard to predict – some firms will get the right fuel mix, real estate portfolio, or carbon footprint, while others will go either too radically green or, more likely, not green enough, with substantial competitive impacts. This brings radical greening onto the risk radar in ninth place. In the short term, going green is expensive, but could pay dividends if consumer tastes and regulation shift quickly.


'This issue of climate change extends beyond just managing regulatory risk. Climate change and the regulatory and consumer response must be seen as a fundamental strategic challenge. We can expect a future of carbon labelling on products, carbon trading worldwide and tight regulation and heavy taxes on carbon.' Jonathan Johns, Partner, Infrastructure Advisory – Renewables, Waste & Clean Energy Group, Ernst & Young

Consumer demand shifts: a challenge to all
A demand for 'green' products or services is one example of a shift in consumer demand, but there are many other trends that have already been mentioned, including those driven by demographic shifts, such as growing consumer ageing. The general theme across all sectors was the strategic challenge posed by consumer empowerment, and so our final strategic risk for business is the failure to anticipate and respond to consumer demand shifts. For instance, in media, consumers are controlling the decisions about the content they receive and how they receive it, driving the content and distribution channels. In autos: 'Increased interest in customization of products requires a shift away from mass-production philosophies.' Factors such as the web, deregulation of markets and globalization will lead to a rise in demand for individualized and customized purchase experiences. As technology continues to expand, this challenge may well move up the radar from its current tenth place.

The next five
Following these 10 top threats to global business comes a long list of risk issues with impacts that are – although perhaps less strategic – nonetheless crucial in a number of sectors. Any or several of these 'next five' could easily rise into the top 10 in the near future.

War for talent
The well-publicized war for talent is already having serious impacts in some sectors, notably oil and gas, asset management, real estate and pharma. Analysts are worried that growth in emerging markets would mean companies may no longer be able to draw talent from those markets. And it was noted that talent tended to concentrate and cluster, leading to increased wage costs, property costs and competition for expertise.

Disease pandemic
The lingering risk of a disease pandemic with market, economic and operational impacts is still significant and would have dramatic impacts in nearly every sector. There would also be more subtle consequences, including a dramatic shift in consumer demand that could have large competitive impacts on the pharma and biotech sectors.


Private equity's rise
The third threat of the 'next five' is private equity's rise. Its impact has already been felt in many sectors, driving restructuring and accelerating the rate of change. Companies have had to re-evaluate their competitive positioning in the light of this wave of M&A activity. But as alluded to in the second 'on the radar' risk, a global financial shock might act to curtail private equity activity.

Inability to innovate

Less well-known but equally critical is the inability to innovate. In a number of sectors, long-standing patterns of innovation are changing, leading firms to replace internal innovation with an acquisition-based strategy. As markets mature, innovation becomes a greater challenge; however, the risk of failure is high, with 9 out of 10 new products failing.

A China setback

Finally, there is a lingering risk of a China setback. Like concerns about the stability of the US dollar, concerns about the stability of China’s rise reflect the country’s increasingly central position in the global economy. A growth slowdown in China would impact on oil, gas and mining companies. A Chinese financial crisis could bring turmoil to markets and banks and insurance companies with large China exposures. Political instability in China or regions bordering it could seriously threaten global supply chains. Like some of the other strategic risks identified, this risk can present some opportunities for substantial financial and competitive gains if anticipated and managed effectively.

Conclusions

The top 10 risks on the Ernst & Young Strategic Risk Radar and the five just below it are not predictions, but considering them can help companies to challenge their own capability and be better prepared. Many of them also offer significant opportunities, where companies have the potential to reap large rewards by addressing the risks better than their competitors. Properly approached, the process of strategic risk management can add value, even when the event, fortunately, never happens. For example, Ernst & Young worked with a client concerned about the impact of avian ’flu on their business. Working through scenarios and impact analysis, it identified numerous opportunities to tighten processes and controls that have built sustainable protection for them. Nevertheless, while some global companies are addressing these risks, another recent global Ernst & Young study¹ found 42 per cent of global companies still had identifiable gaps in their risk coverage. The risks on the Strategic Risk Radar are a snapshot in time, but risks constantly change. In a global economy, company leaders need to keep an open mind about where risks can come from. To cope with the changing risk landscape, the leading practices we see suggest a risk assessment should be conducted at least annually and should cover strategic risk, as well as operational, financial and compliance risk. However, our research¹ shows many companies carry out these assessments with insufficient frequency and in many cases without the right people considering strategic risk. The risk assessment should also evaluate the organization’s ability to manage and respond to the risks identified; relevant factors include the existence of effective early warning indicators, decision-making processes that explicitly balance risk and return, robust programme delivery of strategic initiatives and, in case the risk does materialize, scenario planning and operational response plans to mitigate the loss. All of these need to be wired into management’s ‘performance dashboard’ to ensure real-time monitoring of events. A radar is a key tool for protecting one’s position, as well as for advancing it, but only if it receives the right inputs and is then acted upon. Companies will be better placed to reap the benefits of global opportunities if they: look outside their daily operations to predict potential strategic threats and opportunities; understand the inter-relationships of risk around their operations, markets, finance, trading, suppliers and customers; take a global view of their enterprise risk management capability; and look to truly manage the strategic risks to their business.

Note

1. Ernst & Young Global Internal Control Survey: From Compliance to Competitive Edge, New Thinking on Internal Control.

Copyright 2007, Ernst & Young LLP. All rights reserved. Information in this publication is intended to provide only a general outline of the subjects covered. It should neither be regarded as comprehensive nor sufficient for making decisions, nor should it be used in place of professional advice. Ernst & Young accepts no responsibility for loss arising from any action taken or not taken by anyone using this publication.

1.3

Enterprise risk management and the role of technology: the answer to and cause of all our business problems

Bart Patrick, SAS UK & Ireland

Risk means different things to different people. On a basic level we are either risk seeking or risk averse; very few people are risk neutral, the state between risk seeking and risk averse. The same goes for many businesses: some are seen as conservative, others as groundbreakers; few would be seen as neutral. But with the change in economic climates the drive is for risk neutrality, where an organization should have neither too much nor too little risk. Research into enterprise risk management trends, conducted by SAS and Chartis, highlighted a number of factors that are driving the desire of organizations to be risk aware and thus reach the ultimate goal of being a risk-based enterprise. Table 1.3.1 lists the factors identified in the research.



Table 1.3.1 Factors driving risk aversion

Driver: Corporate governance and regulatory compliance
Reason: Regulatory, government and professional bodies continue to press for more transparency and consumer protection.
Impact: Increasing local and regional regulation is leading to a fragmented global understanding of risk.

Driver: Risk trading
Reason: You can trade nearly anything now with the massive growth in the derivatives markets.
Impact: Risk management is not just about protecting the existing value of the company but also about implementing systems to help risk shape value.

Driver: Financial crime
Reason: Risk is all about managing liquidity effectively, using assets to their best advantage. In order to maximize this, losses and leakages need to be minimized. It is also the case that reputation is the most precious commodity of any business, and minimizing the risk to this is of paramount importance.
Impact: There has been a huge growth in fraud management systems, sophisticated modelling and a demand for speed and accuracy.

Driver: Risk-based performance management
Reason: Increased use of performance measures is needed to drive the business away from just being compliant into risk-based performance.
Impact: There is greater investment in methodologies, processes and systems.

Driver: Breaking the silos
Reason: The traditional silo-based approach does not deliver value to the business. This needs to take into account changes to people, process and systems.
Impact: There is a drive to a joined-up approach to risk management and a retooling of existing systems to achieve this.

Source: SAS and Chartis Research – June 2007


This research identified the key drivers for companies seeking to achieve enterprise risk management. More and more, the multi-vendor, multi-geography and multi-programme approach is seen as unsustainable. So how do firms achieve this enterprise risk management goal? This chapter discusses the elements requiring attention to succeed in achieving true enterprise risk management.

What is enterprise risk management?

The definition of what comprises ‘enterprise risk management’ (ERM) has been discussed by leaders in the risk management field for a number of years, yet little progress seems to have been made in achieving this elusive nirvana. The definition we will use here is: an activity that ‘creates a risk-based approach to managing an organization’s operations, strategy and controls’. To achieve enterprise risk management a company must work across three dimensions simultaneously, as illustrated in Figure 1.3.1. This is an overlapping picture as all these factors have an influence on the others.

Figure 1.3.1 The tri-dimensional approach to ERM (three overlapping dimensions: People, Process, Systems)

People

People are the most critical dimension of enterprise risk management. Without the support of staff and a general understanding of risk, no enterprise risk management programme can succeed. These changes need to occur across:

• Culture: How does your business function? Is it conservative or risk seeking in nature? Are change management programmes an accepted norm in the operation? How will staff respond to moving to a more risk-based approach? Do they see and understand the benefits of changing activities to working in a risk-tempered environment? Are your employees used to change?

• Competencies: There is a shortage of good risk professionals in the market. Does your business have sufficient expertise internally to cope with a move to a risk-led business? Do the current staff have the understanding of risk and how to use the tools available to leverage risk in delivering business decisions? Can you train staff or outsource the risk management discipline?

• Creativity and entrepreneurship: Risk is not just downside. It must be used to deliver returns, so once risk levels are ascertained, the question to ask is: ‘Do we have the creativity and the entrepreneurial skill to take advantage of this opportunity?’ For instance, it could be said that the leveraged buyout (LBO) of many companies has occurred when financiers have realized that a target company could support additional risk in terms of credit, and have then used this credit to buy the company. Crucially, they have also realized that the management of the company has the capacity to be more entrepreneurial/creative in driving additional value from the company.

• Cost: How much will it cost you to re-skill people or to buy in the necessary skills? Will the cost of change and new staff outweigh the benefits?

People are the first element of risk appetite, defining the culture of a company and how this culture views risk. This includes all stakeholders, but in particular shareholders and senior management who control the destiny of the company.

Process

Does your business process cause, alleviate or compound risk levels? Many organizations have grown organically over time, and many risks can be found in the daily morass of process. Processes remain unchanged over time because unless a process is challenged by people, regulation or financial considerations it will remain in place. Individuals will uncover areas where process can change, if only the right balance of risk personalities exists.

Risk personality and process

As Figure 1.3.2 demonstrates, each business needs to have a balance of these risk and process types in order to function. Process will influence the ability of a company to manage risk, defining, along with people, the dimension of corporate risk appetite.

Regulation and process

Over the last decade the rate of change in terms of regulatory scrutiny has accelerated. Everything now seems to be subject to some form of regulation and many companies have struggled to keep up with this. As such, regulation has been a prime mover in accelerating process change across industries, sectors and geographies. The issue here is not the individual regulations themselves but the ability of companies to use them as catalysts for change.

Figure 1.3.2 Balancing risk and process types (a two-by-two grid: risk seeking/risk averse against process averse/process seeking)

Risk seeking, process averse: Individuals who may be seen as disruptive and outwardly ignoring process may be the best indicators of good process (ie, the ones they use).

Risk seeking, process seeking: Individuals who wish to use process to achieve their own ends, and will pick and choose which processes to follow.

Risk averse, process averse: Individuals who are conservative and feel existing processes are risky, and so are unwilling to follow them, are the best indicators of bad process.

Risk averse, process seeking: Individuals who always follow procedures as they see them as a protective shield are the most difficult people to get to adopt new procedures.

The regulation continuum

The reaction of companies can be positioned on a regulation continuum (see Figure 1.3.3). This influences the ability of the company to change and can drive long-term stagnation or competitive advantage. This is not to say that regulation should be the sole driver of entrepreneurial activity, but it can be used as a catalyst to drive through a change process. With the ever-increasing tradability of all types of debt, commodity and business, the potential to dynamically adjust the risk mix of any company has never been greater. All that is required is the ability to measure risk in a quantitative manner. This is where systems come in.

Systems

Supporting people and process are systems. During the review of a firm’s portfolio of risks, existing systems can aid or hinder the process. While enterprise risk management coverage can be considered expansive, the Risk Systems Pyramid in Figure 1.3.4 below presents an overview of the key building blocks and a road map for the enterprise risk management journey. The technology process to achieving enterprise risk management starts at the base of the Risk Systems Pyramid. The basic building blocks are data that is managed by a robust extract, transform and load facility to obtain, cleanse and store the required data regardless of where it resides now.

Figure 1.3.3 Risk appetite + liquidity = risk capacity (the regulation continuum: stages of Denial, Compliance and Advantage, each with attitude, actions and outcomes)

Stage: Denial
Attitude: “Our current processes cover us for this regulation”
Actions: None
Outcomes: Panicked late changes to become compliant; loss of market share; process friction leading to higher compliance costs; poor process and system selection leading to long-term disadvantage; difficulty making up lost ground on market leaders; poor staff relations as the onus of achieving the panicked changes falls on them.

Stage: Compliance
Attitude: “We have made changes to our process to follow the letter of the compliance regime – it is an expensive necessity”
Actions: Practical systems enhancements to meet the “letter of the law”; siloed processes by geography/business unit put in place.
Outcomes: Cost minimization approach; siloed changes; process friction; stagnation; increased long-term costs to catch up with market leaders who used compliance as a change catalyst.

Stage: Advantage
Attitude: “We view compliance as a key driver of change and use this to create competitive advantage”
Actions: Complete review of people, process and systems; early change programmes designed to maximize revenue opportunities.
Outcomes: A better perspective of cost/benefit; linked-up systems and opportunities to create process efficiencies; ability to trade across platforms and markets; the ability to generate superior returns from trading efficiencies; better way of clients and markets.

Figure 1.3.4 The risk systems pyramid (business focus at the apex, technical focus at the base; the roadmap runs upwards from the base)

Stakeholder ERM and EPM; internal and external reporting across markets/sectors (CEO, CFO, CRO, all)
Economic and regulatory capital management (CFO, CRO)
Risk silos (CRO, actuaries, compliance, money laundering officer): insurance risk (claims, rate-making, loss reserving); credit risk (CRMS, credit scoring); market risk (VaR); operational risk (loss data; fraud – internal, criminal networks, FMCP); risk dimensions; monitoring
Enterprise intelligence platform – DI, storage, analytics, BI, XIS (for banking, insurance, comms), audit, data quality (CRO, CIO)

Key
ABM – Activity-based management
AML – Anti-money laundering
BI – Business intelligence
CRMS – Credit risk management solution
DI – Data integration
EPM – Enterprise performance management
ERM – Enterprise risk management
HCM – Human capital management
Ins. – Insurance
IRR – Integrated regulatory reporting
KYC – Know your customer
MiFID – Markets in Financial Instruments Directive
Op. – Operational
SOx – Sarbanes-Oxley
SPM – Strategic performance management
TCF – Treating customers fairly
VaR – Value at risk
XIS – Cross-industry solutions

At this level, the emphasis is on understanding from a business perspective the right sources of data and ensuring the quality of the data. Without ensuring data relevance and accuracy, the higher levels of risk management cannot be achieved. As shown in the Risk Systems Pyramid, firms will typically operate separate credit, market and operational risk silos. Building on the risk silos to meet the next level of economic and regulatory capital management is often the stage that most firms stall at, as in the end this requires new techniques and breakdown of the silos to succeed.

The siloed risk approach

The first historical stage of enterprise risk management involves the tactical insertion of local and regional operational, market and credit risk systems. Typically these systems are installed for a number of reasons:

• compliance;
• loss reduction;
• reputation.

Compliance is by far the most powerful driving force, as the threat of fines, or in extreme cases custodial sentences, has the effect of focusing the minds of senior executives. Compliance drives regional silos. In the United States, compliance is state led, with Federal regulation over this. In Europe, governments make their own regulations, which are again overlaid by EU regulatory requirements. Local jurisdictional variations will lead to local solutions being deployed.

Loss reduction concerns all types of losses, financial and physical, and each sector is subject to its own loss types. Operational losses can be reduced by having a robust management system for operational risk. Many losses occur due to local or regional conditions. Again, no one solution can be applied globally to this, with the regional nature of business leading to a range of approaches. As companies have consolidated, the regional solutions have, to a large extent, remained.

Reputation protection is a potent driver for risk management. The long-term viability of a firm can be damaged more by the cost of losing its reputation than by the direct, obvious financial losses it may suffer. For instance, an investment bank recently declared one of its funds ‘worthless’ and another fund ‘vulnerable’. The bank has suffered a fall in share value of 15 per cent since these announcements. All of this is related to reputation, and the bank’s reputation was damaged by a surplus of credit and market risk that was not managed.

The outcome of a siloed approach

Over time, these driving forces create a myriad of risk systems, processes and capabilities that create inertia within an organization, obscuring an enterprise view of risk. At this stage organizations have migrated to the second level of the Risk Systems Pyramid, having a number of complex market, credit and operational risk systems, none of which are designed to be integrated with each other. Importantly, a siloed approach to risk can deliver regulatory compliance in a ‘tick in the box’ manner, without ever providing an understanding of the overall levels of risk an enterprise runs. The siloed approach also prevents companies using risk as a tool to guide investment strategies, in three different situations:

• when excess liquidity exists that can be used to create returns;
• when insufficient risk is being taken by the business in support of its business goals;
• when an investment decision is guided by the risk profile of this investment.

Risk systems

Risk systems have increased in popularity as a solution to compliance issues for several reasons:

• IT now has the power to run millions of calculations across huge volumes of data.
• Accessing data is less of a problem than it has ever been before, and most databases can be read by third-party systems.
• We are on the edge of usability of first-generation risk systems; this is driving the investment in and development of second-generation risk systems that can cope with increased product and data complexities.
• Second-generation risk systems offer the power to deliver an enterprise-level view of all risks.

What areas need to be covered?

When considering the range of risk systems that supports the business, a complex picture emerges of data capture, analytics and reporting. Figure 1.3.5 shows a picture of the range of risk systems typically available to a company. These cover qualitative (question and answer) and quantitative (data-crunching) analysis across a range of scenarios, aggregated into an accessible and understandable view of risk intelligence available to the various levels of executives and staff involved in the measurement, management and monitoring of enterprise risk.

Where risk systems impact the business

Table 1.3.2 below reviews each of the five impacts identified in Figure 1.3.6, which together influence the ability of the organization to deliver risk-driven performance improvements. Systems can have a beneficial effect overall; however, this is only achievable in the context of the changes to people and process that support the move to enterprise risk management.

Conclusions

IT systems perform a significant role in supporting the goal of enterprise risk management. They bring together qualitative and quantitative data into a cohesive and understandable format. This data can be used in a number of ways:

• to influence the future strategy of the business;
• to change business processes for the better;
• to aid the management of the risk profile of the business.

Figure 1.3.5 Range of risk systems available (risk intelligence, risk governance and performance management sit above the following system groups)

Market risk: stress testing; scenario analysis
Credit risk: credit risk; credit scoring
Operational risk: qualitative; quantitative; consortium data
Compliance: anti-money laundering/terrorism; industry-specific regulation; financial regulation; health and safety
Fraud: internal fraud; external fraud

Figure 1.3.6 The impact of risk systems on business

Financial impact – optimize capital, increase profits
Integrated view – consistent, transparent, auditable
Early warning system – visibility, foresight and agility
Risk-driven performance
Risk-aware business process
Risk-aware culture
Data management and analytics
Robust infrastructure

Table 1.3.2 Review of risk systems business impacts

Feature: Early warning system
Outcome: Visibility, foresight and agility.
Notes: Strategies are optimized, and the business gains the ability to identify problems early on in their lifecycle so appropriate actions can be taken to achieve optimum risk levels. Using IT to surface and measure risk can give management foresight to make the right decisions.
Challenges: Adequate models to assist the business in scenario and stress testing.

Feature: Financial impact
Outcome: Optimized capital allocation and increased profits.
Notes: Achieves a 360° view of the business along with investment choices, liquidity usage and asset allocations. All investments can be modelled and stress tested against market conditions.
Challenges: Understanding what optimum level of risk the business needs to carry in order to perform.

Feature: Integrated view
Outcome: Consistent, transparent and auditable process.
Notes: Creates a common mapping and understanding of the risks being run by the business so everyone can participate in the change. This requires modelling of the business and data mapping, and a series of systems to make risk visible. Auditors can see where data came from and went to in a transparent process.
Challenges: Integrating a diverse set of systems and processes. Getting a common definition of risk in the business.

Feature: Robust infrastructure
Outcome: Better data management and risk-based analytics.
Notes: Clean and accurate information is a basic requirement for any risk management process.
Challenges: Understanding where data resides and integrating this into a single view of risk.

Feature: Risk-aware culture
Outcome: Risk-aware business processes.
Notes: Decentralized responsibility for risk management is essential. This requires systems to bring risk to the desktop.
Challenges: Changing culture is the hardest transformation a business can undertake.


There is a wide range of manual and automated systems available to support firms’ existing risk management structure, at various levels of operational and management structure and across business units and business functions. In bringing together this disparate approach to risk management a firm will embark on a long road that will mix tactical solutions with long-term strategic thinking. Today, enterprise risk management remains elusive as the underlying benefits will only be realized once the necessary people, processes and systems are aligned, which can only be accomplished within a strategic plan. The SAS and Chartis enterprise risk management survey, carried out amongst 410 risk professionals across the financial industry, stated that just 26 per cent of those surveyed have a well-structured plan for implementing enterprise risk management. The struggle to get to an enterprise view of risk is reflected in the complexity of the strategic roadmap that needs to be laid out to achieve it. Enterprise risk management is a massive corporate change management programme impacting the core of a business, and the low percentage of companies that have indicated that they are planning to move to an enterprise risk management environment is a reflection of the complexity faced, rather than an indictment of the potential benefits of an enterprise risk management strategy.

1.4

Using management systems for risk management and corporate governance

Nicki Dennis, BSI British Standards

Management systems have had a bad press; to some they cost too much, they stifle innovation and they are merely a guarantee of repeatability rather than quality. Despite these criticisms, there are also thousands of organizations that successfully use management systems to save them time and money, to improve their internal processes and procedures and to prove their competency to their customers. The reality for your organization is likely to be somewhere between these two extremes. This chapter will show you how using management systems alongside new risk management standards can help in two vital areas: risk management and corporate governance.

Corporate governance is the way in which corporations and other organizations are directed and controlled. The subject has been around for a while, ever since the problems arising from the separation of ownership and control of organizations were recognized. Organizations such as Enron and WorldCom acted as catalysts for corporate governance reforms; industry in both the UK and the United States has since become more focused on managing corporate governance appropriately and safeguarding stakeholders’ interests. A spate of regulation has followed that has brought compliance issues to the very top of the corporate agenda. A loud fanfare accompanied the introduction of the Higgs and Turnbull Reports in the UK, which aim to strengthen the role of risk management and clarify the relationship between auditors, boards and regulators. Within the United States, a juxtaposition of the Sarbanes–Oxley Act and the personal crusade led by Eliot Spitzer (Attorney General for the State of New York) to prosecute firms and individuals who break rules has led to one of the most significant changes in US business regulation in recent years. Even with the introduction of new regulatory measures, it is clear that no firm is immune to the problems of poor risk management and corporate governance, and that initiatives introduced by regulatory bodies such as the FSA should be viewed only as a baseline preventative measure. With the stakes so high for both senior management and board members needing to take a grip on corporate governance, it should be in their best interests to implement additional initiatives that safeguard both their organization and their own futures. Thus, it is recognized that there is a need for greater corporate responsibility and accountability than exists currently. This chapter aims to demonstrate the need for corporate governance and good risk management and includes a systems approach to adopting effective arrangements, in particular through the use of appropriate management systems.

Management systems

A management system is a way of running an organization that embraces its overall structure, its planning activities, responsibilities, practices, processes and resources for developing, implementing, achieving, reviewing and maintaining the policies of that organization. In short, it is everything about an organization. Thus when you are looking for a way of improving your risk management it makes sense to ensure that governance is at the heart of your chosen management system. Central to all of this is the idea of ‘risk’. An organization’s top management should commit to establishing systems that will ensure that their strategic risks are identified and effectively managed. This system needs to operate at a strategic level and should encompass all of the organization’s activities and the impacts they may or may not have on all stakeholders. The obvious conclusion is that the most innovative organizations wishing to get ahead of the marketplace should embrace additional measures that safeguard their business and create a ‘change-orientated’ culture. Globally recognized ‘Management Systems’, such as ISO 9001 (for quality) and ISO 27000 (for IT security), can offer a unique combination of risk management and cultural change that encourages dynamic thinking and business improvement.


Within the context of corporate governance, the concept of using management systems as an effective risk management tool has been apparent for some time. Prominent examples include the Turnbull Report, which advocates the use of management systems as a mechanism to manage risk with regard to both the decision-making process and the day-to-day running of the organization. As it pointed out: ‘The system of internal control should be embedded in the operations of the company and form part of its culture.’

Risk as the ‘new’ quality

It is perhaps appropriate to draw parallels between the development of a quality culture in business throughout the 1980s and beyond and the current situation in risk management and corporate governance. This section describes how businesses have used standardization as the main process to drive through change and suggests how they might do so again. Think back to how the so-called quality revolution happened. It was slow at first and then gained momentum as companies pushed ‘quality’ back through their supply chains. It became necessary to have a quality certification in order to even tender for some government projects – such was the confidence in the systems. Now we live in a very different world where our expectations are for products and services to ‘do exactly what they say on the tin’, as the advert says. The support structure for this embedded quality was impressive, accompanied by new job titles: quality managers, quality control analysts etc. A new language was built with its own jargon of Pareto analysis, root causes and TQM. A formal structure of institutes and societies was founded for continuing professional development – the Institute of Quality Assurance and the American Society for Quality amongst them. Quality arrived and dug in. So how is ‘Risk’ similar to this? It is similar because I believe that in 20 years’ time our successors will look back aghast at the way we treated risk management at the start of the 21st century. In 20 years’ time risk management will be as embedded into our systems and processes as quality is today. The trick is to discover and describe how we get from where we are today to that position of truly embedded risk management. One way would be to copy the route taken by Quality. After all, both quality and risk have their roots in statistical science. Quality developed from manufacturing as a part of the efficiency drive of the 1980s, when statistical process control charts helped operators to optimize control and improve on quality. Risk has its background in the mathematics of insurance risk. Both have strong links to probability, with the language of ‘expected outcomes’ and ‘Monte Carlo simulations’ being used at the academic end of both subjects. Quality has its own language and so does risk; the latter is one with which all will soon agree. The ISO Guide 73 (new edition, due 2009) on risk management vocabulary is a good start in this tricky area. It defines risk as the ‘effect of uncertainty on objectives’ and risk management as ‘an organization’s culture, process and structures that are directed toward realizing potential gains whilst avoiding or limiting losses’. If all the various risk-related organizations around the globe could agree to use these two definitions, then that would certainly be a start towards a shared concept.


ISO 31000: an international risk management standard

For risk management the time is ripe for agreeing on the ‘shared concept’, and it needs to be a widespread agreement that includes governments, businesses, consultancies and trade associations. The International Standards Organization (ISO) is working on ISO 31000, which will be the first international example of this shared concept. The document is due to appear in early 2009, and I would urge interested readers to contact their national standards body (BSI in the UK, ANSI in the United States) and get involved in its consultation phases. The British Standards Institute is also working in this area, but was not the first to become involved. Most readers will be aware of the Australian and New Zealand Risk Management Standard and also of the IRM/AIRMIC/ALARM Risk Management Standard (taken up and supported by FERMA, the European organization for insurance risk managers), although neither of these has yet caught the imagination of business in the same way as ISO 9000. None of these could be termed a complete Management System Standard, in that they do not have any accreditation linked to them, but they will certainly support organizations that use them. Similarly, if your organization does not use management systems the new standards will still be of use. BS 31100 will be published early in 2008 and will be the UK’s first attempt at combining good risk management guidance in the form of a standard. ISO 31000 will be much broader based than anything that is currently available. It will, at least, include business ethics, corporate governance, reputational risk, IT risk, business continuity, operational risk and insurance risk, as well as risk assessment techniques. Pulling all these themes together into a future formal management system standard may be unnecessary. Even as guidance, the rewards in terms of increased confidence both in and for business will be great. Other gains will surely be more stable insurance premiums, as after implementing the standards the better management of risks will lead to lower levels of risk transference to insurance providers. Certification schemes may help too (see later in the chapter). A good example is in the area of business continuity plans and the schemes that are available for BS 25999. A business will want to work with suppliers that have ‘good’ business continuity plans, but how should it define ‘good’, especially when it cannot get access to those plans because they contain competitively sensitive information? An independent accreditation to a formal standard is the perfect solution. Everybody can agree that they are all working to the same levels.

Implementing management systems

Management systems such as ISO 9001 require buy-in from senior management, but also require every employee to have an appropriate understanding of the policies and procedures relevant to them. Over time, this encourages a cultural change of open and honest communication that is led by example from the top. The process of embracing internal control in this manner not only provides an organization with an accurate overview of the risks associated with its business operations, but will also help identify opportunities in areas such as reducing costs and increasing efficiency. There are many different management systems available to help organizations manage operational risks. A combination can also be embraced to offer the organization a more holistic level of protection. The following is a selection of those management systems currently available:

• ISO 9001:2000 addresses the quality of products and services;
• ISO 14001 focuses on the environmental controls within an organization;
• OHSAS 18001 deals with health and safety within an organization;
• ISO 27000 deals with information security within the business;
• BS 25999 focuses on business continuity management and resilience.

All of these standards and specifications have one thing in common: risk management. They are also based on the ‘plan, do, check, act’ (‘PDCA’) model. The model is consistent throughout the new generation of management systems and allows organizations to integrate their management systems more easily to achieve the holistic risk management model mentioned above. This is particularly relevant as many of the existing corporate governance solutions in the marketplace have a financial orientation. In addition to easier integration with other management systems, the PDCA model encourages a culture of ‘continual improvement’ within an organization. This can help to improve efficiency and unleash the firm’s entrepreneurial spirit, whose potential was held back by the ‘tick box’ mentality created by the desire to comply with new legislative reforms.

Best practice

So what is it that organizations should be aiming for? What would constitute best of breed in this tricky area? In my opinion there should be a strategic policy at top management level to focus on managing risk for corporate governance. This should lead to specific policies and arrangements to deal with specific risks. In particular, the policy should encourage a positive culture within the organization to make certain that strategic risks are identified, removed, minimized, controlled or transferred. Specifically the policy should:

• reflect the nature and size of the organization and the strategic risks it faces;
• commit to ensuring that management competence is established to control risk;
• commit to ensuring that a culture is established to control or exploit the risk;
• commit to internal control audits to verify the systems and policy implementation;
• commit to regular review of the strategic risks;
• commit to reporting annually to shareholders, auditors and stakeholders as appropriate.


Certification

Third-party certification of a recognized management system can give internal confidence that appropriate measures have been implemented to prevent acts of poor corporate governance. Certification also gives external stakeholders (that is, regulatory bodies and potential investors) evidence of a sound management structure. This achievement could be the final requirement to attract investment or to satisfy the London Stock Exchange’s criteria for a share listing. Both the act of certification and the exit reports generated during the certification process can be used to produce an organization’s corporate governance report. Furthermore, with revisions in company law and corporate manslaughter, certification to one or more of the management systems mentioned can be used by senior management in a legal scenario to show that appropriate policies were in place and adhered to.

Competitive advantage

A combination of legislative compliance and third-party certification to a formalized management system may be viewed as a burden, but it can also be a source of competitive advantage. First of all, compliance with legislation is not typically viewed as a unique selling point (USP). Addressing the law of the land should be taken as the norm, and any organization that shouts from the rooftops that it complies with relevant legislation is not really going to have any more credibility than its competitors. While compliance with legislation should almost be taken as a norm, it is undoubtedly a good baseline from which to implement additional recognized methodologies. It is these additional risk management methodologies and solutions that will offer organizations a USP within the marketplace. Implementation of one or more globally recognized management systems demonstrates to all stakeholders that the management of risk is taken seriously, and gives confidence for both trading and investment purposes. Implementing and achieving certification to a globally recognized management system is an aspirational achievement: it is a way for a company to benchmark itself against its peers and know that it is doing well. Potential investors can also take confidence from the fact that firms with certification to management systems such as ISO 9001:2000 will be focused on controlled growth and continuous improvement. Typically, financial investments are made on the basis of growth, and third-party certification can help give confidence to would-be investors, both individual and corporate. This is particularly important in this more cautious 21st century. Furthermore, if the much-rumoured Corporate Governance Index is introduced, ISO registration would make a logical addition to the index’s rating criteria. Trust is a significant business driver, and selecting those who manage risk appropriately is often difficult. A combination of a good corporate governance index rating and third-party certification can help demonstrate good governance and maintain trust.


The future

Following the actions of organizations that have caused a radical reform in legislation for corporate governance, firms have been forced to look closely at their risk management practices. While many of the reforms have been effective, it is clear that with scandals still hitting the headlines their introduction is not enough to protect stakeholder interests appropriately. With firms being expected to become great at ticking boxes to demonstrate compliance, perhaps the question should be asked whether this will leave enough resource for companies to be creative and drive themselves forward. Management systems and, more specifically, a combination of management systems and the new standards to create an integrated system, offer a holistic level of risk management unsurpassed in the marketplace. While many board members within organizations that are not yet registered to a formal management system are debating how many boxes they have ticked, those that are registered are moving their organizations forward with the confidence that they have robust risk management in place. With further reforms to corporate governance legislation inevitable, the only box that organizations will be required to tick in the future will be answered with a simple ‘yes’ or ‘no’. The question will be: ‘Do you have risk appropriately managed?’

Further reading

M Robbins and D Smith (2000) Managing Risk for Corporate Governance, BSI, London

1.5

Embedding risk management – practically Lee Tricker, Thomas Miller Risk Management

Introduction

This chapter is intended to describe techniques that an organization can use to embed a risk management culture throughout its business. It is aimed at heightening awareness and interest in risk management throughout the organization; promoting the benefits of risk management; and using champions who will keep risk management at the forefront of their co-workers’ minds, thereby making sure that the risk management process can grow organically (with minimal pain) to meet the organization’s developing and changing needs. Of course, there is no single templated process that will deliver all things for all purposes, but practical experience of repeating and refining these techniques with clients across the years has produced a methodology that is sufficiently disciplined and flexible both to expose problems within an organization and then provide appropriate solutions.


Understanding the organization’s structure

If risk management is to be successfully embedded within an organization, that organization’s structure must be clearly understood and defined. An organizational structure chart should be used (or drawn up as necessary) to delineate responsibilities right down to individual business unit level, which is where a practical and enthusiastic ‘buy-in’ to the risk management process is one of the most basic building blocks of the whole process. From the beginning, the process of embedding must be driven by the board, with the CEO being an ideal champion. The output from the analysis of organizational charts is vital in identifying potential strengths and weaknesses in the structure of the organization. Are areas of responsibility clearly defined and separated? Are lines of communication, delegation and authorization clear? Is there scope for confusion, conflict or duplication? This exercise lays foundations for the task of embedding the risk management process throughout the business, and consequently into the minds of all its employees.

Building on existing foundations

It is often difficult to embed new processes, mindsets and cultures into an organization ‘from scratch’. It is often more effective to build upon systems and processes that are already in place, widely used and generally accepted. To this end, risk management can be effectively embedded within an organization if it is used as part of (and seen to be part of) existing processes. One example is the business planning process. The identification of risks (and opportunities) should be an inherent part of this. Business managers (and the board itself) should formally assess risk each time a plan is formulated or revised. After all, there is little point in setting out objectives that are not realistic in terms of the risks that could threaten them.

Risk assessment workshops

One popular and successful means of assessing risk is by holding risk assessment workshops. If the organization decides to go down this route, it becomes necessary to select (with as much detail and forethought as possible) the individuals from within each business unit who should be attending risk workshops. There are no hard and fast rules with regard to selecting workshop attendees. The simple act of involvement does, however, help to embed risk management in the minds of attendees, particularly if the workshops become a regular part of an established process (such as the business planning process). Workshops can also throw up important cultural issues. For example, conflict can arise where a business unit manager refuses to accept or concede that there may be risks attached to his or her business operation that are not properly recognized or adequately controlled. It is not unheard of for middle-level managers to overrule their subordinates, as they are mistakenly concerned that the recognition of risk within their business units somehow impugns their abilities or performance. This in itself is a culture risk, which needs careful management if it is to be overcome. In order for the organization to maximize the benefits of risk assessment workshop sessions, it is important that a ‘no blame’ culture is encouraged throughout the whole exercise and into the ongoing business. This is a vital component of an embedded risk management process in which all staff are proactively managing risk. For example, when staff members spot an unseen or untreated risk that exceeds their business unit/division’s risk tolerance, or is outside their field of expertise, the prevailing culture should encourage reporting of such risks without fear of retribution of any sort. The primary objective of a workshop is to gain consensus from inside the business as to the real risks that it faces. This then makes it possible to consider the effect that such risks can have on the organization and its plans, and identify how these risks should ultimately be controlled.

Identifying champions

As noted above, the ultimate ‘champions’ of the risk management process should be the board and the CEO. In larger organizations, however, the direct influence of the board will not impact on day-to-day operations and it will be necessary to identify others within the organization who will actively (and voluntarily) promote the virtues of risk management and ‘spread the gospel’ amongst others within the business. Suitable individuals can be found from a number of sources. The review of organization charts will locate points where ‘champions’ can best be placed so as to operate with maximum effect. The review will also identify individuals whose roles make them natural ‘champions’ by virtue of the fact that risk management is already an inherent part of their job. Examples include health and safety and business continuity managers, investment managers and treasurers, corporate lawyers and insurance managers. Similarly, risk assessment workshops will uncover business managers and other individuals who have an innate ‘feel’ or passion for risk management. Where willing (and if appropriate), these people can be enrolled as the risk management champions for their respective business units. All such individuals can be used as the core of a wide-ranging and potentially influential group of risk management ‘champions’ who can help move the organization towards adopting a culture where risk management is treated as a fully embedded part of the organization’s daily activities.

Carrots and sticks

‘Champions’ can help create a positive environment for risk management, but is this sufficient? Unfortunately, the short answer is invariably ‘no’. Something more tangible is often required, and an organization’s performance management system can be a very effective way of delivering it.


The performance appraisal system should make managers and staff clearly aware of what the organization expects of them in terms of risk management. If a manager or member of staff is responsible for controlling a risk, or taking an action that is expected to enhance the control of risk, then this should be clearly spelled out as part of that person’s duties and responsibilities. Managers and staff should be actively rewarded for doing good work and displaying positive attitudes towards risk management. After all, by so doing, they are helping the organization to reduce and control its overall cost of risk. Conversely, the performance management system should be able to deal effectively with individuals who display no regard for the necessity to manage risk. The failure to manage risk effectively can often lead directly to an increase in the organization’s cost of risk. The consequences of any such increase should be reflected within the individual’s performance appraisal and, ultimately, remuneration package. Use of the performance management system again helps build risk management into an organization on the back of an established and recognized system. Again, we are working ‘with the grain’ of the organization, rather than attempting to impose something new and different, which is, almost by definition, inherently vulnerable to being rejected or ignored.

Communication, communication, communication

Risk management will not be embedded unless an organization regularly promotes the discipline in its communications with stakeholders. Newsletters, risk reports, circulars – all can successfully spread the risk management message and demonstrate to managers and staff that they are working in a risk-aware organization that prizes its people’s ability to manage risk exposures proactively within their own working environment. The establishment of risk management committees and working groups can be of great value. Equally effective (and possibly even more so, in line with our theme of building on existing processes) is the inclusion of specific risk items on the agendas of existing committees and working groups throughout the organization. The maintenance of risk data is often sorely neglected in many organizations, and this can only be to the organization’s detriment. Analysis of such data can be a valuable way to provide early warning of adverse trends and developments. Sharing such data across the organization can allow different parts of the business to share best practice and learn from each other. Developing openness, transparency and the communication and sharing of information throughout the organization is a powerful way of promoting the benefits of risk management. The positive experience of giving managers and staff risk information that will actively assist them to perform their jobs more effectively, and thereby increase the prospect of their achieving their objectives, is one of the most effective ways of ensuring that risk management will become embedded within the organization.


Conclusion

We have briefly reviewed some of the techniques that can be used to embed risk management within an organization. Understanding and, where necessary, refining the organization’s structure; building on existing systems and processes; holding risk assessment workshops throughout the organization (including at board level); identifying and appointing ‘champions’; using ‘carrots and sticks’; and communicating effectively – all can play their part in embedding risk management within an organization. Ultimately, when it can be demonstrated that risk management can provide real, tangible value to individuals within the organization, those individuals will actively want to continue to use it. Once this point is reached, the task of embedding is all but done.

1.6

New perspectives in strategic risk Scott Hartop and Allan Robinson, UMU, Appleyards

Practical tools for thinking and planning with uncertainty designed-in

Are the following statements true or false?

• Minimizing uncertainty supports growth in the organization’s bottom line.
• Focusing the organization’s view of ‘what might happen’ into a set of well-defined outcomes increases the capacity to successfully respond to future events.

A new perspective on strategic risk suggests that these may only be half-truths at best. This article explores another side to the conventional story that challenges many organizations’ tendencies to build strategies purely on the kind of thinking that manages out uncertainty and simplifies complexity. To use only tools that make neat and tidy assumptions about the shape of the future when approaching strategic risk could create a false sense of security and a narrow view of opportunities upon which organizations then base their biggest decisions.


There are two reasons for this: firstly, poor support and failure to employ tools that are more suited for approaching the ‘messiness’ of real-world strategic risks may be partially to blame; secondly, adopting a new perspective also requires an intrepid business risk manager and chief strategy officer with the courage to challenge conventional thinking and reconnect their organization with the reality of uncertainty. Complementing existing practices with alternative frameworks, creating powerful strategies with uncertainty designed-in can be a surprisingly straightforward, rewarding and exhilarating discipline that will pay the business back in increasing returns for years to come. The following practical tools and ideas are offered as a departure point for organizations and senior practitioners ready to adopt new perspectives on strategic risk.

Two views of uncertainty

Assumptions behind the tools used to create and manage strategic knowledge

As we know, there are ‘known knowns’; there are things we know we know. We also know there are ‘known unknowns’; that is to say we know there are some things we do not know. But there are also ‘unknown unknowns’ – the ones we don’t know we don’t know. (Donald Rumsfeld, 2002, then US Secretary of Defense)

Consider Figure 1.6.1. Which quadrant is your current attitude to uncertainty pushing your organization’s strategic knowledge towards? The upper right-hand corner looks attractive: high confidence in both what the organization knows and what it believes is knowable about the future state of the business and the world. Once managed into this ‘known known’ corner, risks appear highly quantifiable and strategic planning can follow a straightforward ‘plan A, plan B’ type approach. Quantitative, statistical models and itemized, prioritized registers of discrete risks are well suited for understanding the organization’s exposure because the future fits into a box with knowable, manageable dimensions. Of course risk and strategy practitioners implicitly understand that reality is not as neat as this: the future, however near or far in advance of the present, is seldom ‘knowable’ with high confidence. But this intuitive understanding is forced to take a back seat because of the underlying assumptions behind the available tools and widely accepted deliverables. A less parametric, less simplified view of uncertainty is very hard to accommodate within frameworks built for a highly knowable world. As a result it is common for professionals to attempt to ‘help’ the format they are using to reflect their real world intuition. Whatever the system being considered – a particular market, a new project, a crisis prevention strategy – it is closely interconnected with, and highly interdependent upon, myriad other systems, all subject to the same volatility and turbulence. This kind of complexity makes any future event sensitive to a vast network of variables, small perturbations in which can change the shapes of things to come beyond recognition.

[Figure 1.6.1 Perspectives on strategic knowledge. Source: umu, a division of Appleyards (umu.appleyards.co.uk). A two-by-two grid: vertical axis ‘Confidence in what the organization knows’ (low to high), horizontal axis ‘Belief in the “knowability” of the future’ (low to high). The four quadrants are labelled known known (upper right), known unknown (upper left), unknown known and unknown unknown.]

Viewed this way, strategic risk quickly becomes the business of complex systems and uncertainty. More technically, this standpoint has moved from decision making under risk to decision making under uncertainty. So an appropriate question might be: how many of the tools in your strategic toolkit start with these principles as their underlying view of the world and approach the future with its inherent complexity and uncertainty designed-in?

Going left-field

Stand in the upper left quadrant of Figure 1.6.1 for a moment. From here the organization still has high confidence in what it knows, but the nature of that knowledge has qualitatively changed: it is now explicitly understood that the future state of almost any aspect of the world is immersed in deep uncertainty, in no small part due to the fact that it is interconnected with other, equally uncertain systems. The only way to make this uncertainty shallower is to be very clear about what can be known about it and what cannot. This trades false confidence for a richer, more realistic understanding of what could happen – but how do organizations draw value from this new and positively uncertain picture? At first it might seem a great deal less comfortable to stand in the ‘known unknown’ corner, but this need not be the case. Just as business experience and mathematics have successfully provided a set of tools for building up strategic knowledge motivated by the attractive proposition of the ‘known known’, different sources of business experience and other branches of maths (and biological, physical, social, cognitive and computer sciences) have established an abundance of tools for the ‘known unknown’ perspective. And the good news is these two mindsets are not mutually exclusive; in fact, they can be highly complementary. The organization in the ‘known unknown’ quadrant has high confidence precisely because it has drawn back the curtain, accepted what cannot be known and changed its thinking accordingly. Embracing uncertainty rather than minimizing it is about taking an eyes-open and pragmatic approach that befits the reality of how the future can unfold; it is about preserving a lack of resolution where it belongs and uncovering a qualitatively different kind of intelligence more appropriate for the challenges of a less knowable world. Risk Dynamics (below) outlines how visualizing risk as a highly networked and dynamic system with multiple levers and intervention points opens up an invaluable new layer of insight, creating management options and supporting decision making under uncertainty.
Future Arcs (http://umu.futurearcs.co.uk) explores how a plural, recombinative view of the future unlocks the organization’s natural agility and resilience that might otherwise be stifled by more conventional, linear forward thinking. Neither of these frameworks claims to have invented any of their component tools – they are all long-standing and well understood. What they do claim is to assemble these diverse approaches into a coherent package that can be brought to bear on the business of strategic risk in a ‘joined-up’ and practical way. Both frameworks, following straightforward methods, work to restore the uncertainty and complexity that is traditionally modelled-out. They push three kinds of strategic knowledge into the upper left area of the diagram (see Figure 1.6.2) where it is arguably most valuable for (and most absent from) organizations thinking and planning for their futures. To summarize:

• Many of the widely accepted tools in the business risk toolkit implicitly design uncertainty and complexity out of the organization’s view of the future.
• Inappropriately removing uncertainty and complexity via these underlying assumptions about how the future will unfold is damaging for strategic decision making.
• This is not just a downside issue: organizations willing to engage uncertainty see a much wider space of opportunities than those employing a conventional perspective alone.
• Practical, straightforward tools for designing uncertainty and complexity back in are under-utilized due to a lack of support in the risk arena and the perceived safe ground of standard good practice.
• Restoring uncertainty and complexity can help trade false confidence for new kinds of strategic intelligence that support decision makers with powerful, real-world insights.

[Figure 1.6.2 Moving towards the known unknown. Same axes and quadrants as Figure 1.6.1; three numbered arrows, labelled ‘assumptions’, ‘deep uncertainty’ and ‘tacit knowledge’, move strategic knowledge into the upper-left ‘known unknown’ quadrant.]


Risk Dynamics

Designing complexity back in

Risk Dynamics starts with the assumption that threats and opportunities facing the organization are not discrete, isolated events. They are parts of a system. This system is complex in its relationships, highly dynamic and much less predictable than the idea of risks as a list of self-contained concerns, each in its own box. This system of risks and opportunities may look and behave differently from one day to the next. It is perpetually in motion, constantly reacting to changes within itself and the wider world. This clearly begins to re-introduce the missing uncertainty and complexity, but how does this support robust decision making? In return for moving towards the known unknown and letting go of the idea that the future is knowable with any kind of certainty, a Risk Dynamics approach offers three key advantages:

• visibility of important hidden structures;
• access to the sensitivity and responsiveness of the real system;
• increased ability to effectively communicate strategic risk.

Risk networks and impact families

In order to build up a picture of risk as a system, questions of the following kind need to be addressed:

• Does the occurrence of this risk make any other risks more likely?
• Are there any risks that must be prevented from occurring simultaneously?
• Given this exposure, which opportunities become more important to pursue?

As a picture of relationships between risks emerges, it becomes easier to understand and manage their collective, systemic properties. 'Risk networks' and 'impact families' are two useful and intuitive tools for managing risks that take advantage of the exposed relationships in powerful ways. Risk networks are collections of risks and opportunities that modify each other's properties: an occurrence at one point in the network begins a chain reaction that causes other risks to increase or decrease in likelihood, or their impacts to become more or less severe. Figure 1.6.3 shows the process of uncovering key networks within the organization's web of risks. Arranging risks around the perimeter of a circle and plotting their connections gives a rapid impression of the network's topography. Impact families are collections of risks that share the same impact on the organization. Risks in the same family might not modify each other directly, but when they occur simultaneously or in quick succession their combined effect can be extreme since they act on the same pressure point. An awareness of risk families enables decision makers to cope with or avoid such concentrated impacts.

58 RISK MANAGEMENT STRATEGY

[Figure 1.6.3 Uncovering Network A: risks RSK_01 to RSK_05 and opportunities OPP_06 to OPP_08 arranged around the perimeter of a circle with their connections plotted.]

Visibility of important, hidden structures

Returning to Figure 1.6.3, a clear loop structure is visible in Network A. This is a vicious circle of interactions: a change in the likelihood of any one of these risks is amplified as it travels around the risk network, which in systems terms is a reinforcing (positive) feedback loop. Such a self-reinforcing pattern is surprisingly common but hard to represent in a more conventional format. An insightful idea from systems thinking is that aspects of the real world can be thought of as feedback loops or cycles that are constantly accelerating or braking. Two opportunities in Network A interact strongly to dampen the reinforcing feedback created by the risks. A 'virtuous circle' of mutually reinforcing opportunities is another common structure that can be intentionally worked into strategies.

Access to the sensitivity and responsiveness of the real system

Since most individual risks now sit within a network of threats and opportunities that directly modify them, the picture begins to more closely reflect the actual volatility of future events. Small changes at any node can rock the system disproportionately. This is clearly important information to consider when basing critical decisions on a perceived level of exposure and deciding where to prioritize prevention and recovery resources. This extended view of individual risks also has the effect of revealing more intervention points for influencing any individual concern. The preventative measures and recovery plans for risks in the same network will often provide effective supplementary control over their network siblings. Remembering the feedback loops concept, a combined effect driven by making carefully orchestrated changes at multiple points in the same network is achievable. In this way a Risk Dynamics approach can actually increase the number and gearing of the levers available to managers to steer events.
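The three ideas above (risk networks whose nodes modify each other, impact families that share a pressure point, and reinforcing loops that amplify a small shock) can be made concrete with a small graph model. The following is an added example, not the book's or UMU's own tool: the node names echo Figure 1.6.3, but the connections, edge weights, impact-family assignments and the linear propagation rule are assumptions chosen for illustration. It finds the feedback loops, computes each loop's gain, propagates a likelihood shock around the network and sums exposure per impact family.

```python
"""Toy risk-network model: a directed graph in which each risk or opportunity
modifies the likelihood of its neighbours. Added example; node names follow
Figure 1.6.3 but every edge, weight and family below is an assumption."""
from collections import defaultdict

# Constructed sample network. Edge (u, v, w): a change d in the likelihood of u
# changes the likelihood of v by w * d. Positive w amplifies, negative w dampens.
SAMPLE_EDGES = [
    ("RSK_01", "RSK_02", 0.5),
    ("RSK_02", "RSK_03", 0.5),
    ("RSK_03", "RSK_04", 0.5),
    ("RSK_04", "RSK_01", 0.5),   # closes a reinforcing loop (vicious circle)
    ("RSK_05", "RSK_01", 0.2),
    ("OPP_06", "RSK_02", -0.4),  # opportunities dampen risks inside the loop
    ("OPP_07", "RSK_04", -0.4),
    ("OPP_06", "OPP_07", 0.3),   # mutually reinforcing opportunities
    ("OPP_07", "OPP_06", 0.3),   # (virtuous circle)
]

# Constructed impact families: the pressure point each risk acts on.
SAMPLE_FAMILIES = {
    "RSK_01": "cash flow", "RSK_02": "cash flow", "RSK_05": "cash flow",
    "RSK_03": "reputation", "RSK_04": "reputation",
}


def build_graph(edges):
    """Return (adjacency list, weight lookup); every node gets a key."""
    graph, weight = defaultdict(list), {}
    for u, v, w in edges:
        graph[u].append((v, w))
        graph.setdefault(v, [])
        weight[(u, v)] = w
    return dict(graph), weight


def find_cycles(graph):
    """Enumerate elementary cycles (feedback loops) by depth-first search.
    Each cycle is reported once, starting from its lexicographically smallest node."""
    cycles = []

    def dfs(start, node, path):
        for nxt, _ in graph[node]:
            if nxt == start:
                cycles.append(list(path))
            elif nxt > start and nxt not in path:
                path.append(nxt)
                dfs(start, nxt, path)
                path.pop()

    for start in sorted(graph):
        dfs(start, start, [start])
    return cycles


def loop_gain(weight, cycle):
    """Product of edge weights around a cycle: >0 means reinforcing,
    |gain| >= 1 means a shock would grow without limit."""
    gain = 1.0
    for i, u in enumerate(cycle):
        gain *= weight[(u, cycle[(i + 1) % len(cycle)])]
    return gain


def propagate(graph, shock, rounds=20):
    """Push a likelihood shock {node: delta} around the network hop by hop and
    return the accumulated change at every node reached. The geometric series
    converges when every loop gain is below 1 in magnitude."""
    total = defaultdict(float, shock)
    frontier = dict(shock)
    for _ in range(rounds):
        nxt = defaultdict(float)
        for u, d in frontier.items():
            for v, w in graph[u]:
                nxt[v] += w * d
        for v, d in nxt.items():
            total[v] += d
        frontier = nxt
    return dict(total)


def family_exposure(likelihood, families):
    """Sum the likelihood of every risk acting on the same pressure point."""
    exposure = defaultdict(float)
    for node, p in likelihood.items():
        if node in families:
            exposure[families[node]] += p
    return dict(exposure)


if __name__ == "__main__":
    g, w = build_graph(SAMPLE_EDGES)
    for c in find_cycles(g):
        print("loop", " -> ".join(c), "gain", round(loop_gain(w, c), 4))
    risk_only = propagate(g, {"RSK_01": 0.1})
    with_opps = propagate(g, {"RSK_01": 0.1, "OPP_06": 0.1})
    print("RSK_02 change, risk shock only:", round(risk_only["RSK_02"], 4))
    print("RSK_02 change, with OPP_06 pursued:", round(with_opps["RSK_02"], 4))
    print("exposure by family:", family_exposure(risk_only, SAMPLE_FAMILIES))
```

With these assumed weights the four-risk loop has a gain of 0.0625, so a +0.1 shock to RSK_01 comes back as roughly +0.107 after amplification; remove the closing edge and the same shock stays at exactly +0.1. Pursuing OPP_06 alongside the shock lowers the change at RSK_02, which is the dampening effect the text attributes to the two opportunities. In a real register the weights would have to be elicited from the owners of each risk; the value of the model is in forcing those conversations and in exposing which loops are closed, not in the precision of the numbers.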

Increased ability to communicate strategic risk effectively

Risks and opportunities that cannot be communicated effectively cannot be managed. By situating a risk in the context of its networks and families it can be more vividly brought to life – this is particularly apparent when risks are visualized.

[Figure 1.6.4 Scenarios for Network A. Horizontal axis from 'short-term thinking driving decision-making' to 'long-term thinking driving decision-making'; vertical axis from 'increasingly reliant on key organizations' to 'increasingly distributed partner base'. Plotted: Network_A-RSK-01 to RSK-04, Network_B-RSK-05, Network_A-OPP-06 and Network_A-OPP-07.]


Figure 1.6.4 is an example of a visual summary of the key messages for stakeholders involved with managing Network A. Risks fade in as they become more likely. In the fictitious case of Network A, exposure mounts quickly as the business veers increasingly towards a scenario where its decisions are being led by a short-term outlook and its reliance on key organizations is high. Note how the overlaps reflect the reinforcement and intensification of the feedback loop in Figure 1.6.3. Pursuing the opportunities for partnerships and planning in the bottom left of Figure 1.6.4 effectively pulls the system back towards a less exposed state.

In summary

Strategic decisions and the future with which they interact are a shifting and networked system composed of risks and opportunities, forces and levers. The oversimplification underlying conventional registers reduces the organization's capacity to interact with and manage what is in fact a system, not a list. Risk Dynamics supports and integrates the application of techniques from systems thinking and complexity science into standard strategic risk practices (i.e. risk registers).

Risk Dynamics in action

UMU helped a major metropolitan transport organization to develop strategies for the future management of its diverse engineering asset portfolio. Because these assets are highly interconnected, an approach closely based on the Risk Dynamics framework afforded the management team a clear view of their interlocking networks of risks, opportunities and assumptions. This rich picture of the complexity characterizing the underlying system revealed intervention points and opportunities for optimization that would not have been visible with a non-networked approach. Many of the organization's key assets have a life expectancy stretching above 30 years; the industry itself will undergo massive change over this period. Critical strategic decisions must be made in the short term that will have ramifications for commuters lasting decades. Preserving and understanding the level of uncertainty surrounding the future of this system helped catalyze robust and agile thinking equal to the challenge.




For more information and resources, and to contribute your experience and insights to the Risk Dynamics open framework, visit http://umu.riskdynamics.co.uk


2 Corporate Risk Concerns

Global, independent risk consulting

Control Risks is an independent, specialist risk consultancy with 18 offices on five continents. We provide advice and services that enable companies, governments and international organisations to accelerate opportunities and manage strategic and operational risks.

• Political and security risk analysis
• Business intelligence and investigation
• Forensics
• Information security
• Business continuity
• Security consultancy and management
• Crisis management and response
• Travel security
• Background screening

For more information on Control Risks services please contact: [email protected] or +44 20 7970 2100

www.control-risks.com

2.1 Political risk

James Smither, Control Risks

Rising oil and commodity prices have created a dual phenomenon that has seen political risk return to the top of the business risk agenda. Multinational companies are increasingly travelling to new locations to exploit previously marginal deposits, and nationalistic governments are seeking to extract the maximum benefit from this growing desire to tap into their natural resources. The need to operate successfully and with integrity outside a familiar and predictable comfort zone is itself an argument for comprehensive risk management. When such operations are in locations overseen by unpredictable administrations, set against a backdrop of continuing global geopolitical uncertainty, the need to marry a capability to understand and anticipate developments in the political context of an investment with more traditional areas of business planning such as operational, financial and market risk management is especially prominent. However, companies often make at least one of five classic mistakes in dealing effectively with the political risks to their project:

• Political risk is not recognized as unique.
• Business planners fixate on certain types of risk.
• Risk managers fixate on certain mitigation tools.
• Risk management initiatives are fragmented.
• Political risk management is misaligned with the business planning process.

66 CORPORATE RISK CONCERNS

This chapter explores the reasons why political risk is often mismanaged in these ways, and suggests a template for overcoming these pitfalls and arriving at a more effective solution.

Political risk is not recognized as unique

Political risk analysis is more than simply the study of politicians and policies in a given jurisdiction. Political risks are essentially all those risks that arise from the behaviour of actors attempting to maintain, attain or undermine governmental authority, or from weaknesses in governmental institutions. Hence rebel groups, movements of generalized community unrest, and even a company's local and international competitors can represent sources of political risk. A classic example of this complexity is sub-Saharan Africa, where the arrival of state-backed Chinese extractive companies – backed by government-to-government 'soft loans' and often with dramatically different internal corporate governance and integrity standards – has significantly changed the rules of engagement for more established Western operators.

[Figure 2.1.1 Political risks co-exist with a number of inter-related internal and external risks (© Control Risks 2007). The diagram groups risks into four quadrants (financial risks, strategic risks, hazard risks, operational risks) along an axis from externally driven to internally driven. Labels include: market, credit, interest rates, liquidity, foreign exchange rates, competition, intellectual capital, demand, R&D/development, industry changes, environmental/natural events, products and services, integration, customer challenges, IT, board composition, supply chain, public access, contracts, political risks, security risks, employees, property/infrastructure, suppliers, recruitment, accounting controls, regulation/legislation and culture.]

POLITICAL RISK 67

A key understanding of political risk is that it is unique and generally defies attempts to quantify it or subject it to scientific analysis. Most other risks to a business or specific project arise from within the accepted value system and from mistakes made in routine tasks (such as design, maintenance or audit). Political risks stem from intelligent actors who make a rational calculation about a company and its vulnerabilities. It can be hard to assess those calculations, especially because they often come from beyond the accepted value systems and 'rules of the game'. Accordingly, the mitigation focus is also different. Instead of simple attention to detail and reliance on testing and quality control procedures, political risk management requires understanding of value systems unlike your own in order to know how to influence behaviour, or to know what to expect. Risk management can be relationship- and negotiation-based on the one hand, and protection-based on the other. Finally, companies need to realize that they are themselves players in the political risk sphere rather than simply passive recipients of the risks prevalent in a market. An investment's own behaviour – the things that the company does or does not do, is seen to do or is seen not to do – can dramatically affect its political risk profile. There is, for example, a dramatic difference between building a fence around a high-impact extractives project and engaging proactively with its surrounding community through the construction of consultation-based development and environmental protection projects.

Business planners fixate on certain types of risk

In addition to misunderstanding the unique nature of political risk, there is often an understandable tendency on the part of company management to fixate on its more 'headline-grabbing' areas. Wars, nationalizations, coups d'état and terrorist attacks clearly all continue to occur around the world, but these types of risk are statistically highly unlikely to affect the vast majority of business projects. An over-emphasis on the spectacular can lead to a sense of false threat perception, and consequent weak decision making. In a similar vein, a parallel under-emphasis on other less prominent or less dramatic types of political risk represents a lost opportunity to improve the chances of project success. Experience highlights the greater likelihood of companies facing losses or even collapse because of less glamorous risks such as radical activism, insuperable bureaucratic delays, an unforeseen corruption scandal or a subtly enforced degradation in their terms of trade. This underlines the importance of prioritizing the identification and, where they are a credible prospect, the mitigation of such risks. A similar flaw in political risk management in this respect can be an over-reliance on received opinion when assessing political risks to a project. This could include placing too much weight on the reassurances of a project's champion within the company or those of the host government that is seeking to attract the investing company – both clearly subject to bias – or on the 'herding mentality' that an opportunity must be acceptably safe because so many competitors are already pursuing it. These can be categorized as 'I've been there and it's fine', 'so-and-so told me it was fine' and 'everyone else is doing it so it must be fine'. A number of investors are likely to have ignored clear warning signs of suffering ahead during both the Argentine and Asian financial crises of recent years for precisely this sort of reason. 'Expect the unexpected' is a central watchword of effective political risk management. Few pundits or members of the global political and business elite would have accurately forecast the timing of paradigm shifts such as the 1979 Islamic Revolution in Iran or the 1989 fall of the Berlin Wall. However, those that at least allowed for the possibility would have enjoyed demonstrable advantages over their contemporaries.

Risk managers fixate on certain mitigation tools

In addition to focusing on the wrong types of risks to begin with, companies also sometimes place their risk-mitigation eggs in the wrong baskets. The area of political-risk insurance can be particularly vulnerable to such 'panacea' thinking. Typically covering the more 'traditional' and cataclysmic political risks described above, a political-risk insurance policy can serve to assure lenders or shareholders and will of course transfer some aspects of state-level political risks. However, such insurance alone does not usually provide cover against the majority of the less straightforward sub-state and increasingly common political risks already described. It can also be extremely expensive and may not even be required at all. Furthermore, while financial compensation after a risk has materialized is obviously provided for through such a policy – and with it some mitigation of impact – an insurance policy alone will not reduce the likelihood of a risk being manifested, nor prevent any number of undesirable consequences such as death, injury and subsequent litigation by affected parties on the grounds of duty of care. As alluded to already, an over-reliance on implementing pure physical security measures at the expense of addressing some of the root causes of the security threats to a project can be similarly short-sighted: again, mitigating the impact of a risk occurring is being prioritized over reducing the likelihood of it materializing in the first place. Placing the emphasis on joint-venture partners, 'prominent victims' or hand-picked 'influence peddlers' when constructing a multi-party project consortium is similarly partial and, of course, highly vulnerable to a location's changing political wind. The end result of failing to select appropriate and comprehensive political risk management strategies – in common with failing to understand the uniqueness of political risk and in fixating on the wrong risks to a project – can be that certain types of potentially devastating risks to a project or asset are not treated as thoroughly as possible or are even missed entirely.

Risk management initiatives are fragmented

A major reason why such sins of omission can occur is that responsibility for the management of risk within an organization is often fragmented or unclear. In many companies, executive management is likely to be responsible for high-level bargaining and partnering arrangements, an audit team handles integrity and compliance issues, while a separate finance department is responsible for purchasing insurance policies. Meanwhile, the department for operational health, safety and the environment (OHSE) and/or human relations may take responsibility for 'duty of care' issues such as pre-deployment preparations and in-country staff health and well-being. Security, supply chain management and the establishment of local relationships are often left to separate elements within local operational units. Another team completely – public relations – may be entrusted with the area of lobbying and press relations, including communications in the event of a crisis. Such fragmentation of responsibility can prevent a collective discussion of, and hence a shared awareness of and co-ordinated approach to managing, the risks to both a single project and a company as a whole. A company can therefore lack a single entity with a total view of its project risk exposure(s) and an appropriate suite of risk mitigators, and so miss the opportunity for co-ordination to ensure synergies and maximum risk management effect. Perhaps most importantly of all, this means the ultimate absence of a single point of responsibility and authority – even if it is only a 'virtual team' with appropriate representatives drawn from the various business areas – where the buck can be said to stop.

Political risk management is misaligned with the business planning process

A final pitfall, which can be either a cause or an effect of the previous four, is the misalignment of political risk management for a project with the planning and execution of that project. In many cases, a decision to 'go' on an investment opportunity and even the formalized partnering or joint-venture arrangements needed for market entry for that opportunity are completed before a process of political risk assessment is even launched. In the most extreme and costly cases – often in large infrastructure and utility concessions in emerging markets – a true appreciation of political risk is only gained when a political power shift occurs, a key influence-peddler suddenly falls from grace, and a contract is renegotiated or an entire project expropriated. By which time, of course, it can be too late. In best-practice political risk management, the identification of assets at stake and the company's key criteria for success and failure for a venture should be being established even as the opportunity is first being identified. The specific political risks that the project might face should be factored into the business case together with their potential significance for its anticipated cash-flow projections, just as an assessment of the extent and cost of mitigation capabilities required to manage those risks should be factored into the structuring of project costs during the planning and tender process. Accordingly, a full range of options for managing those risks should have been identified and evaluated, leading to the development of a risk-mitigation roadmap in time for a go/no-go decision on the project and its eventual launch. Finally, best-practice political risk management acknowledges the reality that political risks are never static. This underlines the need for constant reassessment and adjustments to the initial risk-management roadmap, in concert with the standard performance monitoring of the investment carried out by the company. The use of multiple political risk scenarios over an investment's anticipated lifespan – against which current assumptions and mitigation strategies can be tested and then modified to allow for differing eventualities – can be an invaluable tool in this respect, especially for long-term engagements such as the construction of a mine or roll-out of a complex infrastructure project.

Towards best practice political risk management

Political risk, then, is a complex area that requires sophisticated understanding and a comprehensive approach. Companies are advised to employ a number of relatively straightforward strategies to avoid the most common pitfalls that result in mismanaging the political risks to their projects and global footprint:

• Understand the unique and challenging nature of political risk and the central role of human agency within it. A solution can be to develop a virtual 'competency centre' to learn about political risk and raise awareness of it in various business units.
• Look beyond the obvious when it comes to identifying political risks that may hamper or even kill a project. The use of 'devil's advocates' to corroborate or challenge management thinking is critical. Companies should always employ an array of primary and independent secondary sources in conducting research into political risk.
• Plan for the unexpected when identifying a viable and cost-effective risk management strategy. Companies should always use a structured decision framework to stretch discussions and avoid group-think when planning their risk mitigation.
• Consider creating for each new project a multi-functional political risk 'task force', or at the very least make political risk a distinct issue of concern among the wider risk management team to avoid a fragmented approach to risk mitigation. Visibility, clearly assigned responsibility and executive buy-in are all critical to the success prospects both of this team and of the strategy that it is tasked with implementing.
• Build political risk assessment firmly into the project cycle and 'doctrine' for new business initiatives. This will institutionalize a due and thorough consideration of the risks when it is still possible to act on findings, and help to avoid happening upon political risk when it is already too late.

In other words, political risk management needs to be an integrated process. It should serve as a critical factor in shaping and reviewing strategy and be integral to the planning process for new business initiatives and projects. It should benefit from, and in turn enhance, co-ordination and shared awareness between the relevant functions and departments of a business. Political risk management must always be objective, and separated from the biases and motivations of parties with a stake in the success of a venture. Cross-checks and the use of devil's advocacy are crucial in helping to derive a clear perspective, with critical external reviews of the effectiveness of mitigation approaches also highly recommended. Lastly, political risk management is best viewed as a dynamic rather than a static process: as part of project planning and execution, not a one-off exercise to satisfy a checklist. In essence, it is a constant process of regular review of the company's exposures, its risk tolerance and the risk landscape within which it operates, with regular adjustment of a portfolio of mitigation options to meet changes in all three areas.

Conclusions

Despite the recent resurgence of political risks in crucial extractives markets in Latin America, Africa and the Middle East, business too often sees the management of these risks as a box-ticking exercise to satisfy external stakeholders. A significant result of this attitude is that a company is left with no integrated perspective on the universe of risk, with consequent gaps in its overall as well as project-specific risk management coverage (and also redundancies – often expensive ones – within its various business functions). This leads to promising opportunities being shunned, needless risks being assumed and wasted resources spent attempting to manage them. Companies that recognize the unique aspects of political risk, and deal with it in an integrated, planned way, generally perform best in areas or in operations that entail high exposure to a sensitive political environment.

2.2 Reputation and emerging communications technology

Paul Miller, Cision

On 17 May 2007, just after midday, the value of Apple Inc on Wall Street fell by US$4 billion. Within 15 minutes, the stock had made an almost full recovery. The source of the market's fleeting alarm? An erroneous report of delays in Apple's product pipeline, including a three-month lag in the arrival of the hugely anticipated iPhone, on the influential tech blog Engadget.[1] While the story wasn't actually true, for a few minutes on Wall Street it had all the consequences of truth. Not so long ago, such a real and immediate threat to reputation was the stuff of nightmares. Thanks to recent technological advances and, I would suggest, attendant psycho-sociological developments, it is now everyone's reality.

Economist-polemicist Nassim Nicholas Taleb thinks risk managers have a problem with reality. His most recent book, The Black Swan, attempts to expose the shortcomings of contemporary forward-planning models with a single, straightforward argument: business plans rely on the Gaussian probability distribution to predict the future, and this notorious bell curve is, like any mathematical model, a poor substitute for reality. In particular, says Taleb, the Gaussian model cannot cater for extreme, one-off events – a Wall Street Crash or an 11 September.[2] Such 'Black Swan' events overshadow commonplace, Gaussian behaviour to such an extent as to make the latter a near-negligible factor in shaping future events.

The phenomenon known as Web 2.0 – a perceived technology that supports blogs and related internet self-publishing platforms and services – could be considered one of Taleb's Black Swans. That few foresaw the emergence of self-publishing tools is written into the design of consumer internet access: its asymmetry – download speeds almost everywhere faster than upload speeds – reflects its designers' failure to anticipate the web's emergence as a channel of self-expression. Yet why should they have done? Who knew quite how many were willing to share pieces of themselves online, and how many more would lap it up as consumers? It is not so much the technical aspects of Web 2.0 that defeated the media planners, but the mindset of its mainly young constituency. Consider the following definition of Web 2.0, from the British actor, broadcaster and author Stephen Fry. 'Web 2.0', he says, is:

an idea in people's heads rather than a reality. It's actually an idea that the reciprocity between the user and the provider is what's emphasized. In other words, genuine interactivity if you like, simply because people can upload as well as download.[3]

I think Fry really captures Web 2.0 in identifying it as a state of mind. For those who enter into it, the reciprocity he describes means that 'user' and 'provider' constantly swap places. No doubt the big man (traditionally the 'provider') starts out with a greater claim to the audience's attention than the little man (formerly the 'user'). Yet when users gather around a particular issue, the size of the crowd – and the status of its individual participants – can make it attention-grabbing indeed. Furthermore, attention-grabbing material can help the little man to grow quickly. Regardless of an organization's Web 2.0 strategy (or lack of it), the odds are that at least some stakeholders are already of this state of mind. This development creates a new set of communications risks, as well as asking big questions of old assumptions. There are immediate risks to reputation as well as longer-term strategic risks. The essay that follows focuses on reputational issues, but the lessons – how a Web 2.0 state of mind is changing the communications mix – are essential in building for the long term also.

Inside the attention economy

The reputation of an organization has always depended on the channels through which its values, performance and overall business health are communicated. Web 2.0 doesn't change that. But it does mean that reputation is no longer built solely on a framework of established communications hierarchies that is more or less fixed and readily understood. It is now also strewn across a vast and expanding universe of digital media channels. In addition, the influence of the legacy channels fluctuates with the varying popularity – and indeed, with the unabated emergence – of the new.


Tech evangelists, perhaps wary of the devastation their subject might have in store for traditional media, often claim that new channels simply add to the communications mix. The implication that they take nothing away is misleading. Media consumption should be considered as an attention economy of the kind defined by Herbert Simon in 1971:

In an information-rich world, the wealth of information means a dearth of something else: a scarcity of whatever it is that information consumes. What information consumes is rather obvious: it consumes the attention of its recipients. Hence a wealth of information creates a poverty of attention and a need to allocate that attention efficiently among the overabundance of information sources that might consume it.[4]

With so many channels now competing for attention, some will inevitably lose out, though not necessarily in toto. The research bears this out: while few studies show online media accounting for a dominant portion of the public's media consumption (even for those in the 'digital native' demographics), almost all have traditional formats accounting for smaller audiences, for less time, with print leading the move away from centre stage. This trend is accelerated by an increasingly rapid proliferation of online options. At the end of 2006, Facebook was a social network open only to US college kids; in August 2007, it received 6½ million visits from people in the UK. There are virtual worlds, microformats, social news aggregators, and all of them mashed-up and recombined. One final self-evident complication: these services are global, supported by the world wide web. While reputations were seldom entirely localized according to the proclivities of local media, Web 2.0 has, as it has in so many other ways, catalysed what was already occurring – in this case, the globalization of communications.

The long tail of digital content

Chris Anderson is the editor of Wired magazine, a techno-utopian monthly owned by Condé Nast. In 2006, he published a book, The Long Tail, which sketches its author's vision for digital economies.[5] The 'long tail' in question is an extension of the graph shown in Figure 2.2.1, which represents the power law y = 1/x. A surprising amount of human activity conforms to this power law. Sales types, for example, have looked to it for validation of the 80/20 rule. In real-world stores, what is stocked depends on value and inventory costs; the rule holds as the shopkeeper balances the two to yield favourable margin. With digital merchandizing, inventory costs are near zero, such that, Anderson argues, a long tail of small sales – imagine the graph with the x-axis drifting through the book for several more pages – is sustainable through e-commerce. Although Google's business model proves that Anderson's tail can be flexed commercially, it is by no means a universal model for digital economics. Nonetheless, it is extremely helpful in thinking about the digital-age attention economy.

REPUTATION AND COMMUNICATIONS TECHNOLOGY 75 •

Figure 2.2.1 Power law graph (y plotted against x for the power law y = 1/x)

Mainstream content providers, whether on or offline, can be considered destination channels: a known brand reached for in the newsagents, a URL bookmarked in the browser, a BBC or a New York Times. These outlets receive the most cumulative attention. The audiences of these big-hitting sites themselves consist of long tails: habitual users in the big head, drive-by search traffic at the other end (see Figure 2.2.2). Many habituals spend lots of time there, while numerous drive-bys quickly conclude they’re in the wrong place and check out. It all adds up to a big head of attention. As we move down the tail from the big head, sites are subject to less cumulative attention. By the time we reach the extremes of the long tail, we find blogs and social network pages disliked even by their creators. Somewhere in between is the reputation frontline known as the ‘magic middle’.6 It is populated with sites visible to a significant audience of (probably connected) stakeholders rather than a handful of (largely unconnected) consumers. Such sites also tend to be more focused, serving niche interests better than do more general content providers. Therefore, the site’s value to an organization can be more or less than the cumulative attention might suggest, depending on whether or not the niche chimes with the activities of the organization. What is the acceptable visibility for content with potential to affect reputation? How much of the tail must be watched? And where on the tail are the key sites for engagement? Which sites are the ‘gatekeepers’ that grant content exposure at a critical level? Obviously the answers to such questions vary from case to case, but in order to assess the risks (and opportunities) of any situation, we must be able to measure them.

• 76 CORPORATE RISK CONCERNS

Figure 2.2.2 The long tail of digital attention (attention plotted against channel; the curve is labelled big head, magic middle and long tail)

Mapping the landscape The broadest hedge against risk involves extensive monitoring, but even Google’s legion of tireless searchbots struggles to keep up with the entirety of the internet and its ever-lengthening tail. Therefore, any monitoring must be accompanied – and filtered – by understanding. From a straightforward resource point of view, more time needs to be spent with some parts of the distribution – whether in the big head, the magic middle or even the long tail – than in others. A map of the landscape, built on meaningful metrics, informs this strategy. There is no shortage of metrics for measuring online activity.7 Certainly one can achieve a good understanding of the popularity of destination sites through analysis of traffic, for which unique users provide the most reliable indicator. Engagement metrics such as average-time-spent-per-user are widely available for online channels. This data is subject to the same problems as any based on a panel of consumers, but even so, in combination with an analysis of the number and nature of ‘user’ interactions with a page (comments on a blog post, for example), commonly available metrics can contribute to a detailed and strategically valuable analysis.
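The two preceding sections describe the attention curve (the power law y = 1/x of Figure 2.2.1, cut into big head, magic middle and long tail in Figure 2.2.2) and then argue that monitoring effort should follow a map of that curve weighted by how well each niche chimes with the organization. The following is an added worked example, not code from the book or its authors: it assigns attention to channels ranked 1..n in proportion to 1/rank, checks the 80/20 behaviour the chapter mentions, splits the curve into the three regions using cumulative-share cut-offs (the 50 per cent and 90 per cent thresholds are my assumptions, not figures from the chapter), and orders a constructed set of four channels for monitoring by attention share multiplied by a relevance weight. All channel names, ranks and relevance values are made up for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


def attention_shares(n: int) -> list[float]:
    """Attention for channels ranked 1..n under the power law y = 1/x,
    normalised so that the shares sum to 1."""
    raw = [1.0 / rank for rank in range(1, n + 1)]
    total = sum(raw)
    return [v / total for v in raw]


def cumulative_share(shares: list[float], k: int) -> float:
    """Fraction of total attention captured by the k most-visited channels."""
    return sum(shares[:k])


def partition(shares: list[float], head_cut: float = 0.5,
              tail_cut: float = 0.9) -> tuple[int, int]:
    """Split the curve into big head / magic middle / long tail.

    Returns (head_end, middle_end): the ranks at which cumulative attention
    first reaches head_cut and tail_cut. Ranks 1..head_end form the big head,
    head_end+1..middle_end the magic middle, and everything beyond is tail.
    The cut-off percentages are assumptions, not figures from the chapter.
    """
    running = 0.0
    head_end = None
    middle_end = None
    for rank, share in enumerate(shares, start=1):
        running += share
        if head_end is None and running >= head_cut:
            head_end = rank
        if running >= tail_cut:
            middle_end = rank
            break
    n = len(shares)
    return head_end or n, middle_end or n


@dataclass(frozen=True)
class Channel:
    name: str
    rank: int          # position on the attention curve, 1 = most attention
    relevance: float   # 0..1: how closely the niche chimes with the organization


def monitoring_priority(channels: list[Channel],
                        shares: list[float]) -> list[tuple[str, float]]:
    """Order channels for monitoring effort: attention share weighted by
    relevance, so a focused niche site can outrank a larger general one."""
    scored = [(ch.name, shares[ch.rank - 1] * ch.relevance) for ch in channels]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample: four hypothetical channels placed on a 1,000-channel curve.
SAMPLE_CHANNELS = [
    Channel("unrelated celebrity site", rank=2, relevance=0.0),
    Channel("national daily (general news)", rank=3, relevance=0.05),
    Channel("sector trade blog", rank=30, relevance=1.0),
    Channel("hobbyist forum", rank=300, relevance=0.9),
]


def demo(n: int = 1000) -> dict:
    """Run the whole map for an n-channel curve and return the key figures."""
    shares = attention_shares(n)
    head_end, middle_end = partition(shares)
    return {
        "top_20pct_share": cumulative_share(shares, n // 5),
        "head_end": head_end,
        "middle_end": middle_end,
        "priority": monitoring_priority(SAMPLE_CHANNELS, shares),
    }


if __name__ == "__main__":
    result = demo()
    print(f"top 20% of channels hold {result['top_20pct_share']:.1%} of attention")
    print(f"big head: ranks 1-{result['head_end']}, magic middle: "
          f"{result['head_end'] + 1}-{result['middle_end']}, long tail beyond")
    for name, score in result["priority"]:
        print(f"{score:.5f}  {name}")
```

With 1,000 channels the top fifth of the curve holds a little over 78 per cent of attention, which is why the chapter can invoke the 80/20 rule, and the sector trade blog at rank 30 outranks the national daily at rank 3 once relevance is applied, which is the point made about the magic middle: raw attention alone misplaces the monitoring effort.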

Search engine optimization and measuring search Communicators have long sought prominence in search engine results for their own material, and a search engine optimization (SEO) industry has grown up to support that goal. Strangely, professional communicators have been slow to grasp the metrics of SEO activity, which largely entails dressing up content in accordance with known search behaviour and attempting, legitimately or occasionally otherwise, to harvest links for the page or pages in question. While all of the factors listed above for measuring destination sites play a role in search performance, the most important search metrics are those quantitative and qualitative measures of the content and the pages linking to it. Ranking according to link data allows sites to be prioritized according to their likely search visibility. Online risk is managed by developing relationships with sites to extents that reflect their relevance and search visibility, although for most sites the relationship should amount to little more than voyeurism.

Social upheaval Destination sites, search engines… as important as the above discussion is, it also seems a bit Web 1.0. Because while the internet has since its inception made the relationship between content providers and consumers less and less clear, recent developments have all but destroyed any comforting semblance of linearity. The rise of social networks has not only increasingly confused this relationship, but it has done so in such a way as to make relationships themselves the key to finding content in the first place. To the extent that hosted services provide their own metrics, the social sphere is measurable. The number of views for a YouTube video, for example, seems to me as good an estimate of audience as those provided by micro-sized television panels. But on looking across different platforms, the metrics threaten to get out of control. Is a Facebook friend worth more or less than a MySpace friend? Is a friend known through a group more important than one with whom an application is shared? Is a vote for a story on Digg worth more or less than a vote for the same story on a Digg clone catering to a specific niche? The answer in each case depends almost entirely on the proposition in question. But for any proposition, the main challenge comes in first making these metrics comparable, not only with those for other online spaces, but also with those for other media. Channels occupying separate media do not operate in isolation. Information flows between different forms of media as easily as it flows between channels. When messages flow between media, some of the greatest amplifications, dilutions and corruptions in the content of those messages can be expected.

We the gatekeepers In the context of the day-to-day activities of an organization, the flow of information through media channels is fairly consistent. For the most part, the chattering long tail is following an agenda set by the mainstream media, on or offline. But occasionally a story from the tail is so strong, or so well told, that it becomes a mainstream issue. On the way to the mainstream, it will invariably pass through (or the original channel will become) a gatekeeper site (Figure 2.2.3).

Figure 2.2.3 Media information cycle (a cycle linking the mainstream media (MSM), the ‘gatekeepers’ and the ‘chatter’ of the long tail)

Who are these gatekeepers? Frequently they are readily identifiable, be they blogs, chatrooms or niche news sites, social or otherwise. These sites will have performed strongly in search performance. They will be known to and read by mainstream media sources as well as their peers. Even so, regularly monitoring and measuring this space is crucial to managing online reputation because, thanks to Web 2.0, new sites can become influential and established ones decline in influence far more rapidly than has traditionally been the case. Perhaps the starkest example of this ‘media content cycle’ can be found in the response to the tragic shootings in April 2007 at Virginia Polytechnic Institute and State University, more infamously known as Virginia Tech. Rather than visiting the scene, some journalists indulged in ‘digital doorstepping’, gathering information from social networks. The shortcomings of this approach became evident when several offline mainstream media sources incorrectly identified the student responsible for the massacre on the basis of views expressed on the profile pages of some Virginia Tech students. These personal spaces became gatekeepers for the Virginia Tech story. This is an extreme case that illustrates two significant and related trends in information distribution. The first relates to the increasingly questionable divide between public and personal information; the second the resource problems affecting the mainstream media. The second is to some extent a corollary of the first: former content monopolies are losing advertising revenues to search advertising, which is built on the public (or at least, non-private) exchange of personal information.


The future of news In the past 18 months, a number of major traditional media newsrooms have been redesigned to accentuate online influence. Indeed, where the newsdesk used to be the key point of interaction between professional communicators and news organizations, the internet has in many ways superseded it as the most important way in. At the same time, the internet has provided myriad other would-be attention magnets – and more importantly, more efficient methods of distributing content. Media consumption seems likely to continue shifting in favour of more personalized niche offerings. Looking at the distribution of media attention, it is obvious that even the least popular MySpace page accounts for some attention once given to a more traditional source. There is an obvious vicious circle here: more advertising money into the tail means less resource, and less quality content, at the head, which in turn drives readers – and advertisers – down the tail, and so on. We have said that the long, chattering tail feeds off a canon served up by the mainstream media. If the mainstream is diminished, what will emerge to fill the void? At present it seems that niches, of various levels of expertise, are springing up around personal lines of information exchange. But where the mainstream has (or at least had) the resources to consistently validate its content, the jury is still out on the alleged wisdom of crowds. Engadget is a large operation with numerous staff, effectively a mainstream online source, but it still rushed to get the scoop on its bad Apple story. Nobody would claim that traditional media have an unblemished record where providing trustworthy content is concerned, but the kinds of networks now accounting for more and more attention, and increasingly capable of setting wider media agendas, seem a potent breeding ground for reputational risk.
In such circumstances, measuring the impact of a range of established and emerging channels in order to balance risk across them in both monitoring and outreach becomes a critical task, not just for communications professionals, but for the business as a whole.

Notes

1. The story was said to accurately reflect the content of an internal e-mail sent to Apple staff and later retracted.

2. Taleb, N N (2007) The Black Swan, Penguin Allen Lane. Fortunately for Taleb, he is a trader, and has made his fortune betting against the future strategies of others. Unfortunately for the risk managers, they are the others.

3. Stephen Fry, Web 2.0 (video interview (Adobe Flash)). Retrieved from VideoJug on 26 July 2007.

4. Simon, H A (1971) Designing organizations for an information-rich world, in Computers, Communication, and the Public Interest, ed Martin Greenberger, The Johns Hopkins Press, Baltimore, MD.

5. Anderson, C (2006) The Long Tail: Why the Future of Business is Selling Less of More, Hyperion.

6. A term coined by Dave Sifry, then CEO of blog search engine Technorati.

7. Indeed, the US online measurement firm ComScore recently suggested that a surfeit of internet metrics was creating paralysis among reputation managers.

2.3

Corporate reputation Gillian Lees, Chartered Institute of Management Accountants (CIMA)

Introduction It goes without saying that a good reputation really matters. It can mean that customers choose your product or service in preference to a competitor’s and thus make the difference between success and failure. However, managing reputation may be easier said than done. For example:

• A well-deserved reputation that has been diligently developed over many years can be seriously damaged in a day by circumstances that could be regarded as insignificant when set against the bigger picture.

• A good reputation can, perversely, be built on notoriety.

• Although an organization’s reputation can be harmed by adversity, it may emerge from the episode with its reputation enhanced – simply due to the way that it handles the situation. On the other hand, an organization can waste opportunities for building reputation through poor management of a crisis.

The case of Northern Rock shows starkly how a reputation can be damaged in a matter of days, to the extent that, at the time of writing, its long-term survival is in doubt. But despite the difficulties, organizations of all sizes and sectors need to be aware of the importance of reputation and the attendant risks. A good reputation can:

• help the organization to optimize shareholder value (or an equivalent) by enabling it to attract customers and high-quality employees;

• enhance the organization in good times and protect it during the bad ones. It can be argued that the reputation that Marks and Spencer had built up over many years was a significant factor behind its ability to come through its recent difficulties.

Reputation is a major risk issue for all organizations and needs to be considered alongside all the other major risks such as operational, strategic and financial risks. What this means is that organizations need to mitigate against the loss of reputation, but they also need to be looking for the upside opportunities to enhance their reputations. This chapter explores reputation in terms of 10 different aspects such as quality and ownership. It then moves on to look at reputation risk in more detail, in particular:

• causes;
• identification of reputation risk;
• measurement models;
• management;
• reporting.

It concludes by looking at some future possible trends in the field. The chapter is based on a recent CIMA executive report, Corporate Reputation: Perspectives of Measuring and Managing a Principal Risk, authored by Dr Arlo Brady and Garry Honey, two leading experts on corporate reputation. Their approach was to interview a number of key industry players to obtain insights from a range of perspectives in order to stimulate discussion and debate. The intention was that this would make a meaningful contribution towards the development of good practice principles in terms of reputation risk management.

Reputation Reputation matters because it has a bearing on value. It may not be identified on the balance sheet but it can affect investor confidence, employee recruitment, supplier attitudes and many other stakeholders. The threat of the loss of reputation represents a major risk for an organization. But what is reputation? It is useful to consider it in terms of 10 different aspects:

• Perceptions of control: while an organization can create and control a brand, reputation is something that is attributed to it by others. Thus, while the organization has the responsibility to protect and manage its reputation, it only has indirect control over it. Nevertheless, the organization does have control over its own behaviour and, through this, can influence the perceptions of its major stakeholders.

• Quality: reputation is a fluid concept. A good one can be earned through hard work, but can be lost quickly through bad luck or incompetence. It can also take a long time to shrug off a poor reputation.

CORPORATE REPUTATION 83 •





Apart from the dynamics of reputation, its quality also depends on the relative values of the sector or its stakeholders. An organization may have long enjoyed a good reputation for quality, but if a competitor then raises the bar, this reputation will be eroded.

• Stakeholders: an organization can have many stakeholders and it is possible to have a good reputation with one group and a poor one with another; for example, a supermarket may be regarded differently by its suppliers than by its customers. Organizations must therefore understand who their stakeholders are and their relative importance.

• Reputation vs brand: reputation is not the same as brand. As we have already seen, an organization has more control over its brand in that it develops a brand in order to sell its product or service to customers. In contrast, a reputation is created by all stakeholders on the basis of their experience and expectations of the organization.

• Reputation as an asset: while reputation cannot be classed as an asset for balance sheet purposes, a good reputation can be seen as an asset to the organization.

• The value of reputation: as we will see, reputation is influenced by too many different factors to make it viable to ascribe a value to reputation.

• Reporting on reputation: in view of the difficulty of calculating a financial value for reputation, it is best reported as part of a narrative report. Reputation in itself does not constitute a risk, but the threat of the loss of reputation is a risk and should therefore be reported as such.

• Ownership: it is difficult to assign responsibility for reputation, but it is important to do so. The board has prime responsibility for the organization’s reputation.

• Trust: reputation dictates how people behave and in whom they place their trust. So, it can be argued that reputation is ultimately a matter of trust.

• Damage: the extent of damage to reputation caused by an event will depend on how easily trust can be recovered. This will depend on the prior state of the reputation, the nature of the threat and the way that the threat was handled.

Reputation risk Reputation has a value even if it cannot be expressed in financial terms. The possibility of this value being reduced represents a business risk. Most organizations lack sufficient knowledge of the key drivers of their reputation and are therefore unable to take appropriate action to identify or protect against this risk of devaluation. Any incident that reduces trust among any single stakeholder group can damage reputation. The severity of this damage and its cost will depend on the influence of the stakeholder group and its impact on the organization. A risk to reputation occurs where the organization fails to meet the expectations of a stakeholder group. The key to effective reputation risk management is therefore the management of expectations. It is for this reason that stakeholder mapping can be a useful tool in reputation risk management.


Causes of reputation risk An analysis of reputation damage to corporations over recent years shows that reputation risk can be classified into three categories: cultural, managerial and external. This classification was tested in a survey with Strategic Risk magazine in 2006 and was found to be valid.

Cultural risk Cultural risks can be difficult to identify as they are embedded within the culture of the organization and relate to workplace practices and policies. Some may be imposed by a third party while others are discretionary. Legal risk, for instance, relates to regulatory rules and codes such as reporting regulations and company law; a good example is provided by the loss of reputation (and of its existence) suffered by accounting firm, Arthur Andersen, which fell foul of regulatory rules in relation to its audit of Enron. Ethical risk relates to self-imposed standards, albeit reinforced by codes of conduct formulated by professional bodies and similar organizations. Ethical risk arises when there is some inconsistency between words and deeds. For example, Google suffered reputation damage in entering the Chinese market and accepting censorship.

Managerial risk This includes executive risk, which relates to meeting performance targets and satisfying customers. Things can go wrong due to incompetence or even arrogance; for example, Coca-Cola tried to launch a bottled water in the UK called Dasani. This was found to be tap water and the disclosure led to a hasty and expensive recall. Operational risk relates to performance expectations and how well a product works. Despite quality control, mistakes happen and products need to be recalled. The extent of the reputation damage will depend on how well this is handled. Examples of good practice in this regard are held to be the recall of Tylenol in the United States and Perrier in Europe.

External risk These are risks to the organization from the outside. They can be quite close – in the form of a partner, supplier, agent or contractor – or distant in the form of a natural disaster on the other side of the world. Association risk arises where a critical part of the organization’s product or service is delivered by a third party. In essence, the organization’s reputation is dependent on the standards of the supplier organization. For example, Mattel’s reputation has been damaged by the failure of its outsourced Chinese manufacturers to meet required production standards, so leading to a major product recall. Environment risk can arise from the natural or commercial environment. New technology alters the marketplace or a new overseas competitor enters the organization’s market. Other risks can arise from disasters, whether natural or due to human error; for example, the major Buncefield fire affected unrelated businesses in the vicinity of the plant.

Identification of reputation risk CIMA’s study on reputation risk did not find any organization that claimed to identify reputation risk specifically. Instead, organizations claimed that this was adequately covered through existing operational and strategic risk reporting procedures. Reputation risk tends to be seen as an outcome from these other risks and is therefore not singled out for dedicated attention. Reputation risk escapes scrutiny for four main reasons:

• The nature of reputation risk as a failure to meet stakeholder expectations means that it is a subjective perception of character that is determined by others. It is therefore intangible and not anchored financially.

• The cost of reputation damage depends on a wide range of factors, including competitor behaviour and market conditions. In addition, the final cost is only ever known after the loss of future business has been considered. The reputation damage cost can only ever be really known 5–10 years after an event or even longer. What all this means is that it is virtually impossible to calculate the cost of reputation damage in a meaningful way.

• The probability of occurrence cannot be forecast as reputation is linked to human behaviour, which is notoriously difficult to factor into models.

• The lack of ownership means that responsibility for vigilance is unclear.

The most significant finding of the CIMA study was that reputation risk is not specifically identified, despite the fact that most interviewees agreed that it represented a principal risk that should be reported in the Business Review to comply with the new Companies Act.

Measurement of reputation risk There are several methods available for measuring reputation risk. The two basic types are:

• a ranking model used by some analysts who use published information to compare reputations;

• a bespoke approach that uses internal client information as an aid for reputation owners.

The ranking model has the advantage of providing a comparative score, but the disadvantage that this fails to be stakeholder or issue-specific. On the other hand, the bespoke model can be used as a management tool, but it cannot provide a comparison between different reputations.

Management of reputation risk There are typically four responses to managing risk:

• retention;
• avoidance;
• reduction;
• transfer.

The fourth option, to transfer risks, is not possible in the case of reputation risk in that it cannot be insured or handed over to another organization. Strictly speaking, reputation itself cannot be managed. Because it is determined by stakeholders, the reputation owner can only influence their expectations as an act of risk management. Therefore reputation risk management is actually expectation management through stakeholder engagement. Organizations manage reputation risk in different ways. There appear to be four different levels of commitment to this, as shown in Table 2.3.1.

Reporting of reputation risk Reputation risk is best expressed through narrative reporting. As we have seen, it is difficult to ascribe a monetary value to reputation risk, so any expression in financial terms is likely to be unreliable. The Business Review in the new Companies Act places more emphasis on narrative reporting with a requirement for a ‘description of principal risks and uncertainties facing the company’ and a ‘balanced and comprehensive analysis’ of the business. There is no doubt that reputation risk forms an integral and important part of this risk report for many companies. Narrative reporting is a developing area and there is considerable scope for improving the reporting of risk and value. A major initiative in this field is the Report Leadership group, which has demonstrated practical and effective ways to improve narrative reporting, including risk reporting.

Future trends There is no doubt that organizations will need to continue to pay close attention to their reputation and the management of the attendant risks. The following are some of the key issues that are likely to impact on the reputation debate. First, there is the issue of determining business partners in whom an organization can place its trust without risking its reputation to an unacceptable extent. In an increasingly globalized, complex world, this becomes more of a challenge as evidenced by the recent experience of Mattel and its recall of products manufactured by its Chinese partners.

Table 2.3.1 Management of reputation risk

Commitment level: Controlled
Sophistication level: Managed by chief risk officer (CRO). Executive interest.
Management process in place to handle risk to corporate reputation: Reviewed regularly by the chief financial officer (CFO) as a strategic risk and discussed at board level. Supported by independent tracking of diverse stakeholder group attitudes. Sophisticated and sensitive.

Commitment level: Managed
Sophistication level: Managed by risk manager (RM). Operational interest.
Management process in place to handle risk to corporate reputation: Reviewed as part of a corporate risk register but not measured or monitored by the corporate strategy committee. Compliant with Turnbull guidelines in risk identification but little control over reputation risks.

Commitment level: Supervised
Sophistication level: Managed on a severity-of-risk basis responsively.
Management process in place to handle risk to corporate reputation: Managed on an ad hoc basis by senior management alongside all other operational and strategic risks. Tends to be crisis-response only, reactive not proactive: fire fighting approach.

Commitment level: Unmanaged
Sophistication level: Not managed at all.
Management process in place to handle risk to corporate reputation: Reputation risk is not measured or managed in any way – it is not considered a risk worth measuring or trying to manage, other than by having an agency retained to handle any problems if/when they arise.

Second, the internet age of instant electronic information has provided another medium that organizations need to manage and monitor effectively. A good reputation can be hijacked by a malicious fraudster, and identity fraud is a major concern for financial institutions. Furthermore, organizations also need to bear in mind the use of electronic media for both communication and opinion forming. Blogging, for example, is opinion broadcasting without censorship or codes of conduct. We have already seen how reputation is dependent on stakeholder perception and truth is often a victim of sensationalism. What this means in practice is that organizations will need to devote a much higher level of proactivity than was ever required before in order to protect their reputations. HSBC, for example, has recently had to scrap its decision to abolish interest-free overdrafts for students leaving university in the summer, on account of a successful campaign by students, using Facebook, an online social community. Third, there is concrete evidence that organizations are indeed facing a more risky environment than was previously the case; this, in turn, means that reputation itself faces more threats. As an example of this vulnerability, Adrian Slywotzky (2007) notes that the proportion of Standard & Poors (S&P) stocks that were rated A (high quality, low risk) fell from over 30 per cent in 1980 to 14 per cent in the mid-2000s. During the same period, C-rated stocks (low quality, high risk) increased from 12 per cent of the total to 30 per cent. Clearly, risk management requires more dedicated effort and attention than ever before. Finally, organizations are under increasing pressure to understand and report on their key value drivers; reputation is a highly influential driver of value and it will be a major challenge to develop common measures and ways of expressing the nonfinancial value of reputation and the related risks. But as a good starting point, the significance of reputation is such that it should receive dedicated and specific attention by an organization’s board and management despite the challenges associated with identifying and measuring the risks related to it. It is only by shining a spotlight on the subject and assigning responsibility for it within the organization that progress towards commonly agreed principles is likely to be made.

Further reading

Brady A and Honey G (2007) Corporate Reputation: Perspectives of Measuring and Managing a Principal Risk, CIMA, free download from www.cimaglobal.com/corporatereputation

Report Leadership: Tomorrow’s Reporting Today, see www.reportleadership.com or www.cimaglobal.com/reportleadership

Slywotzky A (2007) The Upside: How to Turn Your Greatest Threat into Your Biggest Growth Opportunity, Capstone Publishing

Strategic Risk magazine, see www.strategicrisk.co.uk

2.4

Contract risk Robert Chapman and Dominic Healey, Siemens Insight Consulting

Introduction The most important lesson of the last few years is that board members can no longer claim to be ignorant of business risk. The board is not immune. When the absence of adequate risk management leads to something going wrong, as it invariably does, the board will be held accountable. Positions will be vulnerable and shareholders will want to hold individuals to account in the aftermath of adverse events. In addition, if the event is sufficiently high profile, the media is likely to ensure that the news reaches a wide audience. There is no longer any hiding place. The board needs to focus on those areas of risk that can have the greatest impact to their business. An area of risk management that receives insufficient attention is contract risk. In this chapter, contract risks from a buyer and a supplier perspective are examined, together with examples of good and poor risk management. Good risk management can capitalize on opportunities and secure business objectives. Poor risk management has led to the loss of executive jobs, reduction in share value, damage to reputation and loss of projected earnings.


Board accountability There is now a proliferation of standards, guides and books contributing to a wealth of knowledge on the subject of risk management. In addition, various forces have converged to push risk management into the consciousness of management and boards. However, effective risk management is not ubiquitous and would still appear to be elusive to some organizations. The application of robust, effective risk management, even within some FTSE 100 companies, is still weak. While all large companies carry out risk management to some degree, a key challenge for boards all around the world is to develop a new rigour in their processes. There still needs to be a transformation in the application of risk management from conformance to performance. The message has not got through that the mismanagement of risk can carry an enormous price and that effective risk management is a key enabler for meeting objectives and as such improving the balance sheet. In particular, those organizations that are most effective and efficient in managing risks to both existing assets and future growth will, in the long run, outperform those that are less so. More importantly, a business that cannot manage risks effectively may simply disappear. The solution is for board members to learn of the potential for adverse events, be sufficiently aware of the sources of risk within the area of business they are operating in, and take pre-emptive action. Steps must be taken to ensure that the objectivity and perspective sought by adding non-executive directors to the board, to support decision making, is not undermined by their lack of understanding of risk management, its tools or its techniques. Board members need to enhance their understanding of risk management and in particular the risks associated with any form of business change.

Identifying the board's appetite for risk management

One of the common questions to be asked when setting up a risk process is 'What is the organization's risk appetite?' But this can be premature. The more pertinent question is 'What is the board's appetite for risk management?' To some, talking about risk management is about as motivating as planning a trip to the dentist. When the subject is raised during the 'lift speech', eyes can glaze over and interest is lost. But risk management could not be further from root canal treatment. Carried out appropriately it can be energizing and very rewarding. Risk management can be one of the more exciting aspects of business – growth – through looking at new opportunities and how they may be taken advantage of.

CONTRACT RISK 91 •

Identifying responsibility

While the board is not responsible for managing the business, it does have responsibility for overseeing management and holding it accountable. Hence, the duty of the board is not to undertake risk management on a day-to-day basis, but to make sure that frameworks are in place that support the utilization of risk management throughout the organization. The board should ensure that the information it receives about risk is accurate and reliable. Directors should maintain a healthy scepticism and require information from a cross-section of reliable sources, from the CEO, CFO and senior management to internal and external auditors. Board members should be prepared to ask tough questions and they should make sure they are able to understand the answers. In particular, they should be fully conversant with the risk ownership profile of contracts and how risk management dictates behaviours.

Risk management applications

Regardless of the size of an organization, risk management should be applied to at least the following activities, as banks, investors, shareholders and partners will increasingly expect to see evidence of a detailed risk assessment when reviewing business proposals of any substance:

• entering into a contract;
• developing strategic development plans (long-range planning);
• preparing business plans;
• seeking additional finance;
• preparing for and implementing organizational change;
• choosing between options;
• commissioning new premises or acquiring existing premises to refurbish;
• carrying out a project;
• submitting a bid for a major new commission;
• delivering a major commission;
• entering into a joint venture;
• looking to penetrate new markets;
• installing a new IT system;
• developing business resilience;
• acquiring a new company;
• expanding overseas;
• evaluating opportunities.

Contracts

Reflecting on the bullet list above, the one area of risk that all businesses face at some stage is entering into a new contract. A series of questions needs to be asked if an organization is considering such action. Clearly the questions will differ depending on whether the organization is delivering or procuring a service or product.


The three main functions of contracts are to define:

• responsibilities (demarcation of work to be performed by the contractor and client if appropriate);
• risk ownership (how the risks inherent in the activity will be allocated between the contracting parties);
• the client's objectives (to implant motives in the contractor that match those of the client).

There is a common misperception that the best way to manage risk is to transfer it and that such an action results in its removal. Transfer of risk to the wrong party can actually enlarge a risk. Client organizations, when deciding upon the allocation of risks, need to recognize that they will pay for those risks that are the responsibility of the contractor, as well as their own, for contractors will usually include contingencies within their tenders as a means of guaranteeing their return on investment in the event that risks allocated to them materialize. In addition, clients must recognize that the more risk that is transferred to the contractor, the higher the tender price will generally be (unless it is a very depressed market) or, more likely, that tenderers will withdraw. Hence, when considering the allocation of risk to another party, consideration should be given to the following factors:

• the ability of the party to manage the risk;
• the ability of the party to bear the risk if it materializes;
• the effect that risk allocation will have upon the motivation and behaviour of the recipient;
• the cost of the risk transfer;
• how risk transfer will affect all of the activity objectives.

The allocation of risks between the parties in a contract should be identified by the client prior to the tender process. The client should include within the tender documents a risk register, which describes the identified risks and the proposed allocation of ownership.
The tenderers should be asked to price the risks, identify their proposed response categories and response actions, and confirm the allocation of the risks between the contract parties within their tender. The review of the risk registers within the tender returns will form a significant component of the tender evaluation process. How this is approached will depend on the form of the procurement route adopted. Clients must recognize that different forms of procurement have different risk ownership profiles. The main reason why the Scottish Parliament Building project failed to meet its objectives (as cited in both the Auditor General's report and the subsequent Holyrood report) was the choice of the procurement route. The selection of construction management was cited as the single factor to which most of the misfortunes that had befallen the project could be attributed.1 Surprise was expressed during the Holyrood enquiry about the selection of construction management when it was evident that the Scottish Office (while working to publicly declared fixed budgets and being highly 'risk averse') had chosen a procurement route that offered no fixed budget and had a high degree of attendant risk for the client. In his report Lord Fraser stated:

'it verges on the embarrassing to conclude, as I do, that virtually none of the key questions about construction management were asked. Similarly none of the disadvantages of construction management appear to have been identified.'

Delivering a service or product

When considering risk management of delivery, several questions should be answered by the tenderer. These questions need to be specific, relevant and engaging:

• How much could we lose if we cannot satisfy the terms of the contract once signed?
• Are we absolutely sure what we are required to deliver if we accept these contract terms?
• What are the critical resources for the delivery of this contract and, if after commencing the contract they were lost/no longer available, how would we recover and how long would it take?
• What would be the damage to our relationship with our client, our reputation and our standing in the market if we do not deliver this contract on time?
• What is our experience of delivering this type of product/service?
• Do we have adequate business continuity plans in place to cope with disruption to our premises?
• Are the production/delivery costs fully understood?
• What changes in the marketplace that are currently expected could impact on the contract?
• If critical members of staff for the contract, for whatever reason, became unavailable, how would the organization respond?
• How would our share value be affected by adverse media if the contract resulted in litigation?
• Are there any critical project dependencies?
• Are there any aspects of the service or product that involve novel technology?


Case Study 1: Airbus (delivering a product)

Airbus, the European plane-maker, is an organization that has clearly failed to manage its production risks on its A380 'superjumbo' and deliver against its contracts with airline carriers. The A380 has cost Airbus €12 billion ($14 billion; £8 billion) to develop, and will be the world's largest-ever airliner, seating more than 800 passengers across two decks.2 It is designed to fly between the main international hubs. In September 2006 it was reported that the first of the 159 ordered so far would be handed over to Singapore Airlines, 12 months behind schedule. Airbus has admitted that it will deliver only nine next year, instead of the promised 25, up to nine fewer than planned in 2008 and five fewer in 2009. The A380 production problems caused a publicly stated 26 per cent slump in the share price of the majority owner, the European aerospace and defence group EADS, when it became public knowledge. As a result of these delays, several executives have lost their positions. In June 2006 it was announced Airbus chief Gustav Humbert had resigned over the A380 delays. He said at the time:

'the recently announced delay on the A380 production and delivery programme has been a major disappointment for our customers, our shareholders and our employees. As president and chief executive of Airbus, I must take responsibility for this setback and feel the right course of action is to offer my resignation to our shareholders.'3

In September 2006 Charles Champion, the executive in charge of the flagship A380 programme, was dismissed, it was reported, due to deliveries being put back by a year, resulting in a €2 billion (£1.35 billion) reduction in earnings over the next three years.4 According to Airbus staff, Champion paid the price for failing to inform the Airbus board promptly of the A380's mounting technical difficulties, and for allowing severe production bottlenecks to continue unchecked for months rather than fixing them immediately. Chief Executive Geoff Dixon of Qantas (one of the contracted carriers) has said that Qantas would be seeking compensation from Airbus, under the terms of its contract.5 Further compensation claims from other airlines are likely to follow. So, in addition to the loss of earnings, Airbus will face further losses through compensation payments to airlines. John Leahy, Chief Operating Officer for Customers, declared that it is standard practice to compensate contracted parties and said that 'payments will be made for each day of delay in delivery'.6 Airbus at the time was 80 per cent owned by EADS, and 20 per cent by the UK's BAE Systems. However, BAE Systems has decided to sell its stake in Airbus. Mike Turner, chief executive of BAE Systems, said he had 'no regrets' about the sudden decision to sell off its 20 per cent stake in Airbus for £1.9 billion and insisted that major shareholders were right behind him.7 This was significantly lower than the anticipated sale figure of £3 billion mooted in April 2006.8 BAE Systems also predicted that the European plane maker would announce further delays to the delivery of the A380 and was likely to unveil a hefty cash call in future.

Procuring a service or product

When considering risks associated with procurement, several questions should be answered. Again these questions need to be specific, relevant and engaging. The following list, while not exhaustive, contains the key issues to be addressed:

• Has the contracting party appropriate experience?
• Is the contracting party financially stable?
• Has the organization sufficient resources?
• What contractual commitments does the contracting party already have?
• Is the contracting party currently in litigation with other clients?
• What is the delivery track record of the organization?
• How robust are their processes?
• What are their management capabilities?
• Which of the organization's key representatives will be assigned to the contract?
• Is the organization able to deliver in the required timeframe?
• How will relationships be developed to engage the contracting party in delivery?
• How will risk management be addressed?

Case Study 2: Terminal Five (procurement of services)

The British Airports Authority (BAA), when embarking on the Terminal Five (T5) project at Heathrow Airport, gave considerable thought to the contracts they would engage in and the management of risk.9 The research they conducted into major construction projects prior to the commencement of T5 highlighted two key areas that seemed to undermine progress: cultural confusion and the reluctance to acknowledge risk.10 From a slide included in a presentation by Tony Douglas (Managing Director of T5), a clear lesson was that process, organization and behaviours, together with leadership, should be a key focus (Figure 2.4.1). A key component of all of these aspects of management was the mitigation of risk.


Figure 2.4.1 Lessons learned (slide from the T5 presentation by Tony Douglas)

• Research from £1bn+ projects
• Process, organization, behaviours
  – Actively expose & manage risks
  – Actively promote & motivate success (opportunity)
  – Actively address behaviours & all key relationships
• Leadership
  – Change & uncertainty is the norm
  – Risk is the square of the size, e.g. 10x size = 100x risks
  – A different outcome means doing something different
• No solution is a 'dead-cert'

T5: The world's most successful airport development

As a consequence of this research, BAA recognized that the risk associated with such a large infrastructure programme, coupled with the sheer complexity and scale of work involved, would require a fresh approach to the way the project should be managed if it was to be built on time and within budget. Risk management was seen as a key enabler for programme success. As a consequence BAA took a unique contractual approach and prepared the T5 Agreement, a bespoke commercial partnering agreement between BAA and contractors and suppliers.11 The T5 Agreement is the legally-binding contract between BAA and its key suppliers. It is a contract based on relations and behaviours. Described by BAA as groundbreaking, it is considered to be unique in the construction industry. Through the agreement BAA accepts that it carries all of the risk for the construction project. With this burden removed from contractors and suppliers, BAA believed it would encourage contractors to solve anticipated problems, integrate as teams and focus on proactively managing risk rather than avoiding litigation. The programme is currently reported to be on budget and programme. BAA bears out Apgar's argument that those that succeed with new opportunities can better cope with risks and develop 'risk intelligence' as a competitive advantage.12


Conclusion

There is a need for businesses to move away from compliance to performance in the way risk management is applied to businesses. Boards need to become more informed about how risk management can improve bottom line performance. Among the business activities that most significantly either contribute to or erode performance are contracts. For any business, equal attention needs to be paid to contracts that are entered into to either supply or receive services. The degree of risk transfer between a client and a contractor will dictate the behaviour of the contractor, and risk transfer can prove to be a false economy. Risks within a contract need to be made explicit prior to the contract being signed so that each party is fully aware of the risks that it will own and the impact they will have, should they materialize.

Notes

1. The Holyrood enquiry, A Report by The Rt Hon Lord Fraser of Carmyllie QC, 15 September 2004, © Scottish Parliamentary Corporate Body.
2. BBC News (2005) Airbus confirms super-jumbo delay, Wednesday, 1 June.
3. BBC News (2006) EADS and Airbus bosses both quit, Sunday, 2 July.
4. David Gow (2006) Airbus sacks third chief over A380 debacle, Guardian, Tuesday, 5 September.
5. BBC News (2005) Airbus confirms super-jumbo delay, Wednesday, 1 June.
6. BBC News (2005) Airbus pays price of A380 delays, Friday, 11 November.
7. Terry Macalister (2006) Airbus problems likely to continue, says BAE, Guardian, Thursday, 14 September.
8. BBC News (2006) BAE confirms possible Airbus sale, Friday, 7 April.
9. BAA plc has delisted from the London Stock Exchange and is now owned by Airport Development and Investment Limited, a company held by the Ferrovial Consortium. BAA owns and operates seven UK airports, and provides over 1 million m² of commercial accommodation for more than 900 retail organizations at its airports. T5 represents a huge programme of construction works. It involves over 60 contractors, 16 major projects and 147 sub-projects on a 260 ha site. The estimated cost is £4.2 billion. The projects will boost Heathrow's capacity by 30 million passengers a year. Many of the 60 aircraft stands are designed to handle the 550-seat Airbus A380s. The programme is being financed by BAA and BA will be the sole tenant, transferring its operations from other terminals and consolidating its business into one building.
10. BAA T5 Agreement fact sheet.
11. www.baa.com.
12. D Apgar (2006) Risk Intelligence: Learning to Manage What We Don't Know, Harvard Business School Press.

2.5 Managing reputational risk as a PLC

William Cullum, Corfin Communications

Risk management for a public company should perhaps be seen simply as reputation management. Looking at the industry's own A Risk Management Standard, it is striking that the thing that should overarch the schematic 'Examples of the drivers of key risks' is reputation. Why is it not there?

Reputation: your licence to operate

A wizened old public relations person once said that your reputation is your licence to operate. If you damage or lose your reputation, people tend not to listen to you, and if they are not listening then you cannot raise capital or effect a takeover or make the changes that will drive your business. In short, you are out of a job. Reputation management wraps up all of risk management. In an ideal world, everyone in a company from the delivery driver to the receptionist to the chief executive, should recognize that what they do has an impact on the company's reputation. In an ideal world, reputation management should be seen as everyone's business and be a central part of any enterprise's culture. Of course, this is extremely difficult to achieve, but if you think of the businesses you admire you will note that they have done it. It is hard not to be impressed by people who work in great businesses and, as we all know that a personal recommendation is the best recommendation, you can see that a successful culture becomes a powerful tool for promoting your business. In a public company, you are a public person. I know this seems obvious but it would be an easy bet to win if one claimed that many chief executives behave as if they owned the company rather than ran it for shareholders. As such, many are unwilling or uncomfortable about engaging with the broader world in order to articulate what it is that a business does and why it does it. Many just want to play with their train set, having failed to apprehend that as senior executives in a quoted company they have two jobs: one is to run the business, the other is to report to the markets or – as Michael Peters said – to be the business's chief story teller. A failure to engage either at all or in a way that is appropriate to your business represents a serious business risk. You can be ignored – or worse, poorly rated – resulting in being bought out at well below your market worth and in losing your job. Reverse engineer the issue and ask yourself what you would expect to see should you need to approach your business. Employ a good PR firm with whom you can have frank discussions and take your role as the chief story teller or public persona of the business seriously. Treat journalists, fund managers and analysts as clients (it is amazing how well they recall who has messed them around…) and try not to believe that you are charismatic: you are neither Bill Clinton nor Philip Green. Mainly you got to the top because you are hard working and pay attention to detail; don't confuse the story by confessing a strange love of disco dancing or erotic art. People will tend to remember you for all the wrong reasons.

Learn what is expected of you

It is not just businesspeople who get this wrong. We live in a world obsessed by celebrity where our expectations of well-known people are absurdly high. Celebrities cannot afford to let their guard down. Attending a drinks function recently, the guests were thanked for their attendance by the chairman, a former senior military man of great bearing, thespian voice and walnut face. And that was it, he simply thanked them. The disappointment amongst the guests was palpable. They wanted him to amuse them – if only for a little while – with some nugget or insight from a world very different to their own. He did not deliver. And, for his part, I suspect that he did not even realize that this was expected of him. The risk to his reputation was ignorance of his audience's expectations and, as a celebrity, that is unforgivable. When you go 'on parade' for your company, whether it is a seminar or 'just' a drinks do, be prepared by knowing what the world expects of you. More seriously, Britain's Navy took a huge reputational thump when some of its personnel were captured at gunpoint by Iranians. On release, a couple of their stories found their way into the press. Again, a failure to understand what is expected of people in certain roles leads to likely errors of judgement. We British like our service personnel to have a stiff upper lip, especially in the Senior Service: little hurts like the pain of ridicule.


Presentational risk occurs every time a company makes a statement. At an initial public offering (IPO) or listing for example, the management team goes on display for the first time. Sometimes, in spite of the best public relations advice and training, this does not work well. Most of you will be familiar with Mike Ashley of Sports Direct fame. Here is a man who infuriates many in the City, investors and analysts alike, by apparently not giving people what they want – just read the press. Investors initially rewarded Mr Ashley's obvious and very successful endeavour by buying a large part of his equity, thereby making him very rich – and perhaps on this basis he feels secure enough to ignore the complaints against him. We can only speculate but, from a risk management perspective, perhaps the first question for an entrepreneur to ask is whether he or she is psychologically suited to being a public figure. If you don't like the spotlights, stay off the stage or, at the very least, employ a good PR firm that can help you stick to your messages. This is not as odd as it might seem. Some entrepreneurs, like the hugely successful Richard Branson and Philip Green, did not like the harsh and sometimes constricting focus of reporting to the City. They left the plc world. Others, like Anita Roddick, stuck with it but used professional managers to do the talking, saving her breath for (to her and many besides) more important issues. As an aside, try not to be too controlling in IPOs. Yes, you have to verify what you say about yourself in all that official documentation. However, we always advise our clients to allow, even encourage, third-party research and questioning. That is what makes a market, and if your story is sufficiently robust then there will be no issue. As private businessmen, people can say what they like when they like and need worry only about their customers. This can often lead to them being seen as mavericks and their sayings deemed insightful; this is probably not the case, and being private may simply give your reputation more elbow room.

Stakeholders do exist

On the other hand, being private can still present you with reputational risk. Ask anyone who has worked in private equity over the last 12 months. Private equity got into trouble not because it was private but rather because:

• its ambitions got ever bigger;
• the businesses it sought to acquire were increasingly consumer oriented;
• the returns it appeared to be generating were disproportionately huge relative to the risks incurred;
• its managers started to behave as if they owned the place (and maybe they did!).

Rightly or wrongly, and especially in consumer industries, many people feel an emotional bond to 'their' store, branch or pub, particularly where those businesses have improved their lives. As a private businessman or even as a civil servant you may dispute the intellectual validity of the stakeholder but the emotional tie is real. This in turn confers upon you a responsibility for your brand or reputation. One of the things that infuriates people about government departments is that no one in the massed ranks of officialdom appears to bear that responsibility. As for private equity, it started to alienate people because it refused to understand the risks attendant upon failing to manage its reputation. People at the top mistook arrogance or indifference for privacy.

The internet: a frontier moves closer

The internet continues to democratize information and this has two consequences for risk management. The first is that more people know about your business. Moreover, they expect to be able to learn more about your business than they ever could previously simply by searching the internet. A key recommendation therefore is for a business to have a web site that is appropriate in terms of your industry, sales revenue and other such factors, and relevant to people's (employees', customers' and yes, stakeholders') expectations. The other thing about this democratization process is that it allows people to launch campaigns against you and your products. Some of these campaigns are ill considered and some are given a weight by the internet that is out of all proportion. We once waited for a full-scale internet-driven campaign to blow up in our faces only to find that it consisted of three people standing outside a store in Slough. Others are simply libellous or illegal. Nevertheless some campaigns do hit home, usually those from 'left field'. Managing your company's reputation in the ether is every bit as important as managing it in print. For example, think here of campaigns to improve the quality of a well known MP3 player, animal rights activism, civil liberties campaigns, the campaign against HSBC that used Facebook as an organizational tool or even 'Fast Food Nation' (although this came out of a book). Note also that a national newspaper recently carried an article on how to conduct a successful campaign. In practical terms, how do you set about reputational risk management? The short answer is to perform a crisis audit, in other words to ask yourself what could go wrong in various parts of your organization and then to see what you might have to say to the outside world about this. It is best practice to nominate a crisis committee and to have a written methodology and cascade of contacts in place. And do appoint an emergency duty officer for the weekend. You should assume that any crisis, when it hits, will occur at the most inopportune moment. They always do. So if it is Christmas or the board is having a business review in France, that is when trouble will come knocking. Products will always need to be recalled at peak season, warehouses will always explode when fully stocked (think Buncefield here), and transport employees will always go on strike at the height of the holiday period. The other thing to understand is that a Crisis with a big C is rather more common than you might imagine. It is simply that most are managed.

Never speculate

If a crisis does appear, by all means try to work out whether what has happened has been an accident. If it is, seek to ascertain whether there has been a sin of omission or commission but do this behind closed doors. Do not speculate as to causes and certainly never speculate in public or to a journalist. During a crisis focus on remedies rather than blame and stick closely to what you know. Another golden rule of crisis and risk management is to take your beating – but take it only once. Don't keep getting worked over for the same old thing. If you have had a crisis and dealt with it, then move on. Don't keep referring to it in your statements and updates: the capital markets tend not to spend too much time looking in the rear view mirror as they are much too hungry for new opportunities. The media, though, quite often likes its stories done to death – try not to oblige. If you do have boardroom issues, try to be discreet. There are good reasons for this. The first is that the lifespan of a job at the top is very short. CEOs last less than five years on average but good ones pop up in other places. So do not make mortal enemies. The other thing is that board changes can become strategic challenges that in turn become front-page stories. Think here of the turmoil at M&S and Sainsbury's a few years back when it became apparent that both businesses, previously consumer darlings, had failed to move with the times. The story moved from the business pages to food and fashion and then to news, and a negative cycle began. Restoring the reputations and market shares of both businesses has taken time, cash and considerable effort.

What does the world say about you?

Reputational risk, as we have seen above, often stems from a misjudged remark or a misconceived notion about a business. The unfortunate Gerald Ratner revolutionized the UK jewellery trade but is more frequently remembered for his remarks comparing a pair of earrings and a prawn sandwich that cost him his career. Use perception audits as a valuable risk management tool – whether of consumers, media, analysts or investors – because, conducted properly, they allow management to get an unvarnished picture of how the business is seen. It is then up to the board to act. Finally, if you do tarnish your reputation, can the situation then be retrieved? In a recent Financial Times article, Luke Johnson suggested that a damaged reputation can be restored by (a) making lots of money, and (b) time. I might add that there is a third curative mechanism that is not to be recommended, namely Death.

Conclusion

To sum up then: your reputation is your licence to operate and a company's reputation should be everybody's business. Your reputation is at risk all the time but especially in a quoted company on public occasions. Take advice from your PR company and do your homework so that you are well prepared. Stick to your messages and don't go 'off piste'; for example, finance directors are not supposed to be funny. Expect things to go wrong and build this into your planning and communications needs. Don't speculate but be prepared to take the blame once, if it is indeed something that you have done wrong. Stick with what you know and are good at, and your reputation will remain healthy.


2.6

Terrorism: rehearsing crisis management plans Roy Ramm and Neil Miller, Commercial Security International Limited (CSi)

Introduction: the evolution of terrorism
If the history of terrorism tells us anything, it is that the threat changes in method and direction so as to defeat security measures and infrastructure. The 9/11 attacks in the United States were a perfect example of the threat evolving in such a way that it was unique in its simplicity: the terrorists found a weakness and exploited it ruthlessly and with devastatingly lethal effect. Terrorists seek maximum impact by threatening infrastructure, whether it is transport, power, broadcasting, communications or utilities. All of these have been attacked or have figured on target lists. Similarly the banking and financial sector, central to the commercial life of the country, has previously been targeted by terrorists, as have hotels and tourist destinations. Disruption and economic loss are primary terrorist objectives. But that is still not the full extent of the impact. Collateral damage through proximity to adjacent targets, secondary targeting and misdirected attacks all mean that most businesses in major commercial centres need to consider the impact of a terrorist attack or threat.


Objectives
There is an abundance of evidence that whilst a badly handled incident can cause complete organizational failure, organizations that are perceived to have handled a crisis well will earn public respect, retain customer loyalty and become stronger in the long term. This chapter aims to offer some reference points for assessing existing security measures as well as implementing and rehearsing crisis management plans. In particular we look at:
• current threat and motivations;
• crisis management planning;
• testing and rehearsing exercises.

Current threat and motivations
Following the so-called 'spectacular' of 9/11, the Madrid, Egypt and Bali bombings and the events in London in 2005, there is no doubt that the major current terrorist threat emanates from extreme Muslim fundamentalist terrorism (MFT). The structure of the threat presents particular difficulties. Unlike the paramilitary structures of the Provisional IRA, so far the MFT does not offer apparent organizational structures. It appears to be based on a combination of ideological, philosophical and political strands that intertwine and run through the worldwide Islamic community and enjoy significant support, albeit that support from most moderate Muslims is limited. In terms of motivation, terrorist activity in one state is 'justified' as a response to government action in another. Whilst there is growing evidence of the existence of training camps in Pakistan and Afghanistan for British-born Muslim terrorists, there is also increasing evidence that MFT is as much a 'home-grown' problem as it is an external threat to the UK. Though it may be too early and extreme to define the threat as endemic, the Government will look to community and faith leaders for robust action to stem further growth. Two further factors distinguish the current threat from any previously encountered in the UK. The first is communication: global internet and mobile communications now provide the kind of networks that allow the exchange of ideas, motivations, instructions and tactical coordination to take place with relative ease and anonymity. The second is the emergence of the suicide bomber. In any given terrorist incident your business could face:
• death and injury – physical and psychological – to members of staff and clients;
• physical damage to buildings, vehicles and other assets;
• loss of data and damage to information systems;
• reputation damage through poor preparation;
• loss of market position.


Key points: what you can do
As an organization, you will need to appreciate how the threat of terrorism could affect your daily business and personnel routines. Assessing current threats and asking straightforward questions should help determine the level of threat to your operations; for instance you should:
• make sure you receive quality-assessed information relevant to your business;
• consider your organization's physical vulnerability to the impact of a direct or neighbouring attack;
• seek professional advice on other areas of threat vulnerability, such as international operations;
• consider your business profile, trading partners, connections and public profile, and seek help to assess and reduce vulnerability;
• assess whether your neighbours may raise your vulnerability;
• discuss with your human resources department whether your pre-employment screening processes are effective;
• ask yourself the difficult 'what if' questions and make sure your answers are satisfactory;
• NOT assume it will not happen to your business;
• instil a positive security culture;
• implement and regularly test your crisis management plan.

Crisis management planning
Implementing a crisis management plan and gaining the trust and co-operation of your senior management and personnel is a big task. However, communicating the right message to the right people at the right time is critical to managing a major incident. Whether as victims of direct attacks or of collateral damage from widespread and indiscriminate terrorist campaigns, your organization must consider its vulnerability to the following criminal and politically motivated acts:
• acts of terrorism;
• commercial sabotage;
• product contamination;
• criminal damage;
• kidnap, hostage-taking, extortion and ransom;
• major systems attacks and reputation assaults.
By failing to take advantage of the first 'golden hour', those responsible for maintaining continuity can turn a serious situation into a major crisis. As a situation develops, failure to have planned and established a crisis management mechanism will exacerbate risk, damage reputation and harm the ability of an organization to work effectively with local government officials and law enforcement. It is therefore essential that comprehensive crisis management strategies are established, understood, rehearsed, tested and effectively implemented.

Testing the crisis management plan
In this section we discuss the very real benefits of testing a crisis management plan (CM plan) in a controlled environment where policies and plans may be challenged without risk. Testing is about probing the CM plan for shortcomings and, by doing so, improving the plan if necessary. It also exposes the members of the crisis management team to the complexities of their roles and the stress that this generates when managing high-risk incidents. Executives and managers are skilled in the management of their business processes, but may not have experienced the challenges posed by critical incidents such as terrorism, kidnap for ransom, extortion, or malicious or accidental product contamination. During the course of such incidents, customers, staff, or the continuity of the business itself, may be threatened. These are high-risk issues and they generate considerable stress for those who have to manage them. In order to reduce the threats posed to a business by terrorism, each organization should prepare a CM plan and carefully select the members and deputies of the 'crisis management team' (CM team). Only then will the management team be able to respond quickly and efficiently. CM plans require testing to ensure that they are comprehensive and flexible enough to meet all threats that may be posed to the business operation.

Rehearsing and training exercises
Training exercises are a cost-effective, realistic and secure method of testing the effectiveness of CM plans. They also expose the complexities of decisions to be made by those forming the CM team. This training has consistently proved to be a most helpful means by which experience can be acquired prior to meeting the challenges of a real critical incident. Implementing and testing a CM plan is about raising the awareness of staff and giving them confidence in the organization's procedures and ability to carry them out successfully. Without this necessary training, your personnel will be suddenly overwhelmed and unable to cope with an emergency. Planning for a crisis needs to be exercised until deemed reliable. The following are examples of typical exercises or simulations:
• discussion-based preparation;
• table-top simulation;
• live rehearsals.


Discussion-based preparation
This is probably considered the most straightforward yet least effective of the testing processes. It is simply a discussion between expert security consultants and the CM team. The consultants will design and talk through a CM plan and the communication systems they have prepared for the organization, aiming to ensure that all those involved are at least aware of what has been implemented. It is really an 'awareness-only' exercise and does not physically or mentally test the individual ability of those on the CM team.

Table-top simulation
Table-top simulation exercises are the most cost-effective method of testing CM plans, and therefore the most recommended by industry leaders. The simulation would normally involve a 'paper feed' exercise that would last in the region of several hours. It would simulate subject areas that vary according to the client but would include threats such as kidnap, terrorism and product contamination. The purpose is to highlight all aspects the CM team could expect to encounter and therefore have to manage. It can, if necessary, be delivered to the CM team only, but can also be delivered to their deputies and perhaps some other key staff. It does not normally involve testing the effectiveness of communications within a business structure. It is aimed at testing the CM plan and generating debate as to the best course of action to be taken in respect of each threat. This simulation exercise often leads to the experience of mild stress levels amongst the participants as they deliberate upon the best courses of action. They are working with their seniors and peers, and peer group pressure simulates real stress. This is part of their preparation, and active participation helps to reinforce good practice in their memories.

Live rehearsals
Live rehearsal is a method normally carried out by major companies and involves the police, fire brigade, armed forces, ambulance service and other bodies. It is a valuable but expensive exercise, and is used mainly in training exercises for the emergency services. However, live rehearsals are probably the most effective testing an organization can have. The type of scenario would involve simulated 'live calls' to a company switchboard following the detonation of a bomb in an organization's office, shop or site that results in a large number of casualties. Communication would be conducted through live links with the affected site and surrounding area. The company CM team would be established and the police would provide a police casualty computer link to simulate police and hospital activity with regard to casualties among the public and staff. A properly trained hostage negotiator would play the role of an anti-terrorist officer present at the company to liaise with police at New Scotland Yard.


In addition, further live problems can be incorporated into the exercise, such as:
• Are further attacks anticipated?
• What should you do with your office – keep it open or close it?
• How should staff be informed and in how much detail?
• How should you deal with the media?

Conclusions
All businesses have a 'duty of care' to staff and to customers. The legal implications to the management team if someone is injured or killed as a result of a failure on the part of the management in the event of a critical incident can be enormous. It is therefore essential that your organization invests time and resources into a comprehensive and thoroughly tested crisis management plan, supported by a fully trained crisis management team and deputies. By being prepared and responding quickly and with confidence, your business will demonstrate the ability to confront and deal with a major business crisis and allow you to mitigate adverse effects on your employees, surrounding communities and the environment, as well as helping to avoid costly losses.

2.7

Conflicting priorities – best practice in conflict management Graham Massie, Centre for Effective Dispute Resolution (CEDR)

Preface
The quality of canapés offered at law firm receptions has increased significantly in the last couple of years. And so has the quality of conversation – at least to the extent that I don't have to define mediation or explain who CEDR are as often as I used to. But what hasn't changed, particularly when I'm talking to business people – to finance directors, chief executives and chairmen/women, rather than simply to lawyers – is what happens when I move into sales mode:
'So, tell me about your business – do you get involved in many disputes yourself?'
'Oh no, we don't really have disputes. It's not really my area as our lawyers deal with that sort of thing.'
'Really? So do you have any conflict in your organization?'
'Oh yes, conflict – we have lots of that.'


And nine times out of ten the non-verbal answer is even clearer – a thin smile and a resigned look as I see the other person recall an argument, a difficult colleague or, most often, a simple reality of business life. So what's going on here? When Sun Tzu's Art of War is required reading at all of the leading business schools, why is it that business managers shy away from the word 'dispute'? It's certainly not because they don't have any – or because it doesn't have any impact on their business.

A universal condition
Conflict is a fact of life even in the best-run organization. It goes under many names – disagreement, disharmony, dispute, difficulty or difference – but the results of mismanaged conflict are the same: at best unwelcome distraction from a heavy workload; at worst damage that may threaten the very future of the organization. On the other hand, conflict can be productive, with a healthy disagreement often fuelling the cauldron of debate from which new ideas and innovation emerge. Conflicting views can lead to debate and refinement of solutions, or can act as an impetus for further information gathering, leading to more informed decisions. So the challenge for management is to realize the benefits of creative tension without straining relationships to breaking point. From an unhappy customer to a disgruntled director, business can have the challenge of conflict come from any direction – and, just as with all other aspects of risk management, the goal is to maximize the benefits whilst minimizing the downside and avoiding, or at least surviving, the catastrophic. Poorly managed conflict costs money, creates uncertainty and degrades decision quality. Furthermore, it pervades an organization's activities, its effect can be significant but is usually unmeasured, and no one is really designated to deal with it.

The cost of conflict
In November 2005 a research project by CEDR and law firm CMS Cameron McKenna gathered data from lawyers and business people involved in over 300 separate business disputes. We identified nine possible adverse consequences of business disputes:
• effects on company reputation;
• exposure in the public domain;
• effects on company morale;
• effects on personal reputation;
• damaged business relationships;
• lost customers;
• increased staff turnover;
• failure to meet targets;
• missed opportunities.


We surveyed the extent to which each may have been significant. Remarkably, this revealed that, in 80 per cent of the disputes surveyed, at least one (but frequently more) of these consequences was described as being 'significant' or 'very significant' to the business. I'm not sure I agree with the late business guru Peter Drucker, who coined the phrase that 'You can't manage what you can't measure', but what I would say is that, if you aren't trying to measure something, it's a pretty good indicator that you aren't even trying to manage it. Yet one of the problems with corporate conflict is that the majority of the costs fall through the cracks of management responsibility. The in-house lawyer may be accountable for the legal costs of disputes, but even here financial management leaves a lot to be desired – the 2005 Fulbright & Jaworski Litigation Trends Survey reported that 43 per cent of corporate lawyers are unable to budget adequately for litigation costs. And yet the costs of conflict are huge. A 2006 study by CEDR has revealed that conflict costs British business some £33 billion a year – and, of that amount, less than a fifth relates to legal fees, whilst the vast majority falls into three broad categories:
• damaged relationships;
• tarnished reputations;
• lost productivity.

Damaged relationships
Because of the way that most of us behave in conflict situations, disputes cause damaged business relationships, which in turn can lead to breakdowns in previously fruitful customer or supplier relationships, or to increased staff turnover. And even where conflict does not result in a parting of the ways, its effect on day-to-day business efficiency can be debilitating. One of the universal symptoms of conflict (and, generally, one of its most common causes) is a breakdown in communications – just as spouses who are having a row tend not to talk to each other, managers and business colleagues fail to communicate so well when there is tension or conflict in the relationship. And this behaviour can lead to failures to communicate vital information, possibly leading to missed opportunities and/or some key inputs to a decision being either suppressed or ignored.

Tarnished reputations
Evidence of our historical love of conflict as a spectator sport can be found in the ruins of the Colosseum, but today's corporate combat can be tracked from the comfort of your armchair, courtesy of the media. However, you don't have to read too many news reports of corporate disputes to conclude that they really are 'a plague on both houses', with even the winner's reputation often tarnished by what is revealed during the course of the battle. Whether it's the publicity about the harassment or discrimination case that harms both employer and claimant equally, or the professional negligence claim that reveals shortcomings on both sides, exposure in the public domain is frequently damaging to both personal and corporate reputations – damage that is usually described in the language of the brand or public relations consultants, but is often most visible in reductions in stock market value. In fact, have you ever heard of an organization whose public reputation has been enhanced by reports of its involvement in a significant dispute?

Lost productivity
A 2003 survey by accountants BDO Stoy Hayward1 identified the personal impact of disputes on senior management, with 46 per cent admitting that their stress levels increased, many (24 per cent) losing sleep over a dispute, and almost one in five even suffering from decreased motivation towards their own business. Other forms of lost productivity are also commonplace in business conflict – CEDR's research shows that a typical £1 million value dispute will burn up over three years of line managers' time in trying to sort it out – that's time that takes them away from their real jobs, creating a cost of conflict that far outweighs the legal fees involved (see Figure 2.7.1).

Figure 2.7.1 Time spent on a typical £1 million-plus dispute (work days)
In-house legal team: 172
Managers directly involved in the dispute: 430
Other managers getting sucked in: 258
Total manager time: 430 + 258 = 688
The distraction ratio (manager time to in-house legal time): 688 / 172 = 400%

This distraction cost is one of the key hidden costs of corporate conflict. As our research shows, manager time is four times that of in-house counsel involved in a dispute, which means that 80 per cent of the cost of conflict comes out of line management budgets. And since engagement in conflict isn't a line item in most managers' budgets, this means that the cost comes through in the form of reduced time available for other priorities.

Is there any good news?
Of course, conflict isn't all bad. And in fact some of the healthiest companies have some of the most intense discussions: '... all the good-to-great companies had a penchant for intense dialogue. Phrases like "loud debate", "heated discussions" and "healthy conflict" peppered the articles and interview transcripts from all the companies' (Jim Collins, Good to Great2). Research of top management teams has found that the more productive ones were able to manage conflicts without getting involved in personality conflict, treating conflicts as opportunities for collaboration to achieve the best solution for the organization as a whole. Conversely, when a separate research team3 studied a group of business failures arising from highly unsuccessful strategic decisions, they found a remarkably consistent pattern of stifled debate, with negative opinions or adverse information discounted as unhelpful.

Developing a conflict management strategy
So what is business doing about addressing these risks? Well, the typical cocktail party conversation cited would suggest that they're not doing much beyond resigning themselves to the inevitability of it all. And perhaps the reason for this is that business people aren't very comfortable in dealing with conflict in their day-to-day roles. This isn't that surprising when we consider the limited training most have had in this area – a recent CEDR survey of over 600 business people revealed that only 37 per cent regarded themselves as being adequately trained to cope with business conflict. Furthermore – or, more likely, because of this lack of training – managers also revealed themselves to be significantly conflict averse. Over a third of managers (35 per cent) would rather parachute-jump for the first time than address a performance problem with their work colleagues, whilst just under a third (27 per cent) would rather shave their head for charity – and some (8 per cent) would rather live on 'bush tucker' bugs for a week. However, the fact that many are doing nothing about this problem, or feel uncomfortable in dealing with it, doesn't mean that nothing can be done. CEDR has been in the business of effective dispute resolution for over 15 years. And in that time we've worked on many thousands of disputes, acting as neutral mediators assisting over 1,500 negotiating teams every year. Whilst helping clients get themselves out of conflict situations, we've learned a lot about how they got there in the first place, what mistakes they made along the way and what they could have done better. We've now synthesized the lessons of our dispute resolution experience and have developed a package of consultancy and training solutions to help organizations improve the way they manage conflict, whether internally or with outside stakeholders, customers, suppliers or business partners. These solutions won't make conflict go away, but they will help organizations manage conflict more efficiently and effectively – cutting the cost of conflict.

How to get there
Typically, the six key elements of a strategy for making conflict management a core competency in an organization are:
• developing conflict literacy;
• measuring conflict styles;
• building conflict management skills;
• developing team-working approaches;
• creating options for conflict resolution;
• embedding a conflict management culture.

Developing conflict literacy
Some theoretical background and a common language about conflict are required to help organizations think effectively about the causes and consequences of conflict. Firstly, an organization needs to have a clear understanding of what it means by conflict. This isn't just a question of open warfare – as the earlier cocktail party conversation reveals, a lot of conflict occurs on an informal and sometimes covert level. It's important also to remember that conflict isn't necessarily bad. Secondly, a lot of conflict arises – or escalates – as a consequence of how people behave in difficult situations. Life experience causes all of us to acquire preferences and habits of how to respond to conflict and we tend to use these over and over again. Individuals and organizations can have different conflict styles, each depending on the extent to which they place emphasis on two key areas: their own needs/agenda (the outcome); and the relationship with the other person. Different terms may be used by different authors, but broadly individual styles can be divided into five categories:
• Competing: focusing on achieving your own concerns above all else.
• Accommodating: the opposite of competing, sacrificing your own concerns for the benefit of the other person's.
• Avoiding: not wanting to pursue either your own or the other side's needs, and in fact you'd rather not be involved in the conflict at all.
• Compromising: this approach seeks the middle ground, partially satisfying your own concerns and partially satisfying the other's.
• Collaborating: both assertive and co-operative, this approach tries to problem-solve to find a solution that fully meets the interests of both parties.
Each of these labels carries emotional baggage, leading most of us to think of some as good behaviours and others as bad, or weak. However, in conflict management, these characterizations are inappropriate – each style has its place in certain circumstances, and each causes difficulties in others. There is no universal 'right answer'.

Measuring conflict styles
As with much development work, the key to implementing change is first to understand where you are now. Hence, diagnostic tools can be used to assist individuals to determine their own preferred conflict style, thus making explicit what might previously have been unconscious habits and assumptions about the best way to handle conflict situations. These tools can also be used to establish a pre-action baseline, and results can generally be aggregated to form an impression of the overall culture of a team or organization.

Building conflict management skills
Whilst each person will have a default behaviour, we are not locked permanently into that mode, and appropriate training can help individuals to modify their behaviour to suit particular circumstances. Furthermore, by understanding and recognizing the conflict styles of others, we can implement appropriate strategies to communicate with them. Additional communication and creative problem-solving skills training also add to the portfolio of conflict competencies.

Developing team-working approaches
Although enabling individuals to modify their conflict management styles will have some impact in mitigating team-level conflict, additional work will most likely still be required at a team level to make sure that established team cultures are not overwhelming and that an appropriate collective strategy is adopted. For example, a collaborative style is generally accepted as being the most effective approach for dealing with task-based conflict, that is dealing with differing views as to the best way to achieve agreed objectives. A strategic management team may need high levels of disagreement to facilitate the critical evaluation of decisions, but an unmoderated competitive approach may lead to dissatisfaction and relationship conflict as well as suboptimal decision making.

Creating options for conflict resolution
It is important that a conflict management system provides options for all types of problems for all people within the organization, and a 'one size fits all' strategy is unlikely to be workable beyond a very narrowly defined area of conflict. Generally, therefore, a comprehensive system will provide for a range of entry points and for a variety of options, both rights-based and interest-based, for addressing conflict. One of the most important options involves providing an outlet for situations where direct discussions between key individuals are unable to resolve a problem. Mediation, the intervention of an impartial third party with neither decision-making authority nor the power to impose a resolution, has proven to be a highly successful method of resolving even the most intractable deadlock.

Mediation is a flexible process conducted confidentially in which a neutral person actively assists parties in working towards a negotiated agreement of a dispute or difference, with the parties in ultimate control of the decision to settle and the terms of resolution. (Centre for Effective Dispute Resolution – CEDR)

It also has the advantage of being quick and cost-effective when compared to alternative recourse mechanisms such as arbitration, litigation or, perhaps worst of all, significant unresolved conflict.


Key facts about mediation
• Over 70 per cent of cases settle at mediation, with a further 20 per cent settling within the following weeks, after parties have seen and explored the other side's position.
• Of those companies that have used mediation, over 77 per cent said it was quicker, over 78 per cent said it was more effective and almost 80 per cent said it had reduced their anticipated legal costs.
• Business cases mediated with CEDR in 2005 had an average dispute value of over £1.5 million, or a total figure of well over £1 billion.
• 2005 saw the 11,000th case referred to CEDR.

Embedding a conflict management culture
As with any change management project in an organizational setting, implementation of a conflict management programme requires activity at a variety of levels. It's not enough simply to build protocols and provide training; leadership needs to come from the top such that open communication and effective conflict management become embedded in the culture of the organization.

Conclusion
Conflict is part of working life but it is how we deal with it that is important. Effective management of conflict can reduce the amount of time and money spent in trying to sort out a problem, reduce the damage it could cause to those involved and enable decision makers to make smarter choices earlier on. There aren't any silver bullets, but a lot can be done, and it's time that business woke up to the wastage that lack of proper conflict management causes.

Notes
1. BDO Stoy Hayward (2003) Commercial Disputes Survey, BDO Stoy Hayward, London.
2. J Collins (2001) Good to Great: Why Some Companies Make the Leap ... and Others Don't, HarperBusiness, New York.
3. S Finkelstein (2003) Why Smart Executives Fail, Portfolio (Penguin Putnam), London.

2.8

Latent risks in commercial property damage and business interruption insurance Ian Drewer, Strategic Risk Partnerships Ltd

Nowadays, very few corporate management teams would suggest that the purchase of insurance cover, however comprehensive, will of itself represent adequate protection for their business against potential adverse risk events. The discipline of ‘risk management’, applied in a far more holistic sense, is now generally recognized as an inherent part of sound business management practice and, indeed, is to be found as an integral part of the curriculum at most leading business schools. Similarly, during the past couple of decades more structured corporate governance requirements and increased regulatory oversight have served, inter alia, to emphasize the importance of appropriate management process for identification and control of potentially risk-creating circumstances. The ability to exploit risk has always been an essential element of entrepreneurial success. Many jurisdictions now require all public companies to implement a formal process for identifying, recording, reporting and mitigating potential sources of adverse impact. This ‘corporate governance’ obligation, often supported by statute, is to be undertaken by corporate management in the interests of the various stakeholders in the business. Informed development of appropriate techniques and procedures and, more particularly, their refinement to more specifically suit the needs of the particular business, will often reveal not only the extent of possible exposure but also the limitations of generic ‘protections’.

Strategic Risk Partnerships Limited

Professional experience, portfolio management, knowledge, client confidentiality, bespoke, reliable, decision making, expert, 24/7, global, corporate governance, major claim management.

The SRP team has more than 100 years’ combined professional experience, including practical involvement in risk management and insurance activities, in the following sectors: business travel, cargo & transit risks, catering, chemicals, construction risks, cruises, ferries, hotels & leisure, intermodal transportation, commercial motor fleets, passenger railways, pharmaceuticals, property management, publications, safaris, shipping, telecommunications. The company offers insurance and risk management advisory and portfolio management services to industrial and commercial clients. We provide both comprehensive package solutions, tailored to the needs of the individual client, and task or project responses to meet specific situations. SRP will support in-house insurance or risk management resources or act for the client directly with brokers, insurers, legal advisors, etc., of the client’s choice in addressing that client’s risk financing and/or risk management needs.

Contact us

Strategic Risk Partnerships Limited, 10th Floor, St Clare House, 30-33 Minories, London EC3N 1DD, United Kingdom

Telephone: + 44 (0) 207 977 6770
Email: [email protected]
Internet: www.srplondon.com

Registered in England at the above address. Registration Number 5695133. Strategic Risk Partnerships Limited is an Appointed Representative of Swinglehurst Limited, a Lloyd’s Broker, authorised and regulated by the Financial Services Authority.

LATENT RISKS IN BUSINESS INTERRUPTION 121 •

Insurance as a factor in corporate risk management

Nevertheless, insurance of various kinds does remain a key factor in most corporate risk management philosophies. It is still generally regarded as an effective means of providing financial support should external forces cause unexpected and fortuitous loss or damage to the affairs of the business, or have significant financial impacts.

Damage, interruption and interference

Thus, however effective a loss prevention and risk control programme the business may implement, there will remain for any business employing physical assets an interest in the purchase of some element of ‘property damage’ insurance. Where damage to those assets would be likely to result in some kind of interruption to, or interference with, the business (with consequent loss of revenue) the protection afforded by ‘business interruption’ cover also becomes desirable. Therefore, property damage and business interruption insurance will generally appear high on the list of ‘normal’ insurances in most business portfolios and will be seen as the most fundamental support requirement in respect of any finance secured either on physical assets owned or used by, or the cash flows produced in, the business.

Furthermore, providers of business finance (lenders) continue to impose requirements for relatively ‘traditional’ insurance coverage in respect of any asset offered as security in connection with business finance arrangements. It is probably also fair to say that most such financing arrangements will specify ‘all risks’ property damage and business interruption insurance, covering ‘damage’ to assets used in the business and ‘loss of revenue’ following such an event. ‘All risks’ insurance applies to losses arising from damage caused by any peril other than those actually identified in the policy as being excluded. The alternative, ‘specified perils’ (or ‘fire and perils’) form of cover is generally considered less satisfactory, in that cover applies only for losses arising from the perils stated in the policy as being insured; all other causes of loss are deemed uninsured.

However, any business should consider very carefully indeed the sequential connection between physical damage, interruption or interference with the business and possible loss of revenue. There are many businesses in which that link is actually quite tenuous, or the potential loss of revenue really quite small (whether in absolute terms or as a part of the whole).


A good example can be found in the intermodal transport sector, where entities own container units that they lease out to freight companies and the like. Damage to an individual container unit (or even several at one time) is unlikely to cause substantial loss of revenue. The units can usually be quickly replaced and the time and cost of repair are generally limited. Similarly, damage to the office premises used for administration of such a business might be inconvenient, but is unlikely to cause significant interruption to the receipt of rental income in respect of units on hire. Suitable support for the alternative provision of essential administration functions would be more valuable than a full business interruption insurance programme.

The ‘all risks’ illusion

Until relatively recently, as reflected in the thinking of financial institutions and similar bodies, most businesses could purchase an ‘all risks’ property damage insurance policy (described above), applicable to any and/or all of their business activities. This would be possible whether those activities were concentrated on a single site, collected in one town or district, spread through a single country or scattered almost anywhere around the world. Such cover would be available from a choice of insurers, or syndicated combinations of insurers, in the London insurance market (and/or other major markets) and the purchaser could reasonably expect the coverage truly to apply to any cause of loss or damage not specifically excluded. It is all too easy to assume that worthwhile protection can be achieved today by the same means and with similar availability. One might reasonably feel that the provision of insurance must surely have become even more all-encompassing over the last couple of decades or so, as have so many other things in life’s rich experience. That, unfortunately, is a serious mistake easily made. For some years the business of insurance, especially the manner in which providers operate, has undergone significant change, but not necessarily in the interests of the ‘insured’.

Traps for insurance buyers

‘Property damage and business interruption’ insurance offers various examples of the types of change (and thus the dangers) of which the commercial purchaser should properly be wary. Some result primarily from fiscal regulation of international business: the introduction and/or application and collection of taxes, not previously significant to the international transaction of insurance, offers an example. Insurers willing to provide international or multinational policies must be careful to comply with relevant fiscal controls. They may actually be required to collect and remit (to relevant national authorities) applicable insurance taxes. Other changes relate more specifically to non-fiscal regulatory developments, sometimes specific to insurance, sometimes on a wider front.


Change in the insurance industry

Yet other changes affect the structure and operation of the insurance industry itself. Many commentators saw consolidation as both a saviour and a potential curse for insurance providers and their customers. These observations have been proved correct; some insurers operating today would certainly have slipped in significance, perhaps even ceased to trade, had they not gained weight by merger and acquisition. However, such consolidation also reduces numbers, which in turn tends to reduce both capacity and competition. With reduced competition come, all too often, reduced standards of service. Thus many purchasers have for some time found that there are relatively few options and, perhaps, little or no real competition for the provision of the most wanted form of business insurance protection, the fundamental property damage and business interruption coverage.

Reinsurance dependency

In addition, ‘direct insurers’ (the carriers from whom the individual insured buys cover) need to protect themselves by ‘reinsuring’ the business that they have underwritten. This mechanism enables a direct insurer to pass on to another tier of carriers, for a premium, a substantial part of the exposure that it has underwritten. Without this facility the direct insurers would rapidly reach their permissible limit of risk acceptance, or would be obliged to accept only much smaller amounts of exposure in any one piece of business. A relatively small number of major reinsurers provide key capacity throughout the ‘direct’ insurance market. These reinsurers can exert considerable influence on the underwriting policy of the insurance companies to whom they provide this capacity (the ‘direct insurers’). Since they each reinsure several ‘direct’ insurers, this can significantly affect the extent to which the cover offered by any one such ‘direct’ insurer might differ from that offered by another. In effect, therefore, the marketplace for any particular individual insured may actually be controlled by reinsurers with whom that insured entity may never make contact or discuss coverage, and with whom that insured entity has no contractual relationship. Furthermore, the insured entity concerned generally has no right of claim on the reinsurer’s funds, should the ‘direct’ insurer fail to honour the original policy of insurance.

Tailored cover for industrial/commercial entities

Availability to the industrial/commercial entity of insurance cover tailored to suit its particular needs is obviously likely to be hampered by such factors. It is clearly desirable, if one is to buy insurance at all, to seek to include coverage for those potential (fortuitous) events identified as most dangerous to the health of the business concerned. Whilst probability and possible severity (of loss events) must be expected to influence pricing, it is surely unreasonable for the proper identification by the insured of potentially severe (albeit remote) exposure to result more or less automatically in severe limitation, or even exclusion, by the insurance market of coverage for any such occurrence.

Exclusion vs price

Nevertheless, the tendency to exclude, rather than price, is now a reaction that can readily be observed amongst the ranks of insurance carriers. The purchaser of insurance may thus be obliged to accept a policy that lacks the very elements that would really provide worthwhile coverage for the business. This situation has been and continues to be exacerbated by the serious ‘deskilling’ that the insurance industry has suffered over the past several years. Initiated primarily by those insurers who have chosen to specialize in low-value, high-volume (essentially personal-lines) business, the consequences have undoubtedly also affected many insurers who are involved in provision of coverage for industry and commerce. Whereas personal-lines specialists might reasonably argue that low-cost administration is paramount and formulaic coverage is an acceptable concomitant, the proper provision of appropriate cover to industry and commerce demands a very different profile.

Appropriate protection

Appropriate protection for substantial industrial or commercial concerns almost inevitably means more complexity of coverage. The limited availability of necessary skills in this sector is apparent in the comparative paucity of experience amongst underwriting staff, the absence of policy wording specialists and the frequency of appointment at senior level of executives with little, if any, previous practical operational experience in the relevant insurance disciplines. Without a practised skill base in these crucial roles, it is not surprising that training and capability elsewhere in the business may be found wanting. Therefore, in addressing its requirements for property damage and business interruption insurance, it behoves any business to analyse carefully not only the risk to which it is potentially exposed, but also the coverage that the insurer intends to make available and the capabilities of the insurer itself. This may not be easy. It will require careful explanation of the business to be insured and appropriate consideration of the insurer’s ability to comprehend, together with evaluation of the personnel who are to be involved in the account. The experience and abilities of the insurer’s team, including not only the underwriting staff, but also administration and claims personnel, will be of major significance. The words in the proffered policy may well seem clear enough, but the insurer’s view of their meaning can all too easily be significantly different from that of the insured.

Wording interpretation

Regrettably, the meaning applicable to those words in the understanding of the insured, and ostensibly echoed by the insurer at the time of purchase of the policy, can all too often be found to have changed – in the interpretation of the insurer – when it comes to the occurrence of a serious loss event. Careful analysis of the business profile is essential to the effective purchase of business interruption insurance. The formula set out in the policy wording for calculation of any loss should be appropriate to the particular business. The relevant factors should be discussed carefully with the insurer at the outset, with careful recording of the conclusions and decisions, to ensure a clear understanding that the wording will be applied as the insured entity intends. This is likely to avoid considerable distress should a major loss event unfortunately occur, since it substantially reduces the potential for ‘alternative’ interpretation of the wording by the insurer in such circumstances (to reduce potential claim payments).

Regulation and simplification

Elimination of uncertainty in the determination of the cover actually afforded by any policy of insurance has attracted a great deal of regulatory attention in the UK (and elsewhere) in recent years. Not unnaturally, the main thrust of such effort has been directed at those categories of insurance provided to private individuals (‘personal-lines’ business) and those parts of the insurance industry that operate in that sector. However, the resultant regulation has also affected the provision of insurance cover to industrial and commercial enterprises. The insurance industry in England and Wales is subject to regulation by the Financial Services Authority (FSA) and great play has been made during the last couple of years of the FSA’s requirement for ‘contract certainty’ in general insurance. As with much regulation, this does not mean what it appears to say; ‘contract certainty’ does not mean certainty of contract. That is to say, it does not mean that the two parties will have an identical understanding of the meaning of the contract of insurance and thus the manner of its application and the extent of protection afforded.

Compliance

‘Contract certainty’ is currently interpreted primarily as requiring early issue of ‘finalized’ documentation. The emphasis is on provision of a document within a timeframe, free of outstanding requirements as to information, coverage issues, supply or conduct of associated services and so on. As such, in the case of commercial insurance, the process adopted can tend to favour the insurer to the detriment of the insured.

Coverage reduction

To achieve rapid and untrammelled issue, a noticeable trend has developed amongst insurers to ‘standardize’ (often ‘dumb down’) the policy documents used. The document so issued may allow for subsequent endorsement to include any special provisions or additional protection (in many cases using pro forma endorsement wordings). This may not be unreasonable in the case of high-volume, low-exposure personal-lines business, for which the regulations seem really to have been designed.

However, the approach is inherently flawed when utilized for most categories of commercial insurance. In the somewhat simplistic forms most generally used, this can create, rather than solve, significant problems for any reasonably substantial enterprise seeking to arrange industrial property damage and business interruption coverage. There is a very real risk that wordings for ‘tailored’ coverage, developed over time by such insured entities to provide for their own particular and individual insurance needs, will be severely impaired or even lost entirely. At least one major insurer has been known to delete various extensions of cover from long-standing corporate programmes (though mainly liability rather than property coverage), then subsequently offer the insured a version of the ‘deleted’ cover in the form of separate policies at additional premium cost. ‘Contract certainty compliance’ has been given as a prime ‘reason’ for this practice. Another insurer announced that it intended to discontinue, or at least greatly restrict, the availability and use of ‘tailored’ property damage and business interruption insurance coverage for commercial insured entities, to ensure that it ‘knows what cover is provided’. It is tempting to view any such change as opportunism on the part of the insurers concerned, aimed primarily at driving up premium income. In some cases this may indeed be so. In many cases, however, the dangerous consequences may be largely accidental. Whichever circumstance might apply, such arbitrary changes to a commercial ‘property’ insurance programme could seriously reduce the scope or extent (and thus value to the insured) of protection. The implications are perhaps most likely to be critical for ‘business interruption’ aspects of coverage.

Disadvantage to the insured

The reason(s) for implementation of such change make little real difference. Once the revised document is issued and the premium paid, the ‘new’ wording will apply. Commercial insurance policies are often lengthy documents and require skilled reading; subsequent renewals may be effected without detection of the full extent of the imported changes. The true consequences may well only become apparent as and if the feared loss occurs, when the cover is suddenly found lacking as compared with that which the insured expected and knows full well should have been available.

The principle of trust

As the only form of contract where consideration is required of one party in return for no more than a qualified promise by the other, insurance depends primarily on mutual trust. The principle of ‘uberrimae fidei’ (the utmost good faith) is fundamental to any insurance contract and is enshrined, under English Law, in the Marine Insurance Act, 1906 (section 23), which states that:

A contract of marine insurance is a contract based upon the utmost good faith, and, if the utmost good faith be not observed by either party, the contract may be avoided by the other party.

The Courts have determined that this principle applies not only to ‘marine’ insurance, but to any category of insurance cover. As the words make clear, this most fundamental of principles applies in both directions. Equitable application of the principle requires not only that the insured must declare to the insurer any material information about the subject matter of the insurance, but also that the insurer is obliged to declare to the insured any material change in its own operation. Unfortunately, the nature of an insurance contract offers little opportunity for effective sanction of the insurer. Design, development and satisfactory operation of an effective programme of property damage and business interruption insurance (or any significant industrial/commercial insurance coverage) demands co-operation between insured and insurer(s), but a successful outcome can properly be judged only by the insured. Careful analysis, preparation and execution, with a proper awareness of the potential pitfalls, can greatly improve the probability that the coverage will perform as intended by the insured party.

2.9

Managing litigation risk: lost in translation Sean McGahan, McKinty & Wright

Does this scenario sound familiar? You apply the tools and techniques of risk management and gain a deeper understanding of the costs of claims and litigation, especially the predictable exposure to personal injury claims. You then see the apparent profits of business units decreased or even wiped out over the medium to long term because of claims against your organization. What can be done about this? Since 98 per cent of personal injury claims in the UK succeed, a standard recommended response is to increase health and safety measures. Unfortunately this does not automatically translate into more successful outcomes when claims are made. Such an approach can even be counterproductive, either because the organization does not properly understand what health and safety measures the law requires, or because it fails to communicate its choices on risk effectively in court. Put simply, messages that are there to be communicated are being lost in translation.

The purpose of this chapter is threefold:

• to show you how the language of risk management is different from the language of law;
• to explain to you the compulsive risk assessment psychosis and conspiratorial risk aversion policy mistakes you can make if you misunderstand the language and processes of law;
• to show how you can create a better capability to defend your organization’s decisions on risk and communicate more effectively in court.

The language of law

The law uses language similar to the language of risk management, but that language is interpreted in a different way. Understanding this difference is a key to unlocking controls that may reduce your residual risk. If you have ever picked up a legal textbook, talked to lawyers or been in court, you will have encountered language on the issue of risk that sounds vaguely familiar. There is an entire body of law, called ‘tort’, that sets out how much risk is acceptable and when you will be held liable if a risk materializes and causes damage to others. Tort law sets down that, in certain circumstances, you are deemed to owe a ‘duty of care’ to others. An employer’s duty to employees is an example. How much care you have to exercise is determined by an objective ‘standard of care’. If the ‘standard of care’ you exercise is lower than a court would expect, and this contributes to someone sustaining a loss, then a court will hold you liable to pay compensation for the damage caused. Compensation for personal injury is the classic example.

In order to determine the ‘standard of care’, courts are expected to look at the ‘magnitude of the risk’. The greater the risk, the greater the ‘standard of care’ will be. An example will help you understand this. Take a zoo. The standard of care required to guard against visitors being injured by animals will vary according to the threat posed by a given animal. An attack by a lion would probably cause serious injury or death, while an attack by a penguin is likely to result in the victim being more embarrassed than anything else. So the law requires a higher ‘standard of care’ to be applied to lions than to penguins. If you think about it, this idea of setting a ‘standard of care’ on the basis of the ‘magnitude of the risk’ looks like part of a risk management process: establishing the ‘probability of an occurrence and possible consequences’. In setting this ‘standard of care’, the law takes into consideration the ‘costs of preventative measures’ and the ‘social value’ of the activity being engaged in. Again, this is language on which you can place a meaning, as it sounds pretty much like ‘cost–benefit analysis’ and ‘defining your context’ or ‘setting strategic objectives’ in a risk management process. Taking all of this together, in theory the law has a means for determining what a given organization’s risk appetite should look like. Therefore, if you use a sound methodology for setting a risk appetite for your organization, the law should be capable of coming to roughly the same conclusions. A court should recognize that if the ‘magnitude of the risk’ posed by an activity is tolerable, the ‘social value’ of the activity should override concerns about the magnitude of the risk.

Unfortunately it does not quite work out like that. The standard of care set by the courts in individual cases can vary greatly. For instance, in the leading case of Tomlinson vs Congleton, the House of Lords overturned the decision of the Court of Appeal on the standard of care that a council should exercise towards people who choose to swim in a lake. This is because the overall process by which the issue of risk is considered by courts is in fact very different from a risk management process. The courts make decisions on risks without using the methodologies generally recognized in risk management as key elements of high-level decision making. Risk managers use a whole range of analytical tools to make decisions about risk tolerance, and can also rank risks by creating a risk profile. A court cannot use any of these methods and is wholly dependent upon the evidence presented to it during a trial. Also, courts do not use quantitative analysis. Although monetary values are placed on injuries in the form of an award of damages to a successful party, these monetary values are not used to counterweight the monetary cost of precautions to prevent injury. The law turns its back on quantitative analysis in deciding the ‘standard of care’. Instead, semantic tests such as ‘reasonableness’ and ‘practicability’ are utilized. There is also no audit of decisions to ensure a level of uniformity of decision making. All this means there is scope for differences in interpretation of the ‘standard of care’ imposed by different courts. Written judgments of courts are full of examples of variances in the ‘standard of care’ they impose. The result is that, in the absence of good evidence on risk being given to a court, judges cannot be blamed for sometimes taking a fairly basic approach to risk that sits well with the fact-finding capabilities of a trial. Was there a risk? And was there anything that could have been done about it? Faced with an accident resulting in injury, especially catastrophic injury, there is a natural tendency to take the view that some additional precaution should have been taken. Courts naturally tend to set a low risk tolerance. In the absence of contrary evidence on risk, the legal process therefore has an inherent process bias in favour of setting a high ‘standard of care’.

Mistakes to avoid

If you do not recognize that courts have a basic approach to risk, you can easily adopt an approach to controlling the risk of claims and litigation that actually increases the effect of this bias in favour of setting a high standard of care. The biggest mistake is to adopt poor risk management policies. These can take two forms.

Compulsive risk assessment psychosis

This phrase was first coined by John Adams. You generally see the psychosis in organizations that do not have an overall risk management process in place. Elements of a risk management process are introduced that are not part of a coherent strategy. The result is that an organization gets flooded with documents identifying risks and suggesting things that could be done about them, without any overall evaluation. These documents give the impression to a court that the identified risk should have been guarded against. If you identify something as a risk in isolation from a risk profile, the law interprets this not, as you would, as something to be ranked, but generally as something that is above your risk appetite, or below the ‘standard of care’. The result is that you are found liable. Courts are not there to rank risks for organizations. If an organization has not ranked its own risks and set a risk appetite, courts are not going to do it for them. They will generally err on the side of causation and find the organization liable.


Conspiratorial risk aversion policy

In this form, practices and procedures become increasingly risk averse. The intention behind this process is to reflect the perception the organization has of the ‘standard of care’ expected in law. Often the perception is gained from the results of a few cases that went to trial or even stories in the media. If an organization becomes risk averse, this will simply encourage a court to reflect this risk aversion in its decision. The other problem with this approach is that it creates divergence between an organization’s objectives and its risk management. Policies and procedures become risk averse and hinder operations. Individuals and operational units are hampered by procedures that do not fit the organization, and will therefore break the rules in order to achieve their objectives. Where those breaches occur, the policies and procedures become the basis for showing a breach of the ‘standard of care’. You see this behind many of the most criticized rulings on risks by courts. If a school bans children from running during break time and a child is injured while running because staff disagree with the rule and do not enforce it, the school may be found liable because it failed to follow its own ‘standard of care’. It is worth noting that in the leading case of Tomlinson vs Congleton, the House of Lords decided on a lower ‘standard of care’ than the council itself proposed to exercise, and dismissed the claim.

So what should you do? Plan ahead to take part in the trial process before incidents occur and claims are made. That is the essence of litigation risk management. It sounds straightforward but few organizations actually do it. The following are just some of the steps that can be taken. • Adopt a recognized risk management standard and apply that to your „riskscape‟, while still complying with the law. If there is clarity about what the objectives of an organization are and clear assessment, analysis, evaluation, reporting and treatment of risk based upon quantitative analysis, then a court lacks any inherent tools on which to base a rejection of the risk tolerance set. In terms of decision process, for a judge to do so would be like one doctor attempting to second-guess another doctor‟s diagnosis based on an MRI scan by using a CT scan. The MRI scan is objectively the superior methodology. It would of course be open to the plaintiff to call evidence to attack the risk tolerance set, but if the process is robust there may be little to attack. • Do not allow your health and safety practices to diverge from the risk tolerance set for the organization. There are health and safety absolutes and other issues that involve balancing risk and opportunity. • Use your risk appetite as a means of determining which claims you will fight. If you don‟t, then there may be little logic to the selection of claims to accept and claims to reject. • Align objectives for defending claims with business goals, otherwise your claims handlers may adopt an approach to claims that creates risks to your objectives.

• 132 CORPORATE RISK CONCERNS

• Form a litigation team with clearly defined roles to handle claims, rather than having a silo mentality.
• Translate your message on risk into language that the law can understand. If you do not, your message may be misunderstood by a court. The right language can be adopted without undermining the risk process, and makes the process court-friendly. You will then be able to speak to a court in language it can hear and understand.
• Get a memory for the organization. Often a message on risk cannot be communicated as processes have not been put in place to recall what an organization’s attitude to risk was at any given time in the past.
• Create a voice for your organization. Communicating in court is not a straightforward process for organizations. The system by which evidence is introduced to judges in a trial grew up before large corporate organizations had evolved. Trials are designed to allow individual personalities a voice. Witnesses are called by lawyers to give evidence in a witness box. Lawyers cannot give evidence and so cannot be the voice of an organization at a trial. Without the voice of a witness in the first place they can do very little. In most litigation the action is brought by an individual, the plaintiff. That person sits in the witness box and can actually speak passionately to a judge. He or she can also recall evidence from memory, or simply make evidence up. An individual starts with an advantage over organizations as a result. Organizations need to be able to deliver a message about risk loud and clear in a courtroom, but most of them have little or no voice that can be channelled into a trial process.
• Check that your organization has the ability to capture events as they occur in a manner that will not be counterproductive in court. Too often it is assumed that the processes of health and safety investigations, such as root-cause analysis, translate into effective evidence for court. Often they don’t.
• Upon resolution of a claim, record all lessons learned by applying a managed approach to litigation in a systematic way so that lessons are learned and the litigation capability of your organization can improve over time.
• Debriefing should be held regularly to ensure that no unit or individual in an organization comes away from taking part in a claim process with the wrong lessons learned.

If you have not thought about litigation risk management before, then think about it now. Winning in court requires effort. To quote Samuel Goldwyn: ‘The harder I work the luckier I get.’

3

Risk Issues in Operational Management


3.1

Managing risk through management systems

Mike James, Lloyds Register Quality Assurance (LRQA)

The purpose of this chapter is to examine the organizational issues associated with managing risk by means of a management systems approach. It has been written from the perspective of an independent business assurance provider and is based upon our experience gained in conducting assessments on behalf of many organizations throughout the world. At the end of the chapter there is a brief description of an evaluation technique developed by the Lloyds Register Group to address these issues.

The management of major risks outside the management system

At present, in many organizations, the major risks – for example, failure to achieve a strategic objective or risk of legal action – tend in part to be managed outside the scope of the formal management system. This is despite the fact that these organizations acknowledge that they invest significant sums of money in the implementation and maintenance of these systems. Independent research conducted on behalf of LRQA amongst the top managers of major global organizations has confirmed this.


• 138 RISK ISSUES IN OPERATIONAL MANAGEMENT

There are a number of reasons why this occurs. In some cases it is because of a lack of understanding of the capability of the management system on behalf of the top management, and in others it is due to lack of understanding of the nature of the real risk(s). Increasingly it is because modern organizational design with its vast array of alternative structures and business models is making risk far less visible to top managers.

When considering risk, many people tend initially to think about downside risk, as greater weight tends to be placed upon this in the human mind. Very often managers confuse their greatest fear with the greatest risk, though these are very often not one and the same thing. Clearly risk needs to be viewed as some combination of likely occurrence and impact and not the event(s) an organization or prominent individual would most dread. Although a process of formalized risk weighting may take place, in reality this can still be influenced by subjective bias. This is very often the case when there is a change in the top management. In this case, given this initial analysis it is perhaps not surprising that the manager will set up a discrete set of processes to deal with the perceived risk, in order to act quickly and – as he or she sees it – avoid the organizational bureaucracy associated with the management system. Initially this approach will work as it has all the focus and attention of a top manager who has the power to implement process change. However, as the process falls outside of the boundaries of the formal management system it will cease to be reviewed and audited on a regular basis. As other issues inevitably arise they will take priority and the risk will cease to be managed effectively. The lack of systematic management, without objective risk evaluation and reviews, also fails to address the risk of getting the risk assessment wrong in the first instance. On many occasions this can prove to be one of the greatest risks facing an organization because limited resources have been focused on addressing the wrong imperatives.

Addressing upside risks

Let’s turn our attention to how an organization addresses the business opportunities (upside risks) in its market place. These are very often embodied in the goals and objectives of an organization. In this case the key question is: Are all the processes needed to manage the achievement of these goals within the scope of the management system? Our experience is that in many cases the answer to this question is no. Again, there are a number of very good reasons for this. Within an organization, this very often comes down to a lack of integration between the management system and the business system. For example, in the age of knowledge-based competition, how many organizations know the age of their top designers, engineers, scientists, programmers and analysts? How many have identified succession planning as a major risk to their quality objectives, and how many have built this into their management system? Or is this seen as an HR matter? There are many similar examples of this type of behaviour across the spectrum of business risks.

MANAGING RISK THROUGH MANAGEMENT SYSTEMS 139 •

The impact of changing organizational structures

In a wider context, as companies take advantage of technology, in particular the internet and the global labour market, they are designing new organizational structures in order to compete more effectively. This has manifested itself in the creation of global supply chains, outsourced functions and a far greater degree of collaboration among companies, including among competitors. It is a well-understood principle of business management that there needs to be a logical relationship between an organization’s strategy and structure, and that its strategy must determine its structure over the long run. However, there are now far more structural alternatives available and the new forms of organizational structure open up new strategic opportunities for organizations. The resulting effect has been a constant readjustment of company structures as CEOs seek to get a good fit between their organizations’ strategies and structures. This is something we are encountering constantly within our clients. The speed and regularity of these reorganizations means that there are very often significant time lags between new business structures and the systems and processes in place to control them.

In addition, in a global market with blurring organizational boundaries the modern organization now sees itself as a component in a series of networks of other organizations. One way of describing a network is as the least organized form of activity that can be described as an organization. Traditionally, management systems operate on the premise that authority and responsibility are exercised within the boundaries of a relatively fixed entity. Organizational networks make it far more difficult to exercise control and make risk far less visible. They make it possible for managers to believe that it doesn’t exist because it cannot be seen. This can be a major issue – for example, when the management system is acting as part of the governance system in the areas of environment, health and safety or social accountability. In the current business climate, significant emphasis is placed upon an organization as a social entity as well as an economic one, and poor corporate behaviour can result in the destruction of shareholder value. Therefore, in this instance, although production can be outsourced the responsibility for the way in which it is carried out cannot. Companies have to find ways to apply management systems control to organizational networks.

Adopting management systems

Our research shows that over 60 per cent of directors believe that risks would be significantly reduced if their partners and suppliers adopted their management systems. And an equivalent number believed that their businesses would be more effective with common management systems across the whole value chain. Interestingly, fewer than 40 per cent said they encouraged this practice within their own organizations. A further effect of organizational design and the move to knowledge-based competition has been a tendency to decentralize, pushing power closer to customers and markets. This includes empowering staff to take decisions and increasingly using softer methods of control such as mission, vision and values.


Again our research has found that senior management engagement and a prestigious brand were overwhelmingly seen as more effective than penalties and incentives in getting employees, suppliers and partners to comply with the management system. In many cases, however, this can place the elements of the management system that deal with governance and require top-down central control in conflict with the need to act with local autonomy. Managing conflicting risks centrally and locally is a major challenge. Without the clearly defined responsibility and authority that exists within a management system, the power to take key decisions centrally can be inadvertently lost through decentralization. The increase in the use of formalized management system standards in recent years has had the effect of increasing the use of performance measures by organizations. What is measured sends out messages of what is important. The right measures drive the right behaviour, so the key question is what to measure. This is a difficult thing to achieve in practice, and in many cases organizations have struggled to find the right balance. There is a tendency to measure what can be measured, not what is important, and also a tendency to create too many measures. The latter has the effect of pouring concrete into a management system as decision making becomes paralyzed with information overload. It is vital for companies to understand the difference between key performance indicators (KPIs) and performance indicators. KPIs should be few in number, measure what matters and provide an indication of future performance.

The Integrator™ system approach

Lloyds Register Group has developed an advanced assessment technique called Integrator™ to evaluate how well an organization manages its risks using a management systems approach. The development of the technique has been informed by our expertise in risk management and our role in assessing the management systems of many of the world’s top organizations through the Group’s subsidiary, LRQA. Managing risk successfully in the modern organization requires more than just an understanding of risk management techniques. Success depends on the organization’s ability to integrate aspects of its business management systems in a way that provides an indication of how likely the management system is to deliver the required performance in the future. This means that business risks have to be objectively evaluated and integrated into the management system. There should be effective interaction between the management system and all relevant performance data. Finally the measurement of performance should be linked to business risk.

The results of the evaluation are based upon three interlinked management indicators that measure business risk alignment with the management system, process management and performance measurement. By considering these three elements together, it is possible to evaluate the strengths and weaknesses of an organization’s ability to manage business risk in a systematic manner. This is not a simple numerical scoring system measuring past performance. The premise underpinning this is that successful organizational performance over the long run is enhanced through high levels of integration between business processes and mature management systems that are built into the organizational culture. So what constitutes a mature management systems culture?

• Top management are engaged with the management system, not just committed to its implementation.
• Business risks are mitigated in a cost effective way.
• There has been a move beyond simply following instructions to just the way things are done.
• A small number of key metrics will show things are working and there will be a measurable reduction in risk.

The actual assessment technique, known as PRIMAL, measures the maturity of the management system’s culture within an organization and is based upon LRQA’s proprietary version of the ‘plan, do, check, act’ cycle. There are two additional elements used in the assessment; these are resource allocation, which enhances planning, and organizational learning, which leads to effective action in the long run. We have found in many cases that risks are correctly identified and systems and processes put in place to manage them. However, adequate resources are not made available and/or the techniques used have been proven to be ineffective in the past. By rigorously applying the PRIMAL assessment technique, an organization confronts the reality of its risk management approach and prevents the all too common behaviour of trying to solve the same problem in the same way with the same resources. It is often said that unforeseen events are always unforeseen. Yet in reality, how many unforeseen events were that difficult to foresee? Putting that another way, should not an organization really have known then what it knows now?

3.2

Using scenario analysis and stress testing to quantify and manage operational risk

David Breden, HSBC Operational Risk Consultancy*

A common issue for operational risk managers is deciding which of the myriad risks that beset the firm is the one upon which it should focus its attention. Typically the operational risk manager will be receiving advice of a large number of small losses that relate to basic human error or to low-level fraud, and will feel comfortable managing these losses and resolving the operational issues that they raise. It may be harder to focus attention on a threat that to date has not affected the firm but that, if it occurred in certain adverse circumstances, would result in a significant loss event that might even threaten the future of the business. When looking at such risks, the manager will face the challenge of lack of interest as business units adopt a ‘can’t happen here’ mentality – basing their view on the fact that it has not happened yet. It will be necessary to remember that it is precisely the sort of event that people do not expect and are not prepared for that will have the greatest impact on the firm’s fortunes. In order to focus the attention of business managers on the potential risk that has been identified, it is often helpful to develop a specific scenario to illustrate the scale of the problem in a stressed situation, and if possible highlight the potentially damaging effects of the risk. With this information, the manager will hopefully be able to suggest methods that can be employed to control or mitigate the risk and identify steps that could be taken if the threat materialized. By analysing the potential threat, organizations can prepare a response in the same way as we prepare for loss of a key building or system by developing contingency and business continuity plans. Such techniques are already widely used in many circumstances. We test aeroplanes in wind tunnels to check performance under extreme conditions and crash cars into walls to see how well they would protect occupants in a crash scenario. Use of such techniques in connection with a broader range of risks will help risk managers prepare themselves better for the potentially extreme risks that threaten their businesses.

*The views expressed in this chapter are the author’s personal views and do not necessarily represent the views of the HSBC Group.

SCENARIO ANALYSIS AND STRESS TESTING 143 •

Defining stress tests and scenario analysis

Both stress testing and scenario analysis have been used in industry for many years to enable management to consider possible courses of action to address uncertain or extreme market or other conditions. A stress test will tend to vary one element of a specific environment to examine how a particular object responds to the stressed situation. With scenario analysis, however, a situation will be explored that affects a range of areas of the business to enable management to consider how a defined event will affect the totality of the business. In this way, for instance, an oil company will create a scenario based on a significant rise in oil prices and will consider how this will influence its overall strategy.

There are numerous definitions of scenario analysis. Michael Porter defines a scenario as ‘an internally consistent view of what the future might turn out to be – not a forecast, but one possible future outcome’.1 This definition highlights the fact that we cannot be sure which of the various futures we will actually be called upon to work in, and reflects the fact that scenario analysis lets us prepare for several such options rather than staking our future on a random choice of a future that we consider most likely – or in many cases the future that will be most convenient for our interests. Gill Ringland, meanwhile, focuses on the management of uncertainty: ‘That part of strategic planning that relates to the tools and technologies for managing the uncertainties of the future’.2 Going slightly further, and once again drawing on Gill Ringland’s guide to the subject, we have another definition that stresses the creative element of scenario analysis: ‘A fairy tale or story’.3 This definition focuses upon the ability of business managers to build the scenarios that are of value to the business and that will test the firm’s ability to respond positively to the variety of different scenarios that it wishes to explore.


Methodologies for developing scenarios4

There are three basic methodologies for developing different scenarios. These are dealt with below in order of increasing complexity.

The expert scenario

To create an expert scenario, the firm will gather together a team of individuals who will have sufficient knowledge to be able to decide upon the sort of event that would have a material effect upon the firm but also the expertise to explore in depth the potential impact of the event on all areas of the firm’s business. From the point of view of risk management, the individuals will need to define how the described scenario will cause issues for the firm across its operations, and define in very broad terms the cost of the event and the relative probability of alternative outcomes of the scenario.

The morphological approach

This approach is broadly similar to the familiar risk self-assessment process. A scenario is identified and different variable elements are ranked High, Medium or Low. On the basis of this ranking, a scenario is developed that will produce a significant storyline for investigation. Using an example of a human pandemic, we might conclude that the probability of an outbreak in Asia is high, whilst it is moderate in Europe and low in America. In terms of business size, the financial impact of such a pandemic on our business may be assessed as moderate in Asia but high in America and Europe. On this basis the scenarios based on Europe or Asia might be prioritized over the American case.

The cross-impact approach

Under this approach, different elements are selected for analysis; the elements will influence both the final outcome and each other. An example of a cross-impact approach is a Bayesian Net. Such approaches will generally require a computer model to work through the different impact scenarios.

Once the methodology has been selected, the scenario analysis process will proceed to follow these steps:

• Having chosen a scenario, you will select a series of key elements with a high degree of uncertainty on the business. For a bird ’flu outbreak this could include the location of the outbreak as compared to business volumes in the area, anticipated severity, speed of contagion, effect on national infrastructure and ability of staff to continue working remotely from office premises.
• Alternative behaviour patterns will then be described for the key elements as the planner seeks to factor in the way in which the business will react to each of the different scenarios depending on severity.
• Having described these scenarios, the business will then select a series of informative scenarios that it will choose to manage. Such a scenario will need to be sufficiently severe to stretch the firm whilst at the same time being manageable for the firm.


Planners will develop the scenario story in conjunction with key business units who will define critical factors and results and explore the relationship between the different elements of the scenarios and management responses. Once the scenario is complete, management will develop their strategy to manage this scenario.

Sources of information

When developing stress tests and scenario analysis, planners will have recourse to a series of information sources. In every case, the planner will be looking for information that will provide guidance on the potential frequency of the event or on the impact of that event if it should happen. Such information can be gathered from loss events or near misses that the business itself has experienced, external information related to loss events in other similar institutions, situations based on expert studies of the firm’s operations or analysis of the internal control environment or the overall business environment.

Internal loss events

All operational risk managers will be familiar with the concept of collecting details on internal loss events. They will seek to understand the loss and put in place mechanisms to ensure that the event does not recur. They may also use this data to model exposures. The information can also be used to develop potential loss scenarios. This procedure will seek to examine whether a certain loss event could have given rise to a significantly increased loss in the event that the circumstances of the loss had been different. To use the data, the risk manager will need to analyse the event and identify the main factors that determine the size of the loss. If, for example, we are looking at a loss that has occurred as a result of the misdirection of a currency payment, we will identify four main drivers of loss amount:

• the size of the transaction (as more will be lost if the sum misdirected is large);
• the time taken to resolve the situation (as claims for lost interest will increase with time);
• the volatility between the currency pair in which the payment is conducted (a volatile currency pair will expose the firm to increased loss if rates move against its position);
• the willingness of the erroneous recipient of funds to return funds quickly.

By looking at the activity profile of the firm and varying the drivers indicated, it will be possible to create extreme scenarios to illustrate the potential tail of the exposure distribution even if any losses experienced to date have been small.

External loss events

Another valuable source for the development of scenarios is the use of external loss data. Here we seek to learn from the misfortunes of others, but attractive as that might seem, this source of information is not without its difficulties. Operational risk is highly context dependent, meaning that different firms will experience different effects from identical loss events. This means that events cannot be automatically considered relevant to a peer organization. To illustrate this point, we can consider the example of a systems failure in a highly automated firm that will be totally irrelevant to a firm using traditional manual methods. Equally, differences in the control frameworks of different companies will determine levels of exposure to specific risks. That said, it is helpful to examine major loss events that appear in the press or in external loss databases and consider whether they are relevant to our own situation. If relevance can be established (and publicly available information is often sketchy), then the event can be used as a basis for creating a loss event scenario reflecting the impact of a similar event on our own organization.

Management or staff knowledge

Often, one of the main sources of information on potential risk exposures, and hence on unexpected losses, is management or staff knowledge. The people in the organization who routinely interact with systems, processes, products and markets will be readily able to identify situations where structures are weak or require constant vigilance if error or failure is to be avoided. Risk identification workshops or risk self-assessment exercises can be run to explore the potential impact and likelihood of such events, and material threats can be developed into a scenario to explore the potential loss and, if cost effective, develop plans to address and rectify the weakness.

Control or environmental factors

Another source of information for potential unexpected loss events can be found in qualitative management reports prepared, for example, by internal auditors that highlight areas where controls are overlooked or rarely carried out. Such areas are prime candidates for loss; scenarios revolving around an event, made possible by non-application of a control structure, can be educational and can often encourage staff members to observe control requirements. Another source of information can be related to key risk or performance indicators that will highlight areas of increasing risk. As a general rule, however, a changing environment, activity in new areas or rapid growth are all areas where scenarios can be used to explore the evolving dangers facing the business.

Advantages of scenario planning

Scenario planning presents management with a series of benefits that can help increase organizational resilience and preparedness for unexpected events. In the same way as organizations devise and test business recovery and continuity plans, the creation of developed scenarios to explore extreme scenarios allows firms to prepare for storms on the horizon. By identifying a range of risks we are able to prepare our business to meet a series of different circumstances rather than simply selecting a specific situation to plan for. In this way we can prepare the business and evaluate the cost effectiveness of different alternative risk limitation actions.

Additionally, scenario analysis serves an educational purpose by involving business unit management in thinking about the different threats that confront the organization, understanding the full potential impact of the events and then creating strategies to address and minimize both the impacts and the probability of the events occurring. The result of the activity will be a greater consciousness of the firm’s risk environment and a fuller understanding of the scale of possible loss in the event of an occurrence. Once this knowledge is acquired, there should be a greater willingness to embrace and observe the control structures that have been put in place, as the scale of the potential problems will be understood.

The performance of scenario analysis should also help us in the management of the firm’s risk profile. As we create scenarios, it will become clear that some of the scenarios we identify would have a catastrophic impact if they actually happened. The first response to such a scenario will probably be to try to reduce the likelihood of the event by introducing additional control structures. On other occasions, however, the challenge may be to seek a way of transferring risk away from the firm through insurance or by creating a hedge to minimize risk impact. Another alternative might be to put in place a recovery plan to decide how staff members will react to the situation and to what extent they are able to manage the scenario.

Shortcomings of scenario analysis

However, there are challenges to creating informative scenarios. One of the most significant is to create a scenario that is sufficiently severe to challenge the firm whilst at the same time maintaining realism. It is a basic fact that it is possible to create scenarios so severe that staff and management dismiss them as unrealistic or simply conclude that it is impossible to successfully manage them. So the challenge is that if the scenario is too bland we will conclude that we can easily manage the situation and will fail to address the potential threat; if it is too severe the exercise will be deemed unrealistic and thus also be rendered valueless. Our target, therefore, is to identify a range of stretching but manageable scenarios, where preparation in advance can help us minimize the potential impact of the scenario.

Another issue is that scenarios are essentially subjective: the likelihood and potential impact of the risk will be based on the best estimates of business experts. Of course the experts can be wrong and, what is more, they may fail to identify a specific scenario that then comes to pass, catching the firm unprepared. There is much that we do not know about the risks that may affect us in the future, and we will be unable to prepare ourselves for the ‘unknown unknowns’. That said, preparation for known scenarios will reduce the potential for unexpected shocks to our business.

• 148 RISK ISSUES IN OPERATIONAL MANAGEMENT

The use of scenario analysis in the quantification of operational risk

The quantification of operational risk presents a challenge, because most successful companies will have little data on the high-impact losses caused by the development of extreme scenarios. We are after all exploring the regions of unexpected loss, and as a result many of the assessments made will be based on the informed judgement of business experts. We will seek information about the likelihood of an event and the potential impact of that event, but in doing so will probably wish to allow for uncertainty by describing both likelihood and impact in the form of a distribution between our estimate of a best-case and worst-case scenario, with greatest concentration on our best estimate. By using Monte Carlo analysis or other statistical techniques, we can then run thousands of iterations of the same data to determine the range of potential impacts between a best-case scenario, where impacts cluster at the low end of estimates, and a worst-case scenario where our nightmares are realized. Management can then use this information to inform their decision-making process. By modelling the risk and assigning monetary values to loss we can select the risks that constitute the biggest threat and decide how much we are prepared to invest to address the risks.
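The distribution-based estimate and Monte Carlo run described above, as an added example that is not part of the book: each scenario's annual likelihood and loss impact are given as best-case / best-estimate / worst-case triples and sampled as triangular distributions (the shape the paragraph describes, with most of the mass on the best estimate); thousands of simulated years are run and the loss percentiles and expected annual loss reported, and the scenarios are ranked by expected loss to show where risk-reduction spend would be worth most. The three scenarios, their probabilities and their monetary figures are constructed for illustration only. It uses only the Python standard library.

```python
"""Monte Carlo quantification of operational-risk scenarios (added example).

Each scenario carries an expert estimate of its annual likelihood and of its
loss impact, both as (best case, best estimate, worst case). Each triple is
sampled as a triangular distribution, so most draws cluster around the best
estimate while the tails reach the expert's limits. All figures below are
constructed for illustration and are not data from the book.
"""
from __future__ import annotations

import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: tuple[float, float, float]  # annual probability: (best, estimate, worst)
    impact: tuple[float, float, float]      # loss in GBP if it occurs: (best, estimate, worst)


# Constructed sample scenarios (hypothetical figures, not from the book).
SCENARIOS = [
    Scenario("UPS firmware regression halts trading floor",
             likelihood=(0.02, 0.05, 0.10), impact=(2_000_000, 8_000_000, 40_000_000)),
    Scenario("Primary data centre cooling failure",
             likelihood=(0.05, 0.10, 0.20), impact=(250_000, 1_000_000, 5_000_000)),
    Scenario("Key supplier insolvency",
             likelihood=(0.01, 0.03, 0.08), impact=(500_000, 3_000_000, 12_000_000)),
]


def draw(rng: random.Random, triple: tuple[float, float, float]) -> float:
    """Sample a (best, estimate, worst) triple as a triangular distribution."""
    low, mode, high = triple
    return rng.triangular(low, high, mode)  # stdlib signature is (low, high, mode)


def sample_annual_loss(scenarios: list[Scenario], rng: random.Random) -> float:
    """One iteration: decide which events happen this year and total their losses."""
    total = 0.0
    for s in scenarios:
        if rng.random() < draw(rng, s.likelihood):
            total += draw(rng, s.impact)
    return total


def simulate(scenarios: list[Scenario], iterations: int = 20_000, seed: int = 1) -> dict:
    """Run many simulated years and summarise the resulting loss distribution."""
    rng = random.Random(seed)
    losses = sorted(sample_annual_loss(scenarios, rng) for _ in range(iterations))

    def percentile(q: float) -> float:
        return losses[min(int(q * iterations), iterations - 1)]

    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p50": percentile(0.50),
        "p95": percentile(0.95),
        "p99": percentile(0.99),
        "worst_observed": losses[-1],
        "share_of_loss_free_years": sum(1 for x in losses if x == 0.0) / iterations,
    }


def analytic_expected_loss(scenarios: list[Scenario]) -> float:
    """Closed-form check on the simulation: the mean of triangular(a, m, b) is
    (a + m + b) / 3, and a scenario's expected loss is E[likelihood] * E[impact]."""
    return sum(sum(s.likelihood) / 3 * sum(s.impact) / 3 for s in scenarios)


def rank_by_expected_loss(scenarios: list[Scenario]) -> list[tuple[str, float]]:
    """Order scenarios by expected annual loss, the figure used to decide where
    risk-reduction investment is worth most."""
    ranked = [(s.name, sum(s.likelihood) / 3 * sum(s.impact) / 3) for s in scenarios]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    summary = simulate(SCENARIOS)
    for key, value in summary.items():
        print(f"{key:>26}: {value:,.2f}")
    print(f"{'analytic expected loss':>26}: {analytic_expected_loss(SCENARIOS):,.2f}")
    for name, loss in rank_by_expected_loss(SCENARIOS):
        print(f"  {name}: £{loss:,.0f} per year")
```

With these figures roughly four years in five show no loss at all, so the median annual loss is zero while the 95th and 99th percentiles are in the millions; that gap between the typical year and the tail is exactly the "best-case clustering versus nightmare" range the paragraph describes, and the expected annual loss per scenario gives management a ceiling on what it is rational to spend on controls, insurance or recovery planning for each one.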

Conclusion

A major factor in company management today is the avoidance of surprises. Profit warnings are greeted with displeasure, and senior management is unlikely to relish the prospect of revealing a fall in levels of performance due to unexpected operational factors. It therefore becomes a matter of self-preservation to determine as far as possible what risks are most likely to impact significantly on the firm’s trading performance, explore the extent of the potential problems, and then develop strategies and plans to address these issues. Scenario analysis developed as a methodology for allowing firms to adopt strategic direction in the face of an uncertain future. Risk managers are today using the technique to meet the uncertain threats posed by operational risk.

Notes

1. M Porter (1985) Competitive Advantage, New York, Free Press.
2. G Ringland (2006) Scenario Planning: Managing for the future, John Wiley and Sons.
3. G Ringland (2006) Scenario Planning: Managing for the future, John Wiley and Sons.
4. In this section I am indebted to A Guidance to Business Modelling, 2nd edition (2005), Economist Books.

3.3

Critical engineering and risk management: avoiding complacency Paul Saville-King, Norland Managed Services Limited

Introduction

The ever-increasing demands of customers, combined with the need to sustain competitive advantage in a global economy, have driven a pace of change that today’s business has never experienced before. Challenges of 24/7 accessibility, speedier service and the drive for lower costs mean significant technology and communications investments are necessary to stay ahead. Add the result of global terrorism, the failure of trusted household names such as Enron and WorldCom, and the proliferation of international regulations such as Basel II and Sarbanes–Oxley, and the landscape is vastly different. These changes are further centralizing the role of technology in corporate strategy and increasing a company’s dependency on information and communication systems, and the engineering infrastructure that supports them. One does not have to look too far for evidence that this is affecting the world of facilities management in the design and day-to-day operation of increasingly complex buildings.


However, it appears widely unrecognized by risk managers and boardrooms just how much risk there is for business disruption caused by the engineering infrastructure. At a recent 2006 business continuity seminar there was not one agenda item relating to operational risk in an engineering infrastructure sense, and the hall of exhibitors had a notable absence of engineering service providers. This is the second year that this has been the case. One could assert that this is a failure of the ‘risk industry’ to recognize the potential for the immediate and the catastrophic impact associated with infrastructure failure. This omission combines with the relatively high probabilities of such disruption happening in heavily technology-dependent businesses with traditional maintenance approaches. It appears that boardrooms sit in relative comfort, thinking that the engineering aspects of their operational risk profile are the most tangible and controllable risks they face. This is not the case. If your business is dependent on technology for communications, or on IT for its core business activity (for example Amazon), then you may be at increased risk. Take Reuters, which according to media reports was offline for 10 hours and unable to provide the market data that is their core product following a power outage.

Share prices suffer from engineering complacency and under-investment, and the traditional mechanical and electrical services tender process drives out costs by encouraging savings in the most intangible yet critical elements of service design. Engineers’ holidays and training are simple examples; these may be easy short-term savings for hungry contractors eager for new business but they will expose the client to long-term risks associated with increased staff attrition and low levels of critical engineering competence. As with business continuity planning (BCP), investment banks are leading the way in managing their critical engineering systems. Banks are also adept at planning to meet the future challenges posed by increasing infrastructure complexity, even in the face of the common conflicts between IT and facilities management departments. Building owners and management should network with facilities staff and executives from this group to add a new perspective on engineering risk management and battle to convince core business leaders that these ‘cost centres’ require continued levels of significant investment, even in the face of competitive cost pressures.

Combine the above challenges with the increased ‘risk awareness’ that now permeates boardrooms, and what you get is a new horizon for the management and audit of ‘operational risk’. A study by the Chartered Management Institute (CMI)1 found that 70 per cent of respondents had concerns about IT systems failures and 64 per cent had concerns about communications failures. Actual disruptions followed a similar trend with 41 per cent of IT disruptions and 25 per cent of communications disruptions. Only 6 per cent of respondents to a BCI survey2 selected loss of power as their biggest threat, but this is understandable in the current ‘terror-focused’ geopolitical context.

Why is critical engineering and risk management (CERM) important? Simply put, no power or cooling = no communications or IT = no business. The question then is: ‘What can I do to avoid catastrophic failure of my engineering infrastructure and the resulting impact to my business?’

CRITICAL ENGINEERING AND RISK MANAGEMENT 151 •

Extensive data analysis3 has demonstrated that around 90 per cent of catastrophic business-critical impact related to human or process error and not to the design of the infrastructure at all. Unfortunately for some, especially those of an engineering disposition, concentrating on the less tangible softer elements of managing risk takes people out of their comfort zone.

Industry estimates vary wildly about the actual costs of downtime and there are tangible and intangible elements of this to consider. According to Gartner research, the costs of downtime include:

1. productivity loss;
2. revenue loss;
3. damaged reputation;
4. impaired financial performance.

In financial terms alone, downtime for a brokerage/trading institute can run at around $6.4 million per hour.4 That equates to over $100,000 per minute. The London Chamber of Commerce found that 90 per cent of businesses that lost data in a major disaster were forced to shut down after two years.5

Without doubt Sarbanes–Oxley has spread its tentacles into many areas of operational risk but it seems not yet to have made a material difference where this risk is of an immediate and dramatic systemic nature (through the engineering infrastructure). A traditional mechanical and electrical maintenance services partner may not be equipped – or have the right culture and awareness – to deliver adequate risk protection, especially in the softer elements that produce the most significant risks. In some respects the industry as a whole is still 15 years behind the risk management and banking sectors, although some pioneering companies are attempting to change the industry.

A structured approach to mitigating engineering risk is recommended. The five fundamental pillars (see Figure 3.3.1) of critical engineering and risk management cover the most important aspects of this approach, namely:

• focus;
• consistency;
• compliance;
• visibility;
• learning and improvement.


Figure 3.3.1 CERM pillars (the five pillars Focus, Consistency, Compliance, Visibility and Learning, standing on the right culture and supporting effective CERM)

The five pillars

Focus

Focus relates to the need to concentrate specifications, systems and processes on activities completely aligned with reducing or eliminating risk from the critical engineering infrastructure. Examples in this respect would include challenging the norms around traditional key performance indicators (KPIs). Traditional maintenance specifications often have measures around completed maintenance tasks or reactive tasks completed on time. In reality this is often misaligned with the activities critical to keeping the customers’ core business operational. Many organizations include uptime specifications within service provider contracts (such as 99.999 per cent availability) when this is recognized by industry experts6 as impossible, even with a system-plus-system design. What does this achieve except to cause conflict between customers and supply partners even when the intent is correct? Surely, it is far better to include measures and KPIs that reflect the inputs or levers that will influence the maximization of uptime. Examples include many of the softer elements of service provision such as specific CERM competencies, staff motivation and levels of proactive scenario training delivery. These softer aspects pose measurement challenges, and this may be why historically many service providers and facility operators have hesitated to challenge ambiguity and define them more adequately.


Additionally, CERM best practice would recommend that the areas critical to the customer’s core business are identified in a joint working group (for example the data centre or trading floors) and as a result critical engineering paths are mapped holistically. This should be in terms of geographic location, systemic interconnectivity and security/accessibility. Once completed, this review allows for a complete realignment of the planned preventative maintenance (PPM) system to focus activities on those elements of the path that are most effective for risk mitigation. This should involve new ways of working and perhaps the introduction of technologies such as hand-held units or tried-and-tested non-intrusive maintenance techniques. Around 90 per cent of existing maintenance systems can be modified without any major cost or disruption to the business.

Consistency

Consistency relates to the consistent application of ‘hard earned’ local knowledge, tested systems and procedures. At its most basic level, this provides a platform for measurement and benchmarking across geographic regions or even between client groups. At the more complex end of the spectrum, consistency alludes to the need to ensure that tacit knowledge7 is transferred between team members, across boundaries and at its ultimate between homogeneous customer groups. This requires a time commitment that many incorrectly judge to be a poor investment. Primarily, this pillar relates to the need to have consistent core processes that have passed resilience tests and deliver effective risk management from an engineering perspective, for example evolving traditional permits in use in facilities management and mechanical and electrical engineering to a system specifically designed for authorizing works relating to critical equipment and areas, thereby reducing potential risk significantly. These principles seem simple but in practice are rare in most maintenance operations.

Another essential control mechanism is the software change permit. Some senior managers have lost their jobs through failure to control the software aspects of what would otherwise have been a straightforward maintenance or project activity. In one example an ‘old’ revision of software – accidentally installed – on an uninterruptible power supply (UPS) protecting hundreds of trading positions caused an immediate and unplanned shutdown despite rigorous prior change management approvals. This one event cost hundreds of millions of dollars of lost revenue for an investment bank. A software control permit not only forces clarity about ‘the what’ and ‘the when’ but it also forces consideration about contingency measures and fall-back positions should things not go according to plan.

Compliance

Compliance relates to the need to ensure that critical engineering activities and measurements, and the critical processes that support them are effective. It is more than auditing although this is an essential element. It is more about stakeholder assurance and, when combined with adequate visibility, provides managers and board members with peace of mind. Traditional audit processes focus on antiquated elements of performance, usually around financial processes, statutory maintenance compliance and performance against traditional service level agreements (SLAs). This approach is not ‘critically aligned’ and should be prioritized for change. Compliance must also pick up important ‘noise’, which may or may not contain essential information that could prevent a future business impact. Examples include the implementation of a critical incident reporting system, which records not only detail of actual business impact but records – and more importantly encourages – the reporting of near-miss data. Most near-miss recording systems fail to differentiate those events that result in a business process change or improvement, despite this being a key ingredient for generating enthusiasm and buy-in from the engineering team.

Visibility

Visibility concerns the ability of the management team to focus on delivering or supporting the core business through having peace of mind about engineering risk. This is made possible through the accurate reporting of critical engineering exceptions and potential threats that would otherwise need to be ‘mined’ out of the daily furore. An example of this is the CERM risk register, which not only records current and future risks relating to the engineering infrastructure (such as design issues, union strikes and potential fuel supply shortages), but also includes a success register for risks that have been systematically eliminated. This demonstrates a progressive and unrelenting ‘war on risk’, especially if the unfortunate should happen and difficult questions are asked by shareholders or board members. Technology has an important role to play here, and sophisticated yet simple dependency modelling systems can facilitate effective traffic light analysis – via a web browser – of the status of all systems, processes, system capacities and competencies no matter how large or globally dispersed a company is. This is probably the most important aspect of CERM, and serious thought and investment are essential to have adequate and effective levels of visibility.

Learning and improvement

Learning and improvement demonstrate CERM as being a dynamically evolving concept. Events happen despite the best systems in the world and, apart from a reliable CERM incident response team, your service provider or expert should ensure that effective lessons-learned exercises are carried out. Structure this to reflect the McKinsey 7S model with headings of systems, structure, strategy, staff, shared values (culture), skills and (management) style. These headings provide useful insight into the concept that these elements act in harmony (or not) and that one cannot focus only on the ‘hard’ elements such as systems and processes. ‘Soft’ elements such as management style, skills, CERM strategy or ‘culture’ are just as likely to be complex root causes of system failure and far harder to eliminate. The sharing and leverage of local knowledge also fall under this category. This is more difficult than it seems, and a technological solution for knowledge management will not solve the problem. Again, the ‘soft’ elements of critical engineering such as a risk-aware culture, CERM competencies and varied communications mediums are far more effective in this regard.

Culture and behaviours

It is clear that you can have the best systems, technology and processes in the world but, without the right culture and behaviours in the first place, these processes will be poorly applied at best, and at worst deliberately disregarded. There are several ‘levers’ that can be applied to driving the right behaviours and culture required for critical environments as follows:

• stringent recruitment and selection in the first place based on required behaviours, not just experience and qualification;
• correct launch and communication of the need for a more robust approach to critical engineering and risk management;
• constant communication of progress and the establishment of clear metrics;
• formal training on systems and processes;
• appraisal alignment incorporating risk mitigating/highlighting behaviours;
• 360 appraisal feedback from suppliers, customers, management and peer workers;
• celebration of successes, no matter how small they seem at first;
• reward and recognition, both formal and informal;
• formal knowledge-sharing programmes.

Figure 3.3.2 Risk evaluation matrix (systems/processes from weak/few to many/robust against behaviours from unaligned to aligned; quadrants: uphill struggle, unacceptable risk position, managed risk position, downhill ride)


A new model

Although the elements above are intended to provoke thought and evaluation of your current approach, it is important to select a service provider that recognizes the redundancy of traditional maintenance and is willing to work closely with you to implement a completely new model. What should be clear to you is that it is not enough to rely on systems and processes – it is the culture that counts. This takes time, and when implementing a new CERM model – depending on the starting point – it can take up to two years to change to the desired state. Systems alone can be implemented by a proficient operator in as little as three months. The model shown in Figure 3.3.2 provides a framework for you to assess your risk position in relation to behaviours/culture versus systems/processes. The right approach to CERM is not a collection of isolated systems and processes but a cohesive collation of many elements in a new model.

Five steps to peace of mind

The following are five recommended steps, based on the above, which when followed will reduce your exposure to engineering infrastructure risks:

1. Be clear what you want to achieve and set SMART targets.
2. Choose a CERM-aware partner.
3. Realign your maintenance model (five pillars).
4. Drive hard on the ‘soft stuff’.
5. Review formally and audit on a regular basis.

Notes

1. CMI (2005) Business Continuity Management, CMI, London (440 respondents).
2. Business Continuity Institute (BCI) in conjunction with IMP Events and sponsored by Hitachi Data Systems, 13–18 March 2005.
3. A live online database of Norland Managed Services customers – CERMView™.
4. Meta Group (2000) IT Performance Engineering and Measurement Strategies: Quantifying performance and loss, October, Meta Group; Fibre Channel Industry Association.
5. London Chamber of Commerce and Industry, Disaster Recovery: Business tips for survival, LCCI, London.
6. Uptime Institute.
7. Tacit knowledge is that which enters into the production of behaviours but which is not ordinarily accessible to the consciousness.

3.4

The role of strategic purchasing and supply management in risk management Emma Brooks, Chartered Institute of Purchasing & Supply (CIPS)

Value generators and value protectors

Procurement’s profile in organizations is on the rise. A wider spend remit is being influenced and internal barriers are being broken. Some of the most valuable assets the purchasing team can bring to an organization are due diligence of vendor rating and regular detailed monitoring of supplier performance to identify, monitor and manage enterprise-wide risks whilst encouraging innovation and continuous improvement. This has manifested itself through enhanced relationship-management skills in purchasing teams both internally and externally. This resource is yet to be fully exploited and, although procurement has made some progress in influencing spend areas such as marketing, HR and legal services, the skills and value that procurement can add to the purchasing process have yet to be maximized on a company-wide scale.

STRATEGIC PURCHASING AND SUPPLY MANAGEMENT 159 •

There are vast sectorial differences too, as procurement teams still struggle to make an impact in the service industry, while their presence is deep rooted in manufacturing and retail. The role of purchasing and supply management (P&SM) professionals has been transformed and, in many industries, there has been a shift from a transactional, back-end administrative function to a fully embedded, cross-departmental, value-adding function. Procurement professionals are taking on a more consultative role and are working alongside business units to deliver shared goals. To become more strategically focused, P&SM professionals have begun to investigate what is important to the organization and the end customer in order to identify what delivers both customer and shareholder value. Once you have established what the important issues are, you then begin to understand the risks and vulnerable points and can start building a resilience plan.

The role of procurement is that of risk management and building robust supply chains, both upstream and downstream, that can weather disruptions with minimal impact. Professor Paul Cousins, Director of the Supply Chain Management Research Group at Manchester Business School, summarizes the role of procurement as that of ‘value generator and value protector’. All initiatives, including risk management programmes, must be tied back into shareholder value and customer perceptions, and procurement professionals are the custodians of this process. However, research shows that procurement professionals still have some way to go if they are to catch up in the risk management stakes.
A CIPS-commissioned report compiled by Dr Helen Peck from the Resilience Centre at Cranfield University found that: High-profile events such as corporate governance scandals, international terrorism and civil contingencies requirements have propelled corporate risk management and security into the headlines; although they appear to have had relatively little impact on awareness of risk management in purchasing and supply.

McKinsey also reports, in its recent ‘Understanding supply chain risk’ global survey, that almost two-thirds of respondents said that the risks to their supply chain had increased over the past five years. As we operate in a global environment, this pattern is likely to continue and risk management will become a major focus for P&SM professionals. So why are they still struggling to get involved and noticed? It is paramount for procurement professionals to ensure they have the ear of the board in order to play a key role in risk management strategies and prove their worth. Successful risk management programmes assess the risk in terms of likelihood and impact as well as what it means to the organization. Why is this important to my organization? How will it impact value? Until this connection is made it is difficult to obtain senior management buy-in or even to be taken seriously at all.


The business risk environment

Modern organizations operate in a very commercially pressured global environment. Competition is strong, and risks must be taken in order to remain efficient and competitive. We often see risks as having a negative impact on our organization; however, with risk often come opportunities and innovation and not always threats. Like finance and auditors, procurement professionals have had a reputation for being risk averse, providing 101 reasons for not doing something. A more modern approach is to find solutions and provide a robust framework for business to operate in, allowing scope for risk takers, and closely monitoring the process step by step.

Organizations have become very lean and mostly operate on a just-in-time basis. Therefore the slightest disruption to any element of their supply chain can have devastating results. There is often no ‘slack’ to withstand a major movement in an organization’s operations. Procurement practices such as outsourcing, low-cost-country sourcing and lean supply have exposed us to new risks but have also given us the experience to mitigate and avoid their impacts. Trends such as reducing the supply base and using sole sourcing have forged closer working relationships in order to collectively monitor and manage risks in the supply chain. BA more than anyone discovered these risks when a breakdown of relationships with Gate Gourmet resulted in their planes being grounded for several days in 2005; BA probably did not view their catering supplier as a particularly high risk at the time. Wherever possible, the purchasing organization should adopt a partnering approach to the important and vulnerable supplier relationships as a way of mitigating the risks of supply chain vulnerability. Whenever an organization is significantly vulnerable to the consequences of failure of supply, the appropriate style of relationship to manage a supplier would usually be partnership.

Industries have also become consolidated and if one major player is affected the knock-on effects can be catastrophic. Consolidation may make it almost impossible to switch to alternative suppliers who have the same capacity, especially when non-standard products are used. Generally there is no slack in these manufacturers’ capacity either, so finding a supplier to switch to may be impossible. The packaging industry is one example where there are only a few large consolidated businesses. Organizations must become agile and risk aware. We need to be able to activate contingency plans at short notice.

The right tools for the job

Procurement professionals have a wealth of tools and skills that are appropriate for risk management, from close working relationships within both buying and supplying organizations to monitoring and performance measurement techniques. As procurement professionals, we are experienced in calculating savings, and this is one way of demonstrating the value we can add to an enterprise-wide risk management programme. If you are able to price a risk or disaster in terms of the cost of the loss, you are then able to cost or calculate a ‘saving’ on avoiding that loss. This is indeed a powerful tool for obtaining proper attention from the board and shareholders. Successfully managed risk taking is also likely to attract attention. Showcasing examples of increased profit, innovation or sales through the successful mitigation of risks will also raise the profile of the procurement team.

As value generators and protectors, customer perception and value are considered throughout the procurement process as well as shareholder value. Dr Peck’s research also looked at downstream indicators that impact on customer satisfaction to establish the level of involvement that procurement teams had in measuring and monitoring these indices. She found that in nearly three cases out of four, respondents stated that lead time to customer is included in routine monitoring. Just over 60 per cent also indicated that availability of company products/services was also routinely included. As ever, the devil is in the detail, and marked differences appear between the sectors. Lead time to customer featured in routine monitoring in 95 per cent of public sector organizations, over 81 per cent of manufacturing businesses, nearly 65 per cent of the transport, retail and distribution sector and under 64 per cent of financial/business services. When respondents were asked to identify the single most important factor influencing awareness of purchasing and supply risk within their own organizations, customer requirements emerged as the overall front-runner. Through carefully monitoring supplier contracts, relationships and performance, comprehensive risk assessments can be profiled and problems foreseen and avoided, or opportunities successfully managed to fruition. Partnering and outsourcing have led to improved relationships and more prudent performance measurement tools.

Example: risk management for temporary staff

The recruitment and management of temporary labour is often a very strategic-spend category for organizations. People, their quality of work and overall attitude, integrity and appearance can have a major impact on the performance and image of your organization. For some industries, where customer-facing personnel deal with highly personal and data-protected information, the risks of getting it wrong are high. There have been several reported incidents where bank account details have been sold from customer call centres, costing one particular bank over £230,000, not to mention the reputation impact on customer security assurance. The role of the P&SM professional is to pre-empt these risks and put processes in place to highlight, mitigate and avoid them where necessary. A starting place is thorough pre-screening of suppliers prior to contract negotiation. It is good practice to carry out site visits and screening of the supplier’s internal processes. In a call centre environment, criteria such as monitoring staff calls and e-mail, the use of USB data sticks and CDs in hard drives, restricted access to reporting and the storage of customer data are just some examples of issues that should be considered, as well as system support, data backup and business continuity plans. Critical issues such as these should be written into the supplier contract and the relevant key performance indicators logged and regularly monitored.

• 162 RISK ISSUES IN OPERATIONAL MANAGEMENT

Once the supplier has been awarded the contract, it is advisable to regularly audit both the supplier’s and buying organization’s processes. Suppliers should be encouraged to self-audit and report back with regular management information, and the buyer should carry out spot checks and regular scheduled audits. Where this level of detail and potential risk exists, a collaborative relationship should be formed. By meeting on a regular basis and implementing a process of continuous improvement of joint objectives, risks are generally reduced and often avoided. Relationships must be forged to ensure that both parties have a shared and mutually agreed value proposition, allowing scope for innovation and process improvement from both parties. Selecting the right supplier to engage with is critical: too small and its internal resources may not stand the pace, too large and it will see you as a nuisance and be less likely to employ joint initiatives. It is not only the confidentiality and data protection issues that must be considered; issues that are perceived as more simple, such as getting the right person on site in a timely manner and reconciling accounts, are often overlooked. The aged debt for temporary staff agencies is a problem that has been around for some time. These aspects of the purchase-to-pay process are of equal importance as they have the potential to damage a strong working relationship between buyer and supplier and therefore affect security of supply. This value-adding, end-to-end risk consideration is where procurement professionals really make a difference.

Summary

The Cranfield study concluded that when it comes to best-practice risk management in purchasing and supply, one size is unlikely to fit all. Analysis of how companies assessed and managed risk revealed a complex picture with distinct differences between sectors. For example, while recent disruptions to supply were a major influence in manufacturing, it was corporate responsibility risks that had the greatest impact in retail and the public sector. For financial services companies, it was changes in business strategy that drove change. The risk management tools, however, are more commonplace. Fixed-price contracts, collaborative relationships and closely monitored key performance indicators are common across most sectors. The role of the procurement professional is to ensure that both internal and external contacts are on red alert to monitor the identified weaknesses in the supply chain and act quickly to remedy them. Risk management in the supply chain is more about resilience; risk is on the increase and is part and parcel of our business lives. Often it cannot be avoided, so a method for managing and minimizing its effects is the only way forward. A lack of time and resources is a common problem; therefore procurement professionals need to raise the awareness and understanding of supply chain risk management tools and techniques in order to obtain recognition at a senior management level, and ensure it is given the time and attention it requires.

3.5

Carrot and stick: why BS 25999 is set to change the way the UK does business Keith Tilley, SunGard Availability Services (UK) Limited

The risk landscape has changed dramatically over the past 10 years and the majority of organizations are ill prepared to meet these threats. According to From Adversity to Availability, SunGard Availability Services’ authoritative investigation into the current state of the Information Availability and business continuity market, just 41 per cent of the FTSE 250 are fully prepared for forced relocation. And with adoption of business continuity management (BCM) being particularly poor among SMEs, that figure is even worse. This state of affairs could be set to change with the advent of BS 25999, the first national standard in BCM, which looks set to make BCM a prerequisite for doing business in the UK in the years to come.

CARROT AND STICK: BS 25999 AS AGENT OF CHANGE 165 •

Misconceptions lead to complacency

As the industry pioneer, SunGard is a passionate proponent of ‘Information Availability’ (IA), an all-encompassing strategy that spans BCM, disaster recovery and solutions for always-on environments: all the factors instrumental in keeping people (employees and customers) and information connected at all times. The overriding purpose of IA may be simply stated as being to avoid downtime and keep the business running – by planning and prevention, containment and recovery and by identifying, removing and addressing areas of operational risk, business interruption and loss. Until now, the majority of board directors have been somewhat apathetic about Information Availability despite its fundamental importance to the fortunes, and even the very survival, of their businesses. The reasons behind this apparent lack of interest are partly historic – in its infancy, disaster recovery was traditionally limited to recovering technology and regarded as ‘the IT department’s problem’ – but also because misconceptions have led to complacency. One of the common misconceptions exploded by the From Adversity to Availability report is that insurance is an adequate substitute for good BCM. But, in the report’s words:

Insurance provides no protection; it only provides compensation. Insurance will not enable your organisation to keep operating through a disaster; nor will it protect your organisation against system downtime. Insurance will help you recover your infrastructure and your premises but provides no recompense for the loss of the most critical asset: your information.

While directors have long had a statutory obligation, as the Institute of Directors notes, to ‘exercise reasonable care in the performance of their work’ and act in the best interest of their stakeholders, it is only with the advent of BS 25999 that there is an objective benchmark against which they can be judged. As our report points out, failure to exercise proper care is not just a failure of moral responsibility but also incurs the risk of personal liability, creating the possibility of criminal and civil actions against the individual concerned. It is SunGard’s position that Information Availability is such a crucial aspect of good corporate governance that failure to take it into consideration could be considered dereliction of duty.

BCM set to move up the corporate agenda

Since BS 25999 was proposed it has been the subject of intense debate. When the draft document was posted on the British Standards Institution’s website as part of the public consultation, it was downloaded an unprecedented 5,000 times. A staggering 658 pages of comments were subsequently submitted. It is no exaggeration to say it has been eagerly awaited. The new standard is intended to be a framework that organizations of all types can follow to achieve a common standard. It sets out what organizations need to do, not how they should do it. It is deliberately not prescriptive because it has to be relevant to


all, from small business to multinationals and across the public, private and voluntary sectors. It does not contain a groundbreaking new approach – just tried and tested processes and best practice. However, for the first time, a recommended testing schedule has been enshrined in official BCM guidelines. This fact alone means that BS 25999, when implemented wholeheartedly and not just as a box-ticking exercise, will improve an organization’s survivability in the event of disaster. In addition, the Standard insists that the scope of business processes covered is pre-defined at senior management level and that a director signs off the plans. Although in practice this may well be delegated, BS 25999 is likely to be a catalyst in gaining senior management buy-in and raising the profile of business continuity within an organization. Unlike its predecessor, PAS 56, which many in the public sector argued was too heavily geared to the financial services industry, commercial pressures mean that BS 25999 is likely to achieve much greater take-up. It could give companies a competitive edge when pitching for new business, while if, as expected, take-up of the standard is widespread, firms that lack the requisite badge may be at a disadvantage. BS 25999 has been designed as a universal benchmark rather than being specific to any single industry sector. That means for any organization that outsources services or relies on a supply chain in any way, accreditation of these suppliers or third-party service providers is a simple way of ensuring that all the parties involved have adequate contingency plans in place. Business continuity managers have long argued that BCM should be regarded as an investment not an expense, and the new British standard gives this argument more weight. Compliance with the standard reduces the cost of evaluating suppliers, de-risks the supply chain network and allows organizations to differentiate themselves by demonstrating they provide a quality and reliable service.

What’s the answer?

SunGard offers a range of services designed to keep its customers in business, no matter what. As the leading provider of Information Availability solutions since 1978, SunGard is well placed to advise organizations on the service – or, typically, the combination of services – that will best meet their specific IA needs, depending on the tolerance for downtime. This varies from company to company, system to system. A poll of companies around the world by the Economist Intelligence Unit found that 47 per cent of risk managers questioned claimed that more than 24 hours’ downtime could seriously jeopardize the survival of the entire business. The comprehensive range of SunGard’s Information Availability solutions means that whatever a company’s size, sector or budget, it only need pay for the level of protection it needs.


• Professional services: From helping organizations achieve BS 25999, specialist BCM software and expert, vendor-independent consultancy advice on issues such as security and performance optimization, SunGard provides an array of products and services designed to help get risks under control, thereby safeguarding profits, operations, customers and reputation to keep organizations in business.
• Recovery services: SunGard’s disaster recovery facilities enable organizations to react quickly, relocate and restart. Customers bring their backup data and people to our facilities, giving them immediate access to hardware and state-of-the-art automatic call distribution systems – and we get them back up and running as fast as possible. And if they can’t get to us, our mobile recovery services come to them.
• Managed IT solutions: SunGard hosts customer systems in one of its secure, hugely resilient data centres, but leaves customers in full command of the applications that drive their operations. This means they benefit from best-of-breed technology with round-the-clock monitoring and support from our highly skilled IT professionals.
• Information Availability solutions: In today’s age of data dependence, a holistic Information Availability strategy combines professional services, recovery services and managed IT solutions to provide comprehensive support for an organization’s people, infrastructure and data so that it is ‘always prepared, always ready and always on’.

Gazing at the crystal ball

In its early days, disaster recovery was traditionally perceived as being about recovering systems and data – the IT department’s responsibility. Information Availability is much more than that – it is about keeping the business running, no matter what. But old habits die hard. One of the biggest challenges facing the BCM professional today is to embed an Information Availability culture within the organization so that it is factored into each and every business decision. This requires a major cultural shift. We predict that the ability to anticipate and plan for all the events an organization might encounter will increasingly become part of the daily business agenda. Moreover, the ability to do this more effectively than the competition so that all information and communication systems continuously perform to their optimum will increasingly sort the winners from the losers.


Case study. Irwin Mitchell: staying afloat during the floods

Irwin Mitchell is the UK’s fourth-largest legal firm, with over 2,300 employees in the UK and Spain. It is also the leading personal injury and medical negligence litigation practice in the country and was recently voted National Law Firm of the Year. Irwin Mitchell has always taken a very proactive approach to business continuity (BC) planning. It has worked with SunGard Availability Services for several years to ensure that any disruption to its IT or telephony functions is minimized and that all data is kept securely. SunGard provides the firm with high-availability services for data hosting as well as both on-site and remote disaster recovery services, depending on the systems in question and the nature of the incident from which it is trying to recover. Like all in the legal profession, Irwin Mitchell has stringent service level agreements (SLAs) in place with all of its clients. For instance, its insurance department must call a client within one hour of receiving an instruction. Such SLAs must be met, come fire, flood, power outage or any other business disruption. Telephony recovery is often overlooked by businesses when developing their BCM response but Irwin Mitchell and SunGard placed strong emphasis on ensuring the resilience of the firm’s call centre, which takes up to 7,000 calls a day.

Invocation!

In June 2007, Sheffield was hit by severe flooding following some of the wettest weather on record in the UK. On Monday 25 June, Irwin Mitchell’s Sheffield operation, located in two buildings in the city centre, was badly hit by the flooding. The ground floors of both buildings were completely engulfed. Irwin Mitchell’s business continuity team alerted SunGard at around 5 pm that day. By 6 pm, Gary Thomas, Head of IT Operations, called SunGard to invoke its services and action its recovery plan. Fortunately, the flooding hit the building after the call centre had closed for the evening, but it was now essential for Irwin Mitchell and SunGard to ensure that normal services could be resumed the following morning. While SunGard started to put the firm’s recovery plan into action, the BC team worked through the night, activating localized plans to create a makeshift call centre in the boardroom on a higher floor of the building. Irwin Mitchell would eventually relocate around 50 of its contact centre staff to its local SunGard Recovery Centre, based in Elland, West Yorkshire, with the remainder of the team staying in the makeshift facility. As part of the BC plan, SunGard kept 30 of the IP phones used in Irwin Mitchell’s call centre at the recovery centre in Elland. By 1 am on Tuesday


morning, SunGard had two recovery suites ready with 100 PCs and 30 IP phones. SunGard mirrored Irwin Mitchell’s call centre PC systems, so employees would have exactly the same information on screen. SunGard shipped in a further 70 IP phones from its mobile recovery centre in Leicester and by 4 am, Irwin Mitchell had access to 100 call centre positions, each of which was identical to those in its own offices. As Gary Thomas says: ‘To all intents and purposes, the recovery centre became another Irwin Mitchell building.’

Keeping staff up to date

Another important part of Irwin Mitchell’s recovery plan was to keep staff updated on developments and on what they should be doing. The firm had established a free 0800 telephone number for use as a staff information line in emergencies. This number is a key component of Irwin Mitchell’s crisis management strategy and is printed on staff ID cards and explained during inductions. On the morning following the invocation, Tuesday 26 June, everyone knew exactly what they needed to do. Call centre staff were told to travel to work as normal for transfer to the SunGard recovery site in Elland by bus. The smooth, fast recovery ensured that the call centre was able to meet its SLAs despite the flooding.

Logistical problems

Irwin Mitchell ultimately used only one of the recovery suites earmarked for it at Elland, as some staff continued to use the boardroom as a makeshift call centre. Fifty staff were transferred from Sheffield to Elland and continued to work there for over two weeks. This extended duration was necessary as there were ongoing issues with power while the utility companies patched up the city. One of the major tests for the BC team during the invocation was the logistical challenge of transporting staff to and from Elland when all of the local transport networks were severely disrupted due to the flooding. Thomas notes: ‘We actually ended up booking hotel rooms for our call centre staff in Elland as it was simply impossible to transport them on a daily basis. What is usually around a 40-minute journey from Sheffield to Elland was taking over two hours. Fortunately our staff were flexible, pulled together and were happy to do what was required in the face of adversity.’

A successful recovery

Effective planning, a good IT infrastructure based on Voice over IP technologies and a rapid response by SunGard ensured Irwin Mitchell continued to function


almost as normal. Irwin Mitchell staff at Elland were able to receive client calls and forward them to all corners of the Irwin Mitchell enterprise. Irwin Mitchell was able to maintain its normal level of service despite the severe floods, which caused over £2 million worth of damage to the firm’s buildings. Irwin Mitchell prides itself on the fact that it answers 98 per cent of its calls within 15 seconds. On the day after the floods, this dropped only marginally to 96 per cent, an impressive performance given the circumstances. As Thomas says, ‘From an operational and technical point of view, the recovery worked beautifully. Our clients would not have noticed any drop in the level of service and the feedback from our staff has been overwhelmingly positive. Considering that we did not invoke until the Monday evening, it was a remarkable feat to be fully operational again for the start of business at 8 am the following morning. SunGard delivered a very smooth, professional service: we were in constant contact with its technical team at Elland and they provided us with the expertise and reassurances that we needed in what was quite a stressful time.’

Moving forward

Irwin Mitchell viewed the success of its recovery from the floods in Sheffield as vindication of its investment in and focus on business continuity management. Thomas remarks, ‘Business continuity is often something that organizations begrudge paying for as it can be hard to see any immediate return on investment. However, our board has always recognized its value and this one invocation gave us that return. Having a clearly defined BC plan in place helped save the business. The damage we would have sustained otherwise is incalculable.’

3.6

Risks in the supply chain and how to manage them Tim Kitchin and David Lawson, Lloyd’s Register Quality Assurance (LRQA)

Cost cutting is no longer the main driver of supply-chain globalization, according to the UK’s Chartered Institute of Purchasing & Supply (CIPS). In 2007, CIPS members concluded that globalization’s real benefits are to improve business efficiency and reduce commercial risks. Four in five of these same procurement professionals already manage an international supply chain, and 96 per cent expect their supply chains to globalize still further in future. The trend appears unstoppable. How ironic then, that supply chain management should so often prove to be a source of commercial risk itself. Supply chain assurance – assessing and controlling supply-chain risks to promote business advantage – has never been more critical. Just quoting three of the industry journal Supply Chain Digest’s ‘11 greatest supply chain disasters’ should illustrate the point.
• Most recently, consider Cisco’s 2001 inventory disaster: lack of demand and weak inventory visibility in a slowing market led to a $2.2 billion inventory write-off and Cisco’s stock price was slashed in half.


• A little further back, consider Aris Isotoner’s sourcing calamity in 1994: then a division of Sara Lee, Isotoner decided to shut its successful Philippines-based glove and slipper manufacturing plant to chase even lower costs elsewhere. Costs rose, quality plummeted, revenue was cut by 50 per cent, and the company was soon sold to Totes Inc.
• Finally, consider GM’s 1980s robot mania: CEO Robert Smith spent $40 billion on robots that mostly didn’t work, while Toyota focused on a management systems approach, developed its ‘lean’ production systems and became the world’s biggest and most successful auto manufacturer.

At first sight, the examples above may sound either like clear-cut systems failures or like examples of poor business planning, but they are all examples of where ‘soft systems’ of business planning or market insight failed to translate into the ‘hard systems’ that control supply chain behaviour. This conflict between hard and soft systems is even more pronounced in recent headline-grabbing stories. Take Gap or Nike’s supply-chain difficulties, for example. Both are extremely subtle, combining difficulties in valuing reputation assets, in reading changing consumer sentiment, in monitoring remote behaviours, and knowing how far to intervene in local labour practices. And even Mattel’s 2007 difficulties in controlling the use of lead paint in its Chinese toy manufacturing operations are far from straightforward, combining monitoring difficulties with product design constraints and high dependence upon a single sourcing location. Supply chain management is not easy. The lesson to take from all these examples is that any cost-cutting programme or business-efficiency planning for your supply chain must run hand in hand with a broad risk-based management system – grounded in a thorough assessment of both the hard and soft risks affecting the supply chain. Getting it right means developing an assurance approach that cuts across a variety of functions and locations. An integrated approach to risk management sees risk identification, process design and performance management as distinct activity clusters. Their interaction must be managed through a comprehensive assurance programme. The role of this assurance is to manage the interactions of these three elements on an ongoing basis. This chapter looks at these three clusters at a high level – the changing nature of risks, the changing nature of supply chain management responses, and the changing nature of performance monitoring – and offers some high-level principles on how to connect them.

The changing nature of risk

Of course, globalization itself is nothing new. In the 1800s, the famous ‘slow boats’ were busy plying their trade from China to London, bringing tea, silks and spices. The risks then – smuggling, mutiny, piracy and product tampering – were almost wholly operational, and they still exist today, albeit for higher stakes. Product tampering is now highly politicized, evoking concerns over national security and the risk of global bioterrorism. Piracy is now an upstream activity, more concerned with hi-jacking of design IP and manufacturing secrets than with actual products. Mutiny too remains

MANAGING RISKS IN THE SUPPLY CHAIN 173 •

a threat through disloyal employees; witness the recent attempt by a rogue Coke employee to sell trade secrets to PepsiCo. And smuggling, of course, is still prevalent through the quasi-legal mechanism of grey imports or the plainly illegal manufacture and distribution of counterfeit product – an issue that extends way beyond fake Gucci watches and dodgy perfumes. For example, the UK Medicines and Healthcare Products Regulatory Agency announced in January 2007 that it was investigating twice as many cases of fake drugs as five years ago.

Although much remains the same, it is also true that much has changed

The first shift has been the creeping burden of responsibility placed upon firms. On the surface, legal boundaries remain more or less as they were, but under the surface de facto responsibilities have shifted. Information transparency, consumer activism and the corporate social responsibility movement continue to increase the depth and breadth of accountability. Corporations must account for the behaviour of a wider and wider network of providers across a wider and wider portfolio of responsibilities, with more and more precision. This creates the social backdrop against which the diamond industry was forced to introduce a global system of supply-chain warranties: the Kimberley process. It is this same backdrop that forced Starbucks to introduce its CAFE standard. And it is the same backdrop that caused BP to withdraw pre-emptively from the Global Climate Coalition and to help kick-start the Extractive Industries Transparency Initiative to clamp down on corruption in the extractive sector.

The burden of compliance

Secondly, this general shift in social responsiveness has been accompanied by an increased burden of compliance, as society at large is less and less willing to ‘take things on trust’. Compliance covers a wide spectrum from compliance with an internal company-wide standard, to voluntary industry standards, to adherence to national laws, or to regional or global trade agreements. While traditional certification approaches are very well able to cope with the internal and legalistic modes of compliance, these new regimes (industry-wide, multi-country and largely voluntary) pose real operational challenges for risk managers in knowing how far and how fast to respond. With a greater compliance burden come not just costs but also new risks associated with breaching the implied contracts. The potential scale and cost of such breaches becomes all the greater as the boundaries of responsibility start to blur between government and corporate stakeholders.

The changing nature of supply chain management

In the face of this twin burden – to be more responsible and to be stricter in honouring that responsibility – the most critical obstacle to a rapid response has been the fragmentation of the supply chain. Supply chains have extended relentlessly, in both


number of parties involved and their sheer geographical reach. And as they have done so, these supply chains have become more empowered. It is now extremely rare for a retailer or manufacturer to own its production capabilities. Even at ‘tier 1’ supplier level, suppliers will be serving multiple customers to different specifications, and seeking to add as much value as possible to raise their margins – many developing their own value-added brands. For risk managers, this change means that compliance is increasingly an exercise in aligning interests and building the case for change, not enforcing it. The result is that while companies may have more and more visibility of potential problems, they have less and less control across their own supply base. Several factors have contributed to this fragmentation:
• One is the growth of ICT – not merely the advent of just-in-time stock reordering systems and radio-frequency identification (RFID) technologies, but increasingly e-commerce and e-logistics systems giving customers end-to-end visibility of real-time movements.
• The rise of outsourcing, not just in ICT but in entire business processes, has enabled organizations to unbundle as never before.
• Offshoring has increased, as a natural response to the scarcity of domestic skills and the availability of lower-cost labour elsewhere.
• There has been a reduction in corporate nationalism. While political protectionism and the urge to ‘buy local’ will never go away, fewer and fewer corporates now rely upon national identity as a cornerstone of their success. The need to appeal to a global middle class precludes this approach. Even corporate megabrands like McDonald’s now strive to be less American and more local in their activities.

Together these changes have driven the emergence of the truly global enterprise in which capabilities are distributed across the globe, rather than being replicated in each location. Increasingly, functions are located where the skills exist to fulfil them. In this context it is no surprise that US corporate icon IBM relocated to China its global head of procurement – a role that leads a global team of 5,000, and manages a budget of some $40bn – regardless of any patriotic backlash. While globalization may not be new, what is new is the extent of multi-directional trade across the world’s companies and economies, leading to a step change in supply-chain management. Taken together, this growth in complexity runs directly counter to the need to respond flexibly and rapidly to changing market conditions and stakeholder sentiment. It makes risk harder to identify, harder to reallocate and harder to respond to.

The changing nature of performance monitoring

This final relationship shift, from coercion to collaboration, has significant implications for supply chain assurance. From an operational standpoint, today’s supply chain assurance can no longer be an exercise in ruthless corporate control but must become a process of continual supplier monitoring, renegotiation and remediation. But in the


eyes of regulators, customers and external critics, the case for censuring and even ceasing trading with underperforming partners will continue to increase. Bridging this control gap is the role of supply chain assurance.

Principles of supply chain assurance: the four Cs

In dealing with the complexity it is all too easy to get lost and actually increase complexity and the burden of compliance. To ensure that supply-chain management systems support genuine assurance, LRQA advises its clients to focus on broad general principles:
• completeness;
• collaboration;
• cross-cutting;
• communication.

Completeness

The first principle of supply-chain assurance is ‘completeness’. Given the spread of hard and soft risks, any effort to introduce a management system for the supply chain must begin with a high-level assessment to identify and prioritize the risks – at all levels of the chain. These should then be evaluated, taking into account their potential frequency and impact. Only then can appropriate mitigation be determined and controls identified for those of greatest priority.

Collaboration

The second principle of supply chain assurance is ‘collaboration’. Suppliers and sub-suppliers must be involved in this process and understand and accept that they have a part to play in risk management in a network of related suppliers.

Cross-cutting

The third principle is to focus on risks that cross silos and geographical boundaries and to design systems that are ‘cross-cutting’. Do not try to cover every risk, but equally do not isolate and address risks at the site or functional level. It is important that it is the supply chain that is being covered, not just one supplier in the chain. Ideally, start by taking one cluster of risks, governed by one compliance standard, and apply your audit and improvements across the whole supply chain. And even within that standard, be careful to focus only on the material issues. Don’t dilute the review across the supply chain by trying to cover all needs and requirements.

• 176 RISK ISSUES IN OPERATIONAL MANAGEMENT

Communication

Finally, any assurance response must explicitly factor in issues of 'communication' from the outset. Principles, compliance requirements and incident escalation procedures must be communicated through the network to be effective. Many of the greatest supply chain disasters occur not because of a breach of protocol, but because of a failure to communicate and respond to a threat. Lose control of communication and you put your shareholders' future in the hands of the media.

Tomorrow's flexible, globalized supply chains will remain a key driver of competitiveness, but they conceal dramatic risks. By better understanding all the individual elements (and their potential risks) of the total supply chain network, companies can acquire the confidence they need to invest in the future.

3.7

Product recall: assessing risk in the food industry Ed Mitchell, XL Insurance Company Limited

It is nearly three years since the implementation of the new European regulation governing food safety and product recalls – Regulation (EC) 178/2002 was implemented in the UK on 1 January 2005. During this period the UK has seen an upward trend in the number of recalls of food and drink products, including a number of well-publicized losses. While it is clear that exposure to a product recall is increasing, it is not so clear to what extent companies are addressing their regulatory requirements and assessing their exposure to loss. Best-practice quality assurance systems are critical in preventing product contaminations and subsequent recalls, but when assessing the risk to their brand, companies should be looking at a number of different areas outside their quality assurance systems.

Regulatory risk

While the purpose of Regulation (EC) 178/2002 is to protect the consumer, it also places clearer and more onerous requirements on food companies:


PRODUCT RECALL: RISK IN THE FOOD INDUSTRY 179 •

'If a food business operator considers or has reason to believe that a food which it has imported, produced, processed, manufactured or distributed is not in compliance with the food safety requirements, it shall immediately initiate procedures to withdraw the food in question from the market.' (Regulation (EC) 178/2002 – Article 19.1)

The basic principle of not placing an unsafe product on the market may sound simple enough, but in practice it is not straightforward. An 'unsafe' product is defined under the regulation as one that is either 'injurious to health' or 'unfit for human consumption'. Defined in this way, these terms can create potential pitfalls for a food company. For example, in evaluating a potential product-safety situation a food company may conclude after testing that the levels of a certain potentially harmful substance in its product are sufficiently low not to create any adverse health issues, and therefore decide not to recall. However, if the authorities become involved and, upon further investigation, differ in their view of the product's safety, for example by taking a zero-tolerance approach to the substance in question, they may oblige the company to instigate a recall of the product. At that stage it may be too late for the company to take action: if consumers and the media are questioning the company's 'inaction', its reputation may already have been compromised.

This is a difficult and complicated area for food manufacturers. Under the legislation, the responsibility to recall and to inform the authorities lies firmly with the food company. Making the right decision is critical, but if a company gets it wrong it not only faces a potentially expensive recall campaign but could also severely damage its brand. Food companies not only need to ensure that their products comply with applicable legislation but also need to be fully aware of their regulatory requirements and obligations should a problem arise.

Critical in this process is having an appropriate traceability and recall plan in place. The traceability plan must adhere to the 'one step up, one step down' principle, so that the company can immediately know not only where the product (or its ingredients) came from and the person from whom it came, but also the next person to whom it has gone. Being able to trace your product is a regulatory requirement and its effectiveness will be critical in recalling products. Therefore, companies need to be sure that their recall plan is not only up to date but, most importantly, regularly tested. For any one company a recall may be a rare event, and without mock recalls a company won't actually know to what extent it is in fact prepared for the worst, should it happen.


[Figure 3.7.1 Exposure map for manufacturers: a diagram of first-party and third-party exposures around the manufacturer (quality control such as HACCP, product testing, traceability plans, recall/crisis plans, batch control, plant sanitation, etc.) linked to exports (regulatory requirements in export locations, cost of co-ordinating overseas recalls, strict safety requirements), retailers, wholesalers and foodservice (retailers initiating recalls, costs incurred by retailers passed back to the manufacturer, maintaining shelf space), third-party manufacturers (costs incurred in recalling due to your contaminated ingredient, jeopardised contract, contractual requirement to buy recall insurance), and suppliers and contract manufacturers, local or imported (integrity/quality of supplies, control over quality, auditing and testing, contractual control, regulatory approval of suppliers' products, supply chain management): 'your brand in someone else's hands'.]

Assessing the loss exposure

In assessing a food risk, a product contamination insurer will generally look at two key variables: the likelihood of a loss happening and the severity potential should a loss occur.

Likelihood of a loss

It goes without saying that for a food manufacturer the best way to prevent a contamination happening is to ensure that it has the right food safety systems in place. Central to this is a company's HACCP (hazard analysis critical control points) plan incorporating a product testing regime. The more robust the HACCP and testing procedures, the less likely it is that a contamination will occur. Therefore, it is critical to ensure that the company's HACCP plan is regularly reviewed so that it stays in line with current food safety requirements. Likewise, testing is only useful if you are looking for the right contaminants: having a rigorous microbiological testing regime for pathogens will not help if your product is found to contain pieces of metal and you have no metal detection systems in place.

Preventing a recall from happening, however, isn't just about a company's food safety programme. Ensuring that safe products leave the factory gates is, of course, critical, but companies should also be looking at those areas that can affect the likelihood of having to recall or, indeed, of being responsible for the recall. Naturally, this can also affect the severity of a loss.

One of the most significant loss exposures is the supply chain. In today's global market, outsourcing manufacturing or importing raw materials may make good economic sense, but it comes with risk: ultimately companies are putting their brands in someone else's hands. Given the global attention on outsourced manufacturing from countries such as China, in both the food and non-food sectors, supply chain management is a critical area for companies to focus on. Food companies tend to rely on the certificates of analysis that accompany supplied goods, but the question any company should be asking is to what extent a certificate of analysis is adequate protection against a contamination. Ultimately, it is impossible to remove the supply chain risk, but companies can go a long way towards reducing their exposure by enforcing rigorous testing programmes for supplied ingredients and products, as well as carrying out appropriate due diligence and auditing of suppliers.

In addition to the accidental contamination exposure, companies should also be assessing their exposure to malicious contamination and extortion demands. Companies with fully automated production lines and products contained in tamper-evident packaging will be less exposed than companies with more human intervention on the production line. The tampering risk ranges from disgruntled employees and outside interest groups, for example animal rights campaigners, through to the bio-terrorism risk, which is more of a focus today than ever before. In assessing this risk, companies should be looking to minimize the tampering exposure in areas from recruitment, training, use of seasonal staff and site security through to production processes and supply chain management.

Loss severity

Most risk managers for a food and drink company will consider a serious recall to be a potentially catastrophic risk, but measuring this risk can be a challenge. For instance, in assessing property exposures a company can establish PMLs (possible maximum loss) and MFLs (maximum foreseeable loss) and buy insurance limits accordingly. Doing the same exercise for a recall exposure, however, is not as straightforward, and some companies do not actually go through the process of working through a full recall disaster scenario. Another problem is that modelling a recall loss is very difficult, given the numerous variables that can influence the size and ultimate cost of a recall.

One way to assess a recall loss exposure is to look at batches, lots or daily production and, on the basis of testing cycles, create a loss scenario. This is a very useful way to estimate loss potential, but history has shown that it is often irregular and unexpected situations that cause the largest losses. The other relative unknown in a recall situation is the response from regulators, customers, consumers and the media, all of which can affect the consequential loss of sales. A relatively inexpensive recall can lead to a far greater impact on a company's reputation and sales if media and consumer issues are either not handled well or are perceived by the public to be handled badly. In assessing the severity potential of a food risk, insurers will look at the way in which production and testing are combined, as well as the crisis planning in place to contain a loss should it occur.


Common mistakes in a recall situation

• Not having an up-to-date product recall procedure.
• Relying on suppliers' information.
• Sticking your head in the sand and not being aware of issues and new regulations.
• Operating in 'silos' and not seeing the impact across the company.
• Shying away from the media once a recall situation has developed.

In a contamination situation, the size of the recall will depend on the amount of identifiable product affected. For example, a company that segments production into small coded lots, tests each lot and only releases products once test results are known will be in a strong position to prevent a severe loss from happening (assuming the contamination is picked up in testing). On the other hand, a company that segments production only into daily production amounts, releases products to the market and only receives test results on those products a week later will be more exposed to a severe loss because, as a minimum, it will have to recall the whole week's worth of production.

Likewise, with the supply chain risk increasing, companies could also assess the potential impact of a contamination of multiple products by a contaminated ingredient. For example, should a supply load of an ingredient be contaminated, how many days' worth of production and how many product lines can that ingredient ultimately affect, and what measures can be put in place to reduce that exposure? Naturally, economics and the production structure come into play again. You cannot test every product, and companies will structure their production in accordance with the nature of the business. To that extent, however, some companies may find themselves more or less exposed when assessing that exposure.

Mitigating the loss

In addition to the costs associated with a recall, a company can also suffer consequential business interruption. The worst-case scenario in a recall is loss of consumer confidence and long-term brand damage. Often, however, the business interruption loss will be limited to the amount of time it takes a company to restart production after a recall – not unlike any other business interruption loss. Critical in avoiding loss of consumer confidence, however, is a robust crisis management plan incorporating both a recall plan and a business continuity plan. A sound business continuity plan for a food company will have contingency plans in place should a contamination occur, for example the forward planning of backup suppliers or the maintenance of spare production capacity in plants. In a recall situation the last thing a company wants is to be left without the ability to get products quickly back on the supermarket shelves.

[Figure 3.7.2 Crisis management network: the food & drink manufacturer at the centre, linked to its crisis management team, to regulators, and to outside specialists for security, laboratory testing, PR, legal issues and other consultancy.]

Securing the brand

In a brand-conscious marketplace, it is the damage to a company's reputation that can result in the most significant costs, well beyond those of the actual recall. If managed badly, a major recall can destroy a company's reputation; if handled well, it can even enhance reputation and sales. Effective crisis management can be critical in differentiating between the two outcomes. As part of this, the media response to a product recall needs to be handled fast and effectively. In these days of 24-hour TV news and the internet, journalists are working to increasingly tight deadlines to satisfy their audience's expectations of instant information and analysis. The food and drink sector has experienced a number of well-publicized challenges in recent years, and some companies have been caught on the back foot at a time when they needed to act fast with a proactive message, reassuring the public in response to media reports. As Warren Buffett famously said, 'It takes 20 years to build a reputation and five minutes to ruin it. If you think about that you'll do things differently.'

Quick responses to customers are essential to convey continuing confidence in the brand and the company, with a view to limiting the fallout from negative reports on a product. At the same time, communication with food regulators, business customers and external specialist consultants, such as public relations specialists, emergency testing laboratories, legal advisers and security consultants, has to be coordinated and maintained. Figure 3.7.2 illustrates the use of networking in crisis management.


Conclusion

With a wide range of exposures, food and drink companies should have solid systems in place to protect their brand and reputation in a serious recall situation. Luckily, large recalls, although increasing in frequency, are relatively rare, but the key is to be fully prepared, because consumers and the stock market will respond favourably to a well-handled crisis, as it reflects positively on the management team. An effective crisis management plan is more than just media management. It is a thorough risk management system that addresses everything from traceability and recall planning, supplier management and quality assurance through to product security planning, business continuity and, ultimately, media training. While many food and drink companies have a recall plan in place, they often lack the breadth of a comprehensive crisis management plan, leaving them exposed to losses outside their control in a product contamination situation, especially given the increased legal requirements outlined above. Being prepared for a crisis in advance is vital: it can be the difference between disaster and recovery once a contamination is discovered, and may ultimately contribute to the survival of the business.

Product contamination insurance

Coverage is provided for recall expenses, extending through to the policyholder's loss of profit and rehabilitation costs; it also gives access to crisis management consultants in a number of specialist fields. In some cases insurers will also contribute part of the premium towards pre-incident crisis management preparation. This allows the policyholder to work with specialists who can advise on implementing a best-practice system and who can also assist in responding to a crisis.

3.8

A shared business continuity challenge: protecting SMEs and the supply chain Mike Osborne, ICM Computer Group

According to the Chartered Management Institute's Business Continuity Survey 2007, two-thirds of UK small businesses do not have a business continuity plan in place. Given that SMEs account for more than 99 per cent of the total number of UK firms, without a doubt the single largest challenge to the business continuity industry today is to ensure that these SMEs, which so underpin the UK economy, have access to and embrace professional business continuity. This challenge applies equally to the Business Continuity Institute (BCI) as a professional body, to its current members (typically employed within larger organizations with long-established plans and policies) and to the business continuity providers who have traditionally focused on opportunities in those larger organizations.

This last point is significant because a review of the 'lower end' business continuity market indicates that SME services are often provided by non-business continuity specialists, such as meeting-space providers and local IT companies, who offer business continuity as a 'tick-in-the-box' add-on without necessarily providing the education and professional skills exchange offered by the professional business continuity providers. For professional business continuity providers, selling to SMEs can be costly and time consuming, with high input for small returns. Yet it is widely acknowledged that traditional business continuity services, which have responded to early adopters and the needs of larger organizations, are complex and costly and fall beyond the reach of a large proportion of UK businesses. Business continuity providers therefore have to initiate solutions that are appropriate to the SME market in order to satisfy the supply chains of existing, larger customers. In this respect, business continuity providers have an obligation to existing customers and the overall market to propagate business continuity to those organizations that have not yet implemented any business continuity arrangements.

The supply chain is the single largest business continuity risk to mature organizations with business continuity arrangements in place. With supply chains becoming more complex and interlinked, many organizations are trimming down the number of suppliers they use and reducing supply lead times and stock holdings to cut costs, which can serve to increase risk if the chosen suppliers do not have adequate protection.

Disaster Cover Direct

With these issues in mind, ICM developed Disaster Cover Direct, a packaged business continuity service for SMEs, to help increase the UK's economic resilience and protect larger customers at points of vulnerability in their supply-chain relationships with well-meaning yet unprotected businesses. (See the case study at the end of this chapter.)

The perceived barriers to SMEs adopting business continuity are often cost, time, resources and the belief that it involves high input for small returns. There is also the fear that business continuity is a huge burden that requires formal structures and high maintenance, and generally involves procedures that are not necessarily in line with the 'entrepreneurial spirit' of small companies. Where these are the barriers, the onus is firmly on business continuity providers to ensure that all organizations, irrespective of size, receive education and assistance and have access to simple and affordable business continuity services, to the benefit of the entire UK economy. The relevance and importance of Disaster Cover Direct was recognized by the business continuity industry when it was named the Most Innovative Product at the 2007 CIR Business Continuity Awards.


The implications of BS 25999 for the supply chain

Put simply, if you want your company to be able to continue operations through adverse conditions, the ability of your suppliers to continue to operate to pre-defined service levels through periods of disruption will be vital to your organization's continuity. It therefore needs to be factored into your own business continuity planning. Your company may be required to declare that it has effective risk-based controls in order to be declared a going concern. If your suppliers are not required to make commitments relating to continuity of supply based upon accepted good practice, how can such a declaration be made with any credibility?

One of the ways in which a larger organization can mitigate this is by using BS 25999 as a measure by which to gain confidence that its suppliers' plans are of an adequate professional standard. The standard has been designed to be just as applicable to small and medium-sized organizations as to large corporations, and specifies a process for achieving certification that is appropriate to the size and complexity of an organization. It stresses the need for organizations to establish their own robust business continuity arrangements, but also to be sure that such arrangements exist up and down the supply chain in their key suppliers and distributors. With regard to suppliers and outsourced activities, the specification of BS 25999 states that: 'The organization shall assure itself that its key suppliers and outsource partners have effective BCM arrangements in place.' Furthermore, the Chartered Management Institute, the Continuity Forum and the Cabinet Office recommend that:

Business Continuity Management should be used more extensively throughout supply networks in the UK, in particular with essential suppliers and outsourced providers. Plans should be verified and audited where possible. It is also essential to check whether suppliers have rehearsed their plans.

Helping the supply chain

We know that SMEs need business continuity. In order to achieve this, they need a business continuity plan. While this automatically calls for a focused approach, SMEs do not require the level of cover and expensive professional consultancy that larger organizations do. In the same way, they do not need to dedicate as much time and resources to business continuity as larger organizations. They just need to dedicate enough. However, one vital thing some SMEs may need before all of this is convincing! With the advent of BS 25999 many more SMEs will be pushed towards implementing business continuity, often without knowing where to start. Once a company has made the decision to address business continuity, it is halfway there. Getting to that starting point is the most difficult challenge. There is a surfeit of seemingly related solutions offering distinct but limited aspects of business continuity, such as resilient IT storage solutions, that can complicate the understanding of what it is to have business continuity in place.

A SHARED BUSINESS CONTINUITY CHALLENGE 189 •

Research by the BCI suggests that only 27 per cent of organizations actually involve themselves in helping their suppliers to develop a business continuity management plan and get involved in rehearsals of the plan. Too many companies are vulnerable to a failure in their supply chain. It would be wise for an organization to understand where its vulnerable points are with respect to its supply chain. Issues that create vulnerabilities may include:

• high-volume supplies (single source);
• high-risk marketplace subject to disruption;
• specialist suppliers;
• availability of compatible products or services;
• geographical locations and transit routes of supplies.

Should a continuity event impact on either party, there are benefits to both sides in understanding what will follow:

• likely delays;
• shortfalls;
• alternative arrangements;
• contractual implications.

If these are recognized and understood, then the contingency arrangement can be implemented without additional delay or contractual concerns.

The Chartered Management Institute's findings from its Business Continuity Management Review, published in March 2007, show that the majority of respondents (61 per cent) report that their organizations outsource some of their facilities or services. The questionnaire asked respondents if their organization required its suppliers or outsource partners to have business continuity plans. The use of BCM down the supply chain remains limited, as indicated in Figure 3.8.1 below. In addition, the survey asked how those who require outsource partners or suppliers to have business continuity plans (BCPs) verify their effectiveness. Almost half (48 per cent) accept a statement from the supplier/partner in question. Around a third (34 per cent) take the more active step of examining the supplier/partner's BCP, while 17 per cent are involved in the development of the BCP. At present, just 5 per cent assess their suppliers' or partners' plans against BS 25999/PAS 56.

A Michigan State University (MSU) study commissioned by AT&T identifies four major factors of a good supply-chain business continuity plan:

• awareness that the supply chain is susceptible to potentially crippling disruption;
• prevention through risk identification, risk assessment, risk treatment and risk monitoring;
• remediation plans for recovery from a disruption;
• knowledge management, which calls for a shareable, post-event audit of supply-chain disruption throughout the organization and the supply chain.


[Figure 3.8.1 Percentage of outsourcers requiring suppliers to have business continuity plans: bar chart, vertical axis 0 to 70 per cent, with bars for business-critical suppliers only, outsource partners, all suppliers, intends to, none, and don't know.]

Business continuity professionals need to be aware of the barriers, perceived or otherwise, that SMEs face in adopting business continuity, and to take steps to assist them, where possible, in achieving appropriate and adequate arrangements to meet the recognized business continuity standards. Organizations also require the support of industry bodies to help them ensure that their suppliers are not a point of weakness that could negate their own careful planning.

Disaster Cover Direct provides a perfect introduction to business continuity planning with the support of an industry-leading service provider and the technical and professional expertise that brings. Disaster Cover Direct offers a safe way for companies to provide basic cover to satisfy individual customer requirements. At the same time, free affiliate membership of the BCI and induction training from an independent MBCI consultant will help SMEs gain a better understanding of what is involved in the good practice of business continuity, providing an excellent starting point for their future business continuity development. At the moment, ICM's Disaster Cover Direct solution offers a unique combination of service provision and professional help to SMEs, and we hope to see other top providers pick up the gauntlet and address this marketplace with supportive solutions and initiatives in the future. Not only is it an issue of paramount importance, but addressing it is of benefit to us all.


Case study Connection Seating was established in 1995 as a small manufacturer of office chairs. Now known as Connection, the company has grown into a £10 million business, manufacturing very high levels of office, meeting and breakout furniture, including soft seating and office desking and chairs, and employing over 50 staff. Since 2003, Connection has continued to increase turnover by around 20 per cent per annum. As the company is growing at such a rate year on year, it has become increasingly apparent that in the event of any serious IT failure due to unforeseen circumstances, the company‟s growth and customer satisfaction could be seriously affected. This is not something that Connection wants to risk. In addition, Connection‟s sales department was seeing more and more tender documents from larger organizations, requiring information on how Connection could guarantee that its systems would not impact on their product delivery dates. Connection‟s IT and Systems Manager, John Cupitt, had worked for several large manufacturing companies that had always used ICM for business continuity and maintenance contracts. The proven track record and great service made ICM the first choice, so it was decided that ICM should be contacted to check if there were any packages suitable for a company of Connection‟s size. John Cupitt says: Initially I spoke to ICM regarding costs on the standard business continuity package. Unfortunately this exceeded our spend limitations. However, our account manager then told me of a new package aimed specifically at businesses of our size, which was a low-cost, pre-packaged version of the standard business continuity offering. This sounded perfect.

We have now signed up with ICM for Disaster Cover Direct. It provides enough seats for our core staff to work and more than ample servers and equipment to comfortably run our systems. Disaster Cover Direct provides excellent value for money and allows smaller companies such as ourselves to take on services that are normally associated only with large organizations. We also feel that we now have a very positive advantage over our competitors and will ensure that this is fully highlighted when tendering for large orders. As the company grows and develops, I’m sure that there will be more opportunities for Connection and ICM to work together in the future.

Disaster Cover Direct has been designed to enable larger organizations to push it down through their supply chains, with the BCI Benchmarking tool embedded within the package to ensure standards expected by larger organizations are met.

• 192 RISK ISSUES IN OPERATIONAL MANAGEMENT

Disaster Cover Direct makes business continuity practices accessible and means that SMEs can take appropriate steps to protect themselves, without recourse to complex analysis and resources. They can develop their business continuity plans at a pace suited to their business operations, and deepen their understanding of the issues through exposure to ICM and to vendor-independent resources via the free BCI affiliate membership.

4

Intellectual Property Risks


4.1

Intellectual property or poverty? An IP risk guide for business Peter Finnie and Arnie Clarke, Gill Jennings & Every LLP

Introduction

The recent increase in public awareness of intellectual property (IP) has not necessarily led to a greater understanding of its generation, use or relevance to modern business. Although the term ‘risk management’ is generally understood, very few companies understand the risks associated with IP, let alone have a strategy for dealing with them. For many technology-led companies, IP is a key asset used to support their efforts to secure private equity funding from investors over the course of a series of funding rounds. As a consequence, investors are placing greater emphasis on IP due diligence during the investment process. IP issues may undermine the ability to attract and retain investment. Unresolved IP issues may affect the planned ‘exit strategy’. Investors are also quick to exploit weaknesses in an IP portfolio, frequently leading to renegotiation of the initial valuation of the company or influencing the decision to invest at all. A company that can demonstrate why IP is relevant to its business and show that it has taken effective measures to develop an appropriate position is more likely to gain the confidence of investors. The more sophisticated company understands how IP fits within its business plan and builds a better understanding of the IP-related risks it faces. These risks are largely hidden and require a systematic approach to reveal and actively manage them in a responsible and cost-effective manner. This chapter highlights the IP-related risks frequently faced by businesses. We also look at how these risks can be revealed, avoided, mitigated and resolved.

What risk?

So what are the hidden risks associated with IP? Broadly speaking, IP-related risks fall into four distinct areas:

• IP acquisition;
• IP exploitation;
• IP monitoring;
• IP enforcement.

IP acquisition

Creating an effective IP portfolio is a complex matter that also represents a serious investment in terms of time and money. This is especially the case for patents. A product or service may be protected by various forms of IP rights covering several different aspects of the product or service. These IP rights include patents, confidential information (know-how), registered trademarks, registered designs and copyright. Companies need to be aware of these different IP rights, how they are created, what protection they offer, and how much they cost. The lifetimes of the different IP rights vary considerably, as does the time taken to acquire them. It may take several years to obtain the grant of a patent, by which time the technology has moved on, making the protection offered redundant. What is the value of a patent in such circumstances? Also, a formal patent application requires a full written disclosure of the invention, and this will eventually be disclosed to the public when the application is published. An alternative strategy would be to keep the invention secret – but is that achievable? Sometimes it is useful, or perhaps necessary, to acquire IP or rights under IP from other parties. How do you know what you are buying is valid and enforceable? How much is it worth? It follows that companies must carefully assess the costs and benefits associated with acquiring IP on a case-by-case basis and regularly review previous decisions to ensure they remain valid.

IP exploitation

How can IP be exploited to commercial advantage? The fundamental right is the right to ‘exclude’ others, sometimes rather cynically referred to as the ‘right to litigate’.


One strategy is to use IP to maintain exclusivity in the market for a product or process, where the IP acts as a deterrent to keep competitors from undermining the commercial position. This approach assumes that you have sufficient funds and resolve to litigate. Litigation is generally very expensive and beyond the financial reach of most companies. An alternative strategy is to license the IP to others in return for a royalty. A successful licensing strategy will provide an income stream. But what terms do you offer? How do you negotiate the royalties? What happens if the licensee doesn’t perform sufficiently well to justify the licence? There are many complexities to licensing IP. Sometimes IP is acquired, typically through dedicated R&D efforts, with a view to selling it to a third party. How do you ensure such IP is valued at the right price? What steps can you take to maximize the valuation on sale? Companies need to consider carefully from the outset how best to exploit their IP from both a domestic and an international perspective.

IP monitoring

There is a wealth of publicly available information about IP online. It is possible to search for and download copies of published patent applications and granted patents, check the status of a particular case and view details of the documents held by a patent office (the ‘file wrapper’). You can obtain the details of all the cases owned by one or more competitors. A watch can be placed for new patent publications in a particular technology area or perhaps for publications in the name of a key competitor. Professional patent database searchers can conduct searches to assess the novelty of a particular invention before a patent application is filed. Similarly, professional searchers can be used to identify patents that might be infringed prior to launching a new product – known as a freedom-to-operate search. The results of searches can also be used to reveal activities of others that might infringe your own patents, which can be an effective way of policing an IP portfolio or of providing prime leads for an IP licensing strategy. Publicly available information on registered trademarks can be used similarly. To what extent should you consult the patent and trademark databases regularly? Importantly, how will this source of information add value in terms of managing risks?

IP enforcement

Litigation is typically expensive and patent litigation is particularly so. However, it is not always necessary to litigate in order to achieve the desired result. What about mediation or arbitration as an alternative? What is your attitude to litigation? Is it part of your strategy for maintaining market position? Do you have the funds for litigation? If not, will IP litigation insurance be of any assistance? In any litigation it is necessary to carry out a cost–benefit analysis before commencing proceedings. What are the likely costs if you win? What if you lose? What is the likely award in damages? How much management time will it take up? In short, will it pay for itself? A clear policy of IP enforcement is important due to the high costs involved in some IP disputes. Is there any value in IP if you are not prepared to enforce your rights?

A structured approach

The key to good management of IP risk starts with the company’s business plan. This should contain an explicit IP strategy that deals with all of the issues and problems discussed above. The absence of an explicit IP strategy is a criticism that can be made of companies ranging from start-ups to major companies. A recent study reported that fewer than half of the major European businesses surveyed had a documented IP strategy. Many companies give little attention to the need to remain properly focused on IP matters (rather than simply the acquisition of IP for the sake of it) and the support IP can lend to the business plan. IP strategy should be formed in the context of the commercial aims of the company as a whole, including the exit strategy, where appropriate. The aim is to ensure that companies get the most out of their R&D efforts and to provide a framework to manage IP risks in a responsible and cost-effective manner. The following are some of the issues to be considered and steps that should be taken when developing an IP strategy:

• Establish a clear understanding of how IP can support the company. How is the IP going to be exploited to add value? If appropriate, how does the planned exit strategy affect this and vice versa?
• Establish clearly defined procedures for formally identifying innovation at an early stage so it can be reviewed at an appropriate level, a decision reached on whether to seek registered protection, and an internal register of company IP updated accordingly. It is all too easy to overlook the protection of innovation in the rush to get new products to the market.
• Develop a formal patent, design and registered trademark filing strategy. On what basis does one decide to file a new patent or trademark application and what factors dictate the filing strategy – where, when and how to file?
• Develop an IP awareness programme for key staff. Consider introducing an employee reward scheme as an incentive to innovate, report and assist in the process.
• Produce support documentation, such as invention proposal documents, inventor acknowledgements, standard agreements and assignments, patent status reports and bibliographic summaries. These can be used to support internal procedures and provide written materials in a format that can be very useful when responding to requests for information from board members and investors.
• Put in place a system for watching for the publication of patent applications and granted patents by key competitors as a means to identify IP infringement risks and opportunities. Maintaining a state of blissful ignorance is not a policy to be admired!
• Consider general third-party IP issues, including contracts with suppliers and joint developers. The contracts of employment of key staff should be reviewed to ensure the terms cover the key IP issues that may arise, for example the ongoing duty of confidentiality.
• Consider the reality of potential commercial risks. Simply because a commercial product technically infringes a third party’s IP does not necessarily mean that party will assert its rights. This frequently depends on the company culture of the third party and its financial standing.
• Actively police your IP portfolio. IP is merely a tool that can be used to prevent your competitors exploiting your technology, brands, copyright and know-how. If you do not maintain exclusivity by enforcing your IP, out-license it or sell it, you are squandering an often costly investment.
• Set up an IP committee that frequently reviews IP matters.
• Lastly, though importantly, agree and monitor an IP budget for the company. The costs of acquiring IP and considering third-party issues can be significant. What impact will this have on cash flow?

The IP strategy should be made explicit by committing it to paper. It should be reviewed regularly to ensure it is consistent with the business plan.

IP due diligence

We have had experience of acting for both investors and companies during numerous due diligence exercises, including trade sales and initial public offerings (IPOs). The following are just a few real-life examples of IP issues that had a significant impact on the investment process:

• The importance of the IP to the future success of the company was oversold, leading to a significant devaluation of the company when it became clear the IP was not as strong as first asserted.
• The IP was not related to the current business plan and therefore of no apparent value (despite assertions to the contrary to support the valuation of the company) but still represented a significant ongoing cost.
• The company had no coherent internal policy for identifying and protecting innovation at an early stage. As a result, the opportunity to protect a particular innovation, said to be key to the success of the business plan, had been missed.
• No international novelty searches were conducted on new patent applications within the first year and so the investors had no evidence to support the assertion made by the company that strong patent protection was available for the technology – a key factor in the pre-money valuation.
• The unsophisticated patent filing strategy effectively delayed the grant of any US patents, to the detriment of the ability to attract US-led investment.
• The patent applications were not written with the business plan in mind so the patent claim structure was inadequate to support the planned exploitation of the technology.
• No detailed assessment of third-party rights had been undertaken, even when it was clear there were several US patents that could adversely affect the company’s plans to exploit its own technology. This approach to risk did not inspire much confidence in the responsible directors.
• No ongoing watch of published patent applications or patents by competitors had been put in place to give an early warning of potential risks. A simple infringement search of patents held by competitors mentioned in the business plan revealed several infringement risks. This held up the investment process for several weeks and seriously undermined the value of the company.
• Plans to exploit the IP were incompatible with existing agreements with third parties involved in joint research and development on some key aspects of the technology. Joint ownership of inventions can limit the ability to exploit the IP to the fullest extent possible. In this case, the planned trade sale to a major company in the longer term was a wholly unrealistic exit strategy.
• No trademark applications had been filed, even in the UK, and no trademark clearance searches had been conducted.
• The company was not free to use its trademarks in the United States (often a key market) so a new name was required. This arose from a failure to check at an early stage whether the trademark could be registered and used in the United States. Where branding is important it is not sufficient simply to obtain a UK-registered trademark and assume you can do the same elsewhere. Getting the trademark side of things wrong can be very costly.

It is worth noting that all of the above should have been foreseen by the companies involved but were overlooked, largely because they did not have a systematic approach to the development and implementation of an explicit IP strategy.

Conclusions The hidden risks of IP can have an enormous commercial impact for both investors and companies alike. Taking a risk management approach to IP, and in particular developing an explicit IP strategy that deals with these risks in a cost-effective and responsible manner, will repay itself in the longer term.

4.2

Securing key business decisions with strong IP rights Eric Achour and Jean-Louis Somnier, Novagraaf

As a business leader, how would you react if your expansion to emerging countries was slowed down, or even made impossible, because your brand or your product/service was already being used in these new markets by existing competitors or individuals who anticipated your interest in realizing growth? How would you react if you discovered that the technology you developed for a new range of products, after spending a huge R&D budget, was now being used by one of your competitors and, to make matters worse, that competitor was marketing this new technology by promoting its product line as a leading ‘time-to-market position’? How would you react when you had joined forces with a business partner and, after the joint development effort, you discovered that your return on investment was not as high as expected because your ‘intellectual share’ was not clearly defined in your contract? Those questions are not theoretical: they are taken from amongst thousands of ‘real life’ situations where companies were seriously harmed in their business and development efforts because they failed to adopt the right protection and defence of their intellectual property (IP).

The Novagraaf group: leading intellectual property consultants

The Novagraaf group is one of Europe’s leading service providers in the field of intellectual property. At Novagraaf we believe that intellectual property is the key corporate asset: an asset that should be properly protected, audited, exploited and managed as part of an overall strategy. With our consultancy, management and administrative services for trademarks, patents, industrial designs, internet domain names and copyrights, Novagraaf assists you in leveraging the full potential of all your IP rights. With more than 350 dedicated professionals across Europe and a global network of partners and associates, we can manage any IP rights portfolio, however large or complex. With endless opportunities for capitalizing on intellectual property, Novagraaf is the name to remember.

Main offices in Amsterdam, Brussels, Geneva, London and Paris

www.novagraaf.com


On top of that, those failures occur in every kind of business sector regardless of company size, development stage and geographic location. All too often they occur because IP matters have not been part of the decision-making process and are only considered when it is too late to take action. One may also forget that, while freedom of competition is the rule in the market, the rules change fundamentally once IP rights protection comes into play. In this chapter, a short introduction to IP and what IP rights entail is followed by an illustration of how businesses can be harmed by making the wrong IP decisions (or no IP decisions at all), with the consequences for business growth and increased business risk. A second focus is on which IP decisions should be taken to mitigate the IP risks.

Intellectual property: a short overview

As defined by the World Intellectual Property Organization (WIPO), ‘Intellectual property refers to creations of the mind: inventions, literary and artistic works, symbols, names, images, and designs used in commerce.’ Intellectual property (IP) encompasses many fields, such as industrial property, which includes mainly inventions (patents), trademarks and industrial designs. Other fields are geographical indications of source and copyright, which covers not only literary and artistic works such as novels, poems, plays, films, musical works and works of art but also documents, manuals, advertising and software. WIPO adds: ‘Intellectual property surrounds us in nearly everything we do.’ Intellectual property rights (IPRs) are grants of monopoly given to the owners of those rights (inventor, author, company, etc). The monopoly is limited to particular territories, time frames and domains of application. IPRs exist mainly in the form of patents, trademarks, copyrights, designs and models, and ownership of those rights is governed by international and local legal regulations. One can easily understand that IP is ‘omni-present’ in everyday business life. The complete set of attributes of any product or service can be protected by IP rights (a brand, a logo, a shape/design, some packaging features, characters/colours/fonts, some functionality features that rely on specific technology components, pieces of software, materials, etc) in specific countries or territories, for a specific time frame and for certain domains of application. IP also covers the operational activities/processes that were needed to produce the products or to deliver the service.

‘When business meets IP’

In today’s business arena innovation and business development are crucial to any company, both in the ‘traditional’ physical world and in the expanding ‘online’ world. We have identified six major ‘business decision’ clusters where we are convinced that intellectual property practice and rights are critical factors of success in today’s competition:


• conducting research and development activities;
• launching new products and services;
• expanding your business in new areas, alone or with partners;
• transferring the ownership of all or part of a company;
• increasing presence on the internet;
• recruiting, retaining and motivating people.

From an IP point of view, business risks increase dramatically when a decision or move forward is suddenly restricted or made impossible because situations were not assessed in advance from the proper IP angle. We will review for each cluster the potential business risks arising from an IP standpoint that may prevent performance improvement and hence value creation. Then IP-related activities and business decisions to be taken to mitigate the risks are identified.

Conducting research and development activities

The core purpose of R&D is to find new innovative technology (in a very broad sense, across all technical domains), stepping ahead of the competition with new features that will be incorporated in new products, services or industrial processes. Here, business risks from the IP standpoint arise in two main areas. The first is premature publicity or disclosure of the R&D (missing the ‘first mover advantage’); the second is a lack of freedom to operate and exploit the outcome of the R&D because of existing competitors’ IP rights (patents). Here are a few examples of actions that will mitigate the risks in this area of business, leveraging the IP possibilities:

• Set up a ‘secrecy policy’, ensuring that you have taken all necessary measures to prove at a later stage that you own the inventions (dated records of laboratory measurements and experiments). Tip: Never disclose an invention publicly, for instance in scientific publications, before a patent application has been filed; in most jurisdictions a prior public disclosure destroys the novelty on which a later patent depends, leaving you with no rights if the publicized invention is then copied by a third party.
• Conduct a ‘prior art’ search systematically, to check that your field of investigation is free to operate and that your invention is novel enough to patent. Tip: ‘Watch’ the technical domains in which your competitors are active (continuously screen patent publications on dedicated websites) and beware of ‘misleading’ patents.
• In your innovation process, protect those inventions that are ‘promising’ from a business point of view with patent rights, as early as possible. Taking a position on future developments is recommended whether you will exploit them on your own or with a partner (a sound patent strategy can help companies to protect their R&D and offer tremendous opportunity gains). Tip: Use the international application procedure of the Patent Cooperation Treaty (the ‘PCT route’) to ‘buy time’ against your competitors and to extend your protection both geographically and in time.


Launching new products and services

Introducing new products and services in existing and new markets or opening branches in new territories are day-to-day activities for almost any company. They are key performance drivers. Business risks in the area of IP could arise in two main areas. First, existing IP rights – registered trademarks of third parties (competitors, individuals, etc) – could make it difficult or impossible to launch new products and services. Second, there may be counterfeiting or imitation of the products or services once launched. Some examples of actions that must be taken to mitigate those risks are:

• In the development stage, protect up front all attributes (trademarks, designs and models, patents, etc) that are critical to the business for the next three to five years; target countries or regions for short-term and mid-term development (including ‘diversification’ options). Tip: First protect your national market, then focus on the ‘biggest’ potential markets plus countries with clear risks of counterfeiting or imitation (apply the 80/20 rule).
• Perform ‘active watching’ of your portfolio of trademarks to ensure that no attempts are made to profit from your success. Tip: Ensure through a proper search that your trademark is ‘meaningful’ in the countries you target.

Expanding your business in new areas, alone or with partners

Opening new branches in new countries, building new plants abroad, distributing your products and services through new distribution channels, alone or with partners (licensing) – all these business decisions can put your IP rights at risk. Third-party IP rights may inhibit or prevent the launch of the new activity. Difficulties will arise in working with business partners unless contracts – on licensing, JV, consortium relationships – clearly define the responsibilities and rights of each partner on IP matters; otherwise those matters will ultimately limit profit making. Mitigating risks when launching new activities can be achieved by:

• Ensuring that you set the right IP clauses in the contracts up front with your partners (exploitation of the trademarks, the patents, etc). Tip: Take sufficient time for negotiations and, if necessary, sign a ‘confidentiality agreement’ before the final sign-off.
• Pre-empting ‘IP territories’ up front for future developments. Tip: Ensure that you keep track of all your IP rights all around the world in a proper IP management information system that is constantly updated.

Transferring the ownership of all or part of a company

The business news reports daily on companies being sold to financial groups or to group holdings, partially or completely. The selling process always includes a thorough valuation of all the assets of the company and the potential or projected earnings. IP rights are considered more and more as critical assets in these processes and play a major part in the total valuation of the company (owned portfolio of trademarks and patents, licensing agreements, etc). Hence, some major companies state publicly that ‘IP rights’ are included in their deals. The major IP risk in this case is a loss of value in the transaction because a ‘neglected’ portfolio of IP rights cannot be properly valued (legal weakness of the IP rights, unsuitability for the business development perspective, etc). One action to mitigate this risk is:

• Ensure that you have a well-managed IP rights portfolio (the right protection in the right place; properly updated and documented). Tip: A thorough legal and financial audit of the IP rights (from a seller or buyer standpoint) must be conducted during the due diligence phase.

Increasing presence on the internet

There is no need to question the importance of internet presence for a company; nowadays, the only relevant question is ‘How… ?’ How do you exist on the internet? How do you live there as a company? The internet is without any doubt a fantastic accelerator for business information and exchanges, but it also opens a borderless world for accelerating illegitimate business transactions. Furthermore, the legal rules for conducting business on the internet are constantly being updated. Some IP risks that have to be faced could be stated this way:

• counterfeiting or imitation of the products or services sold on the internet (online, unauthorized dealers);
• misuse of trademarks or domain names to ‘abuse’ consumers and redirect navigation flows;
• non-compliance with legal requirements on your website presence;
• imitation of website features or layout.

To mitigate the risks due to your presence on the internet:

• Perform ‘active watching’ of your trademarks’ usage on the internet. Tip: Benefit from the expertise of IP firms that have developed state-of-the-art web scanning tools.
• Ensure that you comply with the legal requirements for your website. Tip: Check the legal terms visible on your website (terms of use, privacy policy, copyright notices, etc).
• Ensure that you keep control of your ‘access keys’ to the internet (domain names). Tip: Maintain a clean domain names portfolio, with a clear strategy to reserve domain names and trademarks simultaneously (when appropriate).
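As an added illustration of the ‘active watching’ of domain names recommended above (example code written for this edit, not from the book or from Novagraaf), the following Python script generates the common lookalike variants of a brand’s domain – character omissions, repetitions, adjacent-key slips, digit homoglyphs, transpositions, hyphenation, trailing additions and swaps to other TLDs – and checks them against a list of observed registrations. The brand name examplebrand and the observed list are constructed for the example; in practice the list would come from zone-file, WHOIS or certificate-transparency feeds, and the variant set would be extended with Unicode confusables.

```python
"""Lookalike-domain watch (added example, not from the book or Novagraaf).

Generates typosquat/lookalike variants of a brand's domain and reports which
of them appear in a list of observed registrations.  The observed list below
is constructed for the example; a real watch would feed in zone-file or
certificate-transparency data.
"""
from __future__ import annotations

import string

# QWERTY neighbours used for "fat-finger" substitutions (assumed layout).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Visually confusable ASCII replacements (a small subset; no Unicode here).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4",
              "s": "5", "g": "9", "m": "rn", "w": "vv"}

COMMON_TLDS = ["com", "net", "org", "co", "io", "biz", "info"]


def variants(label: str) -> dict[str, str]:
    """Return {candidate_label: mutation_kind} for one DNS label (no TLD).

    The first mutation that produces a candidate names it; the genuine label
    itself is never included.
    """
    out: dict[str, str] = {}

    def add(cand: str, kind: str) -> None:
        if cand and cand != label and cand not in out:
            out[cand] = kind

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")                 # brnd
        add(label[:i] + ch + label[i:], "repetition")              # braand
        for r in ADJACENT.get(ch, ""):
            add(label[:i] + r + label[i + 1:], "adjacent-key")     # brsnd
        if ch in HOMOGLYPHS:
            add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:], "homoglyph")  # br4nd
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")  # barnd
    for i in range(1, len(label)):
        add(label[:i] + "-" + label[i:], "hyphenation")            # br-and
    for extra in string.ascii_lowercase + string.digits:
        add(label + extra, "addition")                              # brandx
    return out


def lookalike_domains(brand_label: str, tld: str) -> dict[str, str]:
    """Label mutations on the brand's own TLD plus the exact label on other TLDs."""
    cands = {f"{lab}.{tld}": kind for lab, kind in variants(brand_label).items()}
    for other in COMMON_TLDS:
        if other != tld:
            cands[f"{brand_label}.{other}"] = "tld-swap"
    return cands


def watch(brand_domain: str, observed: list[str]) -> list[tuple[str, str]]:
    """Return (domain, mutation_kind) for every observed name that is a lookalike."""
    label, tld = brand_domain.lower().split(".", 1)
    cands = lookalike_domains(label, tld)
    seen = (o.lower().rstrip(".") for o in observed)
    return sorted({(d, cands[d]) for d in seen if d in cands})


# Constructed sample of "observed" registrations (stand-in for a CT-log or zone feed).
SAMPLE_OBSERVED = [
    "examplebrand.com",     # the genuine domain: never reported
    "exmaplebrand.com",     # transposition
    "examplebrand.net",     # TLD swap
    "examp1ebrand.com",     # homoglyph (l -> 1)
    "example-brand.com",    # hyphenation
    "examplebrandx.com",    # trailing addition
    "unrelatedshop.com",    # noise, not a lookalike
]

if __name__ == "__main__":
    for domain, kind in watch("examplebrand.com", SAMPLE_OBSERVED):
        print(f"{domain:22s} {kind}")
```

The candidate set is deliberately exhaustive rather than clever: for a twelve-character label it is a few thousand names, cheap to intersect with a daily feed of new registrations. Hits are only leads; a registration that resolves to nothing may be benign (or your own defensive registration), so the next step is to check each hit’s DNS, MX and TLS certificate before escalating to a takedown or UDRP complaint.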


Recruiting, retaining and motivating people

By definition, IP is ‘driven’ by intellectual activity; that is to say, it is performed by the people ‘employed’ by a company. From an IP rights point of view, risks exist in the following dimensions:

• individual members of the company or partners claiming ‘rights’ to the ownership of a creation or invention;
• disclosure and ‘leakage’ of secrets;
• demotivation of creativity or development if no clear incentives are tied to IP production.

From an HR perspective, examples of actions to mitigate the risks are:

• Ensure that your HR contracts for all employment situations are valid from an IP rights standpoint (employee, traineeship, PhD, sub-contractors, etc). Tip: Pay attention to: (a) confidentiality or non-competition agreements; (b) clause(s) on invention ownership or rights and rewards of employees (specific to each country).

Conclusion: IP is an ‘insurance’ that mitigates business risks

All the examples mentioned are based on our extensive experience and IP practice serving a very wide range of clients, in different business sectors and operating in different parts of the world. These ‘real life’ examples illustrate that IP is at the core of the competitiveness of companies. Instead of being perceived as a cost, as it is by too many business leaders, IP management is modern thinking and a way of doing business in the current economic environment, where IP is considered not only an ‘insurance’ that mitigates business risks but also a key development tool for increasing the value of your company. The recent news of some major firms fighting over key IP rights demonstrates that, considering the stakes, IP must be well managed at boardroom level in every company.

Protecting Innovation . . . Advancing Business Potential . . .

West Central, Runcorn Road, Lincoln LN6 3QP
t: +44 (0)1522 801111 f: +44 (0)1522 870505
e: [email protected] w: www.loven.co.uk

4.3

Risk-free branding Keith Loven, LOVEN Patents & Trademarks

Handled right, a brand can become a significant asset of a business. But if you ignore a few simple guidelines on choosing and using brands and trademarks, you could leave your business exposed to the risk of expensive and damaging legal action. At best, your business could waste money on something that can never become an asset. This article aims to set out those simple guidelines, and the reasons for them.

What is a brand?

It is clear from the examples I see in my day-to-day practice that many businesses have not really thought through what a brand is for; so let's start with the basics. A brand or trademark is a simple tool to help you sell customers your product or service rather than those of other businesses. Many people think that the function of a brand is to tell customers what they are buying. This is wrong. The product description tells you what you are buying; a brand indicates where it comes from. An example is Heinz® Baked Beans. The product description is baked beans. Baked beans are produced by a wide range of manufacturers, but some consumers will choose the Heinz product, rather than just generic baked beans, because the brand will indicate to them a quality and reliability with which they are happy. The Heinz brand acts as a sort of guarantee, along with, of course, the packaging design – itself an aspect of branding. While many strong brands are words, there will often be design elements (logos) associated with them. Packaging design can be an important aspect of branding, but really anything that fulfils the basic function of indicating origin can be a brand – think, for example, of musical jingles, product design, colour schemes, even smells.

What makes a good brand?

A good brand will fulfil the function mentioned above of helping you sell customers your products or services. A brand is more likely to do a good job if:
• It is not too close to another company's brand for the same or similar products or services. If customers are likely to confuse your product with someone else's, they might buy the other company's instead; and, of course, if the other company has a well-known brand, getting too close to it is likely to attract the attention of their lawyers.
• It is not too close to an ordinary description of the products or services. You cannot stop other companies using everyday descriptions of their own products or services, so if you choose, for example, SUPERBEANS as your brand for baked beans, other companies could quite legitimately claim that their beans are also super beans. Whose super beans do the customers buy?
• It is applicable to any product, rather than only to your original product. What happens when you want to bring out other types of food apart from baked beans? If you have already established a reputation in the original brand, why spend money building up a new brand when you could cash in on the goodwill by applying the existing brand instead? But this will only work if the brand is not product specific.
• It is memorable. The best brands tend to be short and snappy so that they are easily remembered.

Who owns the brand?

It is surprising how often brands are chosen without any thought about other companies' rights. If your chosen brand looks like another's brand for the same or similar goods or services, sounds like another brand, or even just gives the same impression to the consumer as the existing brand, then you may have no right to use it. If the earlier brand is registered as a trademark, the mere use of your chosen brand could leave you liable to be sued for damages, an injunction preventing you continuing to use the brand, and costs. This could be very damaging to your business. I have had clients suggest in such circumstances that the owner of the trademark is unlikely to notice their use, and that this was therefore a reason for continuing. In terms of business risk, this is very dangerous. Apart from the possibility that any day you could be hearing from the trademark owner's solicitors, if you ever come to sell the business, due diligence investigations are likely to reveal the risk and this will have a significant adverse impact on the value of the business. Therefore, it is important to seek professional advice at an early stage so that proper clearance investigations can be carried out before you adopt a new trademark. It is no good leaving this stage until the day before you launch your new product; by that stage you will have paid out for your printing and advertising, all of which might need to be scrapped if your chosen brand conflicts with an existing registered trademark. You need to be seeking advice from a trademark attorney even before you make your choice of brand, since he or she could give you guidance on the selection of brands, and then perhaps help you whittle down your shortlist to include only those brands that are going to be good protectable trademarks.

Protecting a brand

Assuming you have chosen a good brand that is free for you to use, you need to register it as your trademark. While it is possible to accrue common law rights in a brand through extensive use, enforcing those rights can be complicated and expensive because of the evidence required to succeed. There is also the risk that your rights can be eroded by others adopting and registering similar trademarks subsequently. Registration of a trademark clearly establishes ownership and makes it much more straightforward to pursue others who encroach on it. It is not necessary to establish a reputation, or to show that the infringer was deliberately seeking to associate his business with yours. Use of the same or a similar trademark on the same or similar goods or services will be an infringement. Equally, should you come to sell the business, or part of it, ownership of the registered trademark will add to the value of the business.

Maintaining the value of a brand

Trademark registrations need to be renewed every 10 years, so it is important to make proper provision for renewal. Your trademark attorney will be able to look after this for you, but it is also important to make sure that your use of the trademark does not detract from its value, and that any changes that affect the registration are officially recorded as soon as possible. Since the function of a trademark is to help your customers buy your products or services rather than someone else's, it is important that the trademark is not allowed to evolve into the name of the product. There have been many examples where this has happened, resulting in rights to the trademark being lost. This is why the owners of the Hoover® brand would be upset to see references to a Dyson® hoover, for example. If hoover were to become a generic term for a vacuum cleaner, then the word would stop doing its job as a trademark. You must make sure that the trademark is always used alongside the product description, effectively as an adjective. It is also important to make sure that what you have registered reflects what you are actually using. If you change your brand, you might need to consider applying for a new registration. If you don't, your registered trademark could become vulnerable to attack. It is also important to make sure that your registration reflects what you are actually selling. If you move the use of the trademark into new product areas, you will again need to review whether an additional registration is required.


Further, it is important to keep an eye on what other companies are using as trademarks. If a competitor starts using or seeks to register a trademark too similar to your own registered trademark, some of the value of your registration might be eroded. It is important to warn off other companies from such use as early as possible to maintain the value of your own trademark. You might need to arrange for a watching service to be initiated so that you can be notified of attempts by others to register similar trademarks. This will need to be done for all the territories in which you sell your products or services.

In summary

1. Choose a brand that does not try to describe the goods or services directly.
2. Check to make sure that no one else has rights in the brand.
3. Register the brand as your trademark.
4. Look after your brand as you would any other valuable property.

The two case studies that follow highlight some of the main points made in this chapter.

Case Study 1: The importance of acting soon enough

A local heating and refrigeration services company with nationwide contracts had been operating under its brand, an acronym of the original company name, for 11 years when, unknown to it, a national company registered the same name for a range of services overlapping its own. It remained in blissful ignorance of this for several more years until the national company noticed the local company's website and threatened action for infringement. At this stage the company consulted us. Now, the national company had registered under the 1938 Act, and the transitional provisions of the UK Trade Marks Act 1994 provided that businesses that had been using a trademark before it was registered under the old Act by another company could continue that use without being penalized for infringement. However, our client had to prove its entitlement here, and that meant a lot of work in digging through its records to establish when it started use and exactly what services it had used the brand on. Example invoices had to be provided, with advertisements/directory entries. Eventually, the national company's lawyers were satisfied, and a co-existence agreement was drawn up between the companies, the effect of which was that the national company would tolerate the local company's use, but only to the extent that it had been used before the trademark registration had been obtained.


Of course, like many businesses, the local company had extended its range of services over the years, and some services were not first offered until after the national company had registered its trademark. For these services, the local company had lost the right to use its own name in respect of the additional services; it had to remain strictly confined to the scope of its use before the national company registered. The lesson to be learned from this is that it is vital to secure your company's trademarks by registration as soon as possible, and that in doing so you look strategically. If the local company had registered its trademark in the early days, instead of waiting, it could have guaranteed its right to continue using its own trademark without interference, and hindered or even prevented the national company from registering the trademark. While the old law did recognize rights based on use, under the 1994 Act, this is no longer the case (although if a company can show that it has strong common law rights to prevent another company from 'passing off' its goods or services as its own, then it might have grounds to object to that company registering the trademark – but success will all depend on the quality of evidence, and collecting evidence can be very costly).

Case Study 2: The importance of doing your homework

A client consulted us after receiving a threatening letter concerning possible trademark infringement. He had purchased a business and was assured that the main brand name used by the company was protected because the limited company name included that brand. Unfortunately, his solicitors had not questioned this either. The threatening letter came from lawyers acting for the US company supplying the business's main product. On investigating, we found that the US company was indeed the registered proprietor of the trademark, and since it now wanted to pass the dealership to another UK company, it was understandable that it should want to prevent our client's business from continuing to use the brand. We had to advise the client that his position was weak, and that he would have to rename the company and stop using the brand. He would have to develop his own brand along with the replacement product. Regrettably, the 'goodwill' that he thought he had purchased with the business had evaporated. The lesson here is that one needs to seek proper professional advice from a trademark attorney before any transaction involving trademarks or brands. The registration of a limited company name at Companies House does not guarantee that the business has the right to use the brand. Nor does registration of a domain name. If a trademark is registered, the proprietor has the right to stop others using the same or a similar trademark in relation to the same or related goods or services. The term 'goodwill' can be meaningless if someone else owns the brand.

Bird Goën & Co
A truly European Intellectual Property Law Firm

BIRD GOËN & Co offers the full package of intellectual property services comprising patents, trademarks, designs and copyrights, as well as support and advice for contract and licensing activities. BIRD GOËN & Co can provide IP owners and users, by the way it approaches its function as an IP law firm, with a truly pan-European range of IP services through a centralised office:
- to conduct the day-to-day overall practice and administration of Intellectual Property (IP) work,
- to protect our clients' intellectual property by developing innovative, cost-effective passive and active IP strategies and minimising the negative impact and/or cost of litigation,
- to train, that is to ensure that our clients, when they wish it, are trained in, and made fully aware of, the implications of their decisions as far as IP is concerned and hence to allow them to preclude crises.
In performing these functions, all of us at BIRD GOËN & Co endeavour to share the values of a sound work ethic, focus on client service, continuous development of both legal and technical in-house knowledge, long-term perspective and high professional standards.

4.4 IP risk estimation and management: the example of patents and patent portfolios
William E Bird, Bird Goën & Co

In this chapter we will discuss risk management of patents as one important example of intellectual property rights (IP). A patent is a property right, but the validity of a patent may be challenged at any time. For this reason, a patent has been called a probability right – a property right with only a certain probability of being valid. Hence, there is a legal risk of invalidity at all times. This starts with the patent application, whose validity is in question until the patent is examined and then granted or 'issued'. The legal risk can be reduced by doing searches for relevant disclosures (ie sales, publications, verbal presentations, etc) or prior art, and adapting the patent application and its claims accordingly. The legal risk can also be reduced by obtaining grant of the patent in different jurisdictions, such as Europe, the United States and Japan, since the examiners at the various patent offices will apply different prior art and hence a more balanced view is obtained.


Even after grant, however, there is still a risk of invalidity. This can be reduced greatly if the patent is challenged unsuccessfully in a serious opposition procedure or before a court. If such a challenge does not happen, the remaining risk can be estimated, for instance by applying actuarial ruin theory. If a patent is revoked (declared invalid) then it is 'ruined'. Attempts to invalidate the patent can be assumed to follow a model, for example stochastic processes that vary in intensity randomly. Only if the intensity exceeds a certain level will the patent be destroyed. Such a stochastic process leading to ruin can be modelled mathematically. An idea of the rate at which invalidation attempts reach this ruining intensity can be estimated from the opposition procedures at the EPO. Opposition is raised against about 5–6 per cent of all granted European patents. In a third of the cases the patent is revoked. Hence the rate of effective oppositions is about 2 per cent of all granted patents. This risk factor can be applied to all patents in a portfolio and, if the financial value of the portfolio is known, the financial risk of invalidation can be estimated. If necessary, an attempt can be made to insure against this residual invalidity risk.

The commercial risks

Besides the legal risk there are also commercial risks. These may be categorized into technical risks (that an invention cannot be implemented successfully or economically for technical reasons), market risks (that there is no market for the invention) and timing risks (that an invention is made available at the wrong time for the market). Technical risks are clearly in the domain of the applicant of the patent. Market and timing risks are more complex as they relate to how an invention is received by third parties in the market place. A valid patent must satisfy the requirements of novelty, inventive step and industrial applicability. The legal requirement of novelty is that the claimed subject matter has never been disclosed in any form to the public without a confidentiality restriction in any language anywhere in the world. Hence all patents are about possible future technologies. Predicting the future is notoriously difficult, and so is predicting the value of a patent. An idea as to the value of patented technologies can be obtained from the licensing efforts of universities, for which considerable information is available publicly. What is noticeable about the value of patents based on accumulated licence revenues is the skewed or asymmetrical nature of these revenues – and hence of the value of the patents. An example of a US patent portfolio from a well-known US university is given in Figure 4.4.1 below, taken over a period of 25 years and showing the cumulative revenue for each patent. The range of revenues is over a span of four or five orders of magnitude! Some results obtained from these statistics are interesting:
• Of the 270 cases (involving 400 issued patents) reported in Figure 4.4.1, 160 provided no revenue at all. These cases had only generated patenting costs. That is to say, about 60 per cent of the patenting effort resulted in negative return on investment.

Figure 4.4.1 Cumulative revenue (in $, 0 to $40,000,000) by invention case number (0 to 300). Source: Investigation of High-Value UCLA Patents, AUTM 2005 Regional Meeting, 3–5 February, Arizona, Ken Polasko, UCLA Office of Intellectual Property.

• Only a few of the patents brought in significant figures, say above $500,000, in fact about 2 per cent. That is to say, 2 per cent brought in over 90 per cent of the total cumulative revenue.
• Assuming about $50,000 for the costs of patenting, only about 10 per cent brought in more than they cost to patent – never mind the development costs. These figures have been confirmed in principle in other studies.
• A rather shocking fact from these statistics is that significant success occurs with a number of patents that is outside three times the standard deviation from the mean – that means success is an unusual result and statistically unlikely!
• There are a very few big hitters. The whole patenting exercise is dependent for its success on just a very few development projects – a hallmark of a risky business! One rule of thumb is that only one patent in a hundred has a value greater than $5 million.

In fact, this kind of statistic is very difficult to manage. One way of portraying the difficulty is to compare patents with other well-known traded items that form a basis for investment like stocks, bonds and shares. The so-called Moody ratings are given in Table 4.4.1. Figure 4.4.1 shows that 160 out of 400 granted patents (40 per cent) provided no revenue: in other words, at least this number defaulted. If one looks at the rate of default according to the Moody ratings over a relevant period of time (eg 20 years), the results displayed in Figure 4.4.2 indicate that a default rate of at least 40 per cent would be in class B or possibly in one of the C classes. All these are rated as 'below investment grade': 'very speculative', 'substantial risk', 'very poor quality'. Note that this does not mean that patents are not a valuable item; what it means is that they are not items that can be traded in a normal way. This is one reason why a market in buying and selling patents has grown only slowly.

Another statistic that can be generated from the reported material is that, although revenue is earned early for most of the patents that are successful, for example in less than 12 years from filing, some are still earning 19 years after filing, and some only started earning after 15 years. A technology must be the right one at the right time. That is to say, there is a 'window of opportunity'. If this is missed – either by being too late or too early – then the patent value is lower or non-existent. From experience, this window can occur at any time during the 20-year life of a patent. This makes it hard to decide when to abandon a project – maybe it will be successful next year! This uncertainty makes patents a very difficult type of business to manage. It is a risky gambling problem rather than a linear relationship between work input, investment and return. It is difficult to decide if a patented technology will be successful and when it is going to be successful. Such a skewed distribution would appear to require very special management techniques if a patenting policy is to be financially successful.

Table 4.4.1 Moody ratings

Moody's rating | Definition | Notes
Aaa | Highest rating available | Investment grade bonds
Aa | Very high quality | Investment grade bonds
A | High quality | Investment grade bonds
Baa | Minimum investment grade | Investment grade bonds
Ba | Low grade | Below investment grade. 'Junk bonds'
B | Very speculative | Below investment grade. 'Junk bonds'
Caa | Substantial risk | Below investment grade. 'Junk bonds'
Ca | Very poor quality | Below investment grade. 'Junk bonds'
C | Imminent default or in default | Below investment grade. 'Junk bonds'

Figure 4.4.2 Cumulative default rates by rating categories, 1970–2001 (default rate, 0–90 per cent, at Year 5, Year 10, Year 15 and Year 20, for the rating categories Aaa, Aa, A, Baa, Ba, B and Caa–C)

The patent portfolio

One approach to this type of risk is to rely on numbers – the patent portfolio concept. If one patent in a hundred is worth more than $5 million – then let's have a lot of them. Table 4.4.2 gives the top filers of patent applications at the European Patent Office (EPO) in 2006. Filing over 4,400 patent applications per year means over 20 per working day. This requires not only the necessary research and development personnel but also an organization able to capture these inventions and convert them into patent applications. This is patent portfolio management on a grand scale.

Table 4.4.2 Top filers of patent applications at the European Patent Office, 2006

Rank | Company | Applications filed
1 | Philips | 4,425
2 | Samsung | 2,355
3 | Siemens | 2,319
4 | Matsushita | 1,529
5 | BASF | 1,459
6 | LG Electronics | 1,214
7 | Robert Bosch | 1,093
8 | Sony | 1,088
9 | Nokia | 882
10 | General Electric Company | 768

Source: European Patent Office

With a larger number of patents in a portfolio, the variation in average value is less. A well-publicized statistic from IP Bewertungs AG is shown in Figure 4.4.3. Here the value is given in thousands of euros. This suggests that a typical value will be about €55–65,000 per patent – very consistent with the actual average value that can be derived from Figure 4.4.1 above. For a novel and ingenious alternative to the use of the patent portfolio concept, see the UC Berkeley–Novartis agreement discussed in the box below.

Figure 4.4.3 Patent value (in €'000): probability (%, 0 to 25) of a patent falling in each €5,000 value band from 0–50 up to 150 and over, with the median and the expected value marked. © IPB. Source: Monetary-Patent-Valuation: The certified IPB-Model, IP Bewertungs AG.

Novartis, through its subsidiary Novartis Agricultural Discovery Institute, entered into a five-year contract with UC Berkeley's Plant and Microbial Biology Department in 1998 for $25,000,000. The contract was with the entire faculty. The university owned the IP but Novartis had the first right to negotiate. The company also had the right to review all of the research, whether funded by Novartis or by a government or public source. Novartis had an option to negotiate a licence for up to one-third of any of these discoveries annually. It could cherry pick the ones it wanted. The contract clearly makes use of the known statistics on patent value from academia (see Figure 4.4.1). Novartis obtained through the contract the right to review a large number of projects but was allowed to select just a few of these to negotiate a licence. This allowed it at least the theoretical possibility to forego the cost of building up a patent portfolio with only a few big hitters and instead to cherry pick the best.

The small and medium-sized company

The accruing of a large-scale patent portfolio is obviously very difficult for small companies and for individuals. Here there is a David and Goliath situation; one has to hope that the few patents one has will prove able to stop giants in their tracks. The risk of making a mistake can be reduced by detailed technical, legal and market analysis. Extensive legal and technical evaluations can be expensive. The skewed nature of the value distribution (see Figure 4.4.1) makes the use of analytical tools such as the Black–Scholes formula (which relies on a normal distribution of both increases and decreases in value) inappropriate. An alternative is real options analysis. This technique is considered to be expensive (eg about €100,000 if done in detail) and only suitable for high-value patents such as those for pharmaceuticals. In using real options analysis, greater security can be obtained if a patent portfolio or patent family is considered. The distribution of Figure 4.4.3 is then often approximated by a log-normal distribution, which fits real options analysis well as there are no negative values. Other valuation schemes have been proposed that rely on a less costly retrieval of information. An example of such a methodology is the use of value indicators, such as those proposed by IP Bewertungs AG and others. However, as this method relies on a certain statistical relationship between the value indicators and patent value, the method is recommended for larger numbers of patents, for example patent portfolios or patent families. The individual patent remains a tough risk to assess – not only for the owner but for any third party as well.

The future: patent auctions

In the last few years it has become more common to auction off patent portfolios. Once this trend has become well established there will be more market data available on how patents behave as a traded commodity. This should, in due course, result in better data for the assessment of patent value. The patent auction, if successful in the long term, should also allow a return on investment to be obtained with a reduced transaction cost in comparison to licensing the patents or implementing the technology oneself. This will in itself provide one escape route to reduce financial risk.

The spectre of third-party patent infringement

A risk for any company implementing a technology – whether patented or not – is the possible infringement of third-party patent rights. A patent is an exclusive, absolute and negative property right; it is not a permission to implement a technology. A patent provides the negative right of excluding others from technology defined by the claims. It is an absolute right; whether you knew of the patent, or whether you copied or invented the technology yourself independently, makes no difference. The classic approach to guard against patent infringement is a freedom-to-operate analysis (FTO). Once the exact commercially relevant design for a technology to be implemented is known, a search can be made in patent databases to identify dominating patents. As patents are national rights, it is necessary to consider patents of each country where a patented technology will be made, offered for sale, sold, used, stocked or imported. Such a search is often not easy to carry out, as keyword searching depends for its success on the choice of keywords. As different patent drafters may use different words for the same thing, choosing the right keywords is best left to a person with experience in searching and in the relevant technology. Generally, broad search terms will be included to try to catch all relevant patents and patent applications. This will result in a certain amount of noise – hits that are not at all relevant. Do not be surprised if you get several thousand hits to analyse. The strategies for carrying out FTO analysis usually involve a series of cuts. With each cut the number of documents left to analyse is reduced, but the effort per document increases with each cut as the relevance of the documents increases. If any documents are still left after the last cut, these will have to be considered in detail. Are the patents valid? Does the intended product or method fall under the claims? Can a licence be obtained or is it possible to design around? FTO analysis can be expensive and time consuming. As one is trying to prove a negative, there is always the possibility of missing something. A safety net against attack by competitors can be provided by a large patent portfolio. If a competitor attacks for patent infringement, one may have a patent that the competitor infringes. Such a situation can lead to a cross-licensing defence. Such defences are used often by large corporations with big patent portfolios. The cross-licensing defence usually does not work against individual inventors or against patent trolls (those who trawl through patent registers for exploitable opportunities). Both of these probably have no products that they sell, hence there is nothing that could infringe a patent of the defendant.
The danger of this type of court case is magnified many times in the United States by the US court system. A patent troll or an individual inventor may obtain the services of an attorney who works on a contingency basis. This reduces the costs of the plaintiff – an option normally not available to the defendant, who is left to bear the heavy costs of legal defence. Either one defends against the patent infringement court case (eg by showing that there is no infringement or the patent is invalid) or one tries to come to the most economical settlement. For small companies with too few patents for a cross-licensing strategy the outlook is grim. One may well be in 'bet-your-company' litigation! Sometimes a major mistake is made with FTO – see the inset on the Polaroid versus Kodak litigation. To deal with this risk, an option that has often been courted is that of patent infringement litigation insurance. Patent insurance pays a company for all or a part of losses incurred if the company infringes, or is accused of infringing, someone else's patent. Presently, offers to provide such insurance are limited, and any that exist are likely to be expensive. No EU member state has any legislation on patent litigation insurance that might, for instance, make it compulsory. A study of this topic has been made by the European Commission and a final report was issued in January 2003: A Study for the European Commission on Possible Insurance Schemes Against Patent Litigation Risks. The interested reader is referred to this extensive report for further details.


For 30 years, Polaroid built and dominated a worldwide market for instant photography. Kodak wanted to get into this market and produced its own design. It considered that it had FTO because this design did not infringe Polaroid's patents or, if it did, those patents were invalid. Unfortunately for Kodak, the patent infringement court disagreed and in 1985 decided that Kodak had violated Polaroid's patents for instant photography. The decision ended a nine-year legal struggle between the two photography giants. The final damage award to Polaroid was $924.5 million. Ironically, digital photography dealt Polaroid a fatal blow; in 2001, it filed for bankruptcy.

Can you be confident your ideas are secure?

The comprehensive professional services of Beck Greener will ensure effective protection for your new project.

We provide expert advice based on a wealth of experience in the field. We protect inventions from simple mechanical toys to complex new drug formulations requiring global protection. We protect famous brands worldwide, and we help start-ups to identify and protect a name or logo with the potential to become a famous brand of the future. Our patent partners are experienced European patent attorneys and represent clients directly before the European Patent Office. We act directly at the Office for Harmonization of the Internal Market (OHIM) obtaining and defending Community trade marks and designs.

If you require expert professional services in the field of intellectual property, contact one of our partners: For trademark matters contact Ian Bartlett. For patent matters contact Jacqueline Needle.

Beck Greener, Patent & Trade Mark Attorneys, established 1867.

Beck Greener, Fulwood House, 12-13 Fulwood Place, London WC1V 6HR. Tel: + 44(0)20 7693 5600 Fax: + 44(0)20 7693 5601 Email: [email protected] Website: www.beckgreener.com

4.5 Intellectual property litigation

Jacqueline Needle, Beck Greener

Intellectual property (IP) litigation can be expensive, particularly in the United Kingdom. Businesses are said to avoid the expense by ignoring IP and turning their backs on protection for their new products or concepts. This could be an expensive mistake. Inventions and ideas disclosed without protection are effectively donated to all comers, and those who neglect IP by their ignorance increase the likelihood that they will be sued for infringing the rights of others. Any organization that introduces new products or new business methods, or changes the way it promotes itself or its name or brands, could find itself on the receiving end of an action for IP infringement. In a nightmare scenario, a business finds officials on its doorstep empowered to confiscate goods or documents. In this chapter, we will look at patent litigation as an example of IP litigation generally, and will consider the cost of patent litigation in order to determine whether the cost genuinely provides a reason to avoid protecting innovation. We will consider how a business can effectively use IP, and the steps it can take to avoid becoming embroiled in litigation.


The cost of patent litigation

The European Commission is so certain that litigation costs adversely affect the take-up of patent rights that it has proposed that anyone applying for a European patent should be required to have compulsory patent litigation insurance. A study for the Commission determined the average amount spent by each party in a patent infringement action in a number of EU countries. The results are set out in Table 4.5.1. Of the countries in Table 4.5.1, neither Germany nor Finland considers the validity of a patent in an infringement action and the parties invariably incur the additional costs of a separate nullity action. Therefore, in practice, the costs given for those two countries should be doubled.

Table 4.5.1 The average spend by a party in a patent infringement action

Country    First instance costs    Appeal costs    Percentage of costs recovered
France     €80,000                 €45,000         Low
Germany    €165,000*               €200,000*       Low
Finland    €120,000*               €25,000*        100%
Sweden     €120,000                €65,000         100%
UK         €550,000                €430,000        50%

* Countries where the validity of a patent is not considered in an infringement action.

The same study looked at the number of European patents in force in various countries and at the number of patent infringement actions started per annum to determine a litigation ratio indicating the incidence of patent litigation. For example, in France 250,000 European patents are currently in force and 50 patent actions are started a year, so the litigation ratio is 1:5,000. Only 50 per cent of patent actions in France proceed to trial and judgement, so a similar calculation gives a first judgement ratio of 1:10,000. The figures for other countries are set out in Table 4.5.2. As the table shows, with the exception of Germany, in most countries very few patents are the subject of litigation. Even where an action is started, at least half are settled before trial. In the United Kingdom, only about 20 actions a year go to trial, which is one-sixth of those started.


Table 4.5.2 The incidence of patent litigation

Country    European patents in force    Litigation ratio    Ratio to 1st judgement
France     250,000                      1:5,000             1:10,000
Germany    300,000                      1:600               1:750
Finland    20,000                       1:2,000             1:5,000
Sweden     82,000                       1:5,000             1:8,000
UK         250,000                      1:2,000             1:12,000

UK litigation procedures

Table 4.5.1 reveals that patent litigation in the United Kingdom is generally expensive, and higher than in other European countries. This difference in cost arises out of differences in process. UK patent infringement proceedings involve both disclosure and evidence. During disclosure each party has to locate and make available internal documents relevant to the issues. Then evidence, generally in the form of written statements by independent experts, is prepared and filed. The disclosure and evidential stages may take months and can be very expensive. The proceedings are concluded by a trial before a specialist patent judge, which can take several days.

The UK procedure can be compared with that in Germany, for example, where there is an emphasis on written submissions. Both parties are required to set out their entire case in written form. There is no disclosure, and evidence is rare. The case then goes to trial before a panel of judges at a hearing that typically lasts up to three hours.

In the past, patent infringement actions in the United Kingdom had to involve three types of professionals, namely patent attorneys, solicitors and barristers. This led to considerable expense, and the Patents County Court was set up to provide affordable patent litigation. It offers the parties a greater choice of professionals and, for example, in the Patents County Court a patent attorney may act alone. The study referred to above on behalf of the European Commission found that actions in the Patents County Court generally cost about a third of the cost of actions in the Patent Court. More recently, appropriately qualified patent attorneys, referred to as patent attorney litigators, have been given rights allowing them to litigate in the mainstream English courts, up to and including the House of Lords. This reduces the number of professionals needed in a case.
There have also been changes in practice in these courts that have streamlined procedure and have required the issues to be simplified. Hopefully, we are now in an era where patent infringement actions, whilst never cheap, can be undertaken for a much more reasonable cost.


Is the cost of enforcement a reason to avoid protection?

We have seen that patent infringement actions in the UK can be costly. However, fewer than 1 per cent of UK patents are involved in litigation, and of that 1 per cent under 20 per cent are subject to trial. As so few patents are litigated to trial, it seems bizarre to forgo protection for a valuable innovation to avoid that cost. Innovations generally involve many work-hours in their conception and development, and substantial costs can be incurred in getting the project to market, for example in testing, packaging, advertising, distribution and similar. The costs of a patent application, filed before any disclosure of the invention is made, will be relatively modest in such a context. It does cost money to pay professional patent attorneys to register trademarks and to draft and file patent applications, but the potential rewards are high. For the price of one full-page advertisement in the Daily Telegraph it would be possible to cover the fees arising over a five-year period to obtain grant of a patent for a new invention in a selection of four or five European countries, in the United States and in Japan. The newspaper may be in the bin within 24 hours, whilst the patent could provide a platform for profitable trading for 20 years.

Once a patent application has been filed the innovation can be appropriately marked ‘patent applied for’. This acts as a ‘keep off the grass’ sign and can be very effective. Not many businesses coming across a new product will decide to copy or emulate it without taking some notice of the warning. Even where there is no patent notice, many reputable businesses will search for patent applications before deciding whether to proceed with a similar product. Thus, a patent application will involve the competitor in expense in determining the existence and relevance of any patent protection. At worst, the patent application will delay competitive copies; at best it will prevent them.

Photocopy machines, for example, were made and sold only by Xerox for the full term of its basic patent; no competitor tried to sell competitive machines and there was no need for legal action. Xerox therefore had a de facto, and extremely valuable, monopoly for nearly two decades. Even if there is a competitive product on the market, a patentee does not have to sue for patent infringement. There may be scope for licensing or other deals. For example, a company with restricted production facilities may find it beneficial to turn an infringer into a licensee with full responsibility for the production. Ron Hickman, who invented the ‘Workmate’, did have to commence an action against Black & Decker when they began to copy his work bench. However, it soon became apparent that it would be much more lucrative for Black & Decker to take over the production, which until then had taken place in Mr Hickman’s garage.

Effective use of IP

All businesses, regardless of their size, have competitors and seek commercial advantages over those competitors. A small company coming into conflict with the rights of others does not have the commercial ‘muscle’ that large corporations can use to force a settlement. IP rights might be the only weapons a small company can deploy in the event of a conflict. Effective use of IP could be vitally important to a small company. A company using IP effectively will:

• have a person in authority who has adequate knowledge of IP issues;
• have routines in place to safeguard rights;
• seek professional assistance when required.

Adequate knowledge

Conflicts can arise, or rights can be lost, if appropriate action is not taken during the timescale of a project. A knowledgeable owner or executive can identify, and then avoid, any risk of conflict by undertaking searches to establish the rights of others. During any project the executive can also decide whether any of the ideas are so commercially valuable that protection should be sought.

Safeguard rights

Any proprietary information of commercial value should be identified and kept confidential. Employees should be made aware that such confidential information must not be divulged. Measures can be taken to restrict the availability of confidential information within a company, and departing employees should be reminded that their duty of confidentiality will continue even after they have left. The recipe for Coca-Cola is still known to only a handful of people and the courts have demonstrated a willingness to protect such secrets. Recently, an ex-employee of Coca-Cola in the United States who offered part of the recipe to PepsiCo was jailed.

The majority of those made rich with the assistance of IP, such as James Dyson, have had ideas or inventions that have been patented. A patent can only help if it is valid, and a valid patent can only be obtained if the patent application is filed before there has been any public disclosure of the invention. It is essential that any new idea of potential worth is kept totally confidential to the company during the early stages of the design or development. At some time, a positive decision should be made as to whether patent protection is likely to be required. If it is decided that patent protection is not warranted then public disclosure can be made, but it should be realized that putting the idea in the public domain also dedicates it to the public, as the right to obtain patent protection in most countries has thereby been given up.

Seek professional assistance

It is important to get the patenting decision correct, especially if a project is thought to be of potential value to the company. Not only must an invention be new to be patentable; it must also be non-obvious compared with what is already known. However, many inventors will wrongly define the final result of their labours as obvious, perhaps because they see it as just the consummation of days or weeks of everyday work.


A patentable invention also has to be of industrially applicable subject matter and not in the list of entities that are explicitly excluded from patent protection. The inexperienced are often heard to exclaim wrongly ‘you can’t patent that’. If the invention has taken time and money to develop, will take further resources to get into the market, and is forecast to have a future, it would be wise to take professional advice. In such circumstances there is a very high chance that the invention will be patentable. Even if the patent attorney advises that an invention is not generally patentable, other protection options may arise. For example, the significant differences between European and US patent laws mean that products that cannot be patented in Europe can often be patented in the United States. Alternative forms of protection, such as a Community Registered Design, may also be available and might be commercially useful.

Avoiding litigation

Generally, it is only necessary to follow a few simple rules to avoid being the defendant in an unwanted legal action for IP infringement:

• Do not copy the products, documents or other materials of competitors.
• Keep records of all company work leading to ideas and innovations.
• The keeping of notebooks is recommended for engineers.
• Before adopting new names, brands or innovations, make appropriate searches to establish if competitors have any relevant rights.
• Where your competitor is found to have rights, ask a patent attorney for ‘freedom to use’ advice.
• Where there is an identified risk of conflict, move to another project, or negotiate with the competitor before committing to the project.


5

The Role of IT in Providing Risk Solutions

From complex and interlinked supply chains to those trimmed down for reduced costs, the risks to larger organisations remain the same. Any supplier without an adequate, tested business continuity plan poses a serious risk and could undo the steps you have taken to protect your business, in one fell swoop. In response to this, and as part of our commitment to propagate business continuity to those organisations who do not yet have a BC plan in place, ICM has developed Disaster Cover Direct; a low cost, straightforward business continuity package aimed specifically at small businesses. Disaster Cover Direct offers SMEs a simple, affordable business continuity solution which, in turn, provides larger organisations with the peace of mind that there is no weak link in their supply chain. With the BCI Good Practice Benchmarking tool for measurable BS25999 compliance included within the package, you can be sure that your suppliers will not let you down.

How easily could your supply chain collapse?


To find out more call us on 08701 22 22 00 email [email protected] or visit www.icm-computer.co.uk

5.1 How IT can mitigate continuity risks

Alistair King, ICM Computer Group

Introduction

Traditionally, IT and business continuity strategies were developed and executed in isolation from each other. IT was there to serve the information needs of the organization, while business continuity (BC) and disaster recovery (DR) ensured that it could continue to operate when systems were rendered unavailable, and get them back up and running as soon as possible. More recently, forward-thinking organizations have aligned their IT and BC strategies so that business availability can be maximized. More resilient IT infrastructures, designed to protect data and allow for quick and easy recovery, have improved the recovery time and point objectives for data in the case of an ‘incident’ (as defined by the IT Infrastructure Library).

This chapter reviews how IT and business continuity should be thought of as a unified strategy to achieve improved business availability. It will explore the causes of IT downtime and discuss how IT solutions have evolved to include an element of business continuity that is intrinsically embedded into their make up. Finally, it looks at how business continuity strategies can take best advantage of IT solutions to deliver quicker and more complete recovery of IT systems.


Various IT solutions are considered in the context of their recovery time objectives and recovery point objectives. These measurements allow IT and business continuity professionals to target and measure the time it takes to recover from a business outage and the point to which data can be recovered.

Recovery point and recovery time objectives defined

These two measures provide the key information from which business continuity analysts work when setting out a recovery plan. The recovery point objective (RPO) describes a point in time to which data must be restored in order to be acceptable to the owner or owners of the processes supported by that data. Essentially this defines how often snapshots of data and full backups need to be taken. It should be remembered that lost data may need to be re-entered before the system can be restarted and the business process fully resumed.

The recovery time objective (RTO) defines the amount of time in which a business process must be recoverable for continuity of service to remain undamaged. In simple terms, it defines the time in which key IT systems must be up and running once again. When calculating the RTO, many factors should be taken into consideration in addition to the time it takes to restore the data from the backup:

• any possible time lapse between the occurrence and the detection of the incident;
• subsequent management decisions as to the procedure for dealing with the incident;
• locating and informing key individuals;
• any time necessary to locate the recovery media, or time to post-process restored data before restarting the downed applications.

All these will have an impact on the RTO and therefore must be considered in the final calculation; however, specific factors may vary from organization to organization. There are a number of points to keep in mind here. Most importantly, it is vital to understand that, while these metrics refer specifically to business processes and not to systems or resources, they are almost always dependent on IT systems. This is why it makes sense to link the two and to consider aspects of business continuity planning when selecting and implementing IT systems.

Other resources can of course be used to replace the failed or unavailable systems on which processes depend. As well as stipulating the recovery time for data and systems respectively, the RPO and RTO will usually define the service level to which that process must be recovered. It may only be necessary in some cases to recover specific information, or key components of applications, for a business process to resume to a satisfactory level. It is also important to understand that the RTO and RPO define objectives rather than mandatory targets for recovery. The business continuity plan will aim to achieve recovery within a time frame as close to the RTO as possible, restoring the most recent data possible, but stipulating acceptable tolerances.
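The RPO and RTO definitions above can be turned into a check that an analyst runs against a proposed backup regime. The following is an added example, not from the chapter or from ICM: it assumes restore points at a fixed interval, a recovery timeline made of the steps listed above, and constructed sample durations, and it also shows how lost data that must be re-entered couples the two objectives.

```python
# Added example (not from the chapter): applies the RPO/RTO definitions to a
# proposed backup schedule and recovery timeline. All names, schedules,
# durations and the incident time are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupSchedule:
    """Restore points (snapshots or full backups) taken at a fixed interval.

    Assumption: each restore point completes instantly at its scheduled time.
    """
    anchor: datetime      # time of the first restore point
    interval: timedelta   # time between successive restore points


@dataclass(frozen=True)
class RecoveryTimeline:
    """Duration of each step the chapter lists as feeding into the RTO."""
    detection_lag: timedelta          # incident occurs -> incident is noticed
    decision: timedelta               # management agrees how to handle it
    notification: timedelta           # key individuals located and informed
    media_retrieval: timedelta        # recovery media fetched / vault mounted
    restore: timedelta                # data copied back from the restore point
    post_processing: timedelta        # checks and application restart
    reentry_per_hour_lost: timedelta  # manual re-keying of lost transactions


def latest_restore_point(schedule: BackupSchedule, incident: datetime) -> datetime:
    """Most recent restore point taken at or before the incident."""
    if incident < schedule.anchor:
        raise ValueError("incident precedes the first restore point")
    completed = (incident - schedule.anchor) // schedule.interval
    return schedule.anchor + completed * schedule.interval


def data_loss_window(schedule: BackupSchedule, incident: datetime) -> timedelta:
    """Data written after the last restore point is lost; the RPO bounds this."""
    return incident - latest_restore_point(schedule, incident)


def projected_recovery_time(timeline: RecoveryTimeline, lost: timedelta) -> timedelta:
    """Elapsed time from the incident until the process can resume.

    The clock starts at the incident, not at detection, so the detection lag
    counts. Lost data has to be re-entered before restart, so a looser RPO
    lengthens the recovery: the two objectives are coupled.
    """
    hours_lost = lost / timedelta(hours=1)
    reentry = timeline.reentry_per_hour_lost * hours_lost
    return (timeline.detection_lag + timeline.decision + timeline.notification
            + timeline.media_retrieval + timeline.restore
            + timeline.post_processing + reentry)


def assess(schedule, timeline, incident, rpo, rto):
    """Check one incident against the objectives, and also the worst case.

    The worst case is an incident just before the next restore point, when the
    loss window is a full interval; a schedule that only passes for the
    sampled incident is not good enough.
    """
    lost = data_loss_window(schedule, incident)
    worst_lost = schedule.interval
    return {
        "restore_point": latest_restore_point(schedule, incident),
        "data_lost": lost,
        "recovery_time": projected_recovery_time(timeline, lost),
        "rpo_met": lost <= rpo,
        "rpo_met_worst_case": worst_lost <= rpo,
        "rto_met": projected_recovery_time(timeline, lost) <= rto,
        "rto_met_worst_case": projected_recovery_time(timeline, worst_lost) <= rto,
    }


# Constructed sample plan: 4-hourly restore points, RPO 4 h, RTO 5 h 30 min.
SAMPLE_SCHEDULE = BackupSchedule(anchor=datetime(2024, 3, 4, 0, 0),
                                 interval=timedelta(hours=4))
SAMPLE_TIMELINE = RecoveryTimeline(
    detection_lag=timedelta(minutes=20),
    decision=timedelta(minutes=30),
    notification=timedelta(minutes=15),
    media_retrieval=timedelta(minutes=45),
    restore=timedelta(hours=2),
    post_processing=timedelta(minutes=30),
    reentry_per_hour_lost=timedelta(minutes=20),
)
SAMPLE_INCIDENT = datetime(2024, 3, 4, 10, 30)   # constructed incident time
SAMPLE_RPO = timedelta(hours=4)
SAMPLE_RTO = timedelta(hours=5, minutes=30)


def sample_report():
    """Run the check on the constructed sample plan."""
    return assess(SAMPLE_SCHEDULE, SAMPLE_TIMELINE, SAMPLE_INCIDENT,
                  SAMPLE_RPO, SAMPLE_RTO)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key:>20}: {value}")
```

For the sample incident the plan meets both objectives (restore point 08:00, 2 h 30 min of data lost, 5 h 10 min to recover), but an incident just before the next snapshot would push recovery to 5 h 40 min and breach the RTO, which is the case the plan has to be sized for.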

The causes of downtime

When organizations are reviewing their business continuity plan it is important to be aware of the causes of downtime so that appropriate solutions can be employed to prevent outages and help the recovery process. According to Gartner Research, there are six main causes of downtime. They are, in order of magnitude:

• software failure;
• planned downtime;
• operator error;
• hardware failure;
• building/site disaster;
• environmental disaster.

The first four causes are IT-related and the frequency of an outage due to them will depend on the IT infrastructure in place. The last two causes will require a comprehensive business continuity plan to keep downtime to a minimum. In these areas, the deployment of IT systems can be closely aligned with business continuity and disaster recovery plans to give an organization the best chance of a speedy recovery.

Software failure

If a critical software application or operating system fails, it will always be difficult to recover as the business or process will have an inherent dependency on that software. Whatever is stopping the system running on the main system will also prevent it being run on any other. Thorough testing, ongoing maintenance and the availability of support from the supplier are all vital to minimizing the risk of software failures. Business continuity plans can put in place alternative systems or provide for a reversion to manual processes. However, this is often not a viable option. Organizations are thus highly dependent on the stability of their software.

Planned downtime

Planned downtime is, by definition, a pre-planned exercise that is predictable but still means that employees, customers, suppliers and other stakeholders may not be able to get access to the systems they require. They can be made aware of the planned period of downtime but for the organization it can mean lost business or inefficiencies. Certain high availability solutions can avoid both planned and unplanned downtime where systems may need to be available 24 × 7 × 365.


Operator error

Any organization that is dependent on its IT systems to support business processes will take all possible and practical measures to avoid errors or system failures from causing downtime. Outages caused by operator error can be addressed to a limited degree by business continuity planning. Management processes, training and the following of best practice in IT service provision using methodologies, such as ITIL and PRINCE2, will help to minimize the risk of operator errors, while the right management tools can make IT infrastructures easier to manage, thereby further reducing the margin for error. The selection of systems and principles used can to some extent assist business recovery planning in this area, but it will never be possible to entirely eliminate the potential for human error.

Hardware failure

The potential for hardware failures can be obviated to a very significant degree through the deployment of systems that will make the recovery process faster. Of course, various measures can be taken to minimize the potential for hardware failures in the first place. Proper and thorough analysis of business requirements and the subsequent evaluation and testing of reliable solutions, along with the provision of adequate bandwidth, storage capacity and other resources, will help to minimize the risk of systems failing and prevent them being placed under excessive strain. Ongoing monitoring and management of system and network resources will also help to prevent any outages due to hardware failure. But even these measures will not prevent all potential for downtime. Specific solutions that provide systems and/or data redundancy and enable faster or ‘hot’ replacement and recovery of components and systems can be highly significant to both business continuity and disaster recovery planning.

Building, site or environmental disaster

A comprehensive business continuity plan is needed to fully protect against the impact of any event, disaster or incident that could render the building or site in which systems are located and processes carried out unusable or inaccessible. IT systems will play a major role in these plans. If IT resources are deployed intelligently and with business recovery and disaster planning in mind, this can enable faster and more accurate recovery, ultimate achievement of RPOs and RTOs and subsequent higher levels of business availability.

How IT and business continuity can work together

As many business processes depend on IT, their recovery in the event of a disaster or major systems failure will largely depend on the rapid restoration of systems and data.


This dependency makes business continuity planning even more essential. The more the organization relies on IT, the more necessary it is to have not only a highly robust and resilient IT infrastructure, but also a bulletproof continuity plan. Increasingly, organizations are realizing that they cannot have one without the other. There are many more tools on the market now to help increase the resilience and redundancy of systems, and it is now more viable than ever to use those solutions as active elements of the business continuity plan.

In an ideal world you would understand all the issues before you sit down and design your systems and infrastructure, including the need for business continuity planning. In the real world though, decisions are usually made to meet specific and more immediate requirements. While the impact on other systems and processes may be considered, little or no direct thought will be given to the potential implications for recovery. Any benefit to the business continuity plan will be incidental. Most organizations are in this position today and need to develop the recovery plan around existing systems.

However, more organizations are now starting to build greater resilience and redundancy into their systems as a matter of course and, where they do, these systems can be used as an effective part of the recovery plan. Many, for example, are deploying storage area networks, electronic data vaulting and other such technologies to reduce their dependency on a single location. When triangulated with a business continuity centre, the level of resilience this kind of infrastructure provides is extremely high. Rather than being dependent on the restoration of a server or specific data, the RTO and RPO will depend on the time taken for staff to physically relocate to the recovery site.

Even so, it is important to remember that the principal reason for implementing any technology will not be, in most cases, to bolster business continuity. The main driver may be to reduce risk and ensure the organization can continue to function normally in the event of any system outage. But in most cases the justification for investment will be made on the grounds of a defined business requirement and objective. A storage area network (SAN), for example, will provide improved performance and increased capacity, and will optimize use of available data storage in the live environment. As it enables data to be shared or striped across a number of devices, it will also provide a high level of data redundancy and as such can be used as an effective component in the business continuity plan.

Virtualization as a tool for business recovery

With virtualization the initial drive for adoption will almost certainly be the need to reduce the size, complexity and cost of the datacentre. By adopting virtualization technologies such as VMware there is an opportunity to save on power and space as well as increasing uptime. The fact that fewer servers are used to service the needs of the business reduces the likelihood of a single failure, and in the case of a failure system requirements can be spread across the entire server estate.


Virtualization also provides a useful tool for business recovery. Virtual backup solutions can minimize backup time by taking a snapshot of a virtual machine’s virtual disk, and generating the backup from that snapshot. Because snapshots can be created quickly, operations are only briefly interrupted. Data restoration is also quicker because the reduced length of time it takes to provision or restore virtual servers aids the recovery time and point. This will not necessarily recover the entire business process however. Virtualization solutions need to be configured to meet recovery needs, in order to be effective in the case of a major outage.

Technology and the business continuity plan

Indeed, there is no one technology that will do everything that is required to recover your business processes. Certain technologies can provide building blocks for the business continuity plan, but there is no single solution. Businesses are increasingly dependent on technology to operate and, as a consequence, to recover those processes, but you still need a carefully planned strategy for dealing with unforeseen events or downtime.

Virtualization, SANs, data vaulting, data replication tools, hosting and other technology solutions are making it possible for organizations to build more inherent resilience and redundancy into their infrastructures and achieve faster recovery times for key business processes. Other legacy technologies, such as directly attached storage, only provide limited recovery options and offer little in the way of additional options for business continuity planning. In most organizations today, many of the established systems cannot be used to complement the business continuity plan. Servers are still largely dependent on ageing backup regimes and out-of-date recovery plans that will no longer meet business requirements. The need for a well-thought-out and tested business continuity plan is therefore as great as it ever was and, given the increased dependency on IT systems, perhaps greater than it has ever been. New technologies can help to improve and enhance recovery, and allow more ambitious RPOs and RTOs to be set, but they can never replace the business continuity plan.

Summary: achieving optimum business availability for IT-dependent processes

Today, organizations depend on IT more than ever. Few business processes can operate and deliver the required level of service without the computer systems that underpin them. The need to plan for outages or loss of access to systems is therefore vital. While the focus must always be on the business process itself, the rapid recovery of systems and data will be fundamental to the reinstatement of those processes.


As such, it is only sensible to consider business continuity and disaster recovery planning when selecting new systems that will support key business processes. By implementing technologies that will make recovery more straightforward, faster and easier to manage, organizations can reduce the amount of time and cost associated with a recovery from unplanned downtime, and significantly reduce risk.

Another factor to consider here is that, taken as point solutions, data vaulting, replication, hosting, SANs, virtualization and other IT solutions and services can all assist and contribute to mitigating risk and to the business continuity plan. However, they are deployed for specific purposes and not considered as part of an integrated continuity plan. For this reason, it is important to carry out professional business continuity assessment and planning. You need to understand business needs and what needs to be recovered, as well as all the technologies and how they can be used to best effect as part of an integrated business continuity plan.

Business continuity is about understanding the organization and what you need to recover and restore to ensure key processes can be carried out. There is no panacea; there are many tools that can simplify and enhance the process of business continuity planning and recovery, but it is only a comprehensive and professionally prepared strategy that can ensure your organization minimizes the risk of downtime and achieves optimum levels of business availability.

5.2 The real-time enterprise: the need for NOW!

Bart Patrick and Mark Elkins, SAS UK & Ireland

Introduction

A study of pedestrians in major cities around the world concluded that we are walking up to 30 per cent faster than in 1990 (see note 1). Quite literally, Homo sapiens has stepped up a gear, and this is true in our commercial life too. Activities that used to take hours now take minutes. Decisions that previously took time to reach are expected to be made in shorter time frames. We are living in the NOW! society. Decisions are based upon information – the analysis of data. With the amount of available data doubling every year we are able to make more informed decisions that improve enterprise performance. Coupled with the 'need for speed', we are now able to make those decisions more quickly. Speed is now essential in transactional process delivery and in the management of certain risks. It has not always been so for payment card processing, but this is changing. The Faster Payments initiative is just one example of how the speed of transactions is increasing and of how the service delivered will have an immediate impact. Soon the expectation will be that other transactions and applications – risk assessment, mortgage processing and secured loans amongst others – will be carried out with immediate effect. The initial driver is transaction based, but real time will extend into

THE REAL-TIME ENTERPRISE 243 •

all functions of the enterprise: risk, marketing, finance, sales and others. This will take end-user service to new levels. At the same time, to manage the performance of the business effectively and fully meet the needs of shareholders, key decision makers will need to understand just how the business is performing. Again, after improving risk management functions in real time, the financial status of the business will need to be ascertained. Real time is not just about what is happening at this moment; it's about taking the NOW! experience and predicting the future through effective modelling with proven methodologies. The ability to bring modern risk management techniques into the real-time environment will improve performance, delivering improved dividends to shareholders, better service to clients and competitive advantage to the company.

'The amount of data being generated is doubling every 11 months and some think it will double every month soon' (Dr Jim Goodnight, SAS CEO, May 2007 at the SAS Executive Forum).

The need for NOW!

The amount of reliable data available to aid risk decision making and performance management continues to grow. There are many challenges in collating that data, including:
• Diverse systems: companies have merged, acquired and divested businesses with differing IT standards and protocols. This has created an environment of hugely different hardware and software even within the same enterprise.
• Diverse geographies: there is only slow progress in standardizing language, coding structures and data-entry formats within most multinational organizations. This creates huge issues in creating a consolidated view of data.
• Data quality: over time, differing management and staffing regimes will have entered data in different ways – is it A.Smith, A Smith or ASmith? Are they all the same person? Have staff entered codes incorrectly? How can we find and cleanse these?
• Legacy systems: IT is a rapidly changing environment. However, there are still systems in use that are over 20 years old. These systems are often deeply embedded in the core operations of enterprises and difficult to replace. Companies will often wrap these hardened credit, market and operational risk systems in newer technology to reduce the impact of the requirements they can no longer support.
• Data integration: if you bring together the geographies, differing standards, data quality, and diverse and legacy systems, you are presented with a long-term strategic challenge, which has so far been taken on by relatively few organizations.

• 244 ROLE OF IT IN PROVIDING RISK SOLUTIONS

Figure 5.2.1 illustrates that only a small proportion (between 1 per cent and 5 per cent) of the companies surveyed in 2007 had any form of fully integrated data. The diagram illustrates traditional considerations in data collation. But there is now another factor – speed. As a society we are moving at an ever-increasing pace, and information is needed now to beat the competition, to improve customer service and to win the business. This also impacts on risk where, for instance, the inability to give a mortgage applicant an instant decision risks the applicant taking their business elsewhere.

[Figure 5.2.1 (bar chart, not reproduced): the proportion of respondents reporting 'Fully implemented' versus 'Fairly consistent execution' for four statements: 'My organization has a single set of accurate, good-quality data that is used for decision making'; 'Data within my functional area is integrated'; 'Data from across all areas of the organization is integrated'; 'My organization has a standard set of data definitions that everyone follows'. The fully implemented figures lie between 1 and 5 per cent; the fairly consistent execution figures between 12 and 17 per cent.]

Figure 5.2.1 Level of data quality and integration in the organization. Source: SAS Research, March 2007.

The requirement is for more reliable, quality data than ever to be analysed at the point of use. Because of the amount of data, which is doubling annually, and of the need for NOW!, it sounds like an insurmountable challenge. There can be no compromise in terms of the quality of decision making – particularly with risk rising up the corporate agenda and being used to direct day-to-day business activity. Swift, accurate analysis needs to be performed – and subjected to constant improvement to reflect the dynamic, competitive market place. Let's look at the need for NOW! In the financial services industry many transactions could be classed as time critical (decisions required in milliseconds), time sensitive (decisions in less than two hours) and time agnostic (a decision needs to be made – at some point within the next week!). This is based on what is acceptable to the customer, as Figure 5.2.2 illustrates.

[Figure 5.2.2 (table, not reproduced): columns Time critical, Time sensitive and Time agnostic; rows Business issue, Risk – analytic need, The bottom line and Need for speed driver. The business issues listed range from fraudulent transactions, fund transfers within the same bank, credit risk (mortgage, electronic transfer, loans, secured loans, HP, PCP, application processing) and high-volume, relatively low-value customer and merchant service, through compliance reporting and mid-value, mid-volume intermediary and customer service under industry commitments such as faster payments, to credit scoring and default, portfolio stress testing, operational risk management and cases with little or no speed driver such as a postal mortgage application. The analytic needs named include limiting financial loss through fraud, managing reputational loss risk, lowering customer attrition, managing channels to market, Treating Customers Fairly, MiFID, operational risk monitoring, the customer going elsewhere if time lines are too extended and the risk of fines from regulators. The bottom line runs from shareholder, customer and employee confidence (time critical) through customer confidence (time sensitive) to lower priority and less urgency (time agnostic).]

Figure 5.2.2 The time continuum: the need for speed

The drivers for real-time or near real-time risk management are competitive pressure, compliance (the FSA's Treating Customers Fairly (TCF), Reg NMS, Cheque 21, MiFID, anti-money laundering, etc) and the underwriting of profitable business that delivers shareholder value plus sustainable growth. Kaizen (continuous improvement) techniques must be applied in order to adapt to a constantly changing environment. All transaction types will and can move from time sensitive and time agnostic to time critical. Companies that refuse to recognize this are failing to understand their customers' expectations, and will suffer as a consequence. But the concept of real-time analytics – with the immediate response – does not benefit only the transactional element of the banking environment. Imagine how the deployment of a real-time enterprise platform would benefit the performance of the entire organization – remember we live in the NOW! society, where new channels (the internet and mobile particularly) promote speed and customer convenience. The accurate, efficient and risk-sensitive use of excess liquidity is the concern of most institutions. In order to achieve this, a near real-time assessment of risk levels – credit, market and operational risk – is required, and companies must have in place a suitable data and systems architecture that can deliver the analytics required. Organizations are making progress in creating the bedrock on which to build real-time platforms to transform the way they do business. In a recent survey, 28 per cent of companies stated that they had exceeded their previous year's reliance on business intelligence for decisions, and 32 per cent had also improved on their information sharing across the organization. But this trend will have to be accelerated in order to make it fast and convenient to manage the business in real time. Over a quarter (26 per cent) of companies reported that they had improved their use of analytics in the last 12 months (SAS Global Enterprise Risk Management research 2007), as illustrated in Figure 5.2.3. The confidence of proven, robust analytical modelling needs to grow so that a win–win–win situation is created for the organization, customers and shareholders.

[Figure 5.2.3 (bar chart, not reproduced): the percentage of companies fairly consistently or strongly executing in each area, split into 'Exceeded previous years' and 'Maintained/declined', for advanced analytics, availability of technology for information access, cross-organizational data integration, openness to change, information sharing across the organization, access to a variety of information sources and reliance on business intelligence for decisions.]

Figure 5.2.3 Real-time analytics. Source: SAS Research, March 2007.

Real time: a partnership approach?

Creating a real-time decision-making environment is like sailing. The sea can change rapidly, and experience needs to be applied to that changing environment in order to reach the desired objective. In other words, the models on which decisions are taken on an individual transaction need to reflect the latest corporate experience. In the pursuit of a flexible, real-time adaptive platform, responsive to transactional and risk dynamics, organizations need to develop, in conjunction with suppliers and internal IT, a phased approach to deliver the long-term vision of the real-time, risk-driven enterprise. Business intelligence and analytics need to evolve to new levels of sophistication to support this. Two examples where real-time decisioning is already impacting on business success are:
• Transaction monitoring for payment cards: a true enterprise fraud-detection application, capable of running multiple organizations or levels of hierarchy within a single instance, has been deployed. This provides 100 per cent real-time score processing on card purchases, payments and non-monetary transactions. The consumer has no awareness of the authorization process cycle. Fraud risk is being managed in real time.
• Customer analysis: acting on customer data, just in time, is critical in the competitive retail industry. Any delay in processing huge (and growing) amounts of data in real time can affect profitability. This has been eliminated by integrating the huge amounts of data, in real time, and presenting them at the point of demand to ensure sales opportunities are never missed.
These are low-level instances. However, in order to have the true real-time enterprise, these isolated usages of real-time decision making and analytics need to be expanded. For this to happen, a holistic approach is needed in order to obtain the granularity required. All systems, people and processes need to be brought together. However, these basics need to be supplemented by three vital items:
• First, a global agreement that supports the global drive needs to be arranged with all suppliers in the chain.
• Second, a close global working relationship needs to be established for the global arrangement to work.
• Finally, this needs to be a platform-led development with the partners, to reduce the need for retooling each time a new real-time resource comes on line, and to lower the potential for technology redundancy. A platform should be robust enough to evolve over time to support all global needs.
Evolution is important.

The ability to learn from experience is particularly crucial in fraud detection. Fraudsters do not stay still and scams constantly evolve. Protecting reputation and preventing financial loss both require the constant evolution of models and their incorporation within the authorization process, with no commercial disruption. New modelling technologies and methodologies are available to provide better and faster fraud detection and model evolution.

At point of sale or ATM there are four simple options: Accept, Accept and Modify Chip Logic, Refer or Decline. Milliseconds are allowable for a decision. No one wants a customer or merchant to wait minutes or hours for a decision, which would be embarrassing for all concerned.


Any risk-modelling approach must be able to integrate both the value of pooled consortium data and customers' own data into customer-specific and controlled models. The modelling and real-time scoring environment should also be able to support a champion/challenger strategy and the ability to use a range of models for different purposes. By using a champion/challenger approach, new models can be tested against old ones to preserve their effectiveness. This is true for any type of risk: credit, market, operational, fraud, legal and reputational. These models must be frequently updated to minimize the inevitable effect of model decay over time. The additional value of a partnered, global development should ease transition from the legacy non-time-focused management system. The benefit of partnering increases the organizational understanding of how the system operates, leading to an intimate knowledge of the capabilities of the real-time platform developed. This, in turn, will ensure that an organization can cope with multiple business applications as the real-time environment grows to include all types of risk.
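The champion/challenger arrangement just described, as an added Python sketch that is not SAS's or any vendor's code: the champion's score drives the Accept/Refer/Decline response at the terminal (three of the four options named earlier), the challenger scores the same transaction in shadow mode, and once confirmed outcomes are back both models are compared so a decayed champion can be retired. The two scoring rules, the thresholds and the sample transactions are placeholders constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Decision bands over a 0-1000 fraud score (thresholds are assumptions).
REFER_AT, DECLINE_AT = 600, 850


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: float
    country: str            # where the card is being used
    home_country: str       # cardholder's country
    minutes_since_last: float
    merchant_category: str


def decide(score: int) -> str:
    """Map a score to the terminal response (Accept / Refer / Decline)."""
    if score >= DECLINE_AT:
        return "Decline"
    if score >= REFER_AT:
        return "Refer"
    return "Accept"


def champion_model(t: Txn) -> int:
    """Placeholder for the incumbent model: amount and cross-border use only."""
    score = min(500, int(t.amount))
    score += 300 if t.country != t.home_country else 0
    return min(1000, score)


def challenger_model(t: Txn) -> int:
    """Placeholder for a refreshed model that also weights velocity and merchant type."""
    score = min(400, int(t.amount * 0.8))
    score += 300 if t.country != t.home_country else 0
    score += 300 if t.minutes_since_last < 5 else 0
    score += 150 if t.merchant_category in {"jewellery", "electronics"} else 0
    return min(1000, score)


@dataclass(frozen=True)
class Scored:
    txn_id: str
    champion: str    # decision actually returned to the point of sale
    challenger: str  # shadow decision, logged only


def authorize(t: Txn, champion: Callable[[Txn], int], challenger: Callable[[Txn], int]) -> Scored:
    """Real-time path: both models score the transaction; only the champion's answer is enforced."""
    return Scored(t.txn_id, decide(champion(t)), decide(challenger(t)))


def evaluate(log: List[Scored], outcomes: Dict[str, bool]) -> Dict[str, Dict[str, int]]:
    """Compare both models once confirmed fraud outcomes are back in the risk data model."""
    report = {}
    for model in ("champion", "challenger"):
        stopped = missed = false_declines = 0
        for s in log:
            decision, is_fraud = getattr(s, model), outcomes[s.txn_id]
            if is_fraud and decision != "Accept":
                stopped += 1          # fraud referred or declined
            elif is_fraud:
                missed += 1           # fraud accepted
            elif decision == "Decline":
                false_declines += 1   # genuine customer declined
        report[model] = {"stopped": stopped, "missed": missed, "false_declines": false_declines}
    return report


def should_promote(report: Dict[str, Dict[str, int]]) -> bool:
    """Promote the challenger only if it stops more fraud without declining more genuine customers."""
    c, h = report["champion"], report["challenger"]
    return h["stopped"] > c["stopped"] and h["false_declines"] <= c["false_declines"]


def demo():
    """Constructed sample authorizations and their later-confirmed outcomes."""
    txns = [
        Txn("t1", 40.0, "GB", "GB", 60, "grocery"),
        Txn("t2", 900.0, "ES", "GB", 120, "hotel"),
        Txn("t3", 350.0, "GB", "GB", 2, "electronics"),
        Txn("t4", 2000.0, "US", "GB", 1, "jewellery"),
        Txn("t5", 700.0, "GB", "GB", 3, "grocery"),
        Txn("t6", 1000.0, "FR", "GB", 200, "hotel"),
    ]
    outcomes = {"t1": False, "t2": False, "t3": True, "t4": True, "t5": True, "t6": False}
    log = [authorize(t, champion_model, challenger_model) for t in txns]
    report = evaluate(log, outcomes)
    return report, should_promote(report)
```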

Real-time maintenance

For this type of solution each and every activity should be captured and stored within a risk data model. The information stored within this database can be used for a number of different purposes:

1. Standardized internal reporting.
2. Ad-hoc internal analysis.
3. Running what-if analyses and simulations during rule building.
4. Providing feeds to regulatory authorities and industry initiatives (eg the APACS PIPJIU).
5. Providing feeds into the consortium database for consortium model refreshes.
6. Providing data back to the supplier for customer model refreshes.
7. Monte Carlo and other scenario analysis.
8. Stress testing.

Items (5) and (6) mean that a software vendor has the information it requires, in the right format, to build and update risk models. This methodology eliminates the traditionally high effort required to collate data, shortening the model build process and enabling an increased model refresh rate. The benefit of this is greater accuracy, more reflective of the current environment.

Maintenance of data quality and credibility

Your data integration system should evaluate data as it comes in, dynamically correcting errors before they are pushed further into the process, thus improving data credibility.


Creating automated processes for system resilience

Rather than swapping out part or all of the architecture each time there is a capacity issue, why not accommodate this load as a marginal increase in hardware, increasing system stability and availability?

Delivering mid-process report viewing

Why not create a system that can ensure that decision makers have the information they need to do their jobs as soon as they get to the office or go online? Batch processing does not give you the up-to-date information required. There is a huge systems and maintenance overhead in delivering end-of-month reports. Why not make them real time? The real-time platform offers the potential to reduce maintenance and reporting overheads, making systems more efficient and, even better news, giving the business the up-to-date information it needs to create competitive advantage in a changing business environment.

Developing on the real-time platform

Delivering real-time fraud management for card portfolios shows how organizations can start the real-time journey. Many software vendors claim to offer real-time solutions, but a real-time platform means that solutions can be added to ensure an enterprise-wide approach to risk. Credit and debit cards are purely the beginning, and the vision should be for the real-time capability to extend into other risk management areas. The most time-sensitive area of the banking industry is risk management – in particular credit risk. The EU faster-payments initiative shows that the pace of life and customer service is changing, and a real-time processing capability will be required for internet and other payments. In terms of credit underwriting, the speed and accuracy of a decision can be an important factor for intermediaries and customers alike. The development of a real-time decision-making capability will deliver that competitive advantage. In addition, any software deployed must reduce the exposure to default and impaired credit agreements at the point of inception. Any forward-thinking business strategy should take a real-time platform, such as that used for fraud management, and extend it into all areas of organizational performance. In credit management the issues run from predicting bankruptcy to fraud detection and on to initial credit risk assessment through to holistic portfolio management. These issues can only be overcome by ensuring that those who need to understand the credit risk status of their entire business know this accurately and can address these challenges NOW!, not in the future. The ability to achieve this will determine which businesses lead the pack and which struggle to follow the leaders.


Note

1. British Council press release, Singapore, May 2007, www.britishcouncil.org.

5.3 Creating a risk management software solution

Andrew Birch, Symbiant

Introduction

Symbiant specializes in creating data management solutions. In the past we have developed some very powerful and complex tools for some of the world's biggest corporations. So, when we were approached by a Big-Four accountancy firm that needed a risk management solution for its clients, we thought nothing of it and readily agreed. The firm was trying to help some of its middle-market clients find a risk management tool that was economical to buy and yet included features that other systems appeared to be ignoring, such as virtual workshops, flexible ways of recording risk appetite and linkage to control self-assessment. The firm gave us some inputs and agreed to work with us as a means of pushing forward risk management thinking and practice. It did not want to get into selling risk management software itself as its policy in this area is to provide consulting and advice, rather than actual software. So ownership of the software would be ours, as would all the costs of development.

The right software makes all the difference

Symbiant Tracker is a web-based issue tracking solution for internal audit. Issues are assigned to assignees, who receive automated e-mails, then log on and keep the issue updated with their progress.

For more information on Tracker or to order a free trial please visit

www.symtrack.com

Symbiant Risk Suite is a web-based ERM solution that is easy to embed, facilitates an ongoing and continuous risk management programme, and creates all reports including risk registers and risk maps with appetite lines.

For more information on Risk Suite or to order a free trial please visit

www.symrisk.com

RISK MANAGEMENT SOFTWARE SOLUTIONS 253 •

This therefore was the gamble: how much would it cost us in time and money to develop such a solution? From our initial conversations with the firm, with nine programmers on the job, we anticipated three to six months and up to £500,000. This was in April 2005. It took us until March 2006 to have the first working model, a period of almost 12 months.

The task in hand

The problems we faced were plentiful. Solutions we create have to be usable, and this is almost our trademark. However complicated the software or the tasks it performs, it must be intuitive and need little or no training for clients to use it. We had done this very successfully with Symbiant 'Tracker', which was an internal audit tool for implementing issues and recommendations. The auditors enter issues on to the system and then assign the issue actions to auditees. This gives ownership of the action, and the auditees keep the issue updated with their progress. Thus at any one time the auditors know the exact state of all the issues on the system. The companies that had already bought Tracker were telling us how wonderful it was, how they had managed to roll it out and how, without any training, the auditees (users) had taken to it. They also commented on the powerful reporting suite and how it made producing reports for the audit committee such a simple affair. In essence, they were all more than satisfied with what we had created. This was the precedent we had to follow. We had to make a risk management tool as good and as easy to use as Symbiant Tracker. Even though there are many more elements to risk management, we had to create a tool that simplified it for the users.

The groundwork

We first looked at other solutions on the market to make sure we were not reinventing the wheel. What surprised us the most was the lack of user friendliness that seemed to dominate software in this area. For something that is ideally a company-wide issue (risk management), these other solutions would require a good level of user knowledge and a great deal of training. I think the main problem with the other solutions we looked at was that they had been written by experts in a set methodology that directed programmers what to write and assumed everyone who used the solution would understand the process as they performed it. In reality, this is never the case. It is fairly easy to create a solution that will do what you want it to do, but it is difficult to create a solution that will get others to do what you want them to do. On the other hand, we are software developers who knew nothing about risk management or its practices. This was our main advantage over the other products on the market. We knew from years of writing software solutions that if users don't get to grips with the software quite quickly you can forget it; they just will not use it, and that makes the expense pointless. We had to create something we could use and understand, but more importantly something that any risk manager, computer literate or not, could use and understand. It had to allow someone who may never have seen the program before to use it without any training. In other words, we were seeking a solution that a company could embed with very little effort and no steep learning curve.

Workshops or sweatshops

Our first step was to understand the risk management framework: the information that needs to be collected and how that information is assessed. This involved lots of flip charts and asking what must have seemed like very silly questions, especially when we got to risk maps, gross impact and likelihood, and net impact and likelihood. What was that all about? The workshops helped us to understand this. We had our voting paddles and a list of 10 risks we had to discuss then measure. It took us two hours to vote on three risks. One of the voting paddles stopped working for no apparent reason; other paddles missed responses and had to be redone. We started the day full of enthusiasm and by lunch time just wanted the pain to go away. Worst of all, we knew we had another seven risks to assess. In the afternoon session the first two risks were probably quite accurate; the next five were just a rush and any button would do. We just wanted to bring the day to an end. We had got the message and learned that this had to be the most arduous task risk managers have to endure. We also discovered that companies tend to run these workshops only once a year at most, and that they may last a week. So, at best, the risks that companies face on a day-to-day basis are generally only tackled once a year, the main reason being the logistics and costs involved in getting all the required people together at the same time in the same room. This in itself seemed to conflict with the Combined Code's recommendation (derived from the Turnbull Report) that a company's risk identification process should be continuous. Rather than being continuous, this seemed like an annual event, and not one to which people would look forward. Due to the potentially mundane nature of these workshops it also has to be said that the accuracy and quality of the results must be questionable. How can anybody be working efficiently and thinking clearly when they are willing the day to end?
The next part of our training was learning how the results are assessed, scores totalled and averaged and risk maps plotted with hot spots. We then learned about risk appetite and producing risk registers – normal, standard deviation and distance from appetite.

A to Z is not always that simple

Eventually we had a road map: the basic architecture of what a solution needs to do to provide a total risk management solution – not something that only deals with a small section of the risk process but a solution that would cover all the areas a company needs to run an effective risk programme. The problem was putting this together in a workable, intuitive solution, and this was when the huge scale of the task started to dawn on us. Risk management is actually quite a complex issue, with many parts; simplifying it would not be easy. We had to have a risk identification process: some way that users could make management aware of potential threats. This could partially be done via incident reporting: give users the ability to report an incident and all the relevant details, which could then be converted to a potential risk by management. Questionnaires would also help with this task, applying standard, assessment and key risk indicator/performance indicator questions. In this way management could ask specific questions and use the indicator questions to see if trends or danger zones were emerging.

Goodbye sweatshops

Now to tackle the workshops, something to replace the annual boardroom nightmare. A virtual workshop would allow users to discuss the issues, vote on them and then suggest and ballot a specific treatment. This would provide a key solution to the current problem of annual risk assessment in the boardroom. It would also allow risks to be assessed in small, workable chunks as they emerged. A workshop would be opened and assigned to a group or groups; members of those groups would have access to the workshop(s). The workshop would start in the open stage, with a date set for when the open stage would finish. Issues would then be added to the workshop and users could discuss them in a forum/blog style. All members of the group would receive an e-mail notifying them of the new workshop and all the relevant details. Users would then log in, in their own time, from their own computers, read user comments and add their own responses. This would allow everyone to discuss the issues and ask any questions they may have had. When the target date was reached the workshop could be moved into its voting phase, a new target date set for when the voting stage would end, and an automated e-mail sent notifying the relevant people of what they have to do. Using preset responses users could decide on the gross and net impact and likelihood for each issue and, if required, a risk appetite choice (Figure 5.3.1). Management could then assess those responses in real time using risk maps and other reports. Once the risks had been assessed, the issues that the group felt were not major risks or were within the appetite could be removed from the workshop. The workshop would then be moved into its treatment phase and the automated e-mails triggered. Users would then log in and either suggest treatments or agree with other users' suggestions.

The reports would let the management know which were the most popular treatments, and they could then adopt one or more of the proposed actions (Figure 5.3.2). The final stage would involve assigning the actions to people so they could carry them out. Again an automated e-mail would notify individuals of the action assigned to them, and they could report back via the system, keeping the action progress up to date. For this tracking part of 'Risk Suite' we decided to use a cut-down version of Symbiant Tracker.
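The workshop flow just described (open, voting, treatment, actions, each gated by a target date) together with the vote arithmetic mentioned earlier (gross and net impact times likelihood, averaged across voters, with standard deviation and distance from appetite), as an added Python sketch that is not Symbiant's code. The scale labels, the mapping of an appetite choice to a score, the rule that the strictest voter's appetite governs, and the sample votes are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import mean, pstdev

# Five-point scales (labels are assumptions). Figure 5.3.1 shows Catastrophic x Almost
# Certain = 25 and Insignificant x Unlikely = 2, i.e. score = impact x likelihood.
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
APPETITE = {"Low": 4, "Medium": 9, "High": 16}  # assumed: highest acceptable net score
PHASES = ["open", "voting", "treatment", "actions"]


@dataclass
class Vote:
    voter: str
    gross_impact: str
    gross_likelihood: str
    net_impact: str
    net_likelihood: str
    appetite: str = "Medium"

    def gross(self) -> int:
        return IMPACT[self.gross_impact] * LIKELIHOOD[self.gross_likelihood]

    def net(self) -> int:
        return IMPACT[self.net_impact] * LIKELIHOOD[self.net_likelihood]


@dataclass
class Issue:
    title: str
    votes: list = field(default_factory=list)
    treatments: dict = field(default_factory=dict)  # proposal -> users backing it


@dataclass
class Workshop:
    title: str
    phase_end: date  # target date; the phase cannot be closed before it
    phase: str = "open"
    issues: list = field(default_factory=list)
    notices: list = field(default_factory=list)  # stand-in for the automated e-mails

    def advance(self, today: date, next_end: date) -> str:
        """Move to the next phase, but only once the current target date is reached."""
        if today < self.phase_end:
            raise ValueError(f"phase '{self.phase}' runs until {self.phase_end}")
        idx = PHASES.index(self.phase)
        if idx == len(PHASES) - 1:
            raise ValueError("workshop is already in its final phase")
        self.phase, self.phase_end = PHASES[idx + 1], next_end
        self.notices.append(f"{self.title}: '{self.phase}' phase open until {next_end}")
        return self.phase

    def add_vote(self, issue: Issue, vote: Vote) -> None:
        if self.phase != "voting":
            raise ValueError("votes are only accepted in the voting phase")
        issue.votes.append(vote)

    def ballot_treatment(self, issue: Issue, proposal: str, user: str) -> None:
        if self.phase != "treatment":
            raise ValueError("treatments are only proposed or seconded in the treatment phase")
        issue.treatments.setdefault(proposal, set()).add(user)


def register_entry(issue: Issue) -> dict:
    """Risk-register line: averaged scores, spread, and distance from appetite."""
    gross = [v.gross() for v in issue.votes]
    net = [v.net() for v in issue.votes]
    appetite = min(APPETITE[v.appetite] for v in issue.votes)  # strictest voter governs (assumed)
    net_mean = mean(net)
    return {
        "issue": issue.title,
        "gross_mean": mean(gross),
        "net_mean": net_mean,
        "net_stdev": pstdev(net),
        "appetite": appetite,
        "distance_from_appetite": net_mean - appetite,  # > 0: still outside appetite
        "within_appetite": net_mean <= appetite,  # such issues can be dropped before treatment
    }


def most_popular_treatment(issue: Issue) -> str:
    return max(issue.treatments, key=lambda p: len(issue.treatments[p]))


def demo() -> dict:
    """Constructed run modelled on the credit-card-fraud risk shown in Figure 5.3.1."""
    ws = Workshop("Q3 risk workshop", phase_end=date(2007, 9, 30))
    fraud = Issue("Credit card fraud")
    ws.issues.append(fraud)
    ws.advance(date(2007, 10, 1), next_end=date(2007, 10, 8))  # open -> voting
    ws.add_vote(fraud, Vote("demo", "Catastrophic", "Almost Certain", "Insignificant", "Unlikely"))
    ws.add_vote(fraud, Vote("carl", "Major", "Likely", "Minor", "Unlikely"))
    ws.add_vote(fraud, Vote("elena", "Catastrophic", "Likely", "Moderate", "Possible", "Low"))
    entry = register_entry(fraud)
    ws.advance(date(2007, 10, 8), next_end=date(2007, 10, 15))  # voting -> treatment
    ws.ballot_treatment(fraud, "Tighten merchant fraud screening", "carl")
    ws.ballot_treatment(fraud, "Tighten merchant fraud screening", "elena")
    ws.ballot_treatment(fraud, "Accept cash only", "demo")
    entry["treatment"] = most_popular_treatment(fraud)
    return entry
```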

A better way

The key to a good product is giving the user a 'better way', and the solution we were creating was certainly achieving that; we just didn't know how much of a better way it would be until someone actually used it for real. But we had managed to make sense of and simplify what had been quite a drawn-out and complicated procedure. All we now had to do was get some users to test it under realistic conditions.

[Figure 5.3.1 (screenshot, not reproduced): the workshop voting screen for the sample risk 'Credit card fraud' (Risk: if we are seen as a soft spot for card fraud it could cost us a lot in bank charges and the possible revoking of our merchant account; Objective: to hit €20m turnover by January 2010), showing gross impact Catastrophic and likelihood Almost Certain (score 25), net impact Insignificant and likelihood Unlikely (score 2), an appetite of Medium, and the threaded discussion beneath the vote.]

Figure 5.3.1 Workshop discussion – voting on gross and net impact

[Figure 5.3.2 (screenshot, not reproduced): the list of proposed treatments for the same risk, with the proposing user and the date of each proposal.]

Figure 5.3.2 Proposal options


We approached our client base and asked for volunteers. Out of about 35 volunteers we picked 10 from different sectors so that we could get a spread of opinion. All the testers liked the solution and made suggestions as to what they would need to make it work for them. User feedback is the best way to develop a program; the basic structure was in place and so all we had to do was modify it so that it would fit into all 10 companies. This in itself became a new task. We ended up making the solution use a skin template so users could rename things and change the layout to suit their own individual requirements and terminology.

The bugs

One of the most annoying parts of software development is the bugs, and Risk Suite had its fair share; but after a few months of intensive trials across 10 companies we found probably 98 per cent of them. Once we had fixed the bugs we knew about, and added all the 'nice to have' features that our volunteers had suggested, we launched 'Risk Suite Version 1' as an affordable total risk management solution.

Roll out

Because Risk Suite is installed on the corporate intranet or internet, it does not need to be installed on everyone's PC. This makes rolling it out simple and, because it is intuitive, it is easy to embed. One of our first clients was the Institute of Chartered Accountants in England and Wales (ICAEW), which was then looking for a risk management solution. To say they were impressed may be an understatement. They were so impressed they took the unusual step of endorsing it as a user. As they had never endorsed any software before or since, this in itself gave testimony to what a superb product we had created. Since then we have continued to build and develop Risk Suite in response to user feedback. We are now on Version 2.4 and have users all over the world. We have also recently learned that the Cape Peninsula University of Technology in Cape Town, South Africa uses our Risk Suite to teach students about risk management and what an effective risk programme should consist of. Apparently, the students enjoy using the program; it is fun to use and they are impressed with its capabilities. When we first started out to develop Risk Suite the last thing I would have expected is that risk management is fun, but I have to admit that I now love running the workshops when we are doing demonstrations for clients. We get people without any training who have never seen Risk Suite identifying risks, assessing them and suggesting treatments. When we provide the risk managers with a risk register and risk maps, all created from their users' input, we can feel their joy of knowing there is finally a product to help them do their job properly. If readers would like to learn more about Risk Suite or Tracker, or to arrange a free trial, please contact Symbiant at www.symbiant.co.uk.

Appendix: Contributors' contact list

Appleyards Ltd
Appleyards House, 72 Brighton Road, Horsham, West Sussex RH13 5BU
Tel: +44 (0) 8705 275201
Fax: +44 (0) 8705 143047
Contact: Scott Hartop
e-mail: [email protected]
www.appleyards.co.uk

Beck Greener
Fulwood House, 12 Fulwood Place, London WC1V 6HR
Tel: +44 (0) 20 7693 5600
Contact: Jacqueline Needle
e-mail: [email protected]
www.beckgreener.com

Bird Goën & Co
Klein Dalenstraat 42A, B-3020 Winksele, Belgium
Tel: +32 (0) 1648 0562
Fax: +32 (0) 1648 0528
Contact: William Bird
e-mail: [email protected]
www.birdgoen.com

Centre for Effective Dispute Resolution (CEDR)
70 Fleet Street, London EC4Y 1EU
Tel: +44 (0) 20 7536 6000
Fax: +44 (0) 20 7536 6001
Contact: Andy Rogers
e-mail: [email protected]
www.cedr.co.uk

Chartered Institute of Management Accountants (CIMA)
26 Chapter Street, London SW1P 4NP
Tel: +44 (0) 20 7663 5441
Fax: +44 (0) 20 7663 5442
Contact: Lottie Muir
e-mail: [email protected]
www.cimaglobal.com

Chartered Institute of Purchasing & Supply (CIPS)
Easton House, Easton on the Hill, Stamford PE9 3NZ
Tel: +44 (0) 1780 756777
Fax: +44 (0) 1780 751610
Contact: Liz Lees
e-mail: [email protected]
www.cips.org

Cision UK Ltd
Cision House, 16–22 Baltic Street West, London EC1Y 0UL
Tel: +44 (0) 20 7251 7220
Fax: +44 (0) 20 7689 1164
Contact: Paul Miller
Direct line: +44 (0) 870 736 0010
e-mail: [email protected]
www.cision.com

Commercial Security International Ltd
123 Aldersgate Street, London EC1A 4JQ
Tel: +44 (0) 20 7553 7960
Contact: Neil Miller
e-mail: [email protected]
www.comsec-international.com

Control Risks
Cottons Centre, Cottons Lane, London SE1 2QG
Tel: +44 (0) 20 7970 2100
Fax: +44 (0) 20 7970 2222
e-mail: [email protected]
www.control-risks.com

Corfin Communications
Floor 11, 78 Cannon Street, London EC4N 6HH
Tel: +44 (0) 20 7929 8998
Fax: +44 (0) 20 7929 4869
Contact: William Cullum
e-mail: [email protected]
www.corfinpr.com

Ernst & Young LLP, Risk Advisory Services
1 More London Place, London SE1 2AF
Tel: +44 (0) 20 7951 2000
Fax: +44 (0) 20 7951 1345
Contact: Fiona Sheridan
e-mail: [email protected]; [email protected]

Gill Jennings & Every LLP
Broadgate House, 7 Eldon Street, London EC2M 7LH
Tel: +44 (0) 20 7377 1377
Fax: +44 (0) 20 7377 1310
Contact: Peter Finnie
e-mail: [email protected]
www.gje.co.uk

HSBC Operational Risk Consultancy
Bishops Court, 27–33 Artillery Lane, London E1 7LP
Tel: +44 (0) 7357 661 2853
e-mail: [email protected]
www.hsbc.com

ICM Computer Group
ICM House, Oakwell Park, Oakwell Way, Birstall, West Yorkshire WF17 9LU
Tel: +44 (0) 1924 422 111
Contact: Alistair King
e-mail: [email protected]
www.icm-computer.co.uk

The Institute of Risk Management
6 Lloyd's Avenue, London EC3N 3AX
Tel: +44 (0) 20 7709 9808
Fax: +44 (0) 20 7709 0716
Contact: Rebecca Brueton
e-mail: [email protected]
www.theirm.org

Lloyds Register Quality Assurance Limited
LRQA Centre, Hiramford, Middlemarch Office Village, Siskin Drive, Coventry CV3 4JF
Tel: +44 (0) 24 7688 2288
Fax: +44 (0) 24 7630 6055
Contact: Alex Briggs
e-mail: [email protected]
www.lrqa.com

LOVEN Patents and Trademarks
West Central, Runcorn Road, Lincoln LN6 3QP
Tel: +44 (0) 1522 801111
Fax: +44 (0) 1522 870505
Contact: Keith Loven
Direct line: +44 (0) 1522 801113
e-mail: [email protected]
www.loven.co.uk

McKinty & Wright
5–7 Upper Queen Street, Belfast BT1 6FS
Tel: +44 (0) 28 9024 6751
Fax: +44 (0) 28 9023 1432
Contact: Sean McGahan
Direct line: +44 (0) 28 9041 2820
e-mail: [email protected]

Norland Managed Services Limited
454–460 Old Kent Road, London SE1 5AH
Tel: +44 (0) 20 7231 8888
Contact: Paul Saville-King
e-mail: [email protected]
www.norlandmanagedservices.co.uk

Novagraaf France
122 rue Edouard Vaillant, 92593 Levallois-Perret, France
Tel: +33 (0) 1 49 64 60 00
Fax: +33 (0) 1 49 64 60 60
Contacts: Eric Achour and Jean-Louis Somnier
e-mail: [email protected]
www.novagraaf.fr

SAS UK & Ireland
Wittington House, Henley Road, Medmenham, Marlow, Buckinghamshire SL7 2EB
Tel: +44 (0) 1628 486 933
Fax: +44 (0) 1628 483 203
Contact: Bart Patrick
e-mail: [email protected]
www.sas.com/uk

Siemens Insight Consulting
5 The Quintet, Churchfield Road, Walton on Thames, Surrey KT12 2TZ
Tel: +44 (0) 1932 241000
Fax: +44 (0) 1932 236868
Contact: Dominic Healey
e-mail: [email protected]
www.siemens.co.uk

Strategic Risk Partnerships Ltd
St Clare House, 30–33 Minories, London EC3N 1DD
Tel: +44 (0) 20 7977 6770/6772
Contact: Karen Smith
e-mail: [email protected]
www.srplondon.com

SunGard Availability Services (UK) Limited
Units 12–13 Bracknell Beeches, Old Bracknell Lane West, Bracknell, Berkshire RG12 7BW
Tel: +44 (0) 800 143 413
Contact: Piper-Ann Shields
e-mail: [email protected]
www.sungard.co.uk

Symbiant
Westgate House, 100 Wellington Street, Leeds LS1 4LY
Tel: +44 (0) 113 237 394
Contact: Andrew Birch
Direct dial: +44 (0) 1943 870052
e-mail: [email protected]
www.symbiant.co.uk

Thomas Miller Risk Management (UK) Ltd
International House, 26 Creechurch Lane, London EC3A 5BA
Tel: +44 (0) 20 7204 2569
Contact: Lee Tricker
e-mail: [email protected]
www.tmrm.com

XL Insurance Group
XL House, 70 Gracechurch Street, London EC3V 0XL
Contact: Donal Kelly
e-mail: [email protected]
www.xlgroup.com

Index

ageing consumer and workforce risk 21
all risks property damage insurance 122
attention economy 73
board
  accountability 90
  and responsibility 90
  and risk management 90
brand, securing 182
branding, risk 209 et seq
  ownership 210
  protection 211
  quality 210
  value maintenance 211
BS 25999, effect of 163 et seq
  and supply chain 188
business continuity
  and IT 238
  management 163, 165
  plan 185 et seq
  SMEs 188
  and technology 240
business interruption cover 121
business planners, and risk 67
combined risk profile 12
commercial property damage and business interruption insurance 119 et seq
communications technology 72 et seq
complexity, designing in 57
compliance, burden of 173
compulsive risk assessment psychosis 130
conflict
  cost 112
  literacy 116
  management, best practice 111 et seq
  management strategy 115
  resolution options 116
  styles, measurement 116
  productivity, effect on 114
  relationships and reputations 113
consolidation and transition risk 22
conspiratorial risk aversion policy 131
consumer demand risk 24
continuity risks, use of IT 235 et seq
contract risk 89 et seq
  contracts 91
corporate governance, managing risk 43
corporate reputation 81
corporate strategy and risk xxiv
cost inflation risk 23
critical engineering and risk management (CREM) 149 et seq
  culture and behaviours 155
  and engineering infrastructure 150
  the five pillars 152 et seq
data collation, need for 243
digital content, long tail 74
Disaster Cover Direct 187
disease pandemic risk 24
downtime, causes of 237
emerging markets risk 21
  China risk 25
energy shocks risk 23
enterprise risk management (ERM) 8, 9
  and banking 8
  enterprise-wide scenarios 13
  nature 30
  and role of technology 27 et seq
  trends 27
enterprise risk strategy 5 et seq
Ernst and Young Strategic Risk Radar 19
global financial shock risks 21
hidden structures, visibility 58
innovation failure risk 25
insurance
  compliance and standardization 125
  in corporate risk management 121
  industrial/commercial tailored cover 123
  principle of trust 126
integrator system approach 140
intellectual property risk 195 et seq
  due diligence 199
  effective use of 229
  the internet 206
  litigation 226 et seq
    avoidance 231
  nature of 203
  new products 205
  ownership, expansion 205
  R & D 204
  rights, strength of 201 et seq
  risk estimation and management 216 et seq
internet, and risk management 101
IT, mitigation of continuity risks 235 et seq
  virtualization 239
kaisen techniques 245
loss exposure, food risk 180
  mitigation 182
management systems 40
  adopting 139
  certification 44
  competitive advantage 44
  and corporate governance 39 et seq
  implementing 42
management outside 135
  risk management 135 et seq
media information cycle 78
news, future of 79
organizational structure, understanding 47
patents and patent portfolios 216 et seq
  auctions 222
  commercial risks 217
  default rates 219
  freedom to operate analysis 222
  litigation
    cost of 227, 229
    UK procedures 228
  portfolio concept 220
  SMEs 221
  third party infringement 222
performance monitoring 174
plan failure risk 23
political risk 65 et seq
  best practice 70
  business planning, misalignment with 69
  nature of 66
power law graph 75
PRIMAL 141
private equity risk 25
product recall, risk in food industry 177 et seq
  insurance 184
  regulatory risk 177
  unsafe product 179
property damage and business interruption insurance 122
radical greening risk 23
real time maintenance 248
  partnership approach 246
  platform development 249
real-time enterprise 242 et seq
  and transactional speed 242
recovery point, recovery time objectives 236
regulatory and compliance risks 19
regulation and process 31
reinsurance 123
reputation 82, 98
  and communications technology 72 et seq
  risk 83
reputation risk 102
  identification 85
  management 86, 87
  measurement 85
  as PLC 98 et seq
  reporting 86
risk
  allocation to third party 92
  assessment workshops 47
  aversion factors 29
  business, strategy 17 et seq
  cultural 84
  dynamics 55, 57, 60
  engineering 151
  external 84
  identification and assessment 10
  intellectual property 195 et seq
    acquisition 196
    enforcement 197
    exploitation 196
    monitoring 197
  legal language 129
  management applications 91
  managerial 84
  mitigation and controls 11, 68
  networks and impact families 57
  and procurement 92
  and quality 41
  silos 12
  supply chain 171 et seq
  types, comparison 9
risk management
  champions 48
  communication, need for 49
  and critical engineering 149 et seq
  incentives 48
  fragmentation 68
  practical embedment 46
  software solution 251 et seq
scale, problems of 5
scenario analysis in operational risk
  scenarios 148
  shortcomings 147
scenario planning 146
scenario testing and operational risk 142 et seq
  definition 143
  information sources 145
scenarios, development methodologies 144
search engine optimization 76
search performance 77
service or product delivery 93
  procurement 95
siloed risk approach 34
social upheaval 77
software, risk management solution 251 et seq
stakeholders, role 100
strategic purchasing and supply 157 et seq
  business risk environment 160
  role of professionals 159
strategic risk, new perspectives 51 et seq
  communication 59
stress testing, and operational risk 142 et seq
  definition 143
  information sources 145
supply chain
  assurance, principles of 175
  management 173
  risk 171 et seq
  SMEs, protection of 185 et seq
systems, effect on risk management 32
  pyramid 33
  risk 35
  impacts 37
temporary staff 161
terrorism, crisis risk management 105 et seq
  current threat and motivations 106
  evolution 105
  management plan 108
  organizational performance 106
  planning 107
  rehearsing and training 108
uncertainty, designed-in 51
  assumptions 52
value generators and value protectors 157 et seq
war for talent risk 24

Index of advertisers

Appleyards 53
Assurant Solutions xxxvi–xl
Beck Greener 225
Bird Goën & Co 215
BSI Business Information viii
The Chartered Institute of Purchasing & Supply 158
CIMA ii
Cision x–xi
Companies House xiv
CSi – Commercial Security International Ltd 104
Control Risks 64
Ernst and Young 16
Gill Jennings & Every LLP ix
Halcrow xxiv
HSBC Insurance 6–7
ICM 186, 234
Intercontinental Hotels & Resorts lii–lviii
The Institute of Risk Management v–vii
LOVEN 208
LRQA 136–37
McKinty and Wright Solicitors xxviii–xxxii
Novagraaf 202
The Patent Office xxvi
Risk Frisk xx–xxiii, lxvi–lxix
Rushton International xliv–xlviii
SAS xvi, 28
Stewart – Risk Management Information Software lx–lxiv
Strategic Risk Partnerships Limited 120
SunGard Availability Services 164
Symbiant Ltd 252
Synergi xviii
XL Insurance xii, 178
