ERM Chapter 6 Risk Governance

We examine corporate governance, regulatory obligations, and the key risk management duties assigned to boards and executive leadership. The data that management obtains about risks and the effectiveness of controls being applied aids in decision-making and reassures both the organization and outside stakeholders that the entity remains a going concern with strong prospects for long-term survival. Globally, the purpose of corporate governance is to ensure that the right individuals are held responsible for an organization’s decisions, actions, and their resulting consequences. Beyond that, corporate governance offers confidence that organizations are guided and managed in a manner that promotes success and longevity, safeguarding not only the interests of shareholders but also those of other internal and external stakeholders. The composition of the board and the defined roles and responsibilities of its members offer direction for establishing an appropriate risk management framework within an organization. This framework, in turn, creates a foundation for ensuring that risk management and internal controls are effectively carried out.

6.1 Corporate Governance

Corporate governance can be described as:

“The manner in which companies are directed and the objectives they pursue. It clarifies who holds authority and responsibility, and who is tasked with decision-making. It serves as a set of tools that equips management and the board to better address the complexities of operating a business. Corporate governance establishes suitable decision-making processes and controls to ensure a balanced consideration of the interests of all stakeholders, including shareholders, employees, suppliers, customers, and the broader community.”

Corporate governance is relevant to all types of organizations—whether private, public sector, governmental, or not-for-profit—regardless of whether they are publicly listed. While smaller entities may face less scrutiny than larger ones, adopting elements of best practice remains beneficial. In the UK, the Financial Reporting Council (FRC) introduced its inaugural corporate governance code in 1992, originally termed the Cadbury Code of Best Practice. Although well-run companies existed prior to this, a wave of corporate collapses prompted the accounting profession, the London Stock Exchange, and other stakeholders to collaborate on a code to set a standard for effective board functioning, oversight, and risk management. This code evolved with the 1999 Turnbull Report, which guided directors of listed companies in establishing robust risk management and internal control systems to meet their goals. The most recent iteration, the 2018 UK Corporate Governance Code, continues to define corporate governance as “the system by which companies are directed and controlled.” It emphasizes:

At its core, the Code presents refreshed Principles underscoring the importance of strong governance for sustained, long-term success. By adhering to these Principles, implementing the detailed Provisions, and leveraging related guidance, companies can illustrate in their reports how governance drives long-term success and broader objectives (FRC, 2018, page 1). Key elements of the UK Corporate Governance Code include:

  1. Board Leadership and Company Purpose
    • The board must promote the company’s long-term sustainable success.
    • It should establish and monitor the company’s purpose, values, and culture.
    • There must be effective engagement with shareholders, employees, and other stakeholders.
  2. Division of Responsibilities
    • A clear separation of roles between the chair and CEO.
    • The chair should lead the board, ensuring open debate and constructive challenge.
    • Non-executive directors (NEDs) should provide independent judgment.
    • A strong company secretary should support governance processes.
  3. Composition, Succession, and Evaluation
    • Boards should have an appropriate mix of skills, experience, and diversity.
    • At least 50% of the board (excluding the chair) should be independent NEDs.
    • Annual board evaluations should assess effectiveness and performance.
    • Succession planning should ensure long-term leadership stability.
  4. Audit, Risk, and Internal Control
    • Boards must establish robust risk management and internal control systems.
    • The audit committee should be made up of independent NEDs.
    • There must be transparent and high-quality financial reporting.
    • External and internal audits should be independent and effective.
  5. Remuneration
    • Executive pay should align with company purpose, values, and long-term strategy.
    • The remuneration committee, composed of independent NEDs, should oversee pay policies.
    • There should be clear performance-related incentives to avoid excessive risk-taking.
    • Pay policies must be transparent and fair, considering the wider workforce.

Application of the Code

  • “Comply or Explain” Approach: Companies must either follow the Code’s principles or explain deviations in their annual reports.
  • Focus on Stakeholders: Emphasis on engaging employees, investors, and stakeholders in governance decisions.
  • Culture and Accountability: Ensuring companies operate with integrity, fairness, and accountability.

For risk professionals, the Code’s greatest significance lies in the board’s role in ensuring a solid risk management and internal control framework. Section 4, particularly Principle O, is especially pertinent:
“The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take to achieve its long-term objectives.”
The Code defines “principal risks” as encompassing—but not limited to—threats to the company’s business model, future performance, solvency, liquidity, and reputation. While typically viewed as downside risks, boards should also consider risks that could significantly enhance these areas. The Code also mentions “material controls” and “material uncertainties,” terms we will explore later. Over its 25+ years, the UK Corporate Governance Code has elevated boardroom standards, improving director appointments, remuneration balance, and shareholder relations. Though mandatory only for London Stock Exchange-listed companies, its principles are widely adopted by private firms, charities, public services, and organizations worldwide.

In 2018, alongside the Code, the FRC released “The Wates Corporate Governance Principles for Large Private Companies,” acknowledging the importance of governance across large organizations and the critical role private firms play in employment, productivity, and essential goods and services. These principles aim to enhance transparency and accountability for an organization’s actions and their effects on stakeholders like employees, suppliers, and customers, particularly during challenges.

In early 2022, the FRC assessed the Wates Principles’ adoption, noting that while companies embraced their intent, reporting quality could improve. Sir James Wates, who led their development, expressed hope that the review’s insights would encourage even non-regulated entities to adopt and refine good practices moving forward.

Materiality

The Code mandates that organizations evaluate and disclose material controls and material uncertainties. Traditionally, in this context, “materiality” is understood to pertain to anything significant to an organization’s financial health. In 2018, the International Standards on Auditing (ISA) released a report titled “Materiality in the Audit of Financial Statements,” highlighting the challenge of defining “materiality” due to its varying interpretations across different regions and contexts. At its core, though, an item is deemed financially material if it could meaningfully impact the organization’s profitability or if its omission could prevent an investor from making a well-informed decision. While this financial focus remains predominant, the growing emphasis on sustainability and the need to measure factors beyond profit—such as social and environmental capital—can complicate the meaning of “materiality.”

Corporate governance requirements

The word “requirement” can indicate something that is either “desired” or “mandatory.” This distinction applies to corporate governance requirements globally, where some are optional while others are obligatory. Corporate governance requirements that are “desired” are generally known as principles-based. Here, organizations are encouraged to follow outlined principles, though adherence is not legally required. If they choose not to follow these principles, they must provide an explanation for their decision. This approach is commonly called “comply or explain.” In contrast, “mandatory” corporate governance requirements are known as prescriptive-based. Organizations must adhere to these rules, and failure to do so results in penalties. This method is often termed “comply and sign.” The framework for corporate governance typically depends on the country. For instance, the UK adopts a principles-based approach, reinforced by relevant laws and regulations, while the US follows a prescriptive-based model.

a) Principles-based corporate governance: The Introduction to the UK Corporate Governance Code emphasizes that effectively implementing its principles relies on thorough, high-quality reporting regarding the provisions. Consequently, listed companies must detail in their reports how they have adhered to the Code’s core principles. They are required either to confirm compliance with the Code’s provisions or, if they haven’t complied, to offer a clear explanation. Companies are cautioned against adopting a superficial “tick-box” mindset when meeting these reporting obligations. Instead, they should embrace the UK’s “comply or explain” or principles-based framework. While following the Code isn’t legally binding, listed companies must disclose in their annual reports and accounts any instances of non-compliance, along with the reasons behind them. This transparency allows shareholders and other stakeholders to assess the significance of any deviations. The principles-based approach goes beyond merely noting compliance or non-compliance. It involves organizations thoughtfully determining how to apply the requirements in a way that fits their unique circumstances, rather than just mechanically checking off requirements. By tailoring their approach, boards take ownership of their strategy, governance, reporting, and assurance processes.

b) Prescriptive-based corporate governance: The UK Corporate Governance Code operates on a principles-based framework, employing the “comply or explain” method. In contrast, the “comply and sign” approach, also known as prescriptive or rules-based corporate governance, offers a different model. Under the prescriptive approach, compliance is not merely a regulatory expectation but is enshrined in law, with specific penalties—such as fines, imprisonment, or both—imposed on directors of publicly listed companies for non-compliance. Similar to the principles-based system, the prescriptive approach often emerges in reaction to major corporate collapses. For example, the Sarbanes-Oxley Act in the US was introduced following the Enron and WorldCom scandals. This rules-based method offers organizations clear guidelines for adhering to corporate governance standards, with a uniform set of rules applying to all listed companies. The threat of penalties also increases the likelihood of compliance. We’ll revisit Sarbanes-Oxley later in this section. However, some argue that the prescriptive approach can encourage a “box-ticking” mindset, where organizations focus on meeting the strict “letter of the law” or even exploiting loopholes, rather than seeking meaningful enhancements in their governance practices and reporting.

c) International corporate governance perspectives: Most nations have established formal corporate governance requirements, though their approaches vary. Some countries draw inspiration from the UK model; for instance, the Singapore Corporate Governance Code shares notable parallels with the UK’s framework. The Organisation for Economic Co-operation and Development (OECD) and the G20 jointly issued the G20/OECD Principles of Corporate Governance (OECD 2015), a widely adopted framework that remains voluntary. Elsewhere, countries adopt distinct methods, some of which are outlined below. In France, corporate governance is governed by legal provisions in the French Commercial Code and supplemented by recommendations from major French business associations. While these recommendations are not compulsory, companies typically follow them. The Corporate Governance Code is published by AFEP and MEDEF. In Germany, corporate governance is embedded in various laws concerning listed companies. Additionally, the German Corporate Governance Code (GCGC), revised in 2019, offers rules and recommendations, though these are not legally enforceable. In the US, the New York Stock Exchange mandates an effective governance structure with similarities to the UK system, while the Sarbanes-Oxley Act of 2002 imposes stringent, mandatory requirements on financial practices and corporate governance. South Africa’s King IV Corporate Governance Code adopts a unique stance with its “apply and explain” approach, which surpasses the “comply or explain” model by requiring organizations to provide clear insight into how they implement their governance practices.

6.2 Board Structure

We examined an organization’s governance framework in the context of the Risk Architecture within a risk management system, investigating how risk management activities should correspond with the organization’s management style and overall structure. In this analysis, we delved into agency theory to assess key relationships, such as those between shareholders, members, or trustees and the board of directors, the CEO, executives, and other stakeholders. Building on this, we now turn our attention to a more detailed exploration of the board of directors’ structure. Virtually all organizations are overseen by a board of directors or trustees, a group of elected individuals tasked with representing the interests of shareholders or members. As the pinnacle of the management hierarchy, the board holds ultimate responsibility for the organization’s governance. Boards may consist of executive directors, non-executive directors (NEDs), or a mix of both, with further discussion on board composition to follow later in this section. Executive directors are full-time staff members of the organization. Common examples include the Chief Executive Officer and Chief Finance Officer, though other senior leaders—such as those handling strategy, technical matters, sustainability, or communications—may also serve as executive directors, depending on the organization’s nature. Non-executive directors, by contrast, are not employees and do not participate in the organization’s daily operations. According to the Institute of Directors (2022), NEDs “enhance the board’s work by offering independent oversight and constructive challenges to the executive directors.” They are expected to maintain independence from the organization, its operations, and any related entities. Best practice suggests that boards should have a majority of NEDs compared to executive directors. Legally, the duties of all directors—executive and non-executive—are identical.

For unquoted or unregulated companies, there is typically no obligation to include NEDs on the board. Nevertheless, many such organizations choose to appoint them, valuing the external perspective and expertise they contribute.

The structure of a company’s board is often influenced by the country in which it operates or is registered. Organizations in the UK, US, and similar jurisdictions typically have a unitary board, while those in continental Europe often adopt a two-tiered board system. However, this is not a strict requirement, and some companies outside Europe are shifting towards the two-tiered model.

Unitary Board: Pros and Cons

Advantages:

  • Provides greater access to detailed information.
  • Ensures closer involvement in the organization’s strategy.
  • Enhances decision-making efficiency.

Disadvantages:

  • Blurs the line between management and supervision from an external perspective.
  • Increases the risk of conflicts of interest and loss of independence.

Two-Tiered Board: Pros and Cons

Advantages:

  • NEDs (Non-Executive Directors) are appointed based on expertise rather than personal connections.
  • The CEO cannot serve as the chair of the supervisory board, ensuring separation of powers.
  • Reduces bias in decision-making.

Disadvantages:

  • Typically larger than unitary boards, which can slow down decision-making.
  • NEDs’ financial ties to company performance (e.g., stock ownership) may compromise their independence.

Committees of the board

Most boards assign tasks to committees that specialize in specific areas, such as governance. Some of these committees are ongoing, while others are formed temporarily to address particular issues, dissolving once their goals are met. The number and type of committees an organization has depend on its size, governance structure, and annual objectives. However, the three most typical committees, as mandated by the UK Code, are:

  • Nomination Committee: Oversees the selection of new directors and ensures succession planning for both the board and the executive tier just below it.
  • Remuneration Committee: Determines executive compensation, balancing the need to attract and retain talent with the risk of overpayment, a topic often sparking debate.
  • Audit Committee: Manages financial reporting, evaluates the strength of internal controls and risk management systems, and serves as a channel for whistleblowing and addressing misconduct. Further details on the audit committee appear in Section 5.

Certain organizations establish an additional committee focused solely on risk management effectiveness, which may advise the board on:

  • Overall risk appetite
  • How changes in strategy or major transactions affect risk appetite
  • Identification and handling of principal risks
  • Emerging risks
  • Results of stress testing
  • The robustness of risk management and internal controls, including approving related disclosures for the annual report
  • The suitability of the organization’s values, culture, and reward structures

Variations of these committees might include a combined Nomination and Remuneration Committee, an Audit and Risk Committee, or, in smaller organizations, a Finance, Audit, and Risk Committee. Additional committees could also exist, such as an Operations Committee, Sustainability Committee, Finance Committee, or Members Committee, depending on the organization’s needs. The configuration of board-level committees is entirely shaped by the organization’s specific circumstances and may adapt as the organization evolves.

6.3 Regulatory influences

We’ve touched on factors that shape corporate governance. These factors typically apply nationwide, impacting all organizations registered or operating within a given country. Such influences often stem from independent entities or legal frameworks, which are set up to offer guidance and/or enforce governance standards, particularly for listed organizations. These bodies or laws also hold the authority to monitor compliance and impose penalties, such as fines or prosecution, for violations. We will now examine three major influences on corporate governance:

  • The UK’s Financial Reporting Council (FRC)
  • The US’s Sarbanes-Oxley Act
  • The Organisation for Economic Co-operation and Development (OECD)

6.3.1 Financial Reporting Council (FRC)

The FRC originated in the 1980s as a private sector body promoting high-quality financial reporting, consisting of the Accounting Standards Board and the Financial Reporting Review Panel. Following large corporate scandals, it took on audit and accountancy regulation in 2004 and actuarial oversight and standard setting in 2006, and it became an independent entity in 2011. The FRC now regulates auditors, accountants and actuaries, setting the corporate governance, reporting and auditing standards and holding those responsible for delivering them to account. As such, they monitor and take enforcement actions when things go wrong, and as an independent, transparent organisation they also consult with and report to the UK government. The FRC (2021) note that their role as a strong regulator is ‘central to creating trust in the quality of corporate governance, corporate reporting and audit, and actuarial work, and ensuring confidence from investors’. They also note that having a strong independent regulator underpins confidence in the UK market, which is based around a virtuous circle of:

  • Market confidence
  • Engaged investors
  • Better governance
  • Better quality reporting
  • Rigorous audit

As noted in this and previous units, the FRC are responsible for the UK Corporate Governance Code, the related Guidance on Board Effectiveness and the Wates Corporate Governance Principles for large private companies. In addition to the standards and codes, the FRC provide guidance and supporting reports, procedures, regulations, frameworks, thematic reviews and case studies for investors, accountants, actuaries, auditors and directors. As such, the FRC have a significant influence on corporate governance in the UK, and, in collaboration with their international peers, also have an influence on corporate governance exercised in many other countries.

6.3.2 Sarbanes Oxley (SOX)

The Sarbanes-Oxley Act (SOX) of 2002 was enacted following corporate scandals involving Enron, WorldCom, and Global Crossing. Effective from 2006, it mandates that companies listed on U.S. stock exchanges provide accurate financial disclosures. This reflects the “comply and sign” model of corporate governance, where failure to comply can lead to fines and jail time for executives. As highlighted by Hopkin and Thompson, Sections 302 and 404 are critical to risk management within SOX:

  • Section 302: Holds the Chief Executive Officer and Chief Financial Officer personally accountable for the accuracy, documentation, and filing of financial reports, as well as the integrity of the internal control framework.
  • Section 404: Requires annual financial reports to affirm that management is responsible for maintaining an “adequate” internal control system, including an evaluation of its effectiveness and disclosure of any deficiencies. External auditors must also verify management’s claims about the presence, functionality, and effectiveness of these controls.

SOX further mandates the adoption of a recognized risk management framework, recommending the COSO ERM model. Consequently, it significantly impacts both risk management and corporate governance, especially for U.S.-listed companies. In the wake of major corporate failures in the UK, new governance rules have been introduced, applicable to financial years ending December 2023 onward. Informally dubbed “UK SOX,” these changes align UK regulations more closely with U.S. standards. This new framework imposes significant reporting obligations on directors, necessitating considerable time and resources to achieve compliance.

6.3.3 OECD

The Organisation for Economic Co-operation and Development (OECD) is a global, non-profit entity that sets international standards and policies by working with representatives from governments, parliaments, international bodies, businesses, and the wider community.

The OECD pursues a three-pronged strategy:

  • Offering expertise and recommendations to shape policies and guide decision-making.
  • Engaging with and influencing policymakers to foster the exchange of ideas and experiences.
  • Promoting the creation of international standards to ensure consistency in critical areas, while providing a platform for collaboration to achieve common goals.

In 2005, the OECD introduced the “Guidelines on the Corporate Governance of State-Owned Enterprises” to assist countries in fulfilling their roles as company owners. These guidelines were revised in 2015 and again in 2023, with the latest update emphasizing key issues such as climate change and other environmental, social, and governance (ESG) risks; the rise of digital technologies and their associated opportunities and challenges; crisis and risk management; and excessive risk-taking in non-financial corporations. While the UK and US are OECD members, they are not obligated to adopt its corporate governance recommendations. Nonetheless, their membership means they both shape and are shaped by the OECD’s guidance.

6.4 Board roles and responsibilities

We explored various risk management roles and responsibilities within organizations, including those of the board and the chief risk officer in their strategic oversight and corporate governance functions. From the board’s viewpoint, under their “statutory duty,” both executive and non-executive directors bear distinct obligations, as defined by legal and regulatory frameworks, a topic covered in Hopkin and Thompson. Beyond these legal and regulatory requirements, the board also has additional risk management responsibilities that, while distinct, are closely intertwined with these core duties.

a) Board members: When someone in an organization mentions a “board member,” they often mean a non-executive director (NED), even in cases where the board is unitary, comprising both executive directors and NEDs. Irrespective of the board’s makeup, NEDs are expected to remain independent from the organization’s day-to-day operations and bring expertise in fields pertinent to the organization. When their independence is confirmed, NEDs may be designated as independent non-executive directors (INEDs).

The duties of NEDs include:

  • Oversight and Challenge: Offering independent oversight and constructive feedback to executive directors, contributing creatively to board discussions.
  • Strategic Guidance: Providing informed input and serving as a constructive critic in evaluating the goals and strategies set by the chief executive and executive team.
  • Performance Monitoring: Assessing the executive management’s performance, particularly in relation to progress toward achieving the organization’s strategy and objectives.
  • Remuneration: Setting appropriate compensation levels for executive directors.
  • Networking: Facilitating connections between the business, the board, and valuable external individuals or organizations.
  • Risk Management: Ensuring the reliability of financial information and verifying that financial controls and risk management systems are strong and reliable.
  • Audit: Confirming that the company accurately reports to shareholders with a fair representation of its actions and financial status, while ensuring robust internal control systems are implemented and regularly reviewed.

A central role of the NED is acting as a “constructive” critic. From a risk management standpoint, this critical perspective allows NEDs to confirm the accuracy of financial data and the strength of risk management systems. This responsibility is especially significant for NEDs serving on the audit committee, a role we will explore further later in this unit.

b) Board as a group: The board, collectively, holds critical responsibilities for overseeing risk management and internal controls. These duties include:

  • Overseeing the creation and execution of suitable risk management and internal control systems that pinpoint the risks the company faces, enabling the board to thoroughly evaluate the principal risks.
  • Defining the nature and scope of the principal risks the organization encounters and determining which risks it is prepared to accept in pursuit of its strategic goals (establishing its “risk appetite”).
  • Ensuring that the organization has instilled an appropriate culture and reward system throughout its operations.
  • Deciding how principal risks should be managed or mitigated to lessen their likelihood or impact.
  • Regularly monitoring and assessing the risk management and internal control systems, as well as management’s processes for doing so, to confirm their effectiveness and ensure corrective measures are taken when needed.
  • Establishing reliable internal and external communication channels and taking ownership of external messaging about risk management and internal controls.

While management handles the daily execution of risk management and internal controls, the board must ensure that management comprehends and effectively mitigates risks, providing timely updates to enable the board to fulfill its duties. Many organizations emphasize the board’s role but passively accept risk management and internal control updates without questioning or scrutinizing how these responsibilities are carried out. In fulfilling its role, the board should also reflect on:

  • The intended risk management culture.
  • The depth and regularity of risk-related discussions tied to strategy, major initiatives, and significant commitments.
  • The risk management expertise, knowledge, and experience of both the board and management.
  • The consistency and quality of risk information shared with and received from the board.
  • How risk management and internal control tasks are assigned.
  • The level of assurance the board needs and the means by which it is secured.

Ultimately, the board should address a fundamental question from the final step of a basic four-step risk management process: “Given the environment in which we operate, the goals we aim to achieve, the risks we face, and our capacity to manage them, can we meet our objectives?” If the answer is “no,” the board should engage in decisions to further address principal risks, adjust objectives, or accept certain risks at their current levels.

c) Chief Risk Officer (CRO): The Chief Risk Officer (CRO) serves as a key advocate for the Enterprise Risk Management (ERM) process, unifying various risk management approaches within an organization—such as those tailored for health and safety or finance—into a comprehensive view of the risks the organization faces and manages. This role involves collaborating with others to ensure risks are effectively handled, tracking progress, and facilitating the flow of relevant risk information throughout the organization—upward, downward, and laterally. As the highest-ranking executive accountable for risk management processes, the CRO’s title might vary (e.g., Head of ERM), but the responsibility remains the same. The CRO’s duties can be grouped into four main categories:

  • Insights and Context: Leveraging knowledge of internal and external factors to promote robust risk management in dynamic and adaptable organizations.
  • Strategy and Performance: Crafting a risk management strategy aligned with the organization’s goals.
  • Risk Management Process: Overseeing the execution of the risk management framework.
  • Organizational Capability: Building and leading a skilled, flexible, and responsive risk management team.

In sectors like financial services, regulations often mandate the appointment of a CRO. Other organizations opt to create this role as their risk management practices mature, recognizing its value. As the top executive responsible for risk management, the CRO can maximize their impact by reporting directly to both the CEO and the board of directors, though this isn’t always the arrangement. A 2018 Deloitte survey of 94 major financial institutions found that regular meetings between the CRO and the board—sometimes without other executives present—enable the board to gain an unfiltered perspective on the organization’s risks and risk management efforts. Limited access to the CEO or board can diminish the CRO’s effectiveness.

The CRO’s responsibilities are intricate and must be carefully defined and customized to ensure the role delivers value and strengthens the organization’s resilience amid a fast-changing landscape. Some key benefits and contributions of the CRO include:

  • Engaging constructively with external stakeholders across the broader enterprise.
  • Acting as a trusted partner within the leadership team, guiding the organization to take calculated risks while fostering a strong risk culture.
  • Leading the risk team to build ethical, proactive collaborations with departments like compliance, operations, customer service, finance, HR, sales, and technology—shifting away from the outdated view of risk management as merely a numbers-driven or bureaucratic exercise focused solely on downside risks.
  • Assisting the board in establishing a positive tone at the top regarding risk ethics and cultivating a healthy risk culture.
  • Helping the board define risk appetite, striking a balance between risk and reward to support strategic goals, while addressing risks to the business model and ensuring resilience and sustainability.

6.5 Assurance

Internal audit plays an essential role in the risk management process by offering independent assurance on the strength of the control environment and evaluating how well the organization’s risk management strategy and activities are functioning. The term “risk assurance” refers to the data and insights provided to managers and directors about the state of the risk and control environment within an organization. It represents the internal mechanisms used to establish checks and balances within governance and risk frameworks. As previously noted in the context of corporate governance, the board oversees risk management and thus requires confirmation that the risk strategy is effective. A cornerstone of a strong risk assurance framework is the audit function, with external auditors also playing a vital role in delivering critical risk information and assurance to directors. Internal audit teams employ various methods to deliver thorough assurance, such as statistical sampling, risk prioritization techniques, and assurance mapping. To ensure robust governance, risk management, and internal controls, organizations must maintain an efficient and effective framework that provides consistent, dependable, and sufficient assurance. Assurance mapping serves as a tool to connect assurances to specific risks and identify their sources within the organization. Assurance mapping is described as “a systematic approach to identifying and organizing the primary sources and types of assurance across an organization’s four lines of defense, while optimizing their coordination for maximum impact.”

Role of Internal Audit

Internal auditing is defined as:

“An independent, objective assurance and advisory service aimed at adding value and enhancing an organization’s operations. It supports the organization in achieving its goals by applying a structured, methodical approach to assess and strengthen the effectiveness of risk management, control, and governance processes.”

This definition highlights that internal auditing is primarily focused on reviewing how an organization manages risk. This is accomplished through various methods, most notably by analyzing actual business practices and controls and comparing them to established standards. Any gaps or instances of non-compliance are discussed with local management to determine the causes, leading to either an agreement to restore full compliance or a revision of the control requirements, setting new standards to follow moving forward. Through this process, internal audit improves the organization’s efficiency and effectiveness. The Chartered Institute of Internal Auditors (CIIA) outlines the role of internal auditors, their value to an organization, and the distinction between internal and external auditing. It also emphasizes their critical role in evaluating risk management, aiding management in refining internal controls, and sharing these insights with both local and senior management. This collaboration reinforces the importance and practicality of risk management efforts and underscores why risk and internal audit teams work closely with operational managers.

A defining feature of internal audit is its need to remain independent from operational management. Most organizations have an audit committee, a subgroup of the main board, which reviews reports and discusses risks and controls with both internal and external auditors. This committee typically consists of independent non-executive directors—senior figures with a keen interest in understanding the real-world performance of the control environment. Internal audit is designed to present its findings directly to the audit committee in a protected setting, free from managerial pressure to downplay or conceal issues. Generally, the head of internal audit reports directly to the audit committee chair rather than to an executive like the CEO or COO. In some cases, the internal audit function may be housed within a corporate department (e.g., finance), with the head of internal audit reporting operationally to the finance director. However, this does not undermine the direct reporting line to the audit committee, which remains key to its effectiveness. The board of directors is the ultimate recipient of internal audit’s work, relying on its assurances about the internal control system. While no system can fully eliminate risk, the board depends on internal audit to provide a well-informed assessment of how the risk environment is being managed.

  • Core internal audit roles in regard to ERM
    • Giving assurance on the risk management processes
    • Giving assurance that risks are correctly evaluated
    • Evaluating risk management processes
    • Evaluating the reporting of key risks
    • Reviewing the management of key risks
  • Legitimate internal audit roles with safeguards
    • Facilitating identification & evaluation of risks
    • Coaching management in responding to risks
    • Co-ordinating ERM activities
    • Consolidated reporting on risks
    • Maintaining & developing the ERM framework
    • Championing establishment of ERM
    • Developing RM strategy for board approval
  • Roles internal audit should not undertake
    • Setting the risk appetite
    • Imposing risk management processes
    • Management assurance on risks
    • Taking decisions on risk responses
    • Implementing risk responses on management’s behalf
    • Accountability for risk management

Three lines of defense

A widely recognized framework for understanding these roles is the three lines of defense model. Although this has evolved into what is now called the three lines of assurance model, many organizations continue to rely on the original three lines of defense approach. Here, we provide an overview of the three lines of defense (3LOD) model, introduced by the Institute of Internal Auditors (IIA) in 2013. This model offers a structure for managing risk and maintaining control within an organization, along with corresponding responsibilities. While it originated in the financial services industry, it has been broadly embraced across various sectors. The key components of the 3LOD model are:

  • Governing Body and Senior Management: Positioned above the three lines, they establish the organization’s strategy and objectives.
  • First Line: Holds primary accountability for managing and mitigating risks.
  • Second Line: Consists of risk management and compliance functions that support the first line by facilitating and overseeing risk management practices.
  • Third Line: Delivers independent assurance on the effectiveness of governance, risk management, and internal controls across the first and second lines.
  • ‘Fourth Line’: External auditors and regulators, who assess governance and the control framework.

It’s important to note that the three lines pertain to an individual’s responsibilities rather than their position within the organizational hierarchy. As a result, in many organizations, a single person might perform both first- and second-line duties. In the 3LOD model, the first line—business management—bears the main responsibility for implementing the risk management framework (RMF). The second line, typically an independent risk function, supports and critiques risk management activities, including identifying, measuring, monitoring, managing, and reporting risks, acting as a “critical friend” to the first line. The second line also primarily designs the RMF. The third line—internal audit—provides independent, objective assurance on the RMF’s robustness and the suitability and effectiveness of internal controls.

The implementation of the three lines of assurance model has encountered several obstacles. A primary challenge is the assumption that the lines operate as separate, distinct entities, with risk management and internal controls functioning in a vertical, linear fashion. This strict interpretation has led to silos, where each line assesses risk management and internal controls from its own standpoint, resulting in both gaps and redundancies. In practice, the boundaries between the first and second lines are often blurred, with many organizations having first-line functions performing second-line assurance tasks, and second-line functions engaging in first-line risk management and control activities. Additionally, the model’s emphasis on “defense” has caused opportunities to be overlooked. In the financial services sector, the three lines model has proven inadequate for delivering assurance, with issues like a lack of independence in the second line and skill deficiencies in both the second and third lines prompting suggestions for a four-lines-of-defense approach.

Key updates to the model include:

  • Acknowledgment that all roles collaborate to generate and safeguard organizational value.
  • Adoption of a principles-based framework, offering greater flexibility since governing bodies, management, and internal audit don’t align neatly into fixed lines.
  • Elimination of the strict separation between the first and second lines, recognizing their fluid interplay, with roles now more precisely defined.
  • Emphasis on risk management’s role in achieving goals and adding value, with “defense” removed from the title to highlight both value creation and protection.
  • Exclusion of regulators and external auditors as a distinct fourth line.

Where the three lines model is in place, risk practitioners will be in the second line of the model. If the 3LOD is being used, that role will be strictly related to the provision of advice and support with no responsibility for managing risk. Whereas it is true that risk practitioners are not usually the owners of risk and therefore not involved in management of risks, there are instances where that is not the case. As such, this blurring of the first and second line can cause confusion, with instances where employees note that they are in line ‘one and three quarters.’ The updated model allows for that blurring between lines one and two, recognizing that individuals in either line can undertake activities in the other line.

External assurance

Historically, external assurance has focused primarily on confirming an organization’s financial health. Over the past ten years, however, its scope has broadened as stakeholders increasingly demand transparency and improved communication not only about financial performance but also about sustainable practices, initiatives, and outcomes. External assurance enhances trust in an organization’s sustainability disclosures by offering an independent, third-party evaluation, similar to how external auditors validate financial statements and adherence to accounting standards. This shift in assurance is supported by updated standards, which now mandate that organizations track, measure, and take responsibility for their impact on wider ecosystems. This aligns with the principle of double materiality. External assurance now extends beyond ethics, conduct risk, and corporate social responsibility to encompass an organization’s effects on broader ecosystems. With growing requirements to report on climate change impacts and a heightened focus on environmental, social, and governance (ESG) factors, many organizations are prompted to reassess their strategies, while all must consider how to provide external assurance beyond just financial stability.

External audit

Earlier, we explored the three lines of defense—or three lines of assurance—model, where the third line, internal audit, offers the board independent assurance on the effectiveness of an organization’s risk management and internal controls. In line with applicable laws or regulations, this internal assurance is validated through an independent review by external auditors, who assess whether the financial statements offer a “true and fair” representation of the organization’s financial position and confirm that the accounts comply with accounting standards. We also discussed the Sarbanes-Oxley Act, specifically Section 404, which mandates that registered external auditors verify management’s assertion that internal accounting controls are established, functioning, and effective.

It’s worth noting that the UK Corporate Governance Code assigns the audit committee several key responsibilities, including:

  • Managing the tender process and advising the board on the appointment, reappointment, or removal of the external auditor.
  • Evaluating and ensuring the independence and objectivity of the external auditor.
  • Assessing the effectiveness of the external audit process.
  • Formulating and enforcing policies regarding the external auditor’s provision of non-audit services.

External auditors primarily serve the organization’s shareholders or external stakeholders. Their reports enhance the reliability of financial statements, fostering increased confidence and transparency for shareholders.

Internal assurance

We previously described risk assurance as the data and insights delivered to managers and directors about the state of an organization’s risk and control environment. It serves as an internal mechanism to establish checks and balances within our governance and risk management structures. Organizations require an effective system to gain a comprehensive view of risks, supported by assurance reports to the board that strike a balance—avoiding excessive detail while maintaining robust oversight of critical issues. Internal risk assurance is derived from multiple sources, categorized under five main areas:

  • Measuring organizational culture
  • Reports from audits
  • Reports from individual units
  • Unit performance evaluations
  • Documentation from units

An additional vital source of internal risk assurance is the practice of ‘self-certification’ of controls, commonly known as a ‘control risk self-assessment’ (CRSA). In this process, local managers periodically (often yearly) submit a report indicating the level of risk assurance achieved in their area. In the financial services industry, particularly for operational risks, this self-certification is termed a ‘risk and control self-assessment’ (RCSA). Regardless of the label, this process typically involves completing a structured survey or questionnaire. Alternatively, some organizations conduct RCSAs through facilitated workshops, where local risks and controls are identified and evaluated. In organizations with advanced risk maturity, key risk indicators may be employed to gauge compliance in specific risk and control areas, moving beyond a simple ‘yes or no’ compliance check. This method allows focus to shift toward pressing issues—such as controls that are entirely ineffective against major risks—offering a more immediate, ‘real-time’ view of concerns rather than relying solely on annual reviews, thus enabling targeted management action.

The audit committee

We have explored both internal and external reporting, which form part of the assurance mechanisms—both internal and external—that an organization provides. Additionally, we’ve examined how risk management, reporting, and assurance align with the organization’s governance through the risk management framework (RASP) and its risk strategy. Consequently, effective assurance within an organization requires a clear connection between risk management and governance. The UK Corporate Governance Code mandates that organizations establish an audit committee. Many non-publicly listed organizations have recognized the value of setting up such a committee. Typically, an audit committee comprises non-executive directors (NEDs), with executive directors attending as needed. It is chaired by a NED—though not the organization’s chair—and operates as a sub-committee of the board.

The audit committee is often seen as the overseer of compliance within an organization, though its responsibilities extend beyond that role. It is tasked with maintaining a broad perspective over the entire group, with its duties encompassing:

  • Financial reporting
  • Narrative reporting
  • Internal controls and risk management systems
  • Internal audit
  • External audit

The independence of both the audit function and the board’s audit committee allows auditors to question operational practices without being swayed by the challenges of direct involvement in the processes under review. When issues or deviations from standard practices are identified, the audit team can confront operational managers, pressing for corrective measures. Serving as a critical link, the audit committee channels risk assurance to the board, delivering insights and analysis on the risk and control environment that might otherwise remain out of the board’s reach.

Organizational Viability

The primary purpose of establishing risk management and internal control systems, and ensuring their effectiveness through various assurance methods, is to instill confidence among internal and external stakeholders that the organization has a sustainable future. This sustainable future, typically projected over the next 12 months, is referred to as the organization being a ‘going concern.’ Accounting standards mandate that companies use the ‘going concern’ basis for their financial reporting unless they intend to—or are forced to—liquidate or stop operations. If there are significant uncertainties that might jeopardize an organization’s ability to remain a going concern, these must be disclosed in the annual or half-yearly financial statements. We explored the concept of ‘materiality,’ defining a risk or issue as financially material if it could impact the organization’s profitability or if concealing it would prevent an investor from making a well-informed decision. Beyond the going concern principle, the UK Corporate Governance Code also requires organizations to confirm whether they reasonably expect to continue operating and meet their obligations as they arise over a specified assessment period. This is known as the longer-term viability statement. The evaluation period is expected to extend well beyond 12 months from the approval of the financial statements and should consider factors like the business’s nature and its developmental stage. Additionally, it’s worth highlighting the concept of ‘double materiality’ at this point. Developed by financial regulators and policymakers, including the European Commission, double materiality emerged from the growing recognition of the need to address climate-related financial risks. This approach evaluates not only the financial consequences of an organization’s risks and issues but also the real and potential effects of its decisions on people, society, and the environment.

Control Environment

We explored the concept of real controls, examining how they should actively manage and alter risks. We delved deeper into assessing their effectiveness and how auditing and other risk assurance methods integrate into the risk management framework, often termed the control environment. A critical aspect of governance is the provision of key risk information and status updates to the board, and we will evaluate the role these activities play. Additionally, we will consider fundamental principles of managing corporate reputation, highlighting how robust risk management supports and safeguards brand integrity. Earlier discussions on corporate governance developments emphasized the importance of creating a cohesive control environment within organizations. Corporate governance codes have tasked directors with ensuring the presence of effective risk management and internal control systems. According to the FRC’s 2014 ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting,’ an internal control system comprises the policies, processes, tasks, behaviors, and other elements that collectively:

  • Enable efficient and effective operations by helping the organization identify current and emerging risks, respond appropriately to them and significant control failures, and protect its assets.
  • Minimize the likelihood and consequences of poor decision-making, excessive risk-taking beyond board-approved levels, human error, or intentional bypassing of controls.
  • Enhance the quality of internal and external reporting.
  • Ensure compliance with relevant laws, regulations, and internal business conduct policies.

This system incorporates:

  1. Control activities.
  2. Information and communication processes.
  3. Mechanisms to monitor the ongoing effectiveness of internal controls.

The internal control system should:

  • Be ingrained in the company’s operations and embedded within its culture.
  • Be agile enough to address evolving risks, whether from internal factors or shifts in the external business environment.
  • Include protocols for promptly reporting significant control weaknesses or failures to the appropriate management levels, along with details of corrective actions being taken.

The broader control environment extends beyond internal controls, just as risks encompass both internal and external dimensions. In Unit 1, we addressed the significance of the risk and business environment and its evolution over time, suggesting that the control system must be regularly reviewed to remain aligned with current and anticipated risks.

Real Controls

So, what exactly is the ‘control environment’? It can be understood as the comprehensive set of controls and their interactions that manage risks. Real controls actively address and modify risks. Often, multiple measures are employed to tackle a single risk—such as data gathering and guidance—but it is the application of that data and adherence to the guidance that truly mitigates the risk. For instance, in managing employee fraud, the control environment might include:

Data Collection:

  • Pre-employment checks for references, criminal history, and personal background.
  • Regular audits of finances and inventory.

Guidance:

  • A policy of prosecuting all employees found guilty of fraud, with public disclosure of such actions.
  • Periodic staff refresher training.
  • Accounting and asset protection measures to prevent fraud, theft, or damage. (Audits also serve to address other risks, like errors or misstatements.)
  • Standard practices, such as requiring staff to take a mandatory two-week annual leave.

Each measure operates independently, but when the collected data is utilized and the guidance followed, they collectively form a system aimed at reducing employee fraud. If the data is ignored or the guidance disregarded, the risk remains inadequately managed—or unmanaged entirely.

ERM Chapter 5 Risk Culture

Risk culture evaluates how individuals impact the risk management process and helps define what constitutes an effective risk culture for an organization. It also involves analyzing risk appetite and tolerance, exploring their importance to goal achievement, and addressing the need for and structure of risk appetite statements. Embedding the right risk culture within the broader organizational culture can be critical to the success or failure of risk management efforts—and, as global examples show, even to the organization’s overall survival. By defining risk appetite, tolerance, and capacity, organizations gain clarity on how much risk they can handle and are prepared to accept in pursuit of their goals. This understanding helps identify which risks matter most and determines the level of effort needed to address them. Achieving an acceptable level of risk often demands shifts in mindset, behavior, and the organization’s risk culture. Together, risk culture and appetite ensure that the most relevant risks are properly evaluated and managed, safeguarding and enhancing the organization’s value while supporting its objectives.

Culture is often described as ‘how things are done here,’ but it encompasses more—encompassing the shared ideas, customs, knowledge, beliefs, and behaviors of groups, whether in society or organizations. Risk culture parallels this but centers on how people perceive, interpret, and handle risks. Defining risk culture is challenging, yet it reflects the collective mindset of management at all levels, shaping how individuals act in specific situations and how they feel compelled to act consistently. The Institute of Risk Management (IRM) defines risk culture as the ‘values, beliefs, knowledge, and understanding of risk shared by a group with a common purpose, such as employees or teams within an organization.’ A positive risk culture can grow stronger over time through a reinforcing cycle of actions and behaviors that align with the organization’s ideal standards. Conversely, tolerating dysfunctional behaviors can spiral into a destructive cycle, fostering a harmful risk culture. Leaving risk culture to chance—allowing individuals or teams to approach risk haphazardly—is inadequate. Building a proactive risk culture involves:

  • Clearly communicating expectations to all staff through tools like policies, presentations, newsletters, onboarding, documents, posters, and job roles.
  • Persuading employees that effective risk management benefits them personally.
  • Engaging staff in identifying risks to boost their commitment.
  • Offering training to embed proper practices and understanding.
  • Investing in robust IT security tools and maintaining transparent, well-communicated monitoring of IT use.

A robust risk culture empowers people to consistently make sound decisions in the right way, even in a fast-paced, complex, and interconnected environment. Such a culture equips management to determine viable actions, navigate difficult trade-offs, and weigh the pros and cons of their decisions effectively. Kier Group plc emphasizes a strong risk management culture in its 2024 annual report. The company follows a Performance Excellence approach to develop its people, processes, and projects consistently. Instead of assigning a single non-executive director to engage with employees, all directors participate in Visible Leadership Tours (VLT) to understand workplace culture and concerns firsthand. The Board ensures that policies, practices, and behaviors align with the company’s values and goals. Safety remains a top priority, with continuous efforts to improve health and safety standards for employees and suppliers. In FY25, Kier focused on strengthening risk management through performance lifecycle management, while Commercial Directors helped build a risk-aware and resilient culture by identifying, evaluating, and managing risks in contracts.

Real-world examples in this section illustrate that organizations can exhibit either a positive or negative risk culture, often revealed through their risk management processes and control environment. For instance, risk management might be viewed as a valuable tool that enhances an organization’s ability to meet or exceed its goals, or it could be treated as a mere compliance-driven checklist. The importance of a proactive and intentional tone from leadership was addressed in Unit 2’s Risk Strategy within the ERM Framework. A positive risk culture enables individuals and teams to effectively integrate risk management into the organization, fostering an appreciation for its benefits and its potential to drive positive outcomes. Encouraging people to confront significant, often overlooked ‘elephant’ risks fosters greater transparency in the risk culture. Culture pertains not to individuals alone but to groups—typically teams or organizations, though it can extend to cities or nations. The COSO ERM Framework, updated in 2017, acknowledged that even a top-tier ERM system fails to deliver value without a supportive risk culture. As highlighted, the revised framework describes enterprise risk management as the ‘culture, capabilities, and practices, woven into strategy development and implementation, that organizations use to manage risk while creating, preserving, and realizing value.’

5.1 People and risk culture

While culture originates with individuals, it ultimately characterizes groups. Each person possesses a unique personality, which can be evaluated through various methods and techniques to create a profile of their traits and assess their fit for specific roles. This systematic approach, known as personality profiling, allows individuals to explore their core personality, work preferences, and strengths, while also shedding light on how others perceive them, how they collaborate, and how they might adjust their traits to suit their work environment or handle crises. Specific profiling methods focused on risk assess an individual’s inclination toward risk-taking, gauging their willingness to embrace risk and their resilience when facing it. The IRM’s risk culture framework places personal risk preference at the heart of risk culture, showing how it interacts with personal ethics, behaviors, and the broader organizational culture to shape risk attitudes. The ideal personality traits often vary depending on the organization and its context. For example, a spontaneous, convention-challenging CEO might drive value creation in a startup, while a systematic, compliant approach is essential for protecting value in regulated sectors. Traits like caution or pessimism might seem undesirable but can be vital in safety-critical fields like oil and gas, aviation, or construction. Conversely, resilience and boldness may suit leaders naturally, though these can sometimes push organizations toward risky or unwise decisions when restraint might be wiser. Although personality traits solidify by adulthood, an individual’s risk preference doesn’t fully predict their behavior in real scenarios—flexibility in adapting to context is highly prized in managers. Moreover, risk predisposition alone shouldn’t determine someone’s suitability for a role, task compatibility, or performance level, nor does it imply one trait outshines another. Understanding risk predisposition, however, helps clarify differing perspectives on risk, influencing factors like risk tolerance, perceptions of riskiness, preparation efforts, opportunity recognition, and the commitment to managing and monitoring risks.

IRM Risk Culture Framework

Risk perceptions

A person’s risk predisposition isn’t the sole factor shaping how they perceive risks. It’s easy to assume individuals have complete information about a risk and can assess it rationally and effectively, but each person’s unique perspective leads to varied interpretations. Risk has an objective dimension (e.g., the measurable chance of rain tomorrow) and a subjective one, influenced by psychological, cultural, and intangible factors, which can cause individuals to either downplay or exaggerate its seriousness. Perceptions of risk can differ across an organization’s hierarchy—senior leaders might overlook operational risks on the ground, while frontline workers may miss broader strategic risks. These perceptions also evolve with time and experience. Such variation matters because it can lead to flaws in risk identification, where critical risks are overlooked, and unimportant ones are flagged. Key challenges tied to differing risk perceptions include:

  • Variations in how people define and recognize risks (risk identification).
  • Individuals concealing risks or highlighting misleading ones for personal gain rather than organizational benefit (risk identification).
  • Differing opinions on the probability of a risk occurring (risk analysis).
  • Uneven understanding of a risk’s potential impact and scope (risk analysis).
  • Deliberate under- or overstatement of risk severity for self-serving reasons rather than supporting organizational goals (risk analysis).
  • Disagreement on what constitutes an acceptable risk level (risk evaluation).
  • Misjudgments leading to flawed or inconsistent data, hindering proper risk assessment and response.
  • The existence of true ‘unknown unknowns,’ risks beyond detection through standard methods (as explored with known unknowns in Unit 3).

These differences highlight that risk assessment is inherently inconsistent across individuals. No two people share identical views, and no one perceives risks with perfect objectivity, as personal biases shape their judgments. This creates two significant risks:

  • Organizations may handle identical risks unevenly based on who’s managing them, amplifying overall uncertainty.
  • Risk managers might prioritize addressing stakeholders’ perceived fears to gain favor, rather than tackling the most critical risks objectively.

Risk attitude—how people respond to uncertainty based on whether they see it as an opportunity, neutral, or a threat—hinges on these perceptions. This, in turn, affects each stage of the risk management process and shapes strategic choices.

Risk biases

Bias is a tendency to favor or oppose a person or group based on experience, assumptions, social norms, or judgment. Cognitive bias occurs when the brain simplifies information processing based on personal experiences and preferences, which may not always be accurate. The Board of Innovation identified 16 cognitive biases that can impact decision-making, including:

  • Confirmation bias – believing information that supports our existing views.
  • Conformity bias (groupthink) – being influenced by the majority, even against personal judgment.
  • Authority bias – giving more weight to ideas from authority figures.
  • Bandwagon bias – adopting ideas because others already have.
  • Anchoring bias – relying too much on familiar information.

As decisions become more strategic and impactful, recognizing these biases becomes crucial. Hillson and Murray-Webster (2007) discuss common biases, describing them as “gut feelings” or heuristics, including availability, representativeness, and confirmation traps. Group biases like groupthink, cultural conformity, and cautious or risky shifts also affect decision-making. Risk perception is shaped by three key influences: conscious, subconscious, and emotional factors. While it is not necessary to analyze all biases in every decision, being aware of them helps understand risk attitudes, behaviors, and overall risk culture within an organization.

Common influences on risk perception:

  • Conscious factors (situational) – familiarity; manageability; proximity / velocity / clock speed; size of impact; organisational culture
  • Subconscious factors (cognitive bias) – availability; representativeness; anchoring and adjustment; confirmation trap; bandwagon
  • Affective factors (feelings and emotions) – fear; hate; sadness; joy; desire

5.2 Risk culture models

Numerous models exist to assist organizations in comprehending, evaluating, and enhancing their risk culture, each emphasizing distinct elements or signs of risk culture. For instance, Deloitte’s model, outlined in their paper ‘Enabling Risk Intelligent Cultures,’ identifies four key influencers of risk culture: risk competence, motivation, relationships, and organization.

1. LILAC model

The LILAC model serves as a framework for assessing risk culture, drawing from research by the UK’s Health and Safety Executive (HSE). This research emerged in response to significant rail disasters in the UK during the 1980s and 1990s, prompting Her Majesty’s Railway Inspectorate (HMRI) to commission a safety culture inspection toolkit focused on a select set of indicators affecting safety culture. The resulting five indicators of a strong safety culture are:

  • Leadership – fostering a constructive safety culture
  • Two-way communication – robust channels for communication flowing top-down, bottom-up, and across levels
  • Staff involvement – meaningful participation from employees
  • A learning culture – capturing lessons, sharing them, and applying improvements
  • A just culture – shifting from blame to accountability, while prioritizing employee well-being

These elements form the acronym LILAC: Leadership, Involvement, Learning, Accountability, and Communication. Hopkin and Thompson note that integrating risk management into everyday work practices is a long-term goal for most organizations, offering examples of how this risk-aware culture might manifest. Beyond safety, LILAC also applies to broader risk management areas, such as training and the control environment, topics revisited in later Units.

2. ABC model

The ABC model aims to explain the origins of risk culture through three components:

  • Risk Attitude – the stance an individual or group takes toward risk, shaped by how they perceive it
  • Risk Behaviour – the visible, risk-related actions individuals exhibit
  • Risk Culture – the collective values, beliefs, knowledge, and understanding of risk shared by a group united by a common goal

Risk culture impacts both risk attitude and risk behaviour, while risk attitude influences risk behaviour, and risk behaviour, in turn, contributes to shaping risk culture. Hillson delves deeper, addressing two common misunderstandings about the ABC model:

  • “First, risk attitudes are distinct from risk culture. It’s inaccurate to label an organization as having a ‘risk-averse culture’ or ‘risk-seeking culture,’ as terms like risk-averse or risk-seeking refer to attitudes, not culture.”
  • “Second, risk behaviour differs from risk culture. Describing risk culture as ‘how we handle things around here regarding risk’ is misleading, since ‘handling things’ pertains to behaviours, not culture.”

Thus, behaviours are the measurable aspect, evaluable through tools like surveys or interviews. Risk attitude is defined as ‘the organization’s long-term perspective on risk, characterized by the 4Cs: comfort, cautious, concerned, and critical,’ and can be depicted within a risk matrix.

3. Double ‘S’ Model

The IRM Risk Culture paper highlights the Double ‘S’ model as a valuable tool for understanding broader organizational culture, framing it through two core dimensions:

  • Sociability – the people-oriented aspect, reflecting the quality of social interactions, plotted on the vertical axis
  • Solidarity – the task-oriented aspect, centered on goals and team performance, plotted on the horizontal axis

The model posits that high sociability fosters unity and a shared sense of purpose in a connected workplace, while strong solidarity ensures effective execution of risk controls and actions. The model identifies four cultural types—fragmented, networked, communal, and mercenary—none of which is inherently superior. Each suits different organizational contexts. For instance, strong sociability can inspire individuals to exceed their role’s expectations, working harder for the ‘community’s’ success. Yet, it can also lead to drawbacks, such as overlooking poor performance due to friendships or prioritizing consensus over tough decisions. Conversely, high solidarity builds relationships around shared goals and enables rapid team mobilization during crises. However, an overemphasis on tasks can backfire if the strategy is flawed, neglecting broader organizational health, or if individuals focus on self-interest, asking, ‘What’s in it for me?’ You might notice parallels between the Double S Model and the Decision-making Style Matrix, which also maps a spectrum from task/technical to people/social focus along one axis. Most personality and culture models hinge on these two dimensions, a point reinforced in the IRM Risk Culture paper. Research suggests that, regardless of the specific risk culture framework, organizations should enhance both sociability and solidarity to improve risk management effectiveness.

5.3 Successful Risk Culture

What defines a strong risk culture? It involves a deep understanding and positive mindset toward risk, fostering sound decisions and behaviors. This is demonstrated as organizations shift from merely responding to incidents to proactively identifying and managing risks effectively. A robust risk culture empowers and incentivizes individuals and teams to take calculated risks wisely. Key elements of a successful risk culture include:

  1. A clear, consistent message from leadership—both the board and senior management—about risk-taking and avoidance, with attention to the tone across all levels.
  2. A dedication to ethical standards, shown through focus on individuals’ ethical profiles, ethical decision-making, and consideration of broader stakeholder perspectives.
  3. Widespread recognition within the organization of the need for ongoing risk management, with defined accountability and ownership for specific risks.
  4. Open, prompt sharing of risk-related information throughout the organization, where bad news travels quickly without fear of reprisal.
  5. Promotion of risk event reporting and whistleblowing, with a proactive approach to learning from errors and near misses.
  6. Clarity around risks, ensuring no process, activity, or complexity obscures their understanding.
  7. Recognition and rewards for appropriate risk-taking, alongside challenges to and consequences for unsuitable behaviors.
  8. Valuing and nurturing risk management expertise, supported by a well-funded risk management team and broad engagement with professional networks.
  9. Support for professional credentials and technical training, paired with diverse viewpoints to continually question the norm.
  10. Integration of culture management with employee engagement and HR strategies, balancing social support with task focus.

These ten components—from a unified leadership tone to aligning culture with people strategies—form the backbone of an effective risk culture. The paper notes that analyzing corporate failures often reveals the absence of many of these traits. To achieve their desired risk culture, boards are encouraged to ask themselves ten reflective questions, largely tied to these components, to evaluate their expectations and aspirations:

  1. What example do we set from the top? Are we consistently and visibly guiding how our people should handle risk?
  2. How do we define clear responsibilities for risk managers and ensure they’re held accountable?
  3. What risks does our current culture pose, and what cultural shift is needed for our goals? Can staff speak freely without fear?
  4. How do we uphold our stated values in resolving risk challenges? Do we regularly address this and let it shape decisions?
  5. Do our structure, processes, and rewards bolster or undermine our ideal risk culture?
  6. How do we proactively gather insights from risk events and near misses—ours and others’—and embed lessons learned? Do we humbly view ourselves through stakeholders’ eyes?
  7. How do we handle whistleblowers and legitimate concerns? When did we last face this?
  8. How do we encourage balanced risk-taking and address extreme tendencies (overly cautious or reckless)?
  9. How do we ensure new hires adopt our cultural values quickly and veterans maintain aligned attitudes and actions?
  10. How do we foster risk awareness and skills development at all levels? What risk training have we, as a board, undertaken?

Measuring risk culture

Various models exist to assist organizations in understanding, evaluating, and enhancing their risk culture, with a simple online search revealing tools and methods from numerous consultants. These typically involve posing a series of questions to individuals at different roles and levels within an organization to assess its risk culture, often through surveys or interviews. To gain a comprehensive view of culture across all levels, an organization-wide survey can be employed. However, for some, this might feel overly demanding, so targeted surveys sampling individuals or using a ‘proxy’ (someone authorized to represent others) from each level and team can suffice. Alternatively, some organizations opt for a more tailored, personal touch by conducting interviews with key personnel. Surveys offer a broad, diverse snapshot of organizational culture, providing a structured, measurable way to tackle a subjective topic. This allows for comparisons between teams or against industry peers, using mostly ‘closed’ questions with preset answer options, though some may include ‘open’ questions for free-text responses to capture answers in respondents’ own words. Interviews, on the other hand, delve deeper into the drivers of risk culture, enabling interviewers to seek clarification, ask follow-ups, and probe further. To ensure reliability, interviews should follow a standardized question set, with interviewers taking care to avoid bias in both the questions and their delivery. They’re particularly valuable for capturing insights from senior leaders, like executives or board members. Some organizations combine surveys and interviews, ensuring questions across both methods align for consistent results. Regardless of the approach, questions should be customized to the organization or segment under review and kept concise to boost participation and quality of responses. 
From a financial services standpoint, the UK’s Prudential Regulator stresses the importance of using diverse data sources and assessment methods to gauge risk culture. The paper also recommends that organizations regularly evaluate their risk culture, pinpoint issues, and address them as frequently as practical.

One framework for assessing risk culture organizes eight elements into four key themes:

  • Tone from the Top
    • Risk leadership – providing clear guidance
    • Dealing with bad news – openness to unfavorable updates
  • Governance
    • Accountability – well-defined responsibility
    • Transparency – timely and clear risk information
  • Decisions
    • Informed risk decisions – the quality of decision-making insight
    • Reward – recognition for suitable risk-taking
  • Competency
    • Risk resources – the standing, support, and authority of the risk function
    • Risk skills – integration of risk management expertise

This Risk Culture Aspects model connects to the Double ‘S’ model, where ‘Dealing with bad news,’ ‘Reward,’ and ‘Risk Skills’ primarily influence sociability, while the remaining five elements contribute more to strengthening solidarity.

Changing risk culture

Evaluating an organization’s risk culture should pinpoint issues and their underlying causes, paving the way for cultural improvements. However, such changes hinge on first assessing the existing culture and defining the target culture. Transforming risk culture is often a gradual, extended effort. The Association for Federal Enterprise Risk Management (AFERM) indicates that establishing a compliant risk management framework may take 1-2 years, while developing a fully mature risk management process could span 5-10 years. By comparing the current risk culture to the desired state, organizations can identify quick wins and impactful, visible shifts. Per the ABC model, risk attitude drives risk behavior, which shapes risk culture, subsequently reinforcing both behavior and attitude. Positive adjustments can spark a ‘virtuous’ cycle, while unchecked negative attitudes and behaviors perpetuate a ‘vicious’ cycle.

Steps to transform risk culture include:

  • Assessing the existing risk culture (Where are we now?).
  • Evaluating its effects (Where do we aim to be?).
  • Pinpointing areas for enhancement (What must change?).
  • Designing and executing the cultural shift.
  • Tracking progress and adjusting as needed.

5.4 Risk appetite and tolerance

In exploring risk evaluation, we address a critical ‘so what?’ question in the risk management process. Having established our operational context and objectives, and identified and ranked the risks we face to prioritize the most significant ones, we must decide: do these risks require action, or are they tolerable as they stand? To answer this, we first need to define what ‘acceptable’ means for us. For an organization to maintain a uniform risk management approach enterprise-wide, those handling risks must know the severity threshold that triggers a response. Without clarity on when to act or accept a risk, inconsistencies arise, inflating the organization’s overall risk exposure as staff react to risks of similar magnitude based on personal risk attitudes rather than a cohesive organizational stance. While we typically assess acceptability from a threat perspective, we must also evaluate acceptable opportunities, recognizing that organizations won’t manage risks—whether threats or opportunities—at unlimited cost.

This acceptability hinges on a threshold, known as risk appetite, which is the level of risk an organization is willing to take to meet its goals. This threshold rests on four core principles:

  1. Interconnectedness – what’s tolerable in one area may not be in another.
  2. Measurability – the ability to quantify risk appetite for a consistent understanding of acceptability.
  3. Variability – the necessity for different appetites across various risks.
  4. Maturity – how the sophistication of an organization’s enterprise risk management (ERM), in both comprehension and execution, shapes its risk-taking willingness.

Key terms tied to risk appetite include Risk Capacity, Risk Tolerance, and Risk Appetite, alongside the concept of the Risk Universe. These terms are often intertwined and used synonymously, though they carry distinct nuances. The push to define this acceptability or risk appetite stems not just from the internal need to resolve the ‘so what?’ question, but also from external pressures, notably the UK Financial Reporting Council’s 2014 ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting.’ The guidance highlights risk appetite in several areas:

  • Section 2 – states that boards are tasked with ‘determining the nature and extent of principal risks and those the organization is prepared to accept to achieve strategic objectives (its “risk appetite”)’.
  • Section 5 – suggests that annual reviews of risk management and internal control effectiveness should consider ‘the company’s risk appetite, desired culture, and whether that culture is embedded.’
  • Appendix C – poses questions for boards, starting with risk appetite and culture, such as ‘How has the board set the company’s risk appetite?’ and ‘Who has it consulted?’

Though aimed at premium listed UK companies, risk appetite gained broader relevance post-2008 financial crisis, which exposed excessive risk-taking cultures in global financial services. UK charities are prompted to assess their risk appetite, the UK Government released a 2021 Risk Appetite Guidance Note, and the COSO 2017 ERM Framework lists ‘Define risk appetite’ as Principle 7, among others.

Risk appetite covers the positive, opportunity aspects of risk that organisations seek, such as the development of new products that will bring high returns but carry the potential to fail and result in losses. Risk appetite refers to the core mission or strategy of the organisation. Tolerance refers to the boundaries of risk taking outside of which the organisation is not prepared to venture in the pursuit of its long-term objectives. It provides limits to the amount of risk an organisation is willing to accept before taking some further risk treatment action to address the underlying drivers of risk. It also provides limits to the amount of opportunity an organisation is willing to pursue.

1) Risk Capacity

Within our risk universe, certain risks are manageable. Risk capacity refers to ‘the threshold beyond which risk becomes unacceptable’—the point an organization cannot or chooses not to exceed. It is the amount of risk an organization should or can afford to bear. Historically linked to the insurance sector, risk capacity has been tied to decisions about deductible sizes or maximum insurance coverage relative to financial resources. Beyond finances, an organization’s risk capacity also hinges on factors like the resilience of its infrastructure, the strength of its reputation and brands, the competitiveness of its market, the skills of its workforce, and the reliability of its controls, among others. While we’ve framed risk capacity as the boundary we won’t cross, it also serves as both a springboard for calculated risk-taking and a buffer against losses. For instance, an organization may lack the capacity to absorb all risks in its universe—a health insurer, limited by financial constraints, might cap coverage levels to avoid exposure to costly conditions. To craft a solid risk management framework, leadership must clearly articulate and document which risks they’re prepared to accept and which they’ll reject. They must also stay attuned to the organization’s risk-bearing capacity—its financial stamina. Even if investors and directors push for a bold strategy, a risk event (like a failed product launch) exceeding available reserves could lead to insolvency if capacity isn’t adequately gauged.

2) Risk Tolerance

Risk tolerance is frequently conflated with risk appetite, yet they are distinctly different. Risk tolerance is defined as ‘the limits of risk-taking beyond which an organization will not venture in pursuit of its long-term goals.’ This definition elaborates that risk tolerance encompasses risks an organization might reluctantly endure if circumstances force its hand. It’s often framed in absolute terms, such as ‘we will not engage with specific customer types.’ These descriptions present a subtle tension: one views tolerance as risks that can be borne or allowed within a certain range, while the other aligns it more with a breaking point akin to risk capacity. In reality, risk tolerance occupies the ‘range’ between risk appetite and risk capacity. It represents a zone where risks can be temporarily withstood while proactive risk management works to reduce them to an acceptable level—sometimes called the ‘wiggle room’ beyond the preferred risk threshold. The UK Government’s risk guidance clarifies that risk tolerance, or a tolerable risk stance, differs from deliberately choosing to tolerate a risk as a management response.

3) Risk appetite

Risk appetite is characterized as ‘the extent of risk an organization is prepared to pursue or accept to achieve its long-term goals.’ This definition encompasses two aspects: risks the organization actively seeks and those it is willing to tolerate. Organizations aim to meet objectives—typically positive ambitions like boosting profits, expanding market share, or enhancing services. Boards generally embrace appropriate risks to realize these goals and thus have an appetite for them. Risk appetite covers risks an organization deliberately engages with, reflecting its strategic choices and methods. Conversely, it also includes risks it must accept as inherent to its operations, such as regulatory shifts beyond its control. In visual depictions, risk appetite isn’t centered within risk tolerance, showing that tolerance varies by risk type. For instance, at point A, there’s minimal tolerance for risks like health and safety or corruption, while between points B and C, there’s greater leeway for risks like project delays. Risks nearing capacity demand more effort to manage down to an acceptable level, while those closer to appetite require less. These risks are only tolerated temporarily, with active management to align them with appetite. Diagrams often portray risk appetite, tolerance, and the risk universe as zones or ranges, rooted in risk impact scales established early in risk management and tied to appetite and tolerance. If these are defined later in an organization’s risk maturity, appetite statements should shape impact scales, with adjustments made for alignment.

Though often shown in red, amber, and green, these diagrams don’t mirror a risk matrix’s positioning. During evaluation, risks in or near the matrix’s top-right (red) zone might still fall within appetite—either because they’re actively managed despite high likelihood and impact, or because they’re uncontrollable, like regulatory changes. In both cases, they’re acceptable for business operations and should be acknowledged as such. These visuals offer a top-down perspective on the risk universe, capacity, tolerance, and appetite, akin to a cross-sectional view linking them to performance over time. Within risk appetite lie two concepts: an optimal risk position, ‘the risk level an organization targets’ (aligned with appetite), and a tolerable risk position, ‘the risk level it can bear under current constraints’ (aligned with tolerance). These parallel the broader notions of appetite and tolerance. Regardless of terminology, clarity in defining these concepts within an organization is crucial. Risk appetite provides a decision-making framework, delineating both ideal and acceptable risk levels to support strategic goals. The guidance highlights benefits like reduced uncertainty, enhanced consistency in governance and decisions, sharper focus on priorities, and better resource allocation.

5.5 Risk appetite statements

Establishing risk appetite is a cornerstone of effective corporate governance. The board holds the responsibility for defining the nature and scope of major risks it is prepared to embrace to fulfill the organization’s strategic aims. Thus, during strategic planning, directors and senior leaders must deliberately assess their risk appetite and tolerance—or the flexibility they have—in executing the strategy and meeting objectives. Some strategic elements may feel familiar and comfortable, or involve mandatory compliance (e.g., legal requirements), where the organization prefers to stick close to its established practices. Other elements may demand bolder moves and greater risk-taking. Risk appetite statements capture this distinction, outlining where the organization opts for more or less risk.

Consider a farm machinery manufacturer aiming to branch into electronically controlled indoor dairy equipment (‘robots’) to boost dairy yields, shifting from traditional outdoor milking. This aligns with a growing farming trend and offers expansion potential. However, moving from mechanical to high-tech electronic products introduces risks, potentially stretching beyond the company’s expertise and risking costly setbacks. If the company pursues this, it must evaluate the technical hurdles, investment needs, projected sales, competitive landscape, and profit margins. This analysis determines the total capital at stake if the venture fails, which is then weighed against the organization’s pre-set risk appetite and its risk-bearing capacity.

Risk appetite statements document these choices regarding appetite, tolerance, and capacity across the organization and its various levels. The steps to craft them are:

  1. Identify stakeholders and their expectations.
  2. Assess the organization’s overall risk exposure.
  3. Set the preferred level of risk exposure.
  4. Determine acceptable variation ranges for each risk type.
  5. Align current and target risk appetite and tolerances.
  6. Finalize, approve, and share the risk appetite statement.

These statements should tie into the organization’s risk classification system but can also be organized by risk sources (causes), impacts (effects), objectives at risk (linked to effects), or the risks themselves. The structure may reflect the organizational level—strategic, tactical, or operational—where the statements are developed.

Six guiding principles shape an effective risk appetite framework:

  1. Complexity – Simplifying too much can distort meaning.
  2. Measurability – Without it, statements lose practical value.
  3. Fluidity – Appetite varies across risks and evolves over time.
  4. Maturity alignment – It must match the organization’s risk management sophistication and be clearly supported.
  5. Multi-level perspective – It should span strategic, tactical, and operational viewpoints.
  6. Control integration – It must balance risk-taking and control, ensuring effective risk management and internal controls.

With these principles in mind, an approach to dissecting risk appetite elements can center on risk capability—a blend of risk capacity (the ability to absorb risks) and risk management maturity (the ability to handle them):

  • Capacity – Encompassing financial resources, infrastructure, reputation, and workforce expertise.
  • Maturity – Covering business context, risk systems, risk culture, and risk processes.

The requirements for risk appetite statements are that they should:

  • provide a structure for an organisation to work within. When correctly applied, statements describe acceptable outcomes relating to decisions being taken.
  • drive thinking about results and outcomes the organisation seeks to realise, as well as about what would need to change if outcomes were not acceptable
  • describe the organisation’s typical challenges and the basis on which different outcomes are justified
  • describe the organisation’s acceptable behaviour in reasonable circumstances. In circumstances where a decision is to be made and there are no directly comparable situations, risk appetite statements can provide illustrative guidance that can be adapted, documented and applied
  • be set against a sliding scale, with descriptors which are relevant to the organisation. This scale should demonstrate and reinforce the range of outcomes that are acceptable in different situations, and should be separate from scales used to assess the likelihood and impact of a risk
  • be dynamic and updated as necessary to reflect any significant changes in the context their organisations operate within, whether driven by societal, economic or political changes, for example.

These requirements are a useful checklist when designing risk appetite statements.

Developing a clear risk appetite and tolerance profile for an organization demands significant time from senior leaders to deliberate on the various risks it encounters, ensuring they provide clear guidance on which risks are acceptable. This overarching risk strategy might be summarized in a broad mission statement, such as one for a fictional budget airline: ‘We aim to be the top regional low-cost airline, targeting private and tourist travelers with modern, nearly new aircraft.’

This translates into a high-level risk appetite strategy, signaling that the airline avoids the risks of entering the long-haul market, sacrificing potential revenue from business travelers, while embracing the risk of investing in high-quality aircraft to enhance its brand and reputation. Such a statement serves as a qualitative, narrative expression of the organization’s risk appetite. Organizations might also craft more detailed narrative risk appetite statements. For instance, a charity might first assess risk appetite across different risk categories, then derive an organization-wide appetite by averaging these. This charity adopted a generally cautious stance on acceptable risk levels, though it allowed higher risk in certain categories. It stopped short of evaluating individual risks, however. Caution is warranted when averaging risk scores, especially if based on subjective opinions rather than hard data, as this can mask significant risks if the ‘average’ falls within an acceptable range, potentially overlooking critical outliers.

A simple risk appetite estimate

Tangible risk appetite statements

From the mission statement of the fictional budget airline—‘Our goal is to be the leading regional low-cost carrier, targeting private and tourist travelers with modern, nearly new aircraft’—a risk appetite statement is crafted, typically tied to relevant risk categories or specific risks.

This broad appetite statement must be distilled into practical segments. For instance, the airline’s risk appetite and tolerance might state:

  • We won’t accept operating routes with seat fill-rates below 50%, though we’ll allow a 5% deviation from this target.
  • We won’t tolerate fuel costs exceeding our business plan, but we’ll accept up to a 2% increase.
  • We have no interest in paying travel agent fees, yet we’ll permit direct booking service costs up to 3% of revenue.

On the opportunity side, it might add:

  • We aim to grow our route network to boost fare income by 20% over three years, accepting up to $5 million in additional expenses to make it happen.

Risk appetite statements can be detailed and tied to risks listed in the organization’s risk register. Some use key risk indicators as stand-ins for these statements, marking thresholds where approval is needed before proceeding further. For external stakeholders, high-level narrative statements are typically shared, balancing transparency about the organization’s risk direction with discretion over sensitive details. These often appear in annual reports.

To guide internal staff on acceptable risk levels and enable risk-informed decisions, risk appetite statements should span the organization and be concrete, measurable reflections of appetite and tolerance. These are commonly compiled into a Risk Appetite Statement document, part of a broader set of risk management materials alongside the Risk Management Policy and Manual. At a detailed level, these statements reflect delegated authority, setting risk-taking boundaries for individuals. Once specific statements are set, it’s wise to review them with staff and HR to ensure alignment with authority levels.

5.6 Risk appetite criteria

A critical element of risk appetite and tolerance lies in the criteria used to formulate risk appetite statements and how they’re established. Earlier in this unit, we discussed using:

  • Ranges to define risk appetite and tolerance
  • Risk impact rating scales to prioritize risks
  • A sliding scale for appetite and tolerance
  • Key risk indicators as early warnings of shifts in specific risks

Various metrics can shape risk appetite statements and criteria, but whether they target objectives, risk categories, or specific risks, the focus remains on determining what’s acceptable, unacceptable, and the range between these points. Risk appetite limits help convert strategic goals into actionable risk-taking boundaries and controls across an organization. It’s not just about capping risk beyond capacity but understanding appetite as a spectrum of desired outcomes—balancing excessive risk-taking against insufficient ambition. Some organizations adopt a ‘three-leg’ limit system (upper limit, trigger, lower limit or risk target), while leading practices favor a ‘four-leg’ system (upper and lower limits with corresponding triggers). Notably, these limits also act as triggers, prompting escalation and corrective steps. The UK Government’s 2021 risk appetite guidance proposes a ‘five-leg’ system, offering descriptive terms for these levels, which are then fleshed out in narrative statements:

  • Opposed/averse (upper limit) – risk avoidance
  • Minimalist – favoring safe, low-inherent-risk options
  • Cautious – preferring safe options with minimal residual risk
  • Mindful/open – open to all options, favoring likely success
  • Enterprise/eager (lower limit) – keen to innovate and seize opportunities, accepting uncertainty
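As an added illustration of the ‘four-leg’ limit system described above (example code written for this page, not from its author or any cited framework), the following Python classifies key risk indicator readings against upper and lower limits and their triggers, using limits constructed from the fictional airline’s appetite statements earlier on this page; the trigger values for booking costs and growth spend are assumptions.

```python
"""Four-leg risk appetite limits applied to key risk indicator (KRI) readings.

Added example; not code from the original text or from any framework it cites.
The limits below are constructed from this page's fictional budget airline
statements (fill rate, fuel cost, booking costs, growth spend). Where a statement
gives only one side, the other legs stay None (open-ended); where it gives a limit
but no trigger, the trigger value is an assumption and is marked as such.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Zone(Enum):
    """Escalation outcome for one KRI reading against its limits."""
    BELOW_LOWER_LIMIT = "lower limit breached: escalate and take corrective action"
    LOWER_TRIGGER = "approaching lower limit: escalate to higher authority"
    WITHIN_APPETITE = "within appetite: manage locally, keep monitoring"
    UPPER_TRIGGER = "approaching upper limit: escalate to higher authority"
    ABOVE_UPPER_LIMIT = "upper limit breached: escalate and take corrective action"


ESCALATE = {Zone.BELOW_LOWER_LIMIT, Zone.LOWER_TRIGGER,
            Zone.UPPER_TRIGGER, Zone.ABOVE_UPPER_LIMIT}


@dataclass(frozen=True)
class FourLegLimit:
    """Upper and lower limits, each paired with a trigger that sits inside the limit."""
    kri: str
    lower_limit: Optional[float] = None
    lower_trigger: Optional[float] = None
    upper_trigger: Optional[float] = None
    upper_limit: Optional[float] = None

    def __post_init__(self) -> None:
        # The legs that are set must be ordered: lower limit <= lower trigger
        # <= upper trigger <= upper limit, or the zones would overlap.
        legs = [v for v in (self.lower_limit, self.lower_trigger,
                            self.upper_trigger, self.upper_limit) if v is not None]
        if legs != sorted(legs):
            raise ValueError(f"{self.kri}: legs are not in ascending order")

    def classify(self, value: float) -> Zone:
        """Place a reading in a zone. Reaching a limit escalates (the limit is
        itself a trigger); crossing it is a breach."""
        if self.lower_limit is not None and value < self.lower_limit:
            return Zone.BELOW_LOWER_LIMIT
        if self.lower_trigger is not None and value < self.lower_trigger:
            return Zone.LOWER_TRIGGER
        if self.upper_limit is not None and value > self.upper_limit:
            return Zone.ABOVE_UPPER_LIMIT
        if self.upper_trigger is not None and value > self.upper_trigger:
            return Zone.UPPER_TRIGGER
        return Zone.WITHIN_APPETITE


# Constructed from the airline's appetite and tolerance statements on this page.
AIRLINE_LIMITS: Dict[str, FourLegLimit] = {
    # "no routes below 50% fill rate, 5% deviation allowed": trigger 50, limit 45
    "route_fill_rate_pct": FourLegLimit("route fill rate (%)",
                                        lower_limit=45.0, lower_trigger=50.0),
    # "fuel costs not above plan, up to 2% increase accepted": plan = 100%
    "fuel_cost_vs_plan_pct": FourLegLimit("fuel cost vs business plan (%)",
                                          upper_trigger=100.0, upper_limit=102.0),
    # "direct booking costs up to 3% of revenue"; the 2.5% trigger is an assumption
    "booking_cost_pct_revenue": FourLegLimit("direct booking costs (% of revenue)",
                                             upper_trigger=2.5, upper_limit=3.0),
    # "up to $5 million additional expense for network growth"; $4m trigger assumed
    "growth_spend_musd": FourLegLimit("network growth spend ($m)",
                                      upper_trigger=4.0, upper_limit=5.0),
}


def evaluate(readings: Dict[str, float],
             limits: Dict[str, FourLegLimit] = AIRLINE_LIMITS) -> Dict[str, Zone]:
    """Classify every reading that has a matching limit; unknown KRIs are skipped."""
    return {k: limits[k].classify(v) for k, v in readings.items() if k in limits}


def escalations(readings: Dict[str, float],
                limits: Dict[str, FourLegLimit] = AIRLINE_LIMITS) -> List[str]:
    """Return the KRIs whose readings require escalation, breaches first."""
    zones = evaluate(readings, limits)
    severity = {Zone.BELOW_LOWER_LIMIT: 2, Zone.ABOVE_UPPER_LIMIT: 2,
                Zone.LOWER_TRIGGER: 1, Zone.UPPER_TRIGGER: 1}
    flagged = [k for k, z in zones.items() if z in ESCALATE]
    return sorted(flagged, key=lambda k: -severity[zones[k]])


if __name__ == "__main__":
    # Constructed monthly dashboard readings, not real data.
    readings = {"route_fill_rate_pct": 47.0, "fuel_cost_vs_plan_pct": 103.0,
                "booking_cost_pct_revenue": 1.8, "growth_spend_musd": 4.2}
    for kri, zone in evaluate(readings).items():
        print(f"{AIRLINE_LIMITS[kri].kri:38} {readings[kri]:>7}  {zone.value}")
    print("escalate:", escalations(readings))
```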

Triggers, defined as ‘the point where escalation to a higher authority is needed due to proximity to the appetite limit,’ align with both upper and lower limits. In health and safety, such triggers are common, embedded in operational processes with pre-set acceptable risk levels and escalation protocols. In mining, these are called Triggered Action Response Plans (TARPs), akin to triggers in Deloitte’s risk appetite framework, typically using a ‘three-leg’ system:

  • Green – manageable by the workplace team (lower limit)
  • Yellow – work halts, a support team steps in to resolve and approve resumption
  • Red – work stops, senior managers intervene to address and authorize continuation

In health and safety, organizations often claim ‘zero’ risk appetite or tolerance. If taken literally, this would halt operations, as eliminating all risks with safety implications is impossible. While ‘zero’ makes a bold external statement, operational triggers with a narrow range between limits are essential, reflecting limited tolerance for such risks. A more practical approach uses triggers based on reducing risks to ‘as low as reasonably practicable’ (ALARP). Caution is needed, however, when triggers focus solely on the ‘red’ zone of a risk matrix (high impact, high probability), as this overlooks uncontrollable yet acceptable risks (e.g., regulatory changes) that are part of doing business and monitored regularly. This ‘red’ zone focus also neglects high-impact, low-probability risks (HILPs), like the Covid-19 pandemic, which wasn’t a true ‘black swan’ but was dismissed as too improbable by many, becoming an ignored ‘elephant.’ Some organizations adjust risk matrices to prioritize impact over probability, elevating HILPs’ visibility. Unit 3, Section 4’s Impact versus Action map also flagged high-impact risks lacking sufficient control. Whatever method is chosen, risk appetite criteria must address key individual risks. Ignoring HILPs in appetite discussions risks unwanted headlines. Crafting risk appetite statements is often the toughest part of ERM, but without clear, measurable tolerances, the risk management cycle and framework stall.

Monitoring risk appetite and tolerance

Crafting an organization’s risk appetite and tolerance is a time-intensive process, requiring substantial effort to establish meaningful limits and triggers that enhance decision-making and the proactive management of both opportunities and threats. Yet, these statements are merely a moment-in-time reflection and must be periodically revisited and refined, particularly when the organization undergoes significant shifts. Incorporating testing and monitoring into the risk appetite framework is therefore valuable. Five key tests can assess its effectiveness:

  • Does the framework offer actionable guidance to aid managers in decision-making?
  • Are executives aware of the cumulative and interconnected risks to judge what’s acceptable?
  • Do the board and executives grasp the aggregated and linked nature of risks?
  • Do managers and executives recognize that risk appetite evolves over time?
  • Are risk decisions weighed with a clear view of potential rewards?

Meeting all these criteria indicates a robust risk appetite framework.

The core idea is that such frameworks are effective up to a point, ensuring:

  • Risk-takers understand the objectives they’re advancing and stay within set boundaries.
  • All major risks are identified and comprehended.
  • A risk-aware mindset infuses the organization’s language, decisions, and performance evaluation, embedding it in the risk culture.

The framework outlines varying risk appetite levels across the organization:

  • High-level – Broad risk capacity, overarching risk appetite statements, measures, and limits.
  • Directional – Focus on key risk drivers with related appetite statements, measures, and limits.
  • Specific – Principles and policies to put risk appetite into practice.
  • Detailed – Precise risk appetite measures and limits.

ERM Chapter 4 Risk Treatment

You need to use proper controls to handle and reduce risks to an acceptable level. Monitoring and reviewing processes ensure these controls work well and that any changes in the situation, risks, or risk management process are noticed and addressed. This helps with risk reporting, making sure important information is shared clearly and supporting decisions based on risks. Setting up and using real controls to manage risks within an organization’s risk appetite and tolerance is a key step in risk management. Monitoring, reviewing, and reporting on these risks and controls gives confidence that the organization can meet its goals, given its context and the risks it faces. If this isn’t possible, the organization can decide to put more effort into managing the risks or, if that’s not practical, adjust its goals. The Orange Book (HM Treasury, 2020, page 20) explains risk treatment as choosing the best option by weighing the benefits of achieving goals against the costs, effort, or downsides of putting those options in place. It says the reasons for designing risk treatments and using internal controls go beyond just financial factors and should consider the organization’s duties, promises, and stakeholder opinions. But this focuses more on the “why” and “what” rather than the “how.” ISO 31000:2018 says the goal of risk treatment is “to select and apply options for dealing with risk.” The Orange Book builds on this ISO guidance but gives less detail.

Looking at the COSO ERM (2004), the “risk treatment” step fits into two stages:

  • Risk Response: Management picks responses like avoiding, accepting, reducing, or sharing risk, and creates actions to match risks with the organization’s risk tolerance and appetite.
  • Control Activities: Policies and procedures are set up and used to make sure the risk responses are carried out properly.

Lastly, the COSO ERM (2017) model talks about “Implementing Risk Responses.”

After understanding our working context and objectives, identifying and analyzing risks to see their impact on those objectives, and evaluating if more action is needed to make the risks acceptable, the next step is to manage, respond to, treat, or control those risks. Organizations use some kind of risk prioritization—like likelihood versus impact, action versus impact, or another method—to decide which risks to tackle first. Keep in mind that while organizations want to remove all major threats and seize all big opportunities, this might not be practical or cost-effective. Also, mistakes in the risk analysis process can lead to overly negative or positive risk ratings, causing us to focus on less important risks. We’ll explore this more in Unit 5 on risk culture. For the risk management process to work well, we need to include a feedback loop, like this:

  • We treat a risk by comparing its current rating to the target rating (usually our risk appetite). If the current rating is above the risk appetite, we take action to manage it.
  • After treatment, we re-analyze the current risk. If it still exceeds the risk appetite, we treat it again to bring it closer to the target.
  • We re-analyze the risk again. We stop adding new actions only when the current rating matches the target rating. If we can’t reach the target rating in a practical or affordable way, we might need to rethink our objectives and restart the whole risk management process.

This feedback loop should be ongoing because the context, risks, controls, and risk appetite are always changing. This feedback step is part of the monitoring and review stage in the full ISO 31000 risk management process. In the simple four-step process, the final arrow highlights this feedback loop, as shown in the four easy steps.

Considering the situation we’re in, the risks we face (whether opportunities or threats), and how well they’re managed (or can be managed), can we still achieve the goals we set earlier?

If the answer is “yes,” the system is balanced, and no changes are needed.
If the answer is “no,” there are two choices: a) Put in more effort and resources to manage the risks better (like adding more controls). Or, if that’s not possible or not wanted, b) Adjust the goals (if we can), because the current ones are either too hard or too easy to achieve for the best balance.

During the Covid-19 pandemic, many controls were developed to try to prevent people from contracting the disease and to limit its spread. These controls were mainly of two types:

  • Data collection – for example, lateral flow test results, hospital admission data.
  • Guidance – for example, advice on self-isolation, training for vaccination staff.

However, if no use had been made of the data collected, or no one had followed the guidance given, then the controls highlighted would not have changed the risk of the spread of Covid-19.

4.1 Risk Control

ISO 31000:2018 defines a control as a “measure that maintains and/or modifies risk,” with two additional notes:

  • Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain and/or modify risk.
  • Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.

The accompanying flowchart highlights the distinction between genuine controls and mere data collection or guidance, helping organizations assess the true effectiveness of their controls. Risk checks (sometimes referred to as tests, verification, or reviews) should confirm that an active control is performing as expected and designed. This process provides insight into how well the control is working and whether it has successfully modified the risk as intended. Thus, controls are intended to manage and adjust risk—either by addressing its root causes to alter the probability of it happening or by mitigating its effects to reduce the impact if it does occur. However, in practice, many controls assigned to risks are merely data-gathering efforts or advisory measures. While both data collection and guidance play a role in actively managing risks, they must be applied effectively to actually alter the risk. A simple online search can uncover numerous cases where individuals, teams, or organizations failed to act on available data or adhere to the guidance provided.

ISO 31000 emphasizes that choosing the best strategies for managing risks involves conducting a cost-benefit analysis to ensure a well-rounded approach. Risk management should not come at an excessive cost. The standard highlights that multiple strategies can be employed simultaneously, potentially incorporating one or more of the following methods:

  • Steering clear of the risk by opting not to initiate or persist with the activity causing it.
  • Accepting or amplifying the risk to seize a potential opportunity.
  • Eliminating the source of the risk.
  • Adjusting the probability of occurrence.
  • Modifying the potential impact.
  • Distributing the risk (e.g., via contracts or insurance).
  • Retaining the risk through a deliberate, informed choice.

Certain methods are better suited to threats—such as risk avoidance—while others align more with opportunities, like embracing or heightening the risk. The central idea is that all these approaches should actively alter the risk, whether it represents a threat, an opportunity, or a combination of both.

The 4Ts

Different strategies are applied to threats and opportunities. For threats, response approaches are often grouped into the “4 Ts”:

  • Terminate: To eliminate a risk, an organization might need to stop the activity linked to it. Termination is typically a last resort, chosen reluctantly when the remaining risk severity is deemed too high after exploring other cost-effective options (like transfer or treat).
  • Transfer: This involves shifting risk exposure to a third party, such as an insurer, thereby allowing an organization to mitigate potential losses associated with various liabilities and uncertainties. However, fully offloading a risk is rare, which is why “risk sharing” is a more accurate term that reflects the collaborative nature of managing risks. Examples include joint ventures, outsourcing arrangements, and innovative risk financing strategies, topics covered in later modules that delve deeper into effective risk management practices.
  • Treat: Here, an organization keeps the risk internally and takes steps to adjust its severity, likelihood, or impact. Treating risks is the most widely used response strategy.
  • Tolerate: An organization may accept a risk if its perceived severity falls below the risk appetite. Low-severity risks are commonly tolerated, though some high-severity risks might also be accepted—such as when risks are unrecognized or their severity is underestimated. Tolerating high-severity risks leaves an organization particularly exposed, and some argue it’s the unrecognized, quietly tolerated risks that pose the greatest threat to an organization’s survival.

For opportunities, some organizations adopt a “take” strategy, akin to tolerate but more proactive, involving deliberate engagement with a risk to pursue a reward. In certain cases, terminating even the most severe threats isn’t feasible—especially in public services, where obligations persist despite high risks, or when abandoning an activity could trigger reputational damage seen as a greater risk. When termination isn’t an option, organizations may have no choice but to tolerate risks that exceed their risk appetite. The 4 Ts are often mapped to a risk matrix, but this method can be seen as overly simplistic and is best viewed as an initial step before exploring more tailored solutions. It struggles particularly at the boundaries of high and low risk levels, especially near the matrix’s center, where distinctions blur. Moreover, the idea of transferring risks with low likelihood but high impact—such as through insurance—may work for financial risks, but transferring management to a third party doesn’t always shield an organization from the fallout if that party underperforms. Increasingly, the 4 Ts are considered outdated as a framework for crafting risk response strategies.

The 5Es

For opportunities, a framework of 5 Es is used to categorize response strategies. Unlike the likelihood-versus-impact matrix used for threats, these strategies align with a simplified business lifecycle:

  • In start-up operations, opportunities are Explored to evaluate whether the risk is worth taking.
  • During the growth phase, the operation Expands the opportunity—perhaps by securing investment or boosting sales—keeping the risk level steady while increasing the potential reward.
  • The operation might then choose to Exit the opportunity, either by profitably selling it off (“cashing out”)—maintaining the same risk but reaping a substantial reward—or by abandoning it entirely if the investment exceeds the risk appetite.
  • In a mature operation, the opportunity is Exploited further, such as through investors or acquisitions, reducing the risk while the reward remains constant.
  • For operations in decline, opportunities merely Exist due to a failure to adapt to market changes, resulting in both low risk and low reward, with dwindling sales in a contracting market.

Similar to the 4 Ts for threats, this model offers a fairly basic perspective on handling opportunities, as not all organizations or opportunities follow this sequence or trajectory. You may notice that your organization has distinct procedures for managing risks in project activities versus operational ones, with project processes often emphasizing hazards over opportunities. In contrast, strategic risk management is typically a separate, possibly less formal process, driven by the board of directors. To address this effectively, consider examining whether your organization has specific procedures in place for managing risks at the strategic level.

Preventive, Corrective, Directive and Detective Controls

According to ISO 31000, controls can be implemented to adjust either the probability of a risk occurring or the extent of its impact if it does occur, applicable to both threats and opportunities.

When addressing threats, loss control is a treatment approach divided into three components:

  • Loss Prevention: Controls aimed at stopping a risk from happening by tackling its causes.
  • Damage Limitation: Controls that minimize the impact of a risk immediately after it occurs, focusing on consequence management.
  • Cost Containment: Controls that lessen the long-term effects of a risk, such as through business continuity planning.

A related framework, known as control theory, offers an alternative way to classify responses to threats, organizing them into a hierarchy: preventive, corrective, directive, and detective (abbreviated as “PCDD”). This model suggests when each type of control might be suitable. Though PCDD was featured in the 2004 version of the Orange Book, it’s no longer mandated in the updated version and isn’t widely applied in enterprise risk management. Here’s a brief summary:

  • Preventive Controls: Hopkin and Thompson argue these are the most critical, but they may not always be cost-effective, particularly for low-probability risks. For risks beyond our control—like certain external factors—prevention might be unfeasible, leaving only the other three options viable. Thus, a cost-benefit analysis is essential for preventive controls, which work before a risk materializes.
  • Corrective Controls: These step in when preventive measures aren’t practical, desirable, or cost-effective, though they can also serve as a backup if preventive controls fail. Their value, adequacy, and effectiveness must be evaluated. Corrective controls are prepared in advance but activate after a risk occurs.
  • Directive Controls: A common approach, these involve issuing instructions to individuals or parties on how to act in specific situations. Their reliability hinges on human behavior, making them less dependable. As noted earlier, directive controls alone don’t qualify as true controls. Contracts, for instance, are directive, as they outline expected actions in defined scenarios.
  • Detective Controls: These identify when a risk has occurred, such as a fire alarm or an audit revealing a project veering off course six months in.

PCDD aligns with the 4 Ts framework, where it’s categorized as a method to treat risks. However, neither the 4 Ts nor PCDD is recommended by standards or industry best practices for direct integration into the risk matrix.

A simplified version of PCDD can be outlined as follows:

  • Preventive Control: An internal mechanism designed to avert unwanted incidents, mistakes, or other events that a company identifies as potentially harmful to a process or final outcome.
  • Corrective Control: A measure intended to address and fix errors, oversights, or unauthorized actions and breaches after they’ve been identified.

This simplified model also notes that preventive and directive controls take effect before an event occurs (pre-event manifestation), while corrective and detective controls activate afterward (post-event manifestation). This approach aligns with ISO 31000, which distinguishes between controls that address causes to alter the likelihood of a risk and those that manage consequences to adjust the impact on objectives. These strategies can be further grouped as proactive (pre-event, requiring action to establish controls before a risk emerges) or reactive (post-event, activating after a risk occurs). This proactive-reactive split is reflected in tools like the risk bow-tie.

Additionally, some control theorists introduce the concept of anticipatory controls. These are forward-thinking, akin to directive controls but with a longer-term, strategic focus. Set in place ahead of potential future scenarios, anticipatory controls aim to equip an organization to adapt effectively and promptly if those scenarios unfold. They’re particularly useful for risks with a distant time horizon (long risk proximity). The key distinction between anticipatory and directive controls lies in their scope: directive controls respond to the organization’s current internal and external context, while anticipatory controls look ahead, preparing the organization for anticipated shifts in those environments.

For example, consider the controls that might apply to fraud risk:

  • Proactive controls could include suitable vetting of candidates’ backgrounds at job interview stages, or a range of penalties that could be invoked on any members of staff who are found to be defrauding the company, thus reducing the incentive to be fraudulent.
  • Reactive controls could include a review of new suppliers set up by staff on the organization’s accounting system, to try to detect any false or ghost suppliers to which money could be channeled.

Other examples are confidential whistleblowing arrangements and fraud hotlines; media-handling activities designed to mitigate any damage to reputation; and bringing in the police to take charge of the fraudsters, removing the cause of the fraud from the business.

Many businesses will find it much easier to estimate the cost of risk management than the benefits that come from managing risks. The costs are here and now. We can estimate much of them from the amounts we spend on staff who spend time managing risks, administering the ERM (Enterprise Risk Management) framework and providing assurance, and from the payments for running controls or paying for insurance. So, while the total cost of risk might not be too difficult to calculate, the cost of managing individual risks will be much harder to compute, because those total costs would need to be allocated to the management of individual risks. (Think, for example, how you would allocate your time to all the individual risks that the organisation faces.) The benefits of risk management are more elusive than the costs because risks are future events: they may never actually occur (in which case the value of the control is zero). Moreover, it may be impossible to calculate how much any individual control helped to reduce the likelihood or impact of a risk, since you never know what would have happened if the risk had occurred and you had no controls in place. Nor can you isolate the individual contribution of one control if one risk is managed by several controls. Whether or not the risks occur, the sense of assurance that people feel that things are under control is very valuable, but it is also extremely hard to calculate. It is therefore most likely that the weighing of the risk cost-benefit scales is an intuitive one, like so much in risk management.

Role of insurance and business continuity

When a threat becomes reality, it carries a cost for the organization, but there’s also a cost tied to addressing or mitigating that risk. Even the process of identifying, analyzing, and assessing the risk (risk assessment) comes with expenses. The lower an organization’s risk appetite, the more risk-averse it becomes, leading to a lower acceptable target risk—and, consequently, higher costs for risk responses. However, this increased cost is balanced by a reduced exposure (or expected loss) from the risk itself. Likewise, when pursuing an opportunity, there’s a cost to investing in or managing it. The higher the target risk, the more expensive the response becomes. For threats, at the inherent risk level—before any controls are applied—the organization’s total risk exposure is extremely high, while the cost of response is zero. As controls are implemented, the expected risk exposure decreases (often rapidly at first, as efforts target the most severe risks), but the cost of these responses rises. Eventually, the cost of additional responses reaches a point where further investment becomes impractical: the added expense of controls no longer justifies the reduction in threat exposure or the potential gain from an opportunity. This reflects the concept of diminishing returns in threat response investments—a persuasive idea due to its logical foundation and the need for judgment in deciding when to stop spending on responses and accept some level of risk exposure. This cost-benefit analysis is key to evaluating control effectiveness. As highlighted earlier, the goal isn’t to manage all risks regardless of cost, nor to control all costs regardless of risk.
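To make the treatment feedback loop from earlier in this chapter (treat, re-analyse, repeat until the current rating meets the target, otherwise revisit objectives) and the diminishing-returns cost-benefit argument above concrete, here is an added Python example, not code from the original text; it uses an assumed likelihood × impact rating, constructed fraud-risk controls modelled on the page’s proactive/reactive fraud examples, and assumed scores and costs.

```python
"""Risk treatment feedback loop with a cost-benefit stopping rule.

Added example; not code from the original text or from any standard it cites.
Ratings use an assumed likelihood x impact score (each 1-5). Following the
ISO 31000 distinction quoted on this page, a proactive control lowers likelihood
(cause side) and a reactive control lowers impact (consequence side). The fraud
risk and its controls are constructed from the page's fraud examples; their
scores and costs are assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (minor) .. 5 (severe)

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    kind: str        # "proactive" (modifies likelihood) or "reactive" (modifies impact)
    reduction: int   # points removed from the dimension the control acts on
    cost: float      # constructed cost units; must be > 0

    def __post_init__(self) -> None:
        if self.kind not in ("proactive", "reactive") or self.cost <= 0:
            raise ValueError(f"{self.name}: invalid control definition")


@dataclass
class TreatmentResult:
    final: Risk
    applied: List[str]
    cost: float
    target_met: bool
    recommendation: str


def apply_control(risk: Risk, control: Control) -> Risk:
    """Re-analyse the risk with one more control in place (scores floor at 1)."""
    if control.kind == "proactive":
        return replace(risk, likelihood=max(1, risk.likelihood - control.reduction))
    return replace(risk, impact=max(1, risk.impact - control.reduction))


def treat(risk: Risk, candidates: Sequence[Control], target_rating: int,
          budget: float) -> TreatmentResult:
    """Treat, re-analyse, repeat until the current rating meets the target
    (the appetite), the budget is exhausted, or no control still reduces it."""
    current, applied, spent = risk, [], 0.0
    remaining = list(candidates)
    while current.rating > target_rating:
        affordable = [c for c in remaining if spent + c.cost <= budget]
        if not affordable:
            break
        # Diminishing returns: always take the remaining control with the best
        # rating reduction per unit cost, given the controls already in place.
        best = max(affordable,
                   key=lambda c: (current.rating - apply_control(current, c).rating) / c.cost)
        treated = apply_control(current, best)
        if treated.rating >= current.rating:
            break  # nothing affordable still modifies the risk
        current, spent = treated, spent + best.cost
        applied.append(best.name)
        remaining.remove(best)
    met = current.rating <= target_rating
    advice = ("within appetite: monitor and review" if met else
              "target not reachable within budget: add resources or revisit objectives")
    return TreatmentResult(current, applied, spent, met, advice)


# Constructed fraud-risk scenario based on the page's proactive/reactive examples.
FRAUD_RISK = Risk("internal fraud via ghost suppliers", likelihood=4, impact=4)
FRAUD_CONTROLS = [
    Control("pre-employment vetting", "proactive", reduction=1, cost=20.0),
    Control("disciplinary penalties policy", "proactive", reduction=1, cost=5.0),
    Control("new-supplier review", "reactive", reduction=2, cost=15.0),
    Control("whistleblowing hotline", "reactive", reduction=1, cost=10.0),
]


if __name__ == "__main__":
    for budget in (40.0, 10.0):
        r = treat(FRAUD_RISK, FRAUD_CONTROLS, target_rating=6, budget=budget)
        print(f"budget {budget:>5}: rating {FRAUD_RISK.rating} -> {r.final.rating}, "
              f"spent {r.cost}, controls {r.applied}; {r.recommendation}")
```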

4.2 Control Effectiveness

When a threat becomes reality, it incurs a cost to the organization, but addressing or mitigating the risk also comes with expenses. Conducting risk assessments—identifying, analyzing, and evaluating risks—carries its own costs. The less risk an organization is willing to accept (lower risk appetite), the more cautious it becomes, leading to a lower acceptable risk threshold. Consequently, the cost of managing the risk rises. However, this increased cost is balanced by a reduced likelihood of loss from the risk itself. Similarly, pursuing opportunities involves costs to seize or manage them, and as the desired risk level increases, so does the expense of the response. For threats, an organization’s total risk exposure starts extremely high at its inherent level, with no initial cost for response. As resources are allocated to controls, the expected risk exposure decreases—often rapidly at first, as efforts target the most critical risks—while the cost of implementing these measures rises. Eventually, the expense of additional responses reaches a point where further investment becomes impractical, as the added cost outweighs the benefits of reducing risk exposure for threats or enhancing it for opportunities. The idea of diminishing returns from threat management is persuasive due to its straightforward reasoning. It suggests that a judgment call is necessary to determine when to stop pouring resources into risk responses and accept some level of risk. This cost-benefit evaluation is key to assessing control effectiveness. As highlighted earlier, the goal isn’t to eliminate all risks regardless of cost, nor to minimize costs at the expense of all risks. Control effectiveness shouldn’t be judged solely on financial metrics. Many organizations take a broader view, with The Open University emphasizing that controls should first be well-designed. 
Beyond that, factors like the ease of designing, implementing, and sustaining controls matter—harder-to-manage controls tend to be less effective. A comprehensive checklist for control effectiveness should evaluate the design, implementation, and upkeep of controls, their impact on the probability and consequences of risks (both threats and opportunities), and the associated costs.
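To make the diminishing-returns argument concrete, here is an added worked example in Python; it is not from the page or from any named source. It assumes a deliberately simple model: each candidate control has an annual cost and removes a fixed amount of annual expected loss (likelihood times impact), and the reductions of different controls add up. The control names and figures are constructed for a ransomware scenario and are not real data. Selecting controls in order of exposure removed per unit of cost and stopping when the next control would cost more than the exposure it removes is the "stop spending and accept some risk" judgement the text describes; passing a lower target exposure (a lower risk appetite) pushes the selection further down the list and the spend up.

```python
"""Control selection under diminishing returns (added example, constructed data).

Assumed model (not from the page): every candidate control has an annual cost
and reduces the annual expected loss ("exposure") by a fixed amount, and the
reductions of different controls simply add up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # cost to design, implement and sustain, per year
    exposure_reduction: float   # annual expected loss removed if applied


def select_controls(inherent_exposure: float, controls: list[Control],
                    target_exposure: Optional[float] = None):
    """Greedy selection in order of exposure removed per unit of cost.

    Stops when the next control would cost more than the exposure it removes
    (the point of diminishing returns) or, if a target is given, as soon as
    the residual exposure is at or below it.
    Returns (chosen control names, residual exposure, response spend).
    """
    ranked = sorted(controls,
                    key=lambda c: c.exposure_reduction / c.annual_cost,
                    reverse=True)
    chosen, residual, spend = [], inherent_exposure, 0.0
    for c in ranked:
        if target_exposure is not None and residual <= target_exposure:
            break
        gain = min(c.exposure_reduction, residual)   # exposure cannot go below zero
        if gain < c.annual_cost:
            break   # ranked descending, so every later control is worse still
        chosen.append(c.name)
        residual -= gain
        spend += c.annual_cost
    return chosen, residual, spend


def response_curve(inherent_exposure: float, controls: list[Control]):
    """(cumulative spend, residual exposure, total) after each control in
    ratio order, where total = spend + residual is the total cost of risk.
    The first point is the inherent position: zero spend, full exposure."""
    ranked = sorted(controls,
                    key=lambda c: c.exposure_reduction / c.annual_cost,
                    reverse=True)
    points = [(0.0, inherent_exposure, inherent_exposure)]
    spend, residual = 0.0, inherent_exposure
    for c in ranked:
        spend += c.annual_cost
        residual = max(0.0, residual - c.exposure_reduction)
        points.append((spend, residual, spend + residual))
    return points


# Constructed figures for a ransomware scenario (illustrative only, not real data)
INHERENT = 500_000.0
CANDIDATES = [
    Control("mfa", 20_000, 200_000),
    Control("edr", 60_000, 120_000),
    Control("offline_backups", 30_000, 90_000),
    Control("awareness_training", 15_000, 25_000),
    Control("24x7_soc", 250_000, 40_000),
]

if __name__ == "__main__":
    for target in (None, 100_000):
        chosen, residual, spend = select_controls(INHERENT, CANDIDATES, target)
        print(f"target={target}: {chosen} residual={residual:,.0f} spend={spend:,.0f}")
    for spend, residual, total in response_curve(INHERENT, CANDIDATES):
        print(f"spend {spend:>9,.0f}  residual {residual:>9,.0f}  total {total:>9,.0f}")
```

Running the script prints, after each control in ratio order, the cumulative spend, the residual exposure and their sum; the sum bottoms out at exactly the point where the greedy selection stops, which is the "impractical to spend more" point in the text. With the constructed figures the 24x7 SOC is never selected: it removes far less exposure than it costs, even though a risk matrix might still rate the residual risk as amber. The model ignores controls that overlap or that only change likelihood rather than impact, which a real assessment would separate.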

Hierarchy of controls

From a health and safety standpoint, there exists a structured hierarchy of controls, in which personal protective equipment (PPE) should only be used as a final measure to safeguard against risks. The UK Health and Safety Executive (HSE) identifies elimination (either by terminating or preventing the risk) as the most effective strategy, followed by four other control methods ranked in descending order of effectiveness. These are:

  • Elimination – completely removing the hazard.
  • Substitution – swapping the hazard for something less dangerous.
  • Engineering controls – separating individuals from the hazard.
  • Administrative controls – modifying how people perform their tasks.
  • PPE – equipping workers with protective gear.

The top three controls—elimination, substitution, and engineering—do not depend on human interaction with the hazard, making them more reliable at preventing risks from materializing.

The Swiss cheese model of control effectiveness

Another angle on evaluating control effectiveness in health and safety is the Swiss Cheese Model, developed by James Reason in 1991. Originally designed to analyze accidents, this model can also assess the strength of any set of controls. It has its strengths and limitations, but at its core, it views all controls as having flaws (or “holes”) and emphasizes the need for multiple layers of controls to manage a risk effectively, in case one or more fail. Take the risk of contracting Covid-19 as an illustration: the Swiss Cheese Model highlights various controls to lower the chances of infection and others to limit its impact and spread. Vaccines, for instance, serve as both proactive and reactive measures, offering protection before and after exposure. The model also encourages organizations to explore alternative controls. For example, while most organizations maintain strong cybersecurity measures, some go further by hiring ethical hackers to probe for vulnerabilities. Similarly, in securing physical assets, certain organizations enlist former thieves to test the robustness of their security systems.

Verification of real controls

As mentioned earlier, genuine controls are those that actively manage and alter risks. On their own, data collection and guidance don’t qualify as real controls—only when that data informs decisions and the guidance is put into action do they influence risks. Yet, in many organizations, efforts to verify or assess control effectiveness are often limited to reviewing the quantity and nature of collected data, along with existing procedures, manuals, and training programs. These checks are straightforward to perform, but an excessive focus on testing the wrong or incomplete controls has historically contributed to numerous incidents. The tougher task is confirming whether controls are being applied effectively, not just whether they exist. Revisiting the Covid-19 example, deeper questions are needed to evaluate the true impact of a control. For instance, in 2021, the UK provided free lateral flow tests to all. To gauge this control’s effectiveness, one might ask:

  • Are enough tests available?
  • Is requesting tests a simple process?
  • Are tests delivered promptly?
  • Are results reported to the UK government?
  • Are individuals with positive results contacted by phone?
  • Are physical inspections conducted at the locations of those testing positive?

If any of these elements fall short, additional effort is needed to address the gaps and ensure the control works as intended. It’s worth noting that a control might perform perfectly if a risk unfolds as anticipated, but if the risk emerges in an unexpected way, the control’s effectiveness could be uncertain—or it might fail entirely, potentially even worsening the situation. Experts on unintended consequences suggest that all risk responses generate side effects for organizations, much like medications do for patients. A measure designed to reduce exposure to one risk might inadvertently heighten exposure to another. The severity (or benefit) of these side effects isn’t always immediately clear. This discussion ties into risk assurance and the role of internal audit, which independently evaluates the efficiency and effectiveness of controls. This is a critical field, and it’s important to grasp how internal audit activities contribute to successful risk management.

4.3 Monitoring Risks

ISO 31000 (2018) integrates the concepts of monitoring and reviewing risks, explaining that their goal is to ensure and enhance the quality and efficiency of the design, execution, and results of risk management processes. The standard highlights that monitoring is a continuous activity, while reviews occur at set intervals. Although many authors and organizations use “monitoring” and “reviewing” as if they were the same, we will distinguish between them and examine them individually. Monitoring involves continuously observing the state of risks, controls, causes, effects, and any shifts in these elements, as well as changes in the surrounding context and goals. Reviewing, on the other hand, entails evaluating the success of existing controls and the overall risk management process, typically conducted less frequently. Consistently monitoring risks enables us to adapt to updates in the condition of risks, controls, causes, consequences, context, and objectives. To detect changes in our risks, we might ask:

  • What is currently happening in our internal and external environments?
  • What changes do we anticipate?
  • What recent events offer lessons for us?

Answers to these questions can be gathered from various sources.

Three fundamental approaches to risk monitoring include employing key risk indicators, key control indicators, and tracking the overall risk status.

A) Key Risk Indicator

Risk managers continually strive to validate the resources allocated to risk management by emphasizing how it enhances organizational performance. Typically, they aim to rely on concrete, quantifiable metrics, such as financial outcomes or other measurable results. However, assigning a monetary value to the benefits of risk management can be challenging, especially when it involves assessing the worth of preventing a risk event. Various methods exist to evaluate improvements in business performance, including key performance indicators (KPIs)—like retail sales growth or passenger increases in aviation—which have evolved into key risk indicators (KRIs). Risk reporting is a vital component of the risk management process, and organizations tailor their KRIs to meet their specific requirements within this framework. Beyond customized KRIs, there are also universal risk indicators that can be adapted to suit any organization’s needs.

Examples of generic and industry specific KRIs

Staff turnover can serve as an example for multiple types of risks. For instance:

  • Threat: We may struggle to hire and retain enough qualified staff in area A. If staff turnover hits a critical threshold in any of the example organizations, it could signal an increased likelihood of this threat materializing.
  • Opportunity: We could attract new employees who introduce fresh, innovative coding ideas. However, if staff turnover stalls, it might indicate a reduced chance of seizing this opportunity.

The key point is that the risk control measures in place must prove effective in keeping the risk profile aligned with the board’s expectations, and these controls should be rigorously evaluated for their performance. The perceived benefit lies in ensuring safe, compliant, lawful, and competitive operations that drive organizational success—however that success is measured—while far outweighing the costs of implementing risk management practices.

B) Key control indicators

While key risk indicators (KRIs) track shifts in risk levels, key control indicators (KCIs) assess the performance of controls and how they evolve over time. This connects to earlier discussions about control effectiveness, where controls are established and evaluated to either maintain risks at their current state or play a role in altering their magnitude. Examples of key control indicators might include tracking:
  • The number of unauthorized trades.
  • The proportion of staff under supervision.
  • The frequency of disaster recovery plan testing.

Key control indicators can complement compliance and internal audit assurance processes, offering a potentially quicker alert that risks might be shifting due to controls becoming more—or more often, less—effective.

C) Leading and lagging indicators

KPIs, KRIs, and KCIs are all performance metrics, each serving a slightly distinct role. Some indicators reflect past performance, while others signal what might happen in the future. Leading indicators, which focus on future trends, offer early alerts about potential shifts—examples include metrics like customer engagement or brand reputation. Lagging indicators, by contrast, analyze historical data and measure results, such as financial outcomes like profit and loss, recurring audit findings, or findings concentrated in a specific organizational area. Typically, KRIs lean toward being leading indicators, while KCIs are more lagging in nature. Nonetheless, both types play a valuable role in identifying changes in risk levels.
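As an added example (not from the page or any named source), the following Python module evaluates a handful of KRIs and KCIs of the kinds listed in the preceding sections (staff turnover, unauthorised trades, time since the last disaster recovery test, proportion of staff supervised) against red/amber thresholds, and applies a simple trend test so that an amber indicator moving towards its red limit raises an early warning, which is the leading-indicator behaviour described above. The monthly series, the threshold values, the 5% deadband on the trend test, and the alerting rule are all constructed assumptions for illustration.

```python
"""KRI/KCI monitoring over a short time series (added example, constructed data).

Assumed conventions (not from the page): each indicator has amber and red
thresholds and a direction ("upper" = trouble as the value rises, "lower" =
trouble as it falls); trend compares the latest value with the mean of the
preceding window using a 5% deadband; an alert is raised on RED, or on AMBER
when the trend is heading towards the red limit.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Indicator:
    name: str
    kind: str        # "KRI" (tracks the risk) or "KCI" (tracks the control)
    direction: str   # "upper" or "lower"
    amber: float
    red: float


def rag_status(ind: Indicator, value: float) -> str:
    """Red/amber/green rating of one observation against the thresholds."""
    if ind.direction == "upper":
        return "RED" if value >= ind.red else "AMBER" if value >= ind.amber else "GREEN"
    if ind.direction == "lower":
        return "RED" if value <= ind.red else "AMBER" if value <= ind.amber else "GREEN"
    raise ValueError(f"unknown direction {ind.direction!r}")


def trend(series: list[float], window: int = 3, band: float = 0.05) -> str:
    """'rising', 'falling' or 'flat': the last value against the mean of the
    preceding `window` values, ignoring moves inside a relative deadband."""
    if len(series) < window + 1:
        return "flat"   # not enough history to call a direction
    prior = mean(series[-window - 1:-1])
    tolerance = max(abs(prior) * band, 1e-9)   # keep a non-zero band when prior == 0
    last = series[-1]
    if last > prior + tolerance:
        return "rising"
    if last < prior - tolerance:
        return "falling"
    return "flat"


def evaluate(indicators: list[Indicator], series: dict[str, list[float]]) -> dict:
    """Status, trend and alert flag for every indicator, keyed by name."""
    report = {}
    for ind in indicators:
        values = series[ind.name]
        status = rag_status(ind, values[-1])
        direction = trend(values)
        towards_red = direction == ("rising" if ind.direction == "upper" else "falling")
        report[ind.name] = {
            "kind": ind.kind,
            "value": values[-1],
            "status": status,
            "trend": direction,
            "alert": status == "RED" or (status == "AMBER" and towards_red),
        }
    return report


def alerts(report: dict) -> list[str]:
    """Names of the indicators that need attention, in evaluation order."""
    return [name for name, row in report.items() if row["alert"]]


# Constructed indicators and six months of constructed observations
INDICATORS = [
    Indicator("staff_turnover_pct", "KRI", "upper", amber=10, red=15),
    Indicator("unauthorised_trades", "KCI", "upper", amber=1, red=3),
    Indicator("months_since_dr_test", "KCI", "upper", amber=6, red=12),
    Indicator("supervised_staff_pct", "KCI", "lower", amber=90, red=80),
]
SAMPLE = {
    "staff_turnover_pct": [6, 7, 8, 9, 11, 12],     # amber and climbing: early warning
    "unauthorised_trades": [0, 0, 1, 0, 0, 4],      # breached the red limit outright
    "months_since_dr_test": [1, 2, 3, 4, 5, 0],     # counter reset: a test was run
    "supervised_staff_pct": [97, 96, 95, 92, 88, 85],  # amber and falling away
}

if __name__ == "__main__":
    result = evaluate(INDICATORS, SAMPLE)
    for name, row in result.items():
        flag = "ALERT" if row["alert"] else "ok"
        print(f"{name:<22} {row['kind']} value={row['value']:<4} "
              f"{row['status']:<5} {row['trend']:<8} {flag}")
```

Two points the table in the text does not show: the disaster recovery counter is green only because it was reset by an actual test, so the KCI measures that the control was exercised rather than merely documented; and the turnover KRI alerts while still amber, which is what makes it a leading rather than a lagging signal.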

D) Different datasets

When tracking risks, it’s ideal to leverage all available datasets to detect shifts in risks, controls, context, objectives, and more. These datasets can be organized into four quadrants based on two axes: internal versus external data and human versus machine-generated information, as outlined in Risk Datasets. Most organizations rely on a limited pool of data, primarily from the top-left quadrant—internal, human-sourced information. Some expand to include external data from the top-right quadrant. However, as technology matures, data mining advances, and information needs evolve, more organizations are tapping into diverse, complex, and voluminous sources like the Internet of Things (IoT) or Big Data. IBM describes the Internet of Things as the practice of linking any device to the internet and other connected devices, facilitating the collection and exchange of data about device usage and their surrounding environment. This is particularly helpful for organizations gathering internal data, though some also use it for external insights. Oracle defines Big Data as information characterized by variety, growing volume, and higher velocity—commonly referred to as the 3 Vs. This data is often so extensive that traditional processing methods fall short, yet it holds immense value for organizations equipped and motivated to harness it for risk understanding. Key steps to leverage Big Data include integrating internal information systems, providing technology to store and manage the data, and analyzing it effectively.

E) Risk Status

We’ve explored monitoring changes in risks, controls, context, and objectives, and there’s an additional method to keep attention on risks needing active oversight. This method involves analyzing the lifecycle or status of a risk. The risk status approach outlines the different phases a risk goes through, and by slightly adjusting key status levels, it helps prioritize risks appropriately across their lifecycle:

  • Draft: The risk is newly identified and requires evaluation to confirm its validity and relevance to the activity in question.
  • Active: The risk is confirmed as real and demands ongoing efforts to reduce it to an acceptable level. Active risks and their controls should be frequently monitored to verify control effectiveness and progress toward the target risk level.
  • Ongoing: The risk has been brought to an acceptable level but remains open and subject to potential shifts. These risks are reviewed less often, with KRIs and KCIs developed to detect subtle changes.
  • Closed/Managed: The risk is resolved through effective management, allowing lessons to be drawn for handling similar risks in the future.
  • Closed/Occurred: The risk has materialized and can now be closed, with lessons learned to improve future management of similar risks.

Additional risk status categories include:

  • Rejected: Risks identified as mere issues or problems rather than true risks.
  • Escalated: Risks that don’t impact the current activity’s objectives but affect other parts of the organization, requiring reassignment to the relevant team.
  • Deleted: Risks that can no longer occur due to shifts in context, scope, or objectives.
  • Expired: Risks that are no longer relevant because their time frame has passed.

4.4 Reviewing Risk Management

Reviewing involves evaluating the effectiveness of controls implemented to manage risks and assessing the risk management process itself, typically conducted less frequently than monitoring. Unlike monitoring, a review is a structured, formal evaluation of risks and risk management practices, aimed at prompting changes when deemed necessary.

The purpose of reviewing risks and their controls is to ensure that risks are being managed successfully. Reviews are backward-looking, asking, “How did we perform?” They are generally scheduled based on organizational level or the timeline of the activity involved. Key factors influencing the timing of risk reviews include:

  • Is this a planned review?
  • Has monitoring revealed any changes?
  • Have control enhancements been proposed?
  • Have incidents or near misses occurred?
  • Have internal or external reports or concerns been raised?

For instance, the UK Corporate Governance Code mandates that Boards review the effectiveness of a company’s risk management and internal control systems at least annually, encompassing all significant controls. Within this system, audits may assess controls across various business areas as part of annual audit planning. Many projects and operational tasks also require formal reviews aligned with project milestones or team updates.

While we’ve previously assessed whether controls are well-designed, risk reviews focus on whether those controls are being applied effectively. The verification of actual controls emphasizes their execution, not merely data collection or guidance provision.

Risk reviews complement data from key control indicators (KCIs) and are often guided by them. Many organizations, particularly in financial services, conduct “self-reviews” of controls and key risks using structured methods like Risk Control Self-Assessment. Others rely on internal risk experts to evaluate risks and controls, while most engage internal audit for an independent assessment of control effectiveness. Some organizations combine all three approaches. The UK Corporate Governance Code reiterates the need for an annual Board review of risk management and internal control systems, including the risk management process itself.

Principle 17 of the COSO:2017 ERM framework emphasizes the need for organizations to continuously improve enterprise risk management, while ISO 31000:2018 Principle (h) stresses ongoing enhancement through learning and experience.

Beyond being a requirement, regularly reviewing the risk management framework and process is a best practice adopted by many organizations, often on a three-year cycle. This timeline allows for the review, identification and agreement on improvements, their implementation, and sufficient time to observe their impact. Longer intervals might fail to keep pace with evolving risk management practices as organizations and professionals refine their approaches.

Such reviews are frequently conducted by external, independent experts, either in place of or alongside internal audit reviews. These assessments are typically benchmarked against:

  • Applicable regulations, such as those for health and safety, environmental protection, or financial stability.
  • Risk management standards and frameworks like ISO 31000:2018 and COSO:2017.
  • Industry or sector-specific best practices, informed by the expert’s expertise and experience.

The review process generally involves a desktop analysis of relevant risk management documents and interviews with key personnel across all organizational levels, using a tailored set of questions to evaluate the framework, process, and implementation. Surveys may also be employed, depending on the review’s scope. Outcomes typically include:

  • The purpose of the review.
  • Benchmarking standards relevant to the organization.
  • Interview and/or survey questions.
  • Key findings, including notable discussion points.
  • Opportunities or suggestions for improvement.
  • Primary recommendations.

Lessons learnt and near misses

Learning from both successes and setbacks is crucial. When we initially design and apply a control, its ability to mitigate a risk is uncertain, and the range of possible residual risk outcomes can be broad and hard to predict. By monitoring and reviewing these controls, we gain insight into their performance, allowing us to refine them for greater effectiveness and more consistent residual risk results. During a control review, we should address two core questions:

  • Is the chosen control truly the best option for managing this risk?
  • Is it working effectively in practice?

A third question could also be considered:

  • Does the control offer good value relative to its cost?

The primary goal of monitoring and reviewing is to foster learning and enhance our risk management efforts. However, just as developing and implementing responses incurs costs, so too does the process of monitoring, reviewing, learning, and improving them. With limited resources, we can’t continuously assess every control. This raises the question: Which controls are most critical to learn from? Key controls—sometimes called “critical” controls in certain industries—are those that address the organization’s most significant risks. If these fail, the consequences could be severe, making it essential to monitor, review, learn from, and improve them more often than less critical controls.

Learning through review shouldn’t be confined to controls alone. Most risk management standards suggest applying lessons across the entire risk management process and framework. Reviewing the full process offers several benefits, such as:

  • Ensuring responses are both effective and efficient, addressing any weaknesses or gaps in our control measures.
  • Recognizing and mitigating unintended consequences or adverse effects of our actions.
  • Enhancing knowledge to improve risk identification and analysis.
  • Strengthening the connection between risks and objectives, key dependencies, core processes, and stakeholder needs.
  • Anticipating shifts in internal or external contexts.
  • Identifying trends and changes in existing risks.
  • Preparing for new or emerging risks.
  • Highlighting effective risk management practices to share and replicate across the organization.

Our final point on learning focuses on reviewing actual events—risk incidents and near misses—that can occur in any organization. When a threat or opportunity materializes, resulting in a problem or a less favorable outcome than anticipated, the event itself offers valuable lessons. Likewise, when a risk is managed exceptionally well, those insights can serve as best-practice examples to share with less risk-mature parts of the organization. Near misses—situations where a risk nearly becomes reality but doesn’t cause significant harm (positive or negative)—also provide learning opportunities. Examples of negative near misses include:

  • A small fire extinguished before causing damage.
  • A minor fraud detected before financial loss.
  • An airplane forced to make an emergency landing.
  • A disaster impacting a competitor that could have easily affected us (e.g., lessons for oil and gas firms from BP’s 2010 Deepwater Horizon incident, or for individuals, organizations, and nations from the COVID-19 pandemic).

Reviewing near misses helps us understand:

  • What caused the event.
  • Whether it was previously identified as a potential risk.
  • Why it didn’t lead to a major impact.
  • Whether our assessments of its likelihood and impact were accurate.

In conclusion, risk incidents and near misses offer the richest opportunities for learning and refining our risk management framework. Given the wide array of risks and controls in any organization, there’s always room for continuous learning and improvement.

4.5 Communication and Consultation

ISO Guide 73:2009, the standard on vocabulary for risk management, defines communication and consultation as follows:

“Continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.2.1.1) regarding the management of risk (1.1)

Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.6.1.1), significance, evaluation, acceptability and treatment of the management of risk.

Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue.

Consultation is:

a process which impacts on a decision through influence rather than power; and an input to decision making, not joint decision making.”

As highlighted in its definition, communication is fundamental to risk management. Without timely and effective interaction with relevant stakeholders to collect the most accurate and current information on risks and controls, risk management efforts fall short. Risk management is a dynamic, ongoing process that demands active participation and commitment to safeguard, sustain, and generate value for an organization. Central to this process is communication, which facilitates the collection and dissemination of risk-related information across all organizational levels. ISO 31000:2018 emphasizes that communication and consultation must be coordinated to ensure a “factual, timely, relevant, accurate, and clear exchange of information,” while respecting confidentiality, data integrity, and individual privacy rights. We’ve explored stakeholder mapping, a visual method for identifying and categorizing stakeholders based on their interest in and influence over an organization and its activities. According to ISO Guide 73, consultation is a process that shapes decisions by incorporating stakeholder input. Through stakeholder mapping, organizations pinpoint which parties need close engagement, regular updates, satisfaction, or simple monitoring. This analysis directly informs communication plans, which outline the who, how, why, what, and when of engaging with target audiences. Every organization should maintain communication plans, adaptable to include risk management considerations. A 2021 Forbes article identifies five key elements of a successful strategic communication plan, including designating who is accountable for communication. Like stakeholder mapping, these plans must address both internal and external audiences. While communication plan formats may vary, they generally align with the core questions of who, how, why, what, and when.

Communication Plan
Type | Audience | Objective / Message | Media / Channel | Frequency | Timing | Owner / Responsibility | Feedback
Team meeting | Team members | Review of weekly plan | Face to face | Weekly | Mondays, 10:30 | Team Leader | Review of previous actions
Risk Committee | Risk Committee members | Status of principal risks, in preparation for the Risk Committee meeting | Report | Monthly | 2 weeks prior to Risk Committee meeting | Chief Risk Officer | Minutes of meeting; discussions with risk managers and relevant risk owners

Communication plans are often scarce within organizations, typically limited to external plans managed by the communications team or project-specific plans that mandate stakeholder analysis and communication strategies. An effective communication plan should address:

  1. What is the goal of the communication plan?
  2. Who is the intended audience, and what message resonates with them?
  3. What methods will be used to deliver the message?
  4. When is the best time for the communication—immediately or at a later point?
  5. Who will take ownership of executing the communication?

All teams, departments, and functions should create communication plans to ensure meaningful engagement with stakeholders or interested parties. These plans must incorporate appropriate communication and consultation regarding risk information. Instead of crafting entirely new plans, risk management should be integrated into existing communication processes.

Reporting feedback loops

We explored feedback loops, highlighting their role in integrating risk management into the regular rhythm of meetings and reporting, which forms a key element of the risk architecture. Feedback loops are vital to effective communication. Often, risk information is passed up through various management levels via risk reports, only to seemingly vanish without a trace. This lack of response undermines engagement in the risk management process, as sharing information with management becomes a one-way street without reciprocal feedback. In the absence of a feedback loop, the individual providing the information is left uncertain about whether it was received, comprehended, or acted upon. An illustration of effective feedback can be found earlier in the Table of Example Communication Plan. ISO 31000:2018 elaborates on communication and consultation, stating that communication aims to raise awareness and comprehension of risks, while consultation focuses on gathering feedback and insights to inform decision-making. Similarly, an employment website’s article, “Creating a Positive Feedback Loop in Your Business (with Examples),” suggests that a positive feedback loop can enhance processes, products, and services within an organization, while also positioning it to make more informed, strategic decisions.

Internal reporting

To evaluate the effectiveness of risk management within an organization, directors need regular, detailed insights into risks, controls, and the structure of the risk management framework. As mentioned previously, some regulations mandate an annual risk review by boards, but it’s typical for board meetings to include a recurring agenda item featuring a report from the head of risk management. Once risks are identified and their overall impact on the organization is evaluated—considering not just their risk ratings but also how risks and controls interrelate—decisions must be made about investing in measures to alter those risks. This requires the board or senior management to weigh the costs and benefits of establishing a control framework. While some risks undeniably require controls, there’s often flexibility in selecting them, and senior leaders bear the responsibility for these choices. To support this, the risk management function must provide comprehensive risk analysis reports, including control options, their costs, and their impact on processes (interventions). The risk management process enables an assessment of the risks faced, the capacity to manage them within the given context and objectives, and whether those objectives remain achievable. If objectives can’t be met, leaders may need to seek approval or resources to further mitigate risks or adjust goals. Risk reporting should enable these discussions.

To ensure risk reporting is thorough, the risk management function should establish a framework for consistently delivering risk information, developed through dialogue with senior managers and board members to determine their preferred data and presentation style. Many of these leaders bring insights from other organizations about what’s effective and visually appealing. This risk reporting framework should be woven into the organization’s broader risk management communication plan and, as noted earlier, integrated into the existing reporting rhythm and structure—part of the risk architecture within the risk management framework. Risk information is shared not only to aid decision-making—ranging from individual control adjustments to shifts in organizational strategy—but also to empower managers to challenge and decide appropriately. Yet, many organizations simply share risk registers with senior leaders or highlight the “top 10” risks using color-coded risk matrices. This can misdirect focus, either by overwhelming leaders with all risks or by overlooking risks with potentially massive impacts that aren’t flagged as “red” but remain uncontrolled.

Useful risk report content might include:

  • Confidence levels in achieving objectives.
  • Notable changes in risks, controls, context, or objectives.
  • Emerging or significant new risks, themes, or trends.
  • Progress on actions to reduce risks to acceptable levels.
  • Further actions required to manage risks.
  • Updates on control effectiveness.

This data is compiled into a report for senior managers and, ultimately, the board, allowing the risk management function to update leaders on the current risk landscape and seek approval for improvement measures. Beyond these regular updates, an annual comprehensive review of risk management is common, enabling the board to assess and approve its alignment with the organization’s risk strategy, appetite, and tolerances. Some organizations leverage IT platforms to streamline risk reporting, while others incorporate it into dedicated risk management information systems, if available. The risk register typically serves as the primary source for upward reporting, detailing all risks and control assessments. Additional risk insights often come from early warning tools tailored to the organization, such as key risk indicators (KRIs) and key control indicators (KCIs).

External reporting

Regulated entities like banks and insurance firms must provide their regulators with details about their risk management strategies, any violations of regulatory rules, and customer complaint information. Under the UK Companies Act 2006, nearly all companies must include their main risks and uncertainties in their annual reports and accounts, giving stakeholders insight into potential business risks, unless they qualify for an exemption. The Financial Reporting Council (FRC) expands on this in its ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting,’ expecting annual reports to disclose specifics such as:

  • The primary risks facing the company
  • Directors’ confidence in the company’s ability to continue operating and meet its obligations
  • The use of the going concern accounting principle
  • An evaluation of the risk management and internal control systems, including their key elements

The FRC emphasizes that such disclosures inform stakeholders about risks and risk management while promoting accountability and oversight by the board and shareholders. They advocate for reports to be clear, concise, tailored to the company, and overall fair, balanced, and comprehensible. Through its Financial Reporting Lab, the FRC also offers guidance on ‘Reporting on risks, uncertainties, opportunities, and scenarios,’ outlining what investors seek, including:

  • Governance and processes – how risks are dynamically identified, tracked, and managed by the board and leadership
  • Nature of risks – their context, significance, and how they are recognized and categorized
  • Management’s approach – concrete responses to risks, their interrelations within the organization, and their impact on viability and resilience
  • Scenarios and stress testing – emerging risks and their incorporation into risk management

Even organizations outside the FRC’s scope often adopt similar reporting practices. For instance, the UK Charities Commission mandates that audited charities include a risk management statement in their trustees’ annual report. Aligned with the Orange Book, the UK Government’s ‘Good Practice Guide – Risk Reporting:2021’ outlines risk reporting principles and details four report types: the principal risk report, the deep dive report, the risk radar, and the risk moderation report.

Severn Trent Water plc’s 2021 annual report highlights key risks the company faces. The directors have carefully assessed these risks, though the list is not complete or ranked by importance. The risks include threats to health and safety, unsafe drinking water, poor wastewater treatment, supply chain issues, cyber threats, stricter regulations, pension funding problems, financial liquidity risks, climate change challenges, and environmental impact. Additionally, emerging risks include rising energy costs, geopolitical tensions, supply chain disruptions, and changing customer expectations. The report provides more details and stresses the need for accurate and complete information.

4.6 The decision-making process

We have considered the simple four-step risk management process, noting that the last arrow is the most important one, as it ‘closes the loop’ and ensures that we use the process in decision-making. The central question of risk management is “Given the context in which we are working, and the risks (be they opportunities or threats) that are faced, and the extent to which they are managed, is it possible to achieve the objectives previously set?” As such, decisions made on the basis of the risks that affect, or can be affected by, that decision are an important output from the risk management process.

Effective decision-making follows a sequence of six steps:

  1. Classify the problem – is it new, unique or exceptional, or is it generic
  2. Define the problem – what is the situation
  3. Specify the answer to the problem – what are the boundaries
  4. Decide what is right, rather than what is acceptable, in order to meet the boundaries
  5. Build the decision into the action to carry it out – what is the action and who needs to know
  6. Test the validity and effectiveness of the decision – how was the decision implemented, and is it appropriate?

The decision-making process, as set out here, is threat-based – dealing with the problem. However, decision-making deals with situations that can have both good and bad outcomes. Risk management can be related to all steps in this process, guiding and informing each one. At the heart of this process is the need not only to decide what to do, but then to implement that decision. As such, there is no need for a separate term such as ‘risk-based decision-making’: considering risk is simply part of making the decision. However, this does perhaps require a higher level of maturity in the risk management process, where the focus on risk is embedded and a natural part of organisational thinking. Where you are trying to improve that maturity level, it may be useful to focus attention on the need to consider risks when making important decisions.

People in the decision-making process

When making decisions, it is important to determine who should be responsible for them. Key decisions are needed when considering whether to allocate more resources to managing a risk, adjust objectives, or accept that certain goals cannot be achieved. These decisions must be escalated to those with the appropriate level of authority, with strategic choices made by executives or the board, while operational decisions occur at other levels. However, decision-making is not just about authority—it is also influenced by perception, experience, knowledge, and biases. A Harvard Business Review (2012) article found that despite having access to large amounts of data, organizations do not always use it effectively. Employees were grouped into three decision-making types: unquestioning empiricists (who rely only on data), visceral decision-makers (who trust instincts alone), and informed skeptics (who balance analysis with judgment). Only 38% of employees and 50% of senior managers fell into the informed skeptic category, indicating that many decisions may not be made effectively. Decision-making styles also vary. These styles can be classified into four categories: directive, analytical, conceptual, and behavioral, based on whether a person focuses on tasks or social aspects and their tolerance for uncertainty. Understanding these styles is important for ensuring that decisions are well-supported with data and that sensitive decisions are handled appropriately. An organization’s risk culture and its willingness to take risks also influence decision-making. Recognizing different styles can help provide individuals with the right support and information to improve decision quality.

ERM Chapter 3 Context and Risk Assessment

3.1 Establishing internal and external context

By understanding the evolving context in which you operate and the objectives you aim to achieve, you can identify and assess the uncertainties that are important (risks). This will give you the necessary information to determine if further action is required or if the risks fall within the organization’s acceptable levels of risk appetite and tolerance. Understanding the context for risk management is a part of most risk management processes. However, many organizations still view the first step as risk identification, assuming that those involved already understand the context in which they are working. ISO 31000 (2018) explains that “defining the scope, context, and criteria is essential to tailor the risk management process, ensuring effective risk assessment and appropriate risk treatment. This involves setting the process’s scope and understanding both the external and internal environment.”

There are three key components of context:

  1. The organization’s risk management context,
  2. The internal context, and
  3. The external context.

The risk management context refers to the overall risk management framework, including the Risk Architecture, Strategy, and Protocols (RASP framework). Customizing the risk management process can be considered when developing the RASP framework.

Internal Context

The internal context looks at the environment within an organization or team where they work to achieve their goals. This includes governance and reporting structures, operational setups, roles and responsibilities—many of which fall under the Risk Architecture. The internal context covers the organization’s structure, objectives, policies, strategies, processes, culture, and the values of its people. It involves:

  • The organization’s divisions, departments, systems, processes, accountability, culture, leadership, strengths, and weaknesses,
  • Internal stakeholders like staff, managers, and the board,
  • Its approach to corporate governance, resources, skills, capabilities, culture, and behavior,
  • Factors that influence how the organization sets and achieves its objectives, which is the main focus of risk management.

Understanding the internal context also helps answer questions such as:

  • What are our objectives?
  • What is our capacity?
  • What are our business processes?
  • How do we make decisions?

Changes in the internal context can create challenges for specific parts or the entire organization, depending on the nature of the change. From a risk management perspective, these changes can impact the risks identified, their priority, how they are managed, and even the overall risk management approach. When conducting a risk assessment for a single team or task, the internal context may focus only on what that team controls, rather than the broader organizational context. COSO (2017) emphasizes strategy setting as the core of the ERM process and highlights how changes in internal and external contexts can affect strategy development and the ability to achieve it.

External Context

The external context looks at the environment outside the organization that can influence its ability to achieve its objectives. This includes factors like external stakeholder expectations, industry regulations, competitor behavior, and the broader economic climate. You can think of the organization’s “world” (or external context) as having two dimensions. First, there’s the inner world, which focuses on the organization’s competitive environment, including competitors, suppliers, and customers. Second, there’s the outer world, which involves broader macro-level factors like economic, technological, ethical, and legal trends in the wider society where the organization operates.

The external context covers:

  • Social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive factors, whether at an international, national, regional, or local level,
  • The industry, products, markets, competitors, suppliers, customers, logistics, and the regions or countries where the organization operates,
  • Key trends and drivers that impact the organization’s goals,
  • Relationships with external stakeholders, as well as their perceptions and values.

Understanding the external environment helps answer questions such as:

  • What does the world around us look like?
  • What factors are shaping our strategic direction?

Changes in the external environment can significantly affect organizations, as seen during events like the global financial crisis and the COVID-19 pandemic. However, even smaller-scale events can have a major impact on organizations, industries, or entire countries. It’s important to note that when analyzing the external context, we should not only consider how it affects the organization but also how the organization might influence the external environment. This two-way perspective aligns with the concept of ‘double materiality’ and is increasingly relevant when addressing risks, especially those related to sustainability.

Tools to understand internal and external context

There are numerous tools and techniques available to help us understand the internal and external context in which an organization operates. These tools can offer valuable insights into various aspects of the organization, such as its day-to-day operations, behaviors, dependencies, trends, expectations, strengths, and weaknesses. Like many risk management tools, they can be applied for different purposes and at various stages of the risk management process.

The tools and techniques we will explore to better understand internal and external context include:

  1. The Extended Enterprise,
  2. PESTLE Analysis,
  3. Stakeholder Mapping, and
  4. Horizon Scanning.

1) The extended enterprise

An extended enterprise is a structure where a number of organisations come together in a joint endeavour in order to achieve outcomes that none of them could have achieved on their own. The concept of the extended enterprise can be applied at any level within an organization. To grasp this idea, there are four essential components to consider:

  1. Core Activities: Identify the primary functions of the team, department, project, or organization in question—what is their main purpose or role?
  2. Key Inputs: Determine the critical resources or elements required to carry out these core activities—what is needed to perform these functions effectively?
  3. Key Outputs: Define the results or deliverables produced by these core activities—what outcomes or value do they generate? These three steps outline a basic value chain for the organization.
  4. External Influences: Recognize the external factors that can impact the inputs, core activities, and outputs—what outside forces might affect the process or results?

By examining these elements, one can better understand the dynamics of the extended enterprise.

The diagram represents a process flow of core activities within an organization, showing the relationships between inputs, core activities, outputs, and external influences.

Key Elements:

  1. Core Activities (Center of the diagram)
    • This represents the main tasks or processes performed by an organization, project, or team.
    • It requires understanding what the organization does.
  2. Inputs (Left side of the diagram)
    • These are the resources needed for core activities to function.
    • Examples: raw materials, skills, capital, electricity, and demand for products.
  3. Outputs (Right side of the diagram)
    • The results or outcomes of core activities, which can be both positive and negative.
    • Examples: products, waste, improved skills, and taxes.
  4. External Influences (Surrounding the process)
    • Factors outside the organization that impact inputs, core activities, or outputs.
    • Examples: government policies, foreign exchange fluctuations, and extreme weather events.

Flow:

  • Inputs feed into Core Activities
  • Core Activities produce Outputs
  • External Influences impact all stages of the process

2) PESTLE Analysis

PESTLE analysis is a framework designed to help organizations assess their external environment by using predefined categories as guides. The acronym PESTLE represents:

  • Political
  • Economic
  • Social
  • Technological
  • Legal
  • Environmental/Ethical

This technique is useful for identifying external factors that may impact an organization’s performance. Additionally, PESTLE serves as a tool for classifying and evaluating potential risks.

3) Stakeholder Mapping

Every organization interacts with a diverse range of stakeholders—individuals or groups with whom they have relationships, interactions, or influence. Stakeholders can be both internal and external, including shareholders, partners, owners, employees, customers (both current and potential), suppliers, consultants, regulators, investors, creditors (such as banks), and parent or sister companies. The nature of the relationship with each stakeholder group depends on their specific needs. For instance, frequent communication with employees is typical, regular engagement with shareholders is common, and periodic interaction with regulators may suffice. A critical responsibility of the risk manager is to ensure that all internal and external stakeholders are identified, which can sometimes be challenging. For example, should an insurance company consider individuals without a policy as stakeholders? A regulator might argue yes, as the insurance industry aims to serve as many individuals and organizations as possible. If certain groups cannot access insurance, this becomes a shared concern for regulators and the insurance market. Senior managers often face the task of resolving conflicts between stakeholder groups. For example, in a banking context, regulators may push for higher solvency capital, while investors may prefer lower capital levels to maximize returns. Managers must strike a balance, maintaining enough capital to satisfy regulators while ensuring shareholders receive adequate returns to retain their investment. Identifying all stakeholders requires thorough research. A structured approach might involve assembling a team to review business flowcharts, manufacturing processes, and relationship diagrams. Additionally, brainstorming with executives can help broaden the perspective on the types of stakeholders involved.

In addition to identifying all stakeholder groups, it is important to evaluate the significance of each group in relation to the organization’s goals. For instance, in a healthcare setting, patients, doctors, and other staff are clearly key stakeholders. Similarly, the importance and influence of funding providers should be assessed, as they may also rank as critical stakeholders. Given that senior management has limited time and resources, prioritizing stakeholder groups ensures that risk management efforts are appropriately allocated to the most relevant parties. Stakeholder mapping or analysis involves listing all key internal and external stakeholders and then plotting them on a matrix based on two dimensions: their level of influence over the activity and their level of interest in it, ranging from low to high. Once these factors are considered, a third element can be introduced by marking each stakeholder with a plus or minus to indicate their attitude toward the activity—whether they are supportive (plus) or resistant (minus). This approach helps provide a clearer understanding of stakeholder dynamics.

Figure: a simple stakeholder map based on Mendelow’s matrix (influence against interest, with each stakeholder marked plus or minus for attitude).

4) Horizon Scanning

Horizon scanning is a structured approach designed to:

  • Identify potential sources of uncertainty
  • Ensure proper preparation
  • Capitalize on opportunities
  • Mitigate and withstand threats

It is important to note that horizon scanning is not about predicting the future. Instead, it supports the development of organizational resilience and is one of several tools that help professionals understand and prepare for future risks. Horizon scanning is a valuable technique that enables individuals to examine complexity, question assumptions, and explore various ways events might unfold, thereby enhancing the resilience and reliability of their organizations; rather than forecasting, it evaluates different scenarios to support evidence-based decision-making. It has been defined in various ways, including as a method to “explore potential future scenarios to better understand uncertainties and assess whether an organization is sufficiently prepared for possible opportunities and threats.” The horizon scanning process can range from simple to complex, depending on the stakeholders involved and their level of engagement. According to the UK Government’s Futures paper, horizon scanning typically involves three time horizons: near-term, mid-term, and long-term. These timeframes vary depending on the organization and its activities. For instance, a tech start-up might view the near term as a month and the long term as a year, while the nuclear industry might consider the long term in terms of decades. Recent events over the past three years have highlighted the growing challenge of assessing risks with a long-term perspective.

  • Horizon 1: Where you are currently taking action
  • Horizon 2: Visible trends for strategic consideration
  • Horizon 3: Little trend information today but planning needed

Steps in the horizon scanning process:

  • Identify key stakeholders – Gather relevant people to work with, keeping in mind the need for diversity and open minds.
  • Kick off – Explain what horizon scanning means, how it is to be conducted, and how the results will be utilized.
  • Research – Working to a timeframe, assign single issues to stakeholders to research (professional journals, online content, etc.) to identify potential risks.
  • Output – Stakeholders document their research (submitting one short report each week).
  • Collaborate / Combine – Collate the reports and present them back to the group for discussion. Visualize the risks where possible.
  • Monitor and review – Decide which key risks you wish to look into further, and conduct in-depth analysis using “Futures” tools.

In addition, a risk radar may also be used to illustrate emerging risks’ time horizon and assessment. This risk radar presents an analysis of several risk sources categorized in a manner which is appropriate for the organization and indicating the near, mid and long range risks which may be impacting society as a whole.

3.2 Objective and Purpose

Understanding both the internal and external context is crucial because it provides a clearer picture of potential risks. For something to be considered a risk, it must be significant—something that truly matters. This means we also need to define what we aim to achieve, what is important, and how we measure success. These are our objectives. As highlighted in the ISO 31000 definition, risk is the “effect of uncertainty on objectives” or uncertainties that have a meaningful impact. However, it’s not just about achieving the objectives of our activities; it’s also about ensuring these objectives align with the organization’s values, mission, vision, and strategy. As discussed in Units 1 and 2, COSO:2017 emphasizes that enterprise risk management is as much about understanding the implications of strategy and the potential misalignment of strategy as it is about managing risks to achieve set objectives. Organizations must focus on their core purpose and address key questions: Why do we exist? Why are we here? Whose needs are we here to meet? Inspirational statements alone are insufficient. Without active board involvement, there is a risk that the organization’s purpose will remain confined to hollow declarations, and the gap between the stated purpose and the actual experiences of employees will only widen.

Setting business objectives can be challenging for several reasons. Some argue that the process of defining objectives can either introduce risks if mishandled or help mitigate risks if done well. Firstly, even when an organization agrees on its overarching mission, selecting a set of appropriate objectives to support it can be difficult. Balancing the diverse and often competing expectations of stakeholders complicates this task, potentially leading to compromises or contradictory goals. Secondly, because an organization’s internal and external environment is always evolving, its strategies and objectives must be regularly reassessed—what seems like a valid mission now may not hold up in the future. Thirdly, if the strategic mission is poorly defined, misunderstood across the organization, or not effectively translated into actionable tactical and operational goals, employees may interpret it inconsistently, resulting in confusion and chaos. Fourthly, even if objectives are distributed to staff, they may not be fully embraced by those responsible for achieving them, creating a disconnect between official goals and the informal ones people actually pursue, which introduces risks early on. Fifthly, setting easily attainable objectives might temporarily lower risk, but overly ambitious ones could heighten it. In the end, risk management efforts tied to flawed, ambiguous, or misaligned objectives might excel at addressing the wrong issues. A flawed objective-setting process can, by itself, become a risk factor.

A strategy outlines how an organization plans to succeed, breaking down into goals set at various levels within the company. Risks tie directly to these goals, since failing to manage them could mean missing targets and ultimately derailing the broader strategic aims. Ideally, these goals should follow the SMART framework:

  • Specific: Clearly define what you aim to achieve.
  • Measurable: Set concrete metrics to track whether the goal is met.
  • Achievable: Confirm you have the necessary resources or skills—or identify steps to get them.
  • Relevant: Make sure the goal supports the organization’s overall strategy.
  • Time-Bound: Establish a practical deadline for completion.

The idea of setting objectives at three levels means goals can be made at different stages in a company:

First, the company sets big, overall goals that cover the whole organization. These are called strategic objectives, and everything else should line up with them to support the company’s main mission and purpose. Next, through passing down responsibilities, the company sets tactical goals for departments, divisions, or business units. These focus on putting the strategy into action and usually cover one to three years. Finally, those tactical goals get broken down further into operational goals for teams or even individual workers. These cover shorter time frames, like days to months. Keep in mind that different companies might use words like “strategy,” “tactics,” and “objectives” in their own ways.

ISO 31000 says companies should set rules to figure out how important risks are and to help make decisions. These rules, called risk criteria, should look at what kinds of uncertainties might affect goals, and how to measure the chances and results—good or bad—of those risks. In simple words, risk criteria show how much risks matter to a company’s ability to reach its goals. They connect to analyzing risks, judging them, and deciding how much risk the company is okay with. Every goal should be SMART—specific, measurable, achievable, relevant, and time-bound. This means there should be ways to check how well the company is doing on those goals. These ways are called Key Performance Indicators (KPIs). KPIs are important signs that show if the company is moving toward its goals. They help focus on improving big plans and day-to-day work, give a clear basis for decisions, and highlight what’s most important. If you measure something, it’s more likely to get done. Companies use lots of KPIs to check how they’re doing at all levels—big-picture plans (strategic), mid-level goals (tactical), or daily tasks (operational). When goals have clear KPIs (sometimes they don’t), those can help set up categories for analyzing risks. They can also shape Key Risk Indicators (KRIs) and statements about how much risk the company can handle. So, instead of making new ways to measure risks, most companies already have these measurements from their goals. Working with the people in charge of those goals to create risk measures is key. It makes sure the measures focus on what matters, helps fit risk management into the company, and gets support from important people. The “scope, context, and criteria” part of risk management is about tailoring the process to spot risks well and deal with them right (ISO 31000). Setting up these measures first keeps everything consistent and makes it clear how much risks matter and how much risk the company can take.

Some companies have a list of KPIs they check regularly, sometimes called a balanced scorecard. These KPIs are simpler to set up for goals that are easy to measure, like money stuff. They get trickier for things that are harder to pin down, like people’s feelings or values. A KPI tied to a goal might also show risks after they’ve already happened—like if the goal was met or missed because of a risk. Depending on how a company organizes its big plans, mid-level goals, and daily tasks, a KPI for one goal could also warn about risks coming up. This makes it a Key Risk Indicator (KRI), which ties into how much risk the company is willing to take. KPIs aren’t always perfect for tracking risks, but they’re usually a solid, trusted set of numbers companies already use. Using these existing numbers is an easy way to show how risk management connects to everyday work. It proves risk management should be a core part of the business, not just something tacked on. Sticking with numbers the company already has, instead of making new ones, helps get teams on board with Enterprise Risk Management (ERM) and makes it part of their routine. Still, a lot of times, companies overlook KPIs when figuring out risk impact scales, key risk indicators, or how much risk they’re okay with.
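The two paragraphs above describe how a KPI that already exists for an objective can double as a Key Risk Indicator once appetite and tolerance thresholds are attached to it, and how a KRI differs from a KPI by giving early warning rather than reporting a result after the fact. The following Python is an added example, not code from the course notes or from any named organisation; the register entries, KPI values and thresholds are constructed for illustration. It rates each KRI red/amber/green against its thresholds, projects from the recent trend how many reporting periods remain before the tolerance is crossed, and produces the prioritised upward report described in the external/internal reporting sections.

```python
"""Derive KRIs from existing KPIs: RAG status against appetite/tolerance thresholds
plus a trend-based early warning. Added example; all register data is constructed."""
import math
from dataclasses import dataclass


@dataclass
class Kri:
    objective: str          # the SMART objective the KPI already measures
    level: str              # strategic / tactical / operational
    kpi: str
    higher_is_better: bool  # direction in which the KPI is "good"
    appetite: float         # within appetite -> green
    tolerance: float        # beyond tolerance -> red and escalate
    history: list           # KPI value per reporting period, oldest first


def rag_status(k: Kri) -> str:
    """Green within appetite, amber beyond appetite but within tolerance, red beyond tolerance."""
    current = k.history[-1]
    if k.higher_is_better:
        beyond_tolerance, beyond_appetite = current < k.tolerance, current < k.appetite
    else:
        beyond_tolerance, beyond_appetite = current > k.tolerance, current > k.appetite
    if beyond_tolerance:
        return "red"
    return "amber" if beyond_appetite else "green"


def periods_to_tolerance_breach(k: Kri, lookback: int = 3):
    """Early warning: extrapolate the linear trend over the last `lookback` periods.
    Returns 0 if already beyond tolerance, N periods until the breach at the current
    trend, or None if the KPI is flat or moving away from the threshold."""
    pts = k.history[-lookback:]
    if len(pts) < 2:
        return None
    slope = (pts[-1] - pts[0]) / (len(pts) - 1)
    # signed headroom before the tolerance is crossed (negative = already breached)
    headroom = (pts[-1] - k.tolerance) if k.higher_is_better else (k.tolerance - pts[-1])
    if headroom < 0:
        return 0
    erosion = -slope if k.higher_is_better else slope  # rate at which headroom is consumed
    if erosion <= 0:
        return None
    return max(1, math.ceil(headroom / erosion))


def evaluate(k: Kri, horizon: int = 2) -> dict:
    """One report row; escalate on red, or when the trend breaches tolerance within `horizon` periods."""
    status = rag_status(k)
    eta = periods_to_tolerance_breach(k)
    return {"kpi": k.kpi, "level": k.level, "status": status, "breach_in": eta,
            "escalate": status == "red" or (eta is not None and eta <= horizon)}


def upward_report(register, horizon: int = 2):
    """Rows ordered for the board pack: red first, then amber, nearest predicted breach first."""
    rank = {"red": 0, "amber": 1, "green": 2}
    rows = [evaluate(k, horizon) for k in register]
    rows.sort(key=lambda r: (rank[r["status"]],
                             math.inf if r["breach_in"] is None else r["breach_in"]))
    return rows


# Constructed risk register: four objectives at three levels, each with its existing KPI.
REGISTER = [
    Kri("Grow market share to 20% by year end", "strategic", "Market share (%)",
        True, appetite=18, tolerance=15, history=[17.5, 17.0, 16.4]),
    Kri("Resolve customer complaints within 10 days", "operational",
        "Open complaints older than 10 days", False, appetite=5, tolerance=12, history=[3, 6, 11]),
    Kri("Patch critical vulnerabilities within 14 days", "tactical",
        "Critical patches applied within 14 days (%)", True, appetite=95, tolerance=90,
        history=[97, 96, 97]),
    Kri("Maintain liquidity headroom", "strategic", "Days of liquidity",
        True, appetite=90, tolerance=60, history=[80, 70, 55]),
]

if __name__ == "__main__":
    for row in upward_report(REGISTER):
        print(row)
```

The complaints KRI is still amber, yet it is flagged for escalation because at its current rate it crosses tolerance next period; the market share KRI is also amber but has three periods of headroom, so it stays in the report without escalation. That distinction is what makes the measure a risk indicator rather than a performance indicator.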

One popular way to define risk is how uncertainty affects goals. Risks definitely mess with a company’s main objectives, but they can also hit other important stuff like key dependencies, core processes, and what stakeholders expect. This idea is called the “attachment of risk,” and companies should figure out how risks connect to each of these things to really understand their effects. Let’s break down these three extra areas:

  • Key dependencies are the must-haves for a company to do well. They could be inside or outside the company, but basically, they’re what the business needs to keep going and succeed later on.
  • Core processes are the essential ways a company gets things done. They’re how the business carries out its big plans and keeps running smoothly. You can think of a core process as “the steps that make sure stakeholders get what they expect.”
  • Stakeholders are the people who care about the business or are affected by it—like investors, suppliers, customers, the community, or the government.

The point of “attachment of risk” is that companies need to map out what happens when risks pop up so they can see the full picture of their impact. This idea also ties into something called the Extended Enterprise. When you compare the two, they line up pretty well:

  • Key dependencies show up in the whole value chain, especially in the stuff the company relies on to start with.
  • Core processes are like the main activities that keep things moving.
  • Stakeholder expectations fit into the value chain too, covering both inside and outside views—external influences focus on people outside the company.
  • Objectives usually pop up in the results part of the extended enterprise.

3.3 Identification of Risk

You can pinpoint relevant risks and goals within a specific situation by employing suitable risk identification methods. It’s useful to recognize that Risk Assessment involves three key phases: Risk identification – what risks exist? Risk analysis – how significant are they? Risk evaluation – what should we do next? Is action necessary? According to ISO 31000, “the goal of risk identification is to identify, acknowledge, and outline risks that could either support or hinder an organization from reaching its objectives.” When outlining risks, there’s often uncertainty about what qualifies as a risk or if it’s truly a risk at all. Therefore, before delving into risk identification, it’s helpful to think about what details should be collected to offer a clear and comprehensible risk description—both for those involved in identifying it and those who weren’t. Take the word “fire,” which frequently appears in risk registers. What does it really signify? Depending on the situation and the reader’s perspective, it might imply:
  • A fire is burning in the building, and I need to escape.
  • I can start a fire in the room for warmth.
  • I can ignite the barbecue for a party.
  • You can terminate someone’s employment.
  • Someone can discharge a firearm.
A precise description that accounts for the context in which the risk arises, along with its potential impact if it materializes, will aid the reader in grasping not only the risk itself but also its origins and consequences.

An example of a clear risk description for Risk of Equipment Failure in Offshore Drilling Operations can be as follows:

  • Description: “Due to aging infrastructure, there is a risk that a critical component of an offshore drilling rig in the Divided Zone fails, leading to a suspension of oil production for up to 60 days, costing an estimated $10 million in lost revenue and requiring $2 million in repairs.”
  • Context: Offshore rigs face harsh marine conditions, and equipment reliability is critical.
  • Impact: Production delays and financial losses, plus potential safety hazards for workers.

Exploring the outcomes of a risk enables us to grasp its effects on specific parts of our organization, such as goals, essential operations, critical dependencies, and stakeholders; it reveals potential pitfalls stemming from an adverse risk event. By pinpointing where risks might emerge, we can identify the most susceptible areas and implement measures to safeguard them. For instance, if we rely on a single supplier for a vital component, we might seek an additional supplier, or if a lone specialist handles a crucial task, we could train a backup. This approach is fundamental to business continuity planning (BCP). The origins and impacts of risks can also be depicted with a ‘bow-tie diagram,’ known as the risk bow-tie. The risk itself sits at the center, with immediate and root causes branching to the left and immediate and broader consequences extending to the right. The risk bow-tie method further allows us to:

• Extend the analysis of risk causes and consequences beyond a single layer to multiple levels, aiding in root cause analysis.
• Map multiple contributing factors for a single risk and demonstrate how one risk can lead to various outcomes.

This latter aspect strongly supports an Enterprise Risk Management (ERM) approach, as it compels us to examine risk causes across all organizational facets and chart their company-wide repercussions. Notably, the risk bow-tie can be applied to both threats and opportunities.

Example: Risk of Oil Spill During Offshore Operations

Central Risk Statement (Center of the Bow-Tie):

Risk: “An oil spill occurs during offshore drilling operations in the Divided Zone.”

This is the core event we’re analyzing, placed at the center of the bow-tie diagram.

Causes (Left Side of the Bow-Tie):

The left side represents the immediate and underlying threats or causes that could lead to the risk event. These are the factors that might trigger the oil spill.

  • Immediate Causes (closer to the center):
    • Equipment Malfunction: A failure in the blowout preventer (BOP) system on the drilling rig, which is meant to seal the well in case of pressure surges.
    • Human Error: An operator misinterprets pressure readings and fails to activate safety protocols in time.
  • Underlying Causes (further to the left):
    • Inadequate Maintenance: The BOP system has not been inspected or serviced according to the recommended schedule due to budget constraints.
    • Insufficient Training: Operators lack recent training on updated safety procedures, leading to errors in high-pressure situations.
    • Poor Vendor Quality: The BOP system was sourced from a supplier with a history of providing substandard equipment, but this was overlooked to cut costs.

In the diagram, these causes would be represented as boxes on the left side, with arrows pointing toward the central “Risk” node. Immediate causes would be closer to the center, while underlying causes would be further out, showing the deeper root issues.

Consequences (Right Side of the Bow-Tie):

The right side represents the immediate and ultimate impacts if the risk event (oil spill) occurs. These are the outcomes that KGOC would face.

  • Immediate Consequences (closer to the center):
    • Environmental Damage: 10,000 barrels of crude oil spill into the Persian Gulf, contaminating marine ecosystems and coastal areas.
    • Operational Shutdown: Drilling operations are halted for 45 days to contain the spill and repair the rig.
  • Ultimate Consequences (further to the right):
    • Financial Loss: Cleanup costs, fines, and lost production amount to $20 million, impacting KGOC’s annual revenue.
    • Reputational Harm: Public backlash and media coverage damage KGOC’s reputation, leading to strained relations with stakeholders and potential loss of future contracts.
    • Regulatory Action: Kuwaiti and international environmental agencies impose stricter regulations, increasing operational costs by 15% over the next five years.
    • Legal Liabilities: Local fishing communities file lawsuits for loss of livelihood, resulting in $5 million in settlements.

In the diagram, these consequences would be shown as boxes on the right side, with arrows extending outward from the central “Risk” node. Immediate consequences would be closer to the center, while ultimate consequences would be further out, reflecting longer-term impacts.

Mapping to the Bow-Tie Diagram:

  • Center: “An oil spill occurs during offshore drilling operations in the Divided Zone.”
  • Left Side (Causes):
    • Immediate: “Equipment Malfunction,” “Human Error.”
    • Underlying: “Inadequate Maintenance,” “Insufficient Training,” “Poor Vendor Quality.”
  • Right Side (Consequences):
    • Immediate: “Environmental Damage,” “Operational Shutdown.”
    • Ultimate: “Financial Loss,” “Reputational Harm,” “Regulatory Action,” “Legal Liabilities.”

The timeline at the bottom of the diagram indicates that causes lead to the risk event, which then results in consequences over time.

Using the Bow-Tie for Threats and Opportunities:

The bow-tie can also highlight opportunities. For example:

  • Opportunity from Mitigation (Left Side): By addressing the underlying cause of “Insufficient Training,” KGOC could implement a robust training program, reducing the likelihood of human error not just for this risk but for other operations as well.
  • Opportunity from Consequences (Right Side): The “Regulatory Action” consequence could lead KGOC to adopt cutting-edge environmental technologies, positioning the company as a leader in sustainable oil production and attracting eco-conscious investors.

Risk Description

We have explored how to express risks by identifying their causes, the risk itself, and its consequences, supported by various examples. However, as highlighted in the Orange Book, caution is needed when defining risks to ensure that consequences are not mistaken for the risks themselves, or that risks are not framed as the opposite of the objectives. The project management field has established a method to correctly position each element of a risk statement: the causes are current or past events that could lead to the risk (the facts), the risk represents the uncertainty, and the consequences are the effects on objectives. Risks can be articulated using a risk ‘metalanguage,’ which provides a three-part structured format that distinguishes between cause, risk, and effect. This risk description aligns with the structure of the risk bow-tie.

When outlining risks, it’s crucial to examine the causes and consequences of risk events, their interconnections, and the challenges they pose for effective risk management. We start with Examples of Good Risk Descriptions and Examples of Poor Risk Descriptions, where we evaluate different risk descriptions, distinguishing between those that are well-crafted and those that require refinement. Additionally, we explore how inadequate risk descriptions can create obstacles for successful risk management.

Example of Good risk description
Example of Poor risk description

To enhance risk description, it’s essential to use language that clearly distinguishes between causes, risks, and consequences:
• Causes are events that have occurred or are occurring, so they should be described using factual, concrete language.
• Risks represent uncertainties, so they should be expressed with language that reflects this uncertainty.
• Consequences are the effects on objectives that would arise if the risk materializes, with positive effects signaling an opportunity and negative effects indicating a threat.
It’s worth noting that a single risk can have multiple causes and multiple consequences.

In summary, employing this risk metalanguage and effectively articulating and describing risks offers several advantages:

  • Awareness of Causes: Understanding the context helps gauge the likelihood of the risk occurring, aiding in risk analysis.
  • Identifying Weaknesses in Causes: Recognizing vulnerabilities in the causes highlights areas that can be addressed to alter the probability of the risk happening.
  • Clear Risk Statement: A well-defined risk statement ensures clarity.
  • Awareness of Consequences: Understanding the potential impacts on objectives if the risk occurs provides insights into the severity of the impact, supporting risk analysis.
  • Identifying Weaknesses in Consequences: Pinpointing vulnerabilities in the consequences reveals areas that can be managed to mitigate the impact if the risk materializes.

This deeper understanding of likelihood, impact, and vulnerabilities enhances the ability to determine the effort required to manage the risk further and to identify the appropriate risk owner.

Known and Unknown

When identifying risks, some teams may have a tendency to refer back to previously identified risks and ask, “What are we overlooking?” While this can be helpful, it may also cause teams to miss or fail to propose risks that might otherwise seem apparent, as they focus on filling gaps in an existing list rather than approaching the process with a completely open perspective. Additionally, certain organizations tend to sharply distinguish between issues and risks. An issue is a risk that has already materialized, eliminating any uncertainty. Understanding issues is critical for risk management because they may recur or spark new risks as a consequence of their occurrence. The concept of “known unknowns” can be a valuable tool to help teams differentiate between issues and risks, as well as between acknowledged risks, unacknowledged risks, and unexpected surprises. To apply this approach, teams should ask the following questions:

  1. What do I know with certainty?
  2. What do I know I don’t know, but recognize as a gap?
  3. I accept that there will always be unforeseen surprises, but to minimize this possibility, I will seek to uncover:
  4. What do I know I don’t know, but am failing to acknowledge? (i.e., the “elephants in the room”).

Encouraging teams to openly discuss what they are not currently acknowledging can uncover a broad range of risks while also fostering a robust risk culture within the team and the wider organization. In risk management, the “known unknowns” framework is an adaptation of the Johari Window, which categorizes knowledge based on what is known or unknown to oneself and others. This concept has been effectively utilized by various politicians and is a widely adopted tool in military and scientific fields. Ignoring the “elephants in the room” can quickly erode organizational value. As William Wilberforce, a UK Member of Parliament who spearheaded the abolition of slavery in the early 1800s, famously stated, “Having heard all of this, you may choose to turn away, but you can never again claim ignorance.”

Risk Identification Techniques

Having established that we are focusing on identifying actual risks—rather than just causes, issues, incidents, or consequences—we can now select the most suitable identification technique based on the context and participants involved. Risk identification should be conducted systematically to ensure that all major activities within the organization are recognized, and the risks arising from these activities are clearly defined. Any related volatility associated with these activities should also be identified and classified. Risk identification is a critical component of risk management, with some arguing it’s the most vital step. If risks are not identified, the entire risk management process halts, as you cannot address risks you are unaware of. Even if staff only identify risks without taking further action, this awareness can subconsciously prompt them to prepare for those risks, thereby reducing their potential impact. The goal of risk identification within a risk management framework is to create a thorough list of risks stemming from events or uncertainties that could either hinder or support the achievement of objectives. If a risk goes unidentified, there’s no chance to prevent or mitigate it.

Risks can be identified both consciously and subconsciously. For instance, conscious identification often occurs through risk assessment techniques, which we’ll explore soon. Subconscious identification happens in everyday scenarios, like when driving a car and instinctively scanning for hazards without realizing it—a phenomenon referred to as a ‘directly perceived’ risk. There are five key techniques for risk assessment, which cover identifying risks, assessing their severity (risk analysis), and determining whether they require action (risk evaluation):

  1. checklists and questionnaires;
  2. workshops and brainstorming;
  3. inspections and audits;
  4. flowcharts and dependency analysis; and
  5. crowdsourcing technology.

The suitability of these methods varies depending on factors like organizational culture, structure, industry, and operational locations. Beyond these, numerous other risk identification techniques exist, some of which can also be applied to the later stages of risk assessment—namely risk analysis and risk evaluation. For additional examples of such techniques, refer to the further reading in this study guide. Certain techniques are better suited for quantitative risk analysis, while others align more with qualitative analysis. We’ll delve into risk analysis in the next section, so there’s no need to understand the distinction just yet. Your organization likely employs a variety of risk identification methods, and different teams or specialties may use distinct approaches depending on their objectives. Based on what your organization already has in place, you might consider adopting a range of techniques tailored to your needs.

Emerging Risks

The International Risk Governance Council describes an emerging risk as “a risk that is new, or a known risk appearing in a new or unfamiliar context, or re-emerging under new circumstances.” These risks are seen as potentially significant but are not fully understood or evaluated, making it challenging to develop confident risk management strategies. While there are various definitions of emerging risk, there is no universal consensus on the term. At the time this material was written, the ISO standard on emerging risk was still in draft form. A straightforward way to view emerging risks is as those about which little is known when they are first identified. A concise definition of an emerging risk is “a risk that is developing in areas or ways where the available knowledge is limited.” Emerging risks differ from ‘business as usual’ risks due to characteristics such as being ambiguous, chaotic, complex, having a shifting time horizon, and being uncertain, uncontrollable, and volatile. Over the past decade, the need to understand emerging risks has grown, largely due to the constantly evolving internal and external environments in which organizations operate. Addressing emerging risks helps organizations build and sustain resilience, increasing their chances of surviving—and potentially thriving—in highly uncertain times. Fundamentally, an emerging risk is simply a risk, and many organizations do not use the term “emerging,” choosing instead to incorporate these risks into their standard risk management processes.

Risk Classification

Organizations classify risks for several reasons, as risk classification:

  • Offers a structured framework for risk identification, which can help uncover more risks—for instance, during a risk management workshop—than would be identified without such a system.
  • Promotes the use of consistent risk terminology across the organization, a key requirement for effective Enterprise Risk Management (ERM).
  • Allows the organization to group similar risk types from across its operations, which can: enhance organizational knowledge, assign clear responsibilities for specific risk types, estimate total risk exposure by category using the expertise of relevant professionals, determine acceptable risk levels for each type, and bundle risks for uniform treatment (e.g., using a single insurance policy for a specific risk type), thereby improving risk management efficiency.

Risks can be categorized based on their time horizon as short-, medium-, and long-term:

  • Short-term risks: Risks with immediate impacts, typically tied to operational activities.
  • Medium-term risks: Risks related to tactics, with impacts emerging between a few months and a year.
  • Long-term risks: Risks tied to strategy, with impacts manifesting between one and five years after the event.

The FIRM scorecard classifies risks into Financial, Infrastructure, Reputational, and Marketplace categories. This framework can also serve as a tool to define the organization’s objectives, assess the consequences of risks, and identify risk sources. A secondary dimension in the FIRM model involves classifying risks based on their origin:

  • Internally derived risks: Originating within the business (e.g., staff fraud), often linked to financial and infrastructural risks, with the internal context as the source.
  • Externally derived risks: Originating outside the business (e.g., exchange rate fluctuations), typically associated with reputational and marketplace risks, with the external context as the source.

Risk identification should encompass risks regardless of whether their sources are within the organization’s control. External risks are often more likely to be overlooked than internal ones, as people are generally more familiar with their organization’s internal dynamics, leading to fewer surprises.

The FIRM model and the IRM Risk Management Standard can be viewed as high-level risk classifications, which can then be broken down into subcategories. For example, financial risks might be subdivided into Treasury risks, sales management risks, purchase management risks, payroll risks, financial reporting risks, and financial forecasting risks.

These can be further divided into sub-subcategories. For instance, purchase risks might include supplier risks, payment risks, delivery risks, authorization risks, and so on. Numerous other risk classification systems exist, starting with The Orange Book. The Orange Book (2020, p. 19) includes a supporting principle on risk classification in its Section D2, Risk Identification and Assessment. It emphasizes that “risk identification activities should provide an integrated and holistic view of risks, often organized by taxonomies or categories of risk (see Annex 4), to understand the organization’s overall risk profile.” The World Economic Forum, in its annual Global Risk Report, categorizes risks as Economic (blue), Geopolitical (orange), Environmental (green), Societal (red), and Technological (purple). Many industries and sectors have specific requirements for risk categories. For example, the finance sector classifies risks into types such as market, credit, operational, and insurance risks, influenced in part by regulatory frameworks like Basel III and Solvency II, which further break down operational risk into multiple subcategories. This approach is common in financial institutions because their business model revolves around accepting risk, making risk understanding and management a core competency essential for success. Your organization may have its own tailored classification system based on specific needs (e.g., regulatory guidance) or industry standards. Sometimes, operating in a state of blissful ignorance may seem preferable: “The more we’re aware of risks, the more we fear their occurrence. This can lead to paralysis, as we worry these risks will materialize, and there’s too much work and not enough resources to manage them all” (BBC Radio 4, Today program, 28 July 2010).

Risk networks

Risks and their solutions don’t stand alone. One person’s risk might be another’s cause or result. Controls and new steps can apply to many risks and different parts of a company. So, risks and their management are part of a connected, networked system with many links. Risk systems and lists that organize data in a strict, layered way can’t see these connections. Risk classification tools can help us think about risks but may lead to narrow, isolated thinking when identifying and handling them. Companies have gotten better at watching risks across all activities and thinking about the total risk level. But more can be done to understand how risks and their solutions are linked. Looking at risk networks can help companies:

  • Better understand how decisions about risks affect things.
  • Spot secondary risks that come from managing risks.
  • Improve how risk management is built into the company.
  • Increase awareness, ownership, and responsibility for risks.
  • Encourage more involvement in the process.

3.3 Risk Analysis

Risk analysis helps an organization understand the size and type of risks it faces. It does this by looking at how likely a risk is to happen and its possible impact. According to ISO 31000, the goal of risk analysis is to understand risks and their characteristics, including their level. It also helps in deciding whether risks need to be managed and how to do so. Different organizations define risk analysis in various ways. The Chartered Institute of Internal Auditors (CIIA, 2005) describes it as using available information to determine the chances of an event happening and its impact. ISO defines the purpose of risk analysis as being ‘to comprehend the nature of risk and its characteristics, including, where appropriate, the level of risk’. Therefore, you might define risk analysis as an analytical tool that helps you to comprehend the nature of risk and its characteristics, including, where appropriate, the level of risk. Risk analysis is therefore far broader than just using impact versus likelihood matrices to measure the relative importance of a risk to an organization. The Orange Book 2020 states that risk analysis should also consider:

  • sensitivity and confidence levels, based on the information available;
  • complexity and connectivity;
  • time-related factors and volatility; and
  • the effectiveness of existing internal control.

Risk Analysis and Risk Assessment

The Orange Book (2020) and COSO (2017) consider risk analysis to be part of a broader risk assessment process, within which it:

  • helps prioritize risks based on their importance;
  • ensures a common understanding of risks across the organization;
  • guides decisions on resource allocation; and
  • supports choices about new strategies, projects, or investments.

The Orange Book also highlights that risk analysis can be simple or detailed, depending on the available data and its purpose. It can be qualitative (descriptive), quantitative (numerical), or a mix of both. Additionally, ISO 31010 (2019) outlines various risk assessment techniques. These techniques help analyze risks by considering their likelihood, impact, and overall level using both qualitative and quantitative methods.

Prioritizing technique

Risk analysis is tough. You need to collect information from many places and use different ways to gather it. Then, you must process that information to get dependable results. To figure out how important your risks are, you can:

  • Check past records.
  • Use your own relevant experience and gut feeling.
  • Look at the industry’s experience with the risk.
  • Read published studies about the risk.
  • Run tests or experiments, like market research.
  • Use economic or statistical models to predict outcomes.
  • Ask experts in that risk area for their opinions.

To rank the importance of risks, you can compare:

  • How much the risk could affect your goals.
  • How likely the risk is to happen.
  • How fast the risk might impact you.
  • How vulnerable different parts of your company are to the risk.
  • How exposed different parts of your company are to the risk.
  • How soon the risk might happen.
  • How much effort or control is needed to manage the risk to a safe level.
  • How hard it is to manage the risk.
  • How one risk might affect other risks (like a domino effect).

There are many other ways to prioritize risks, but this list is a starting point that companies often use.

Impact

The impact of a risk refers to how it might affect an organization or team’s goals. Even if an organization doesn’t have clear goals, the impact can still be measured. Impact can be assessed using simple or complex methods. These range from basic qualitative descriptions (like low to high impact) to advanced quantitative techniques, such as Value at Risk or Monte Carlo simulation. Most organizations use a mixed approach. They apply risk criteria and measure impacts on goals using qualitative scales (low to high), while adding some quantitative measures for consistency. For example, a high financial impact might be over $1 million, while a low financial impact might be under $1,000. Some risks, like financial risks (e.g., losses or gains) and marketplace risks (e.g., income or market share) on the FIRM scorecard, are easier to measure with numbers than infrastructural or reputational risks. We’ll explore more about the criteria for measuring impact later in this section. As mentioned, predefined criteria can be used to analyze a risk event’s impact, especially when dealing with different types of risks in a matrix. This ensures consistency and comparability in rating risks. Examples of these scales are shown in the table below, titled “Examples of Risk Impact Criteria.”

Examples of Risk Impact Criteria

Extreme
  • Reputation: Loss of credibility with key stakeholders; extensive adverse media; external intervention
  • Finance: Financial loss exceeding X dollars
  • Service Delivery: Total sustained disruption to critical services
  • Compliance: Interventions by regulator; serious breach of legal or contractual obligations
  • Safety: Fatality
  • Environmental: Major long-term irreversible environmental loss
  • Staff: Sudden or unexpected loss of a number of key people
  • Infrastructure: Long-term and permanent loss of critical assets/buildings
  • ICT: Non-recoverable loss of critical data or records
  • Business Development: Cessation of major business-critical services for up to 3 weeks

High
  • Reputation: Significant loss of trust; significant adverse media
  • Finance: Financial loss exceeding X dollars
  • Service Delivery: Significant sustained disruption to critical services
  • Compliance: Censure by regulators; a serious breach of legal or contractual obligations
  • Safety: Serious injury or ill health
  • Environmental: Major environmental damage reversible with long-term remediation
  • Staff: Lower retention rate of key personnel
  • Infrastructure: Sustained damage to the assets
  • ICT: Large loss of data, files or records
  • Business Development: Critical business process not available within defined time frame

Medium
  • Reputation: Significant complaint
  • Finance: Financial loss exceeding X dollars
  • Service Delivery: Some short-term disruptions to services
  • Compliance: Failure to meet recommended best practices
  • Safety: Injury or ill health resulting in lost time
  • Environmental: Environmental damage reversible with medium-term remediation
  • Staff: Inability to attract or retain key personnel in identified high-demand roles or hard-to-fill locations
  • Infrastructure: Significant but temporary damage to assets or properties
  • ICT: Recoverable loss of critical files, data or records
  • Business Development: Critical business processes lost for up to one week

Low
  • Reputation: Isolated complaint
  • Finance: Low-level financial loss
  • Service Delivery: Minor disruptions to services
  • Compliance: Failure to meet internal standard or SLA
  • Safety: Injury or ill health with no lost time
  • Environmental: Superficial impact on environment
  • Staff: Difficulty in recruiting or replacing personnel within a reasonable time frame
  • Infrastructure: Minor property damage
  • ICT: Loss of non-critical files, data or records
  • Business Development: Minor effect on services for one day

The examples of risk impact criteria given are focused on threats. When evaluating opportunities, most of these scales can be viewed positively. For instance, instead of measuring reputation by complaints, you could use compliments. For finance, you could measure gains instead of losses. For staff, you might look at better retention and recruitment. However, some scales don’t work for opportunities. For example, legal impacts—you get penalized for breaking the law, but you don’t get rewarded for following it. That said, from a compliance or regulatory angle, you might measure positive feedback from regulators or awards for being the best in your field. The key is that once opportunities are identified, you can measure them in the same way as threats. This allows you to handle both positive (upside) and negative (downside) risks using the same method, instead of creating two separate approaches.

Likelihood

Traditionally, risk analysis has centered on two main aspects: risk likelihood and risk impact. We’ll explore these first before looking at a different approach that’s becoming more popular in the risk management field. Likelihood measures the chance of a specific event happening. It includes both the expected probability and frequency of an event:

  • Probability: This is shown as a number between 0 and 1 (or 0% to 100%) to indicate the chance of something happening. For example, “There is a 5% chance that KGOC’s supervisory control and data acquisition (SCADA) system will experience a cyberattack in the next year.” Probability is often used for risks that might happen only once within the time period being considered.
  • Frequency: This is shown as a frequency measurement, like, “A critical component failure in KGOC’s offshore drilling rigs in the Divided Zone occurs once every 10 years on average.” To convert this frequency into a probability, we calculate the chance of it happening in a given year: 1 event ÷ (10 years × 365 days per year) = 1 ÷ 3,650 days, which is approximately a 0.027% chance of failure on any given day. For a year, it’s 1 ÷ 10 = 10% chance per year. Frequency is typically used for risks that might happen more than once in the given time period.

It’s important to watch out for misunderstandings that can come from poor numerical risk analysis. For example, if a likelihood is stated as one in two million, does that mean two million years or two million events? You need to be clear about what the numbers actually represent.
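As an added worked example (not code from the study guide), the frequency-to-probability conversion above in Python. It reproduces the guide’s “rate × period” arithmetic for the once-every-10-years failure, adds the complement form 1 − e^(−expected events), which assumes events arrive independently at a constant average rate (an assumption of this example, not stated by the guide) and stays valid for horizons where the simple method would exceed 100%, and makes the “one in two million” ambiguity explicit by requiring the basis (years or events) to be named. All function names and the DAYS_PER_YEAR constant are this example’s own.

```python
import math

DAYS_PER_YEAR = 365  # the guide's simplification; leap years ignored


def rate_per_day(mean_years_between_events: float) -> float:
    """Average event rate per day for a risk that recurs once every N years.
    For N = 10 this is 1/3650, the 0.027% per day quoted in the guide."""
    return 1.0 / (mean_years_between_events * DAYS_PER_YEAR)


def simple_probability(mean_years_between_events: float, horizon_years: float) -> float:
    """The guide's 'rate x period' conversion: once per 10 years -> 10% per year.
    Reasonable only while the result stays well below 1."""
    return horizon_years / mean_years_between_events


def at_least_one_event(mean_years_between_events: float, horizon_years: float) -> float:
    """Probability of at least one event within the horizon, assuming events
    arrive independently at a constant average rate (a Poisson assumption made
    by this example). Unlike simple_probability it can never exceed 1."""
    expected_events = horizon_years / mean_years_between_events
    return 1.0 - math.exp(-expected_events)


def describe(mean_years_between_events: float, horizon_years: float) -> dict:
    """Compare both conversions and flag when the simple one stops making sense."""
    simple = simple_probability(mean_years_between_events, horizon_years)
    return {
        "expected_events": horizon_years / mean_years_between_events,
        "simple_probability": simple,
        "probability_at_least_one": at_least_one_event(mean_years_between_events, horizon_years),
        "simple_method_invalid": simple > 1.0,
    }


def annual_expected_from_one_in_n(n: float, basis: str, events_per_year: float = 0.0) -> float:
    """'One in N' is ambiguous: N years or N events? The caller must say which.
    Returns the expected number of occurrences per year."""
    if basis == "years":
        return 1.0 / n
    if basis == "events":
        if events_per_year <= 0:
            raise ValueError("an 'events' basis needs the number of events per year")
        return events_per_year / n
    raise ValueError("basis must be 'years' or 'events'")


if __name__ == "__main__":
    # Constructed figures matching the guide's drilling-rig example.
    print(f"per-day rate, once per 10 years: {rate_per_day(10):.6f}")
    print("1-year horizon:", describe(10, 1))
    print("20-year horizon:", describe(10, 20))
    # 'One in two million' read two different ways.
    print("one in 2,000,000 years  ->", annual_expected_from_one_in_n(2_000_000, "years"), "per year")
    print("one in 2,000,000 events ->",
          annual_expected_from_one_in_n(2_000_000, "events", events_per_year=4_000_000), "per year")
```

Over a 20-year horizon the simple method returns 200%, which is the flag the `simple_method_invalid` field raises; the complement form gives about 86% for the same inputs, which is what a practitioner should quote.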

Prioritizing techniques – impact and likelihood

Organizations often combine their impact and likelihood scales to form a “risk matrix.” An organization can have multiple risk matrices and design them however they prefer. It doesn’t matter which axis is used for impact or likelihood. About half of the organizations using this method put impact on the x-axis, while the other half place it on the y-axis. Some organizations use separate matrices for opportunities and threats, while others combine both by ensuring the descriptions of potential impacts can be positive or negative. Some keep their risk matrices simple, with no gridlines and few metrics. Others make them more detailed, numbering each position on the grid and using different colors for cells to prompt specific reactions. When rating risks, organizations can consider: the risk with no controls in place; its current position; its position if all planned controls were fully effective; and the desired position after management. This will be covered more later. The placement of risks on the impact versus likelihood matrix helps prioritize them. This shows the organization where to focus efforts in actively controlling and managing the risks.

Simple risk matrix

Impact and Action

A new way to prioritize risks is becoming popular in the risk management field. Rating risks based on likelihood is getting harder because our internal and external environments keep changing. Plus, understanding and predicting likelihood is very tricky. There are examples where even experts struggle to explain the chances of events in a way that their audience—or even they themselves—can understand. This issue can happen for many reasons, like the illusion of uncertainty or how people interpret numbers. One solution is to stop focusing on likelihood, or only use it when it’s really helpful, like for engineering risks. Instead, you can use other scales alongside impact, such as the amount of action needed to make the risk “acceptable.”

This approach is called “Impact versus Action” and is used because it:

  • Avoids pointless arguments about likelihood.
  • Focuses on risks that need attention right away.
  • Encourages strong discussions and steps to decide how much a risk really needs to be managed.

The Impact versus Action method ranks risks by looking at their potential impact on the organization (or project/task) compared to the level of action needed to manage them to an acceptable point. It clearly shows where action is needed. This visual tool highlights risks that go beyond the acceptable level (sometimes called the organization’s appetite or tolerance) and points out risks that need immediate action or have weak controls.

Proximity

Risk proximity means how close we are to a risk happening or how soon it might occur. For example, if we’re talking about a key staff member getting sick, especially during the Covid pandemic, the risk could be very close. But if we’re looking at project risks for shutting down a nuclear power plant, the risk might be far off. Using proximity helps organizations prioritize risks in a new way. However, this method can create issues. For instance, a risk with a distant proximity might seem less urgent, but if managed now, it could lower the chance of it happening and reduce its impact—or increase the benefits for opportunities. Take climate change: if action had been taken earlier, the effects we see now and those expected in the future might be less severe. Another timing concept for risk is risk velocity. Risk velocity measures how quickly a risk can affect an organization after it happens. Risk velocity is the “timescale of risk impact.”

Risk Clockspeed

Another timing term is risk clockspeed. Risk clockspeed refers to how quickly the information needed to understand and manage risk becomes available. There are two main types:

  • Slow Clockspeed Risks: These are risks where there’s enough time to think and plan (what’s “enough” depends on the situation).
  • Fast Clockspeed Risks: These happen in or near real-time, leaving little time to react.

The Risk Clockspeed Window is the range of clockspeeds, from fast to slow, that an organization can handle while still operating effectively. One last point: some organizations use these timing terms interchangeably.

Level of risk rating

The three main terms for rating risk levels are:

  • Inherent: This is the risk level before any controls or actions are applied to change its likelihood or impact. It shows the true risk exposure if controls fail and helps identify if risks are over- or under-managed. It’s also called “raw,” “gross,” or “total.”
  • Current: This is the risk level after considering the controls currently in place and their effectiveness. It’s sometimes called “net” or “residual.”
  • Target: This is the desired risk level to make the risk acceptable. Many organizations overlook this, but it’s key to understanding how much effort is needed to manage risks to an acceptable level.

The inherent rating is useful for assessing major or principal risks in an organization but less helpful for risks deeper within the organization.

To summarize the risk rating terms:

  • Inherent is the same as total, gross, raw, or initial.
  • Current is the same as net or some versions of residual.
  • Target is closely tied to risk appetite.

The most important ratings for most parts of an organization are the current (where the risk is now) and the target (where the risk needs to be to be acceptable).

Some warnings about rating levels:

  • The term “residual”: Some organizations see residual as the risk level with current controls at their current effectiveness—we’ll call this residual (current). Others see residual as the risk level if current controls were fully effective or after planned actions—we’ll call this residual (design).
  • The term “target”: Hopkin and Thompson say this is the level achieved after adding more controls, which aligns with what we called residual (design).
  • The term “initial”: Some organizations keep the first rating a risk was given as its initial rating. This helps track how much a risk has changed, but it’s not always needed for reporting or reviews.

Rating levels are often mixed up during risk prioritization sessions. For example, one person might rate at the inherent level, another at the current level, and another at residual (design). To avoid confusion, it must be made clear at the start of any risk prioritization which level is being rated. Different users also need different pairs of ratings. An auditor generally wants the inherent and current ratings, because their job is to ascertain whether the controls that move the risk from inherent to current are truly effective. A risk manager is more interested in the current and target ratings, because they want to know how much work is needed to manage the risk to the desired level.

RISK HEAT MAP

A risk matrix helps analyze a risk’s likelihood and impact. The matrix design and the best scoring system depend on the organization’s specific needs and characteristics. A typical risk matrix uses five levels for both impact and likelihood. In a colored version, it uses red (top right corner), amber (middle), and green (bottom left corner) to show the size of risks. Color coding is a popular way to display a risk matrix, which is why it is sometimes called a “risk heat map”: red signals the danger zone. It is also called a “risk map” or “RAG diagram,” where RAG stands for red, amber, and green. In the example matrix described here, the scores are not multiplied, so 1 × 5 does not equal 5. The scoring is simple and deliberately gives more weight to impact than to likelihood. For instance, a “rare” likelihood with a “major” impact scores 15, while an “almost certain” likelihood with an “insignificant” impact scores 11. If the scores were multiplied, both would be 5 (1 × 5 and 5 × 1), making it hard to decide which risk needs more attention.

The second example risk matrix (the figure “Risk Matrix with Risks Plotted”) shows risk numbers plotted on it. For instance, the risk in the top right box is risk number 32, while the top left box holds risks 18 and 27. The main benefit of a risk matrix is that it visually shows which risks need the most attention, which is why it is so widely used. However, be cautious about accepting these risk ratings as they appear: this view does not show whether any action is needed to manage a risk. Risk number 32 may sit in the top right corner, but that could be its target level, meaning it is already at an acceptable level. Risk number 19, on the other hand, might have a target of “unlikely” likelihood with “moderate” impact, meaning it needs a lot of work to reach an acceptable level. So risk number 19, not risk number 32, should be the focus, because it requires more action. While the typical matrix uses five levels for likelihood and impact, some organizations use other sizes such as 4×4 or 6×4, and some use more detailed ratings to support decision-making in their organization.

A risk can have multiple impacts. Take the example of a vehicle crashing into a road maintenance site, damaging assets and personnel, despite existing safety measures. If this risk happens, the impacts might be rated as:

  • Safety: High (one fatality)
  • Financial: Moderate ($100k to $1m)
  • Production: Minor (3 hours to 1 week of lost time)
  • Reputation: Insignificant (less than 50 negative social media comments)

As you can see, the impacts vary depending on the risk and its context. When a risk has different impact levels, use the highest impact score to plot it on the risk matrix. Averaging the scores hides the true effect of the risk. Risk registers that capture these different impact levels and use the highest score to plot on the matrix provide useful data. This helps focus management efforts. In the example above, the priority would be reducing the safety impact. Without this detail, the focus might wrongly shift to the financial impact.

You can use the risk matrix to show different risk levels:

  • Inherent or gross risk: The risk before any controls are applied.
  • Current or net risk: The risk after considering existing controls.
  • Target risk: The level the risk needs to reach to be acceptable.

You can also plot inherent, current, and target risks on one matrix and draw a line between them to show the effect of risk management actions.

Risk is not just about threats and negative outcomes. Managing risk can also lead to positive results and opportunities. Entrepreneurs often take bigger risks because they see the chance of big rewards, even though achieving those benefits is uncertain. Managing risks to increase the chance of positive outcomes can be as important as managing risks to lower the chance or severity of negative outcomes. Heat maps or RAG charts (red, amber, green) usually focus on threats. To include opportunities, some organizations use a double-sided matrix, which can be drawn in different ways; often upside risks (opportunities) are on the right side and downside risks (threats) on the left. For upside risks, the goal is to move the risk to the top left corner of the upside matrix by increasing its likelihood and/or positive impact.

Risk Evaluation

We now turn to the last part of risk assessment: risk evaluation. The main idea of risk evaluation is that after analyzing a risk to understand its effect on our goals, we decide whether to:

  • Take action to lower our exposure (for hazard risks), reduce uncertainty (for control risks), adjust the investment (for opportunity risks); or
  • Accept the risk level as it is without doing anything more.

So, risk evaluation is basically a decision point where we choose whether to act on the risk or not.

Risk appetite differs between organizations—some are more willing to take risks (risk-aggressive), while others avoid risks (risk-averse). Even within the same organization, different departments may have different risk appetites.

An Enterprise Risk Management (ERM) approach requires organizations to understand their overall risk appetite and apply it consistently across all areas. This helps them make uniform decisions about how to handle a specific risk. Risk appetite should be determined based on the organization’s overall business strategy, tactics, operations, and its need to follow laws and regulations. However, boards often focus on business goals and strategic priorities, which can lead to decisions that don’t fully account for the actual risk exposure or the organization’s willingness to accept that level of risk. In a typical risk matrix, the red, amber, and green zones often show whether risks are within the organization’s appetite or tolerance. These colored zones might shift depending on the organization’s risk appetite. However, using likelihood in scoring and colored zones on a matrix can create issues when deciding how much attention a risk needs. For example, some risks might have a high likelihood and high impact but still be within the organization’s risk appetite.

Consider an organization that maintains major road networks used by the public. They might face a risk of vehicles hitting their work zones, damaging assets, and injuring workers. They likely have many controls in place—like barriers, signs, speed limits, training, guidance, and equipment. But there’s still a high chance that a public vehicle could cause an accident in the work zone, affecting assets and workers. This risk and its controls are constantly monitored, reviewed, and improved, but the organization might not be able to do more and accepts it as part of doing business. On a traditional impact versus likelihood matrix, this risk would be in the red zone, yet it’s within the organization’s risk appetite.

On the other hand, risks with a very low likelihood but very high impact, called High Impact Low Probability (HILP) risks, are often ignored. Because they are seen as unlikely, they get little attention; Covid-19 is an example of a HILP risk. A low likelihood does not mean a risk will not happen. The impact versus action map discussed earlier offers a different way to focus on risks. In this approach, risks (both opportunities and threats) are plotted on a slightly different matrix: the potential impact of the risk relative to other risks, against the amount of additional action needed to manage it to the desired level. If no further action can be taken to manage the risk, it is placed at the bottom of the action axis, marked “no action needed.”

Impact vs Action Map

The tolerance line marks the point beyond which more action is needed than is already being taken to manage the risk. A risk below the line needs no extra action, either because none is possible or because none is wanted. A risk above the line needs action to bring it back into the tolerance zone. Using the impact versus action map helps focus attention properly. Risks that would normally sit in the red zone of a traditional matrix, and be labelled “unacceptable,” can be given the right level of attention, while risks with a big impact on the business that still need a lot of action are highlighted. For example, a risk like Covid-19 would get more focus, because it would show as having a major impact on the organization and, in most cases, would require significant action to manage it to an acceptable level.
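The following is an added example, not code from the page or from any of the standards it cites. It models a small risk register that applies the rating rules from the heat map section (plot each risk on its highest impact category; keep inherent, current and target ratings) and then ranks the register two ways: by heat map score alone, and by impact versus remaining action. The five-level scales, the non-multiplicative scoring scheme, the RAG thresholds, and the four sample risks (including the risk numbers 32 and 19) are all assumptions constructed for this example; they do not reproduce the cell values of the page’s own matrix.

```python
"""Added example: a tiny risk register contrasting heat-map ordering with
impact-versus-action ordering. Scales, scoring scheme, thresholds and sample
risks are assumptions made for this illustration."""
from dataclasses import dataclass

# Five-level ordinal scales, 1 = lowest (assumed labels).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "high": 5}


@dataclass
class Rating:
    """One rating level (inherent, current or target) of a risk."""
    likelihood: str
    impacts: dict  # impact category -> impact label, e.g. {"safety": "high"}

    @property
    def likelihood_score(self) -> int:
        return LIKELIHOOD[self.likelihood]

    @property
    def impact_score(self) -> int:
        # Plot on the highest-rated impact category; an average would hide it.
        return max(IMPACT[label] for label in self.impacts.values())

    @property
    def driving_category(self) -> str:
        # The category that sets the plotted impact is where effort goes first.
        return max(self.impacts, key=lambda c: IMPACT[self.impacts[c]])


def matrix_score(rating: Rating) -> int:
    """Assumed non-multiplicative score (1..25) that weights impact over likelihood.

    One impact level moves the score by 5, one likelihood level by 1, so a
    rare/high risk (21) outranks an almost certain/insignificant one (5).
    """
    return 5 * (rating.impact_score - 1) + rating.likelihood_score


def rag_zone(rating: Rating) -> str:
    """Assumed RAG thresholds on the matrix score."""
    score = matrix_score(rating)
    return "red" if score >= 16 else "amber" if score >= 8 else "green"


@dataclass
class Risk:
    risk_id: int
    title: str
    inherent: Rating
    current: Rating
    target: Rating


def action_gap(risk: Risk) -> int:
    """Levels still to be shifted to get from current to target.

    Zero means the risk already sits at its target: no further action is
    wanted or possible, even if the heat map colours it red.
    """
    cur, tgt = risk.current, risk.target
    return max(0, cur.impact_score - tgt.impact_score) + max(
        0, cur.likelihood_score - tgt.likelihood_score)


def heat_map_order(register: list) -> list:
    """The naive ordering a heat map suggests: by current matrix score alone."""
    return sorted(register, key=lambda r: matrix_score(r.current), reverse=True)


def impact_vs_action(register: list) -> list:
    """Risks above the tolerance line (gap > 0) first, then by impact, then by gap."""
    return sorted(register,
                  key=lambda r: (action_gap(r) > 0, r.current.impact_score, action_gap(r)),
                  reverse=True)


# Constructed sample register (assumed data, not taken from the page).
VEHICLE_STRIKE = Risk(
    32, "Public vehicle strikes road work zone",
    inherent=Rating("almost certain", {"safety": "high", "financial": "major"}),
    current=Rating("almost certain", {"safety": "high", "financial": "moderate",
                                      "production": "minor", "reputation": "insignificant"}),
    target=Rating("almost certain", {"safety": "high", "financial": "moderate",
                                     "production": "minor", "reputation": "insignificant"}))
SUPPLIER = Risk(
    19, "Critical supplier becomes insolvent",
    inherent=Rating("likely", {"financial": "major", "production": "high"}),
    current=Rating("likely", {"financial": "major", "production": "major"}),
    target=Rating("unlikely", {"financial": "moderate", "production": "moderate"}))
PANDEMIC = Risk(
    7, "Pandemic removes most of the workforce",
    inherent=Rating("rare", {"production": "high", "financial": "high"}),
    current=Rating("rare", {"production": "high", "financial": "major"}),
    target=Rating("rare", {"production": "moderate", "financial": "moderate"}))
PHISHING = Risk(
    18, "Phishing leads to credential theft",
    inherent=Rating("almost certain", {"financial": "moderate", "reputation": "major"}),
    current=Rating("likely", {"financial": "minor", "reputation": "moderate"}),
    target=Rating("possible", {"financial": "minor", "reputation": "minor"}))
REGISTER = [VEHICLE_STRIKE, SUPPLIER, PANDEMIC, PHISHING]


if __name__ == "__main__":
    print("heat map order:     ", [r.risk_id for r in heat_map_order(REGISTER)])
    print("impact vs action:   ", [r.risk_id for r in impact_vs_action(REGISTER)])
    for r in REGISTER:
        print(f"risk {r.risk_id}: zone={rag_zone(r.current)} drives={r.current.driving_category} "
              f"gap={action_gap(r)}")
```

Run stand-alone, the heat map puts risk 32 first because it is the reddest cell, while the impact versus action ordering puts it last: its current rating already equals its target, so it sits on the “no action needed” line. The pandemic risk and risk 19 move to the top because they carry a large impact and still have several levels to shift.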

ERM Chapter 2 - Principles of Risk Management

Risk management is important for all organizations and offers many benefits. Its principles rest on the idea that it adds value by using practices aimed at achieving the best outcomes, which reduces uncertainty and unpredictability. To deliver these benefits, most recognized standards, including ISO 31000, COSO, and the Orange Book, set out a section on principles. For example:

  1. ISO 31000 Principles: The eight principles of ISO 31000 sit under the theme “Principles – Value Creation and Protection.” The standard states that the purpose of risk management is to create and protect value, highlights the importance of a structured and integrated approach, and acknowledges the role of human and cultural factors. Its eight principles can be summarized as follows:
    • Framework and processes should be customized and proportionate.
    • Appropriate and timely involvement of stakeholders is necessary.
    • Structured and comprehensive approach is required.
    • Risk management is an integral part of all organisational activities.
    • Risk management anticipates, detects, acknowledges and responds to changes.
    • Risk management explicitly considers any limitations of available information.
    • Human and cultural factors influence all aspects of risk management.
    • Risk management is continually improved through learning and experience.
  2. COSO (2017) Principles: The framework has five parts. It includes 20 principles. These principles describe practices for implementing enterprise risk management. It works for all organizations, no matter their size, type, or sector. Below are the components and principles of the COSO (2017) ERM Framework:
    • Governance and culture
      • Exercises Board Risk Oversight
      • Establishes Operating Structures
      • Defines Desired Culture
      • Demonstrates Commitment to Core Values
      • Attracts, Develops, and Retains Capable Individuals
    • Strategy and objective-setting
      • Analyses Business Context
      • Defines Risk Appetite
      • Evaluates Alternative Strategies
      • Formulates Business Objectives
    • Performance
      • Identifies Risk
      • Assesses Severity of Risk
      • Prioritizes Risks
      • Implements Risk Responses
      • Develops Portfolio View
    • Review and revision
      • Assesses Substantial Change
      • Reviews Risk and Performance
      • Pursues Improvement in Enterprise Risk Management
    • Information, communication and reporting
      • Leverages Information Systems
      • Communicates Risk
      • Reports on Risk, Culture, and Performance
  3. Orange Book (2020) Principles: The Orange Book sets out key principles for effective risk management. It applies to UK central government departments and their arm’s length bodies and supports the corporate governance code that applies to central government departments. There are five main principles. They explain the “what” and “why,” but not the “how,” of creating, running, and maintaining a strong risk management framework:
    • Governance and Leadership
    • Integration
    • Collaboration and Best Information
    • Risk Management Processes
    • Continual Improvement.

PACED Attributes

The principles of risk management can be grouped into five key features of effective enterprise risk management. These features are summarized by the acronym PACED:

  1. Proportionate – The process is tailored to fit the organization and its activities. “One size does not fit all.” However, the overall process and language used should be consistent for clear understanding of risks, controls, and actions.
  2. Aligned – The process connects with other organizational activities. This ensures business runs smoothly while ERM acts as a link to these activities. It also allows for effective risk reporting and management.
  3. Comprehensive – The process ensures consistency and considers risks and controls across the organization and beyond. This helps in understanding the overall risk profile and identifying existing, new, and emerging risks from both internal and external factors.
  4. Embedded – The ERM framework encourages a shift in risk attitudes, behavior, and culture. This helps improve risk management maturity and awareness of its value to the organization.
  5. Dynamic – The process doesn’t end with creating a risk register. While collecting risk information is important, it’s just “register writing,” not risk management. The process must stay active to support decision-making and add value to the organization.

2.1 Risk Management Process

1) ISO 31000 Process: The ISO 31000 process consists of eight key risk management steps:

  • Communication and consultation.
  • Scope, context, criteria.
  • Risk assessment – risk identification.
  • Risk assessment – risk analysis.
  • Risk assessment – risk evaluation.
  • Risk treatment.
  • Monitoring and review.
  • Recording and reporting.

Even though the standard begins with communication and consultation, most organizations using this approach start by defining the scope, context, and criteria. In the previous version of this standard, this step was called “establish the context,” a term you might still come across in various risk management resources and used by many organizations. One key difference from other standards is that it groups risk identification, risk analysis, and risk evaluation together under the broader section called risk assessment.

2) COSO Process:

In the 2004 version of the COSO ERM Framework, the process consists of eight key risk management steps:

  • Internal environment.
  • Objective setting.
  • Event identification.
  • Risk assessment (covers both the analysis and evaluation steps).
  • Risk response.
  • Control activities.
  • Information and communication.
  • Monitoring.

In the 2017 version of the COSO ERM Framework, the risk management framework and process are integrated. The initial steps of understanding the context and objectives are included in the first two components of the framework: 1) Governance and Culture, and 2) Strategy and Objective Setting. The more familiar steps of the risk management process are found in the third component, 3) Performance, which involves:

  • Identifying risks,
  • Assessing the severity of risks,
  • Prioritizing risks,
  • Implementing risk responses, and
  • Developing a portfolio view.

In this approach, the terms “assess” and “prioritize” align with the analysis and evaluation steps in ISO 31000.

The remaining parts of the risk management process are covered in the last two components: 4) Review and Revision, and 5) Information, Communication, and Reporting.

3) Orange Book Process:

The Orange Book comprises a risk management framework, principles, and a process. Its five principles state that risk management shall be:

  • Principle A – an essential part of governance and leadership.
  • Principle B – an integral part of all operational activities.
  • Principle C – collaborative and informed by the best available information.
  • Principle D – structured, with defined processes.
  • Principle E – continually improved.

Principle D includes the main steps of the process which comprise:

  • Risk identification and assessment.
  • Risk treatment.
  • Risk monitoring.
  • Risk reporting.

In this approach, risk assessment corresponds to the ISO 31000 steps of analysis and evaluation. The Orange Book framework closely mirrors ISO 31000 in both its terminology and methodology.

Comparison using the four simple steps of risk management

As noted earlier, there are many different standards and frameworks for risk management; the four highlighted above are ISO 31000, COSO 2004, COSO 2017, and the Orange Book. Organizations may adopt a framework to meet regulatory, industry, or regional requirements, or simply because it is familiar to their risk management teams. As risk management practice has matured, advisory firms have also developed their own frameworks and toolkits. While each organization, standard, or framework may promote different methods, the four core steps of risk management remain consistent:

  1. Define Context and Objectives – Understand the external and internal environment in which the organization operates and clarify its goals and objectives.
  2. Assess the Risks – Identify the risks faced, analyze their potential impact, and evaluate whether they are acceptable or require further action.
  3. Manage the Risks – Implement controls and additional measures to address and modify the risks.
  4. Monitor, Review, and Report – Continuously assess changes in risks, controls, and the overall context to ensure risks are effectively managed and new or emerging risks are appropriately considered.

A key difference in many standards is the focus on closing the loop in this four-step process. This involves regularly asking whether, given the current context, objectives, risks, and the organization’s ability to manage them, it is still possible to achieve those objectives.

2.2 Risk Architecture

The risk management framework is also called RASP: Risk Architecture, Strategy, and Protocols. Risk architecture describes how the organization is set up to manage risk. It matches the organization’s structure and defines how risk management works. Risk architecture includes:

  • Committee structure and terms of reference.
  • Roles and Responsibilities.
  • Internal reporting requirements.
  • External reporting controls.
  • Risk management assurance arrangements.
  • Budget and agreement on resources.

Organizations usually shape their risk management based on their overall management style and structure. This setup depends on key relationships and task delegation, especially when there are conflicting interests. This idea comes from “Agency Theory.” Agency Theory explains the relationship between a “principal” and an “agent.” The principal relies on the agent to make financial decisions, which can have uncertain results. In businesses, these relationships exist between shareholders, members, trustees, executives, the board of directors, and the CEO. Some CEOs like a centralized structure, where a central team controls strategy and operations. Others prefer a decentralized approach, where unit or divisional managers handle decisions with little input from the center. Many organizations use a mix of both. They allow some freedom in certain areas but require a corporate approach in others, like brand management, health and safety, and banking. Understanding the organization’s structure is key to aligning the ERM process with roles, responsibilities, and reporting needs. No matter the structure, risk management is essential. The risk management team and activities will vary depending on whether the organization is centralized, decentralized, or hybrid.

Role and Responsibilities

Organizations have many roles and responsibilities tied to risk management. To make risk management work well, these roles must be clearly defined. Simply hiring more risk management staff doesn’t mean the process is effective. It might even backfire, making others feel less responsible or think, “I don’t need to worry about risk because there’s a risk manager or champion handling it.” Key staff and all employees play a part in risk architecture. Risk tasks are also given to experts who manage specific risks. Depending on the organization’s activities, these roles include:

  • Head of legal.
  • Business continuity manager.
  • Head of internal audit.
  • Head of clinical safety.
  • Compliance officer.
  • Money laundering reporting officer.
  • Head of credit risk.
  • Head of security.
  • Corporate insurance manager.
  • Head of human resources.

Each role has a job description outlining its duties. These specialists’ work is part of the organization’s risk architecture. Think about the roles in your organization that help manage risk. For projects, roles and responsibilities are often shown in a RACI chart. This chart lists stakeholders and their level of involvement: Responsible, Accountable, Consulted, or Informed.

For more on Roles and Responsibilities on ERM click here https://preteshbiswas.com/2024/12/04/responsibilities-for-erm/

Risk Management Planning

When starting ERM for the first time, remember:

  1. Organizations often hire a risk manager or team to handle ERM setup and operations. In sectors like banking and finance, or in some countries, having a Chief Risk Officer is becoming a legal requirement.
  2. The PACED principles of risk management are key to implementing ERM successfully and getting the most benefits.
  3. Organizations can measure the benefits of a well-implemented ERM framework using FIRM (financial, infrastructural, reputational, and marketplace benefits) or the MADE2 model.

ERM implementation is not just about managing risk; it also reflects how mature an organization’s risk management is, since having ERM in place indicates a more advanced level of practice. A successful risk management process follows four steps: planning, implementing, measuring, and learning (PIML), similar to the plan-do-check-act cycle used in many management standards. Setting up a fully working ERM program is a big task that involves the entire organization, and the time needed to implement it depends on several factors, such as:

  • Starting point: What already exists that the organization can use?
  • Leadership support: Strong commitment from top leaders speeds up the process.
  • Size and complexity: Larger, more complex organizations take longer.
  • Global reach: Organizations operating worldwide may need more time.
  • Available resources: More resources can help speed up implementation.

One thing is clear: ERM is not a quick project. For large financial organizations, it can take 3-5 years. A basic ERM program with key elements like a risk board, governance structure, and risk appetite statement can be set up in 1-2 years. However, building a mature, fully integrated, and results-focused ERM program takes longer. In smaller, simpler organizations with strong leadership support, it might take 5-7 years. In larger, more complex organizations, it could take 5-10+ years. Don’t be discouraged by these timelines. Effective ERM is a long-term effort that evolves over time. Key factors to consider include:

  • Governance structure and assurance.
  • Risk appetite statements.
  • Risk profiles.
  • Organizational culture and openness to change.
  • The number of countries the organization operates in.

In short, ERM is a long-term investment (likely over 3 years) that brings significant benefits to the organization. Many guides and resources offer advice on ERM implementation. Most agree that the approach depends on the organization’s risk characteristics and its internal and external environment. In other words, it depends on the organization’s specific context.

Risk Management Reporting:

A key part of risk planning is making sure risk management fits into the organization’s governance and reporting structure. This means risk discussions should take place in the regular meetings that already exist. Ideally, risks and their management should be reviewed and reported in these meetings, following the organization’s usual schedule. The example reporting cycle (its figure is not reproduced here):

  • Shows how reporting works, where some discussions and decisions happen as part of normal business and do not need to be escalated to higher management.
  • Gives an example of regular team meetings, say every two weeks, where information is shared, decisions are made, and feedback is given to support day-to-day operations.
  • Explains how important information from these team meetings is collected and shared with senior managers at their monthly meetings.
  • Suggests that every quarter, key information from management is shared with the Board.

What is often missing, but very important, is feedback from the Board back to the teams and operations about the outcomes of its discussions and decisions (E). This is just one example of how meetings and reporting can work in an organization. For risk management to work well, it should fit into and follow this same cycle.

2.3 Risk Strategy

An organization needs a clear plan for managing risk. The key parts of a Risk Strategy include:

  • Risk management philosophy
  • Arrangements for embedding risk management
  • Risk appetite and attitude to risk
  • Benchmark tests for significance
  • Specific statements/policies
  • Risk assessment techniques
  • Risk priorities

These parts show that the Risk Strategy reflects the leadership’s approach and the purpose of risk management. Is it just about meeting basic stakeholder needs, or is it about creating a process that adds real value, supports decision-making, and protects the organization? The Risk Strategy should match the organization’s agreed principles for managing risk.

Risk management policy

The risk management strategy should be set out in a risk policy approved by the board and applied across the entire organization. In organizations with a decentralized structure, a hybrid risk management framework might pair a central policy with unit or divisional managers responsible for implementing it. Most organizations have a short ERM Policy (usually no more than two pages). This policy explains the organization’s approach to risk management, assigns responsibility, and ensures resources are available to keep risks at an acceptable level. The policy is typically approved and owned by the Board or a Board Risk Committee. Many examples of such policies can be found online, but they should always be adapted to fit the organization’s culture and risk management style.

Risk Appetite

An organization’s decision on whether to act on risks is called its ‘risk appetite.’ The IRM defines it as: ‘The amount of risk an organization is willing to take to achieve its long-term goals.’ Risk appetite is usually mentioned in the risk strategy, but details on how to set it and apply it across the organization are often found in the risk manual or supporting guidelines. For an organization to manage risk consistently (ERM), staff need to know when to act on a risk. If they don’t know when to respond or when to accept a risk, the organization’s overall risk exposure will grow due to inconsistent actions. Staff might act based on their personal views of risk, rather than following the organization’s consistent approach. The main tool organizations use to help staff decide whether to act on risks is called ‘risk appetite.’ The board is responsible for setting this. Here’s what the key terms mean:

  • Risk appetite: The level of risk the organization is okay with, where no action is needed except monitoring for changes.
  • Risk tolerance: The level of risk the organization can handle for a short time while working to reduce it.
  • Risk capacity: The maximum level of risk the organization can’t or won’t go beyond.

Risk appetite differs between organizations—some take more risks (risk aggressive), while others avoid risks (risk averse). Even within the same organization, different areas may have different risk appetites. An ERM approach requires organizations to understand their overall risk appetite and apply it consistently. This helps the organization make clear decisions about how to handle risks. Risk appetite must align with the organization’s business strategy, operations, and legal requirements. However, boards often focus on business goals and strategy, which can lead to decisions that don’t fully consider the actual risk levels or the organization’s willingness to accept them.

2.4 Risk Protocol

Organizations create and use risk protocols to put their chosen risk strategy and structure into action. These protocols can be gathered into a manual, standard, procedure, tools, templates, techniques, or a mix of these documents. Note that each organization may use different terms for its formal documents. Below, we use varied language intentionally. These documents explain “how” to deliver effective risk management. Often, a risk manual (or multiple manuals focusing on specific areas like financial, strategic, and operational risks) is developed and integrated into the organization’s operations. The protocols outline operating procedures and guidelines. For example, they may include:

  • Methods for identifying risks.
  • The format and content of the organization’s risk register, how to fill it out, and how often it should be updated.
  • Rules for logging risk events and reporting significant events based on their importance.
  • Reporting requirements, such as weekly or monthly reports, risk analysis, and tracking key risk indicators.
  • Approval processes for spending on risk improvement actions.
  • Steps for reviewing and approving new or renewed contracts.
  • Templates for risk assessments and, if needed, certifications.

Risk protocols focus on practical, organization-wide practices that ensure the risk strategy is implemented and works effectively. If the policy explains the “what” and “why” of risk management, procedures explain the “how.” Organizations usually provide a detailed document that explains how to manage risk at a more detailed level. This document ensures a consistent approach to risk management, defines the terms and language to use, clarifies roles and responsibilities, and provides information on tools and techniques. The risk management function owns this document, allowing updates to keep practices current without needing board approval. Different organizations may call this document procedures, framework, manual, guidance, etc., depending on their document control system.

Tools and Techniques

As part of risk management protocols, organizations typically offer distinct information on tools and techniques to ensure the effective implementation of risk management practices. Tools refer to devices, equipment, or applications that facilitate the completion of tasks, such as modeling software. Techniques, on the other hand, are methods used to carry out specific tasks, like the PESTLE analysis technique, which helps in understanding the context and identifying risks. Numerous techniques are employed in the risk management process. ISO 31010:2019, part of the risk management suite of international standards, specifically addresses risk assessment techniques, including risk identification, analysis, and evaluation. While tools and techniques are not typically integral to the risk management procedure itself, they are referenced within it. These documents are not consulted as frequently as policies and procedures but are available to assist individuals when performing specific tasks, particularly when the techniques are unfamiliar to organizational members or are rarely used. Examples include root cause analysis, Monte Carlo simulations, or scenario analyses. Information on tools and techniques is often presented in user-friendly formats such as factsheets, flowcharts, or toolboxes, providing step-by-step guidance to enable individuals to complete tasks with minimal or no support or supervision. The documentation maintained for risk management information can be broadly grouped into the categories listed below; these records serve as supplementary aids to the core risk management processes.

Governance

  • Risk Governance
  • Risk Management Policies
  • Specific Risk Statement
  • Terms of Reference of the risk and audit committees
  • Risk Protocol and Procedures
  • Risk awareness training records

Management and Controls

  • Risk response
  • Result of risk assessment
  • Risk control standards
  • Risk improvement recommendations
  • Risk assurance report
  • Business Continuity Plan/Disaster Recovery Plan

Insurance

  • Event Report
  • Loss/Claim report and recommendations
  • Legal and litigation reports
  • Enforcement actions/customer complaints
  • Incident/near miss investigations
  • Business Performance report/Key performance indicator

Audit

  • Risk Performance
  • Control risk self-assessment (CRSA) returns
  • Audit Procedures and Protocols
  • Internal audit report
  • Unit risk management report
  • External disclosure report

Risk Management Information System (RMIS)

The system that holds an organization’s risk management data is often called a risk management information system (RMIS). It’s the tool that connects and supports the work done by the central risk team and the different operating divisions within the organization. Risk management data and information are frequently stored in spreadsheets and other file formats, often using templates provided by the risk team to various operating departments and divisions within the organization. However, many organizations opt for a structured IT system to store, analyze, and report risk-related information to senior management. A centralized risk repository helps in effectively analyzing and managing this information, especially when multiple divisions or departments contribute data to the central risk management team. For numerous organizations, the central hub for all risk management information is the risk register. A risk register can be as straightforward as an Excel spreadsheet, though it should not be maintained in Word or PowerPoint formats. While these tools help report risk information, they lack the functionality to sort, filter, or analyze large datasets. The risk register serves as the primary record of an organization’s current understanding of risks. A well-maintained risk register:

  • Consolidates knowledge about risks and controls,
  • Is customized to fit the organization’s needs,
  • Is regularly updated,
  • Supports informed decision-making, and
  • Enables teams, projects, and the organization as a whole to prioritize and manage risks effectively.

There are many specialized RMIS (Risk Management Information System) software options available. Some focus on specific areas of risk, like managing corporate insurance and claims or handling project risks, while others aim to provide a comprehensive, organization-wide approach to risk management. The main advantages of using a structured RMIS include consistent data collection, storage, and analysis, as well as fewer errors and gaps compared to relying on multiple spreadsheets. Some organizations use a ‘GRC’ approach—Governance, Risk Management, and Compliance—as a single, unified process. Software systems, known as GRC platforms, are available to help manage these activities. For example, MetricStream, one of the providers, explains:

‘Companies are increasingly driven by the need to comply with regulations, manage risks, and meet quality standards. MetricStream’s GRC Platform offers a unified framework to support risk, compliance, and quality management processes, helping organizations improve risk management and corporate governance. The platform integrates these processes into a seamless system, making it easier to manage risks, regulations, and compliance issues.’

More advanced RMIS tools offer enhanced risk analysis capabilities by using risk data for predictive modeling, such as Monte Carlo simulations. They can also be set up to analyze cost and schedule forecasts in projects, which is crucial for project risk management. While an RMIS helps risk managers make better-informed decisions, it doesn’t replace their skills, experience, and expertise. It’s important to remember that an RMIS is a tool to support risk management, not the process itself. It serves as a central hub for risk information, aiding decision-making and action, but it doesn’t replace the need for a structured risk management process.

Conclusion

Enterprise Risk Management (ERM) integrates principles from various globally recognized frameworks, including ISO 31000, COSO, and the UK’s Orange Book, to provide a comprehensive and coherent approach to managing risk across an organization. At its core, ERM emphasizes the importance of aligning risk management with an organization’s objectives and decision-making processes. From ISO 31000, the principle of integration stands out—risk management should be part of all organizational activities and embedded in culture and practices. It also underscores the need for a structured, systematic, and customized approach that is inclusive, dynamic, and responsive to change. COSO complements this by highlighting the need for governance and culture that supports risk awareness, as well as a strong emphasis on performance, strategy, and accountability. COSO’s model revolves around understanding risk in the context of value creation and preservation, integrating risk considerations into strategy-setting, and driving better decision-making and performance outcomes. The Orange Book, tailored for public sector organizations, reinforces the importance of transparency, proportionality, and continuous improvement in managing risk. It introduces the concept of “risk appetite” in a structured manner, emphasizing clarity on the level of risk the organization is willing to accept in pursuit of its objectives. Together, these frameworks advocate a proactive, continuous, and people-centered approach that enhances resilience and supports better governance, strategic alignment, and sustainable performance in both public and private sector organizations.

ERM Chapter 1 Concept and Framework

Risk has been defined in many ways over the years. One widely accepted definition comes from the International Organization for Standardization (ISO 31000, 2018), which says that risk is “the effect of uncertainty on objectives.” An effect is a deviation from the expected. It can be positive, negative or both, and can address, create, or result in opportunities and threats. David Hillson simplifies risk as “uncertainties that matter.” In other words, the world is full of uncertainties, but they only become risks if they affect the objectives a person, group, or organization wants to achieve. The Institute of Risk Management (IRM) also sees risk as having both positive and negative sides. In their 2002 Risk Management Standard, they defined risk as “the combination of the probability of an event and its consequence,” where consequences can be good or bad.

Most definitions of risk include three key ideas:

  1. Uncertainty – A risk must be something that is not certain to happen, so words like “uncertain,” “potential,” and “likelihood” are often used.
  2. Positive and Negative Impact – Risks can bring both opportunities and threats, so definitions may mention “pros and cons” or “positives and negatives.”
  3. Effect on Goals – A risk is only relevant if it affects what we are trying to achieve, whether as individuals, teams, organizations, or society as a whole.

It is also important to remember that risks are not just about how the world affects us but also how our actions impact the world, creating a cycle of cause and effect. Many organizations still think of risk only as a threat. Some focus only on negative risks (downsides), while others separate threats from opportunities. Risk can be divided into four types:

  1. Compliance as a mandatory risk.
  2. Hazard risks as a negative risk.
  3. Control risks as uncertainty.
  4. Opportunity risks as positive risk.

Simplifying, risks are considered as uncertainties that matter; alternatively, the term risk is used to denote the effect of uncertainty on objectives, considering both threats and opportunities. Any reference to compliance, hazard or control risks can be regarded as threats (negative risks).

If risks are uncertainties that matter, then risk management is about taking action to deal with them. The main goal of risk management is to help organizations identify, understand, and handle risks based on their situation and what they want to achieve. ISO 31000 defines risk management as “coordinated activities to direct and control an organization with regard to risk.” Every organization faces different factors that create uncertainty about whether they will reach their goals. This uncertainty is what we call risk. Good risk management helps organizations recognize and manage risks, increasing their chances of success. That’s why it is an essential part of running any organization, just like general management or project management. Since risks are always changing, effective risk management involves planning for known risks while also preparing for unexpected situations. Risk management has grown to cover the whole organization and is now often called Enterprise Risk Management (ERM). ERM is the process of managing all types of risks—business, financial, operational, and risk transfer—to increase a company’s value. ERM helps a company succeed by creating a single, clear view of all risks and handling them consistently across the entire organization. Unlike traditional risk management, ERM understands that risks in one area can affect other areas, so it focuses on managing these connections, not just individual risks.

Aspects of a traditional RM approach

  1. Focus on risk identification and analysis.
  2. Risk as individual hazards.
  3. Focus on all risks managed in separate areas.
  4. Risk mitigation.
  5. Risk with no owner.
  6. Risk is insurance.
  7. Risk is not my priority.

Aspects of an ERM approach

  1. Risk in the business context.
  2. Risk portfolio development with risk interconnectivities.
  3. Focus on critical risks.
  4. Risk is entity-wide.
  5. Identifying and defining risk responsibilities.
  6. Monitoring and measuring risks.
  7. Risk is embedded into everyone’s responsibilities.

The COSO ERM Framework defines ERM as “the culture, capabilities, and practices integrated with strategy-setting and execution that help organizations manage risk while creating and protecting value.” This means that risk management isn’t just about having policies and procedures—it’s about building the right mindset, skills, and actions within the organization to effectively manage risks. Every organization that wants to manage risk properly should define what “risk” and “risk management” mean for them and ensure everyone shares the same understanding. Enterprise Risk Management (ERM) looks at risks in relation to an organization’s goals, from its mission, vision, and core values to creating value while achieving its objectives. ERM means that risk management should be built into every part of the organization, starting from the top leadership down to all business areas. For ERM to work well, organizations must invest heavily in risk management, have a high level of risk awareness, and use a strong system to ensure risks are properly managed. The board needs to be confident that the system in place is effective and consistent across the entire organization. ERM also focuses on how different risks are connected. By understanding these relationships, organizations can better assess the impact of risks both individually and as a whole (sometimes called risk exposure).

1.1 History of ERM

Risk management has changed a lot in recent years, and old ways of thinking about risk have had to adjust. In the past, risk management mainly dealt with the math behind hazards or financial risks. It often focused on specific risks rather than looking at risks across an entire organization. To understand where we are today and where risk management might go in the future, it’s important to know its history. The world is constantly changing, and new risks have emerged that don’t fit into old ways of thinking. By looking at the past, we can see how people handled new risks and learn from their experiences. This can help us prepare for the future. Risk management as a formal practice has only been around since 1995. Before that, the way people thought about risk evolved over centuries. For example, around 1500, people often saw risks as tied to religion, fate, or superstition. Between 1500 and 1900, education and new ideas started to change how people understood risk. From 1900 to 1970, specialized professions focused on risk began to develop. Between 1970 and 1995, risk management started to shift from being specialized to more general. After 1995, it became a more mature profession. From 1995 to 2004, risk management standards were introduced. Between 2004 and 2018, international frameworks and standards, like the COSO ERM Framework and ISO 31000, were developed and updated. Since 2010, issues like climate change, environmental and social governance (ESG), corporate social responsibility (CSR), sustainability, and resilience have become central to risk management discussions. These changes show how risk management continues to adapt to new challenges in our world.

Evolution of Risk Management

This diagram illustrates the historical evolution of risk management, highlighting key events, frameworks, and global influences over time.

Timeline Breakdown:

  1. Pre-1500s:
    • Risk was understood through religious beliefs, fate, and superstition.
  2. 1600–1900:
    • Enlightenment led to a more scientific approach to risk management.
  3. 1900–1950:
    • Specialist risk professions began to emerge.
  4. 1950s–1980s:
    • Expansion of insurance in the US.
    • Focus on contingency planning, loss prevention, and safety.
    • Development of business continuity planning (BCP), captive insurance, and anti-corruption measures.
    • Increased corporate governance, control, and reporting.
  5. 1990s:
    • Introduction of corporate governance and listing requirements.
    • Notable frameworks introduced:
      • 1985: Treadway Report
      • 1988: IRM (Institute of Risk Management)
      • 1992: COSO Framework, Cadbury Report
      • 1995: Greenbury, AS/NZS 4360, CoCo
      • 1998–1999: Hampel, Turnbull
  6. 2000s:
    • Stronger internal controls and risk governance became essential due to financial crises.
    • Introduction of Chief Risk Officers (CROs) and risk management standards.
    • Major regulatory developments:
      • 2002: Sarbanes-Oxley Act (SOX)
      • 2002: IRM / ALARM / AIRMIC
      • 2003: UK Combined Code
      • 2004: COSO ERM
      • 2009: ISO 31000 (Global risk management standard)
  7. 2010s:
    • Financial crisis influenced the maturity of the risk profession.
    • Increased globalization and market volatility.
    • Key frameworks:
      • 2017: COSO ERM Update
      • 2018: UK Corporate Governance Code, Wates Principles
      • 2018: ISO 31000 update
  8. 2020s – Present:
    • Emerging challenges include COVID-19, COP26 (climate change policies), and rising international conflicts.
    • Continued evolution of risk governance models:
      • 2020: Orange Book (updated risk management guidance)
      • 2020: Three Lines Model
      • 2022: TCFD (climate-related financial disclosures)

Over the past few hundred years, there has been a major shift in how people understand risks. People have gained more knowledge about causes and effects by observing and learning about their environment. At first, this knowledge was passed down through stories, and later through written records. Over time, mystery and superstition turned into unknown uncertainty, and then into known uncertainty, especially during the Enlightenment period. This progress eventually allowed people to measure risk for the first time using statistics. Looking back at this history is valuable because it helps us understand how the field of risk management has developed and why the modern world looks the way it does, including some old superstitions and irrational beliefs that still influence us today.

In “A Brief History of Risk Management” (Kloman, 2010), the author traces the history of risk management from 1914 to 2008. It covers the development of specialized areas like insurance, actuarial science, and health and safety. While the material only scratches the surface of a very detailed subject, it helps highlight key events in the history of risk management. Since 2008, the world has seen significant changes in risk management. The focus has shifted from financial risks to environmental and social issues, as well as holding people and organizations accountable for their actions. While governance, risk, and compliance (GRC) were becoming important, especially in the financial sector, the spotlight has now turned to environmental, social, and governance (ESG) factors for most organizations worldwide. This shift has led to more regulations. For example, in the UK, laws like the Modern Slavery Act (2015) require companies to address human rights issues. Additionally, starting in April 2022, over 1,300 of the largest UK companies and financial institutions must disclose climate-related financial information using guidelines from the Task Force on Climate-related Financial Disclosures (TCFD). There are also broader requirements tied to ESG criteria, which focus on environmental, social, and governance practices. These changes show how risk management is evolving to address new challenges in our world.

1.2 Importance of ERM to the Organization

Risk can be defined simply as uncertainty that matters because it can impact the goals we are trying to achieve. Because of this, managing risks—whether they could have negative or positive effects on our goals—is very important for any organization. Risk management can bring both “soft” benefits, like better teamwork and relationships, and “hard” benefits, like higher profits or returns on investment. Risk management is important when viewed through three key perspectives: organizational strategy (how the organization plans to achieve its goals), governance (how the organization is managed and controlled), and resilience (how the organization can adapt and recover from challenges).

Key Purposes of Risk Management:

  1. Financial Benefits:
    • Higher return on investment (ROI): Effective risk management helps organizations optimize resource allocation, reducing losses and increasing profitability.
    • Keep within risk appetite limits: Ensures that the organization operates within acceptable risk boundaries, preventing excessive exposure to risks.
  2. Operational Efficiency:
    • Reduce friction: By identifying and mitigating risks early, operations can run more smoothly without disruptions.
    • Increase quality of product/service: Proactive risk management helps in maintaining high standards and minimizing defects.
  3. Strategic Decision-Making:
    • Provide a rational basis for business decisions: Risk management provides data-driven insights for making informed choices.
    • Consistency of decision-making: A structured approach to risk management ensures decisions are aligned with company policies and objectives.
  4. Business Growth & Sustainability:
    • Increase ability to hit strategic targets: Reduces uncertainties impacting business goals.
    • Improve transparency of risk culture: Helps create a culture where employees are aware of risks and proactively manage them.
  5. Reputation & Trust:
    • Increase confidence: Stakeholders, including investors and customers, gain confidence in a company that manages risks effectively.
    • Retain brand/reputation value: Avoids reputational damage due to risk-related failures.
  6. Workplace & Relationship Management:
    • Improve working relationships: Encourages collaboration by reducing uncertainties in business processes.

Strategy

Risk management has grown more important over the past 15 years. It looks at how different risks in a company are connected. By understanding these connections, organizations can better see their overall risk exposure. A risk-aware strategy should be a top focus for the Board, and top executives expect ERM (Enterprise Risk Management) to play a bigger role in shaping and carrying out the company’s strategy. If ERM and strategic planning are not aligned, ERM can’t help the organization much. It won’t guide decision-making or make sure resources are used effectively to address the biggest risks.

Benefits

  • Build confidence in stakeholders and the investment community
  • Align risk appetite and strategy
  • Link growth, risk and return

Governance

Governance is the system of rules, practices, and processes that guide and control how a company is run. It involves how companies are managed, who has the power and responsibility to make decisions, and how accountability is ensured. Good corporate governance also makes sure that the right practices and procedures are in place to help the organization meet its goals, giving stakeholders confidence that their trust is well-placed. However, boards should pay more attention to the rapidly changing business environment and keep an eye on new risks, rather than focusing only on financial reporting. To lead effectively and achieve goals while dealing with uncertainty, a combined approach to governance, risk, and compliance (GRC) is needed. This means integrating compliance, risk management, internal controls, and internal audit. Boards often assign the oversight of ERM (Enterprise Risk Management) to their audit committees, but their responsibilities now also include other areas like ESG (Environmental, Social, and Governance) issues and emerging risks such as geopolitical tensions, market changes, skill shortages, and supply chain problems. Because of this, ERM is more important than ever to help decision-makers understand risks and ensure that risks are managed well, and that internal controls and risk management processes are working effectively.

Benefits

  • Comply with relevant legal and regulatory requirements
  • Enhance corporate governance
  • Embed the risk process throughout the organization
  • Rationalize capital

Organizational Performance

Benefits

  • Increase the likelihood of a business realizing its objectives
  • Improve organizational resilience
  • Embed the risk process throughout the organization
  • Minimize operational surprises and losses—less fire-fighting
  • Enhance risk response decisions
  • Identify and manage cross-enterprise risks

People

Benefits

  • Optimize allocation of resources
  • Improve organizational learning

Resilience

In recent years, we’ve faced many major risk events, such as the Covid-19 pandemic, the war in Ukraine, mass migrations due to civil wars, scandals involving senior officials, political uncertainties like the election of radical leaders and Brexit, and more frequent and severe natural disasters like floods and hurricanes. These events have pushed companies, industries, healthcare systems, and even countries to their limits, testing their resilience. These challenges have also impacted the role of risk professionals. Risk management is about protecting organizations and making them stronger in the face of disruptions, big or small. While aiming high, it’s also crucial to safeguard the organization’s value. Managing “downside risks” – events that could have negative outcomes – helps organizations implement controls and achieve their goals. At the same time, many of the ambitious and meaningful goals humanity wants to achieve are complex and come with risks. Risk management helps organizations pursue opportunities that might otherwise seem too risky or uncertain. Good risk management is about being able to take risks and aim high. Today, organizations are increasingly required by laws, regulations, or stakeholder expectations to build strong risk management skills and provide reports proving these skills are effective. This focus has grown due to Covid-19 and the growing impact of climate change. There’s also more pressure on organizations to demonstrate their ability to anticipate risks, build resilience, and show their commitment to sustainability, corporate social responsibility (CSR), and environmental, social, and governance (ESG) practices. In the future, these reports may be audited similarly to how financial reports are audited today. In short, risk management is about protecting organizations and making them resilient to disruptions of any size. While striving for success, it’s equally important to protect the organization’s value.
Managing downside risks helps organizations stay on track, while risk management also enables them to pursue ambitious goals that might otherwise seem too uncertain. Good risk management is about taking calculated risks and aiming high. With growing expectations, organizations must build strong risk management capabilities and prove their effectiveness, especially in areas like sustainability and resilience.

1.3 Approach to ERM

Risk management is the same no matter where or how it’s applied. Whether it’s in a business, industry, sector, or country, all risk management processes aim to answer one key question: given the risks we face, can we achieve our goals? This idea can be broken down into a simple four-step process, created by risk management and sustainability experts.

  • Define Context and Objectives – Know your internal and external environment and how it’s changing. Clearly define your goals within this context.
  • Assess Risk – Look for both potential threats and opportunities (risks). Analyze them using the best methods and ask, “Do we need to take action on these risks?”
  • Manage Risk – Where possible, manage the risks by implementing controls. A control is something that changes or reduces the risk. If it doesn’t affect the risk, it’s not a control.
  • Monitor, Review and Report – Keep track of how risks are being managed, review their status, and share updates with others. Let people know what’s happening and what they might need to do.

This helps us ask and answer the key question: Considering the situation we’re in, the risks we face (whether they’re opportunities or threats), and how well we’re managing them, can we achieve our goals?

  • If the answer is “yes” – the system is balanced, and no further changes are needed.
  • If the answer is “no” – there are two options:

a) Put more effort and resources into managing the risks (add more controls); or, if that’s not possible or desired,
b) Adjust the objectives (if possible) because the current goals are either too hard or too easy to achieve for the best balance.

This simple risk management process works at every level of an organization and connects risk management across all areas. It helps answer the key question, whether at the board level or in day-to-day operations. The process stays the same, but how it’s applied can be adjusted to fit the situation at each level.

The simple four-step process can connect with any other risk management process, whether it’s for financial, project, health and safety, reputation, environmental, or other risks. It gathers risk information to support integrated risk management and helps make risk-based decisions across the entire organization. This process serves as the foundation for managing risks in a consistent and unified way. This approach aligns with one of the main principles of the International Risk Management Standard, ISO 31000:2018, which emphasizes the importance of integrating Enterprise Risk Management (ERM) with other organizational activities. Consistency and integration are key to effective risk management.

1.4 Risk Management Specialism

  1. Core Risk Management Process (Center Cycle)
    • The central cycle consists of four key steps:
      1. Define Context & Objectives – Establish the organization’s goals and risk framework.
      2. Assess Risks – Identify, analyze, and evaluate potential risks.
      3. Manage Risks – Develop and implement strategies to address risks.
      4. Monitor, Review & Report – Continuously track risk performance and make improvements.
  2. Surrounding Risk Categories (Outer Circle)
    • Various risk management areas are shown surrounding the central process, indicating that risk management applies across multiple domains:
      • Sustainability Risk Management – Risks related to environmental and social responsibilities.
      • HR Risk Management – Risks associated with human resources, including talent retention and compliance.
      • Reputation Risk Management – Risks impacting the organization’s brand and public perception.
      • Operational Risk Management – Risks related to internal processes, systems, and daily operations.
      • Health & Safety Risk Management – Risks affecting employee well-being and workplace safety.
      • Project Risk Management – Risks associated with project execution, cost overruns, and deadlines.
      • Financial Risk Management – Risks involving financial stability, market fluctuations, and investments.
      • Etc. – Suggesting additional risk categories like cybersecurity, regulatory risks, or geopolitical risks.

Risk management involves many aspects and is done in various parts of an organization for different reasons. A key principle of the International Risk Management Standard, ISO 31000:2018, is the need for a consistent approach and integrating Enterprise Risk Management (ERM) with other organizational activities. When looking at risk management across an organization, some areas, like finance, health and safety, and project management, will have more visible risk management activities compared to others.

Risk management is often seen as an extra task that is separate from other processes and management activities in a company. However, Enterprise Risk Management (ERM) is different because it applies to the entire organization and connects with other operations. This doesn’t mean ERM replaces areas like Health & Safety or Financial Risk Management, which follow strict rules and laws. Instead, ERM helps bring together different types of risk information, collected in various ways, and presents it to managers in a clear and consistent format to support better decision-making. When risk management is handled separately in different departments (silos), it can lead to gaps, overlaps, or inconsistencies, making it harder for organizations to make effective decisions.

Although this unit focuses on three specific areas, risk management happens in every part of an organization, with some areas having more structured approaches than others. When working on any task, it’s important to consider the situation, goals, risks, and our ability to manage those risks. We should always ask: Can we achieve our objectives? If the answer is no, this should be reported to higher management to request either more resources to manage the risks or changes to the objectives. This request can be escalated to the right level of management, and once a decision is made, the actions can be passed back down to the relevant team. In this way, Enterprise Risk Management (ERM) can connect with all organizational activities, no matter their risk management needs. ERM provides a consistent approach, using a common risk language, to manage and report risks across the organization. This helps managers and senior leaders understand the risks the organization faces and supports better decision-making to manage those risks and achieve goals.

1. Finance: Financial activities and the financial industry are highly regulated, with a strong emphasis on managing risks that could affect an organization’s finances. These risks range from basic accounting and tax rules for small businesses to corporate governance and financial reporting for larger companies. Bigger organizations must also demonstrate their ability to continue operating in the long run. Additionally, strict laws and regulations vary by country and industry. For example, in the U.S., the Sarbanes-Oxley Act sets rules for financial record-keeping and reporting for corporations. In financial services, regulations include the Basel Accord for banks and the Solvency II rules for insurance companies in the European Union. Banks are also required to manage operational risks. According to the Basel Committee on Banking Supervision (2021), operational risk refers to potential losses caused by internal failures (such as process breakdowns, human errors, or system issues) or external events. This is reflected in Basel’s updated guidelines for effective operational risk management.

2. Health and Safety: Health and safety is one of the oldest and most developed areas of risk management. In the UK, laws protecting workers date back to the 1800s, with the Factories Act of 1833 playing a key role in safeguarding child workers in textile mills. Over time, more laws were introduced for industries like mining and farming, leading to the Health and Safety at Work Act (1974). This act serves as a foundation for many regulations covering different workplaces and risks, such as construction safety, working at heights, injury and disease reporting (RIDDOR), and the handling of hazardous materials like asbestos and chemicals (COSHH). Health and safety laws exist worldwide, though they vary by country. Some examples include the Occupational Safety and Health Act (1970) in the U.S., the Labour Code in France, and the Industrial Safety and Health Law (1972) in Japan. These regulations ensure workplace safety, though the level of strictness differs between countries, as noted in the HSE’s international study on company directors’ health and safety responsibilities.

3. Project risk management: People have been carrying out projects for thousands of years, from building the Great Pyramid of Giza in 2570 BC to the millions of projects happening today across different industries and countries. However, formal project management became more recognized in the 1950s, leading to the creation of professional organizations like the International Project Management Association (IPMA) in 1965, the Project Management Institute (PMI) in 1969, and the Association for Project Management (APM) in 1972. The APM defines a project as a unique and temporary effort aimed at achieving specific goals, which could be measured by results, benefits, or deliverables. A project is considered successful if it meets its objectives on time, within budget, and according to agreed criteria.

Common Features of Projects:

  • Unique – No two projects are exactly the same.
  • Temporary – They have a start and an end.
  • Focused – They aim to deliver a specific change.
  • Complex – They involve multiple tasks and challenges.
  • Depend on Third Parties – Other people or companies may be involved.
  • Based on Assumptions – Planning relies on predictions, which may change.

Because of these factors, projects come with a lot of uncertainty and risk. The importance of project risk management started growing in the late 1970s, with official guidelines being developed. Organizations like APM introduced the Project Risk Analysis and Management (PRAM) Guide, while PMI created its own standard for risk management.

1.5 Enterprise Risk Management standards

A risk standard can be defined as ‘A published guide for managing risk, usually comprising a risk framework and (especially) a risk process.’ A risk framework can be defined as ‘Also known as the risk management context. This comprises the risk strategy, risk architecture and risk protocols and forms the risk context which helps to drive the risk process.’ A risk process can be defined as ‘The stages in the process of managing risk, which is driven mainly by how you set up the framework (but also affected by the internal and external environment).’

All risk management standards and frameworks are fairly new. In fact, the first-ever risk management standard, AS/NZS 4360, was only introduced in 1995 (Standards New Zealand, 2013). This shows how young the risk management profession is and why even today, risk managers still discuss basic issues like the definition of risk. Organizations can choose to use one of these standards or frameworks to manage their risks, mix elements from different ones, or even create their own custom approach. Over time, risk management has evolved across different regions, industries, and professions to meet various needs. Having a clear risk management framework and standards can help create a more consistent and effective risk management process. This ensures risks are managed in a coordinated and efficient way across the organization. Some widely used risk management standards include:

  • ISO 31000:2018, Risk Management – Guidelines
  • COSO:2004, Enterprise Risk Management – Integrated Framework
  • COSO:2017, Enterprise Risk Management – Integrating with Strategy and Performance

ISO 31000 (2018)

ISO 31000 (2018), Risk Management – Guidelines, is the global standard for risk management. It covers:

  • What good risk management looks like – the Principles
  • What’s needed to implement effective risk management – the Framework
  • The steps in risk management – the Process

First published in 2009 and updated in 2018, ISO 31000 is one of the simplest and most widely accepted risk management standards worldwide. You should feel confident about its content and purpose, especially its process. The standard explains that managing risk is based on the principles, framework, and process outlined in the guidelines. It’s important to note that ISO 31000 cannot be used for certification (unlike standards such as ISO 9001 for quality management). However, it provides guidance for organizations and audit programs, both internal and external. It helps compare risk management practices against an internationally recognized benchmark, focusing on principles for effective management, assurance, and corporate governance. To explain the risk management framework, the acronym RASP (Risk Architecture, Risk Strategy, and Risk Protocols) has been created. RASP supports the risk management process by defining how it works.

COSO

The COSO (2004) Enterprise Risk Management – Integrated Framework, also known as the COSO ERM Cube, was created in the United States by COSO (the Committee of Sponsoring Organizations of the Treadway Commission). The idea of “enterprise risk management” (ERM) started around 2000 and gained global popularity in 2004 when COSO introduced its first ERM Framework. This framework was developed to address fraudulent financial reporting, not just to control fraud and regulatory risks but also to identify and assess risks that needed controls. Its importance became clear after corporate scandals like Enron.

The COSO ERM framework is shown as a cube with three main parts:

  1. Front Face: The risk management process, made up of eight steps.
  2. Top Face: The four categories of organizational objectives.
  3. Side Face: How the standard is implemented, starting at the top level of the organization and spreading downward and across all areas. This means ERM must be part of every role, operation, and activity in the organization.

In 2017, the COSO ERM framework was updated, but the original “cube” remains influential. It provides a structure for assessing and improving risk management and internal control systems, making it a useful tool for managing risks.

The COSO (2017) Enterprise Risk Management – Integrating with Strategy and Performance, also known as the COSO ERM Rainbow Double Helix, is an updated version of the COSO ERM Cube. It reflects the growing complexity of risks and changes in the business environment. The new framework emphasizes that organizations integrating ERM across all levels can achieve greater benefits. The update was needed to better explain the connections between strategy, risk, and performance, and to highlight how risks are interconnected and how risk culture affects risk management. The COSO (2017) ERM Framework recognizes that ERM isn’t just about managing risks to achieve objectives but also about understanding how strategy and risks align. It focuses on improving performance in line with an organization’s mission, vision, and core values. The framework includes five interconnected components supported by 20 principles. Following these principles helps organizations understand and manage risks related to their strategy and goals.

The Framework itself is a set of principles organized into five interrelated components:

  1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
  2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
  3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
  4. Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
  5. Information, Communication, and Reporting: Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

Components and Principles

  1. Exercises Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
  2. Establishes Operating Structures—The organization establishes operating structures in the pursuit of strategy and business objectives.
  3. Defines Desired Culture—The organization defines the desired behaviors that characterize the entity’s desired culture.
  4. Demonstrates Commitment to Core Values—The organization demonstrates a commitment to the entity’s core values.
  5. Attracts, Develops, and Retains Capable Individuals—The organization is committed to building human capital in alignment with the strategy and business objectives.
  6. Analyzes Business Context—The organization considers potential effects of business context on risk profile.
  7. Defines Risk Appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value.
  8. Evaluates Alternative Strategies—The organization evaluates alternative strategies and potential impact on risk profile.
  9. Formulates Business Objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy.
  10. Identifies Risk—The organization identifies risk that impacts the performance of strategy and business objectives.
  11. Assesses Severity of Risk—The organization assesses the severity of risk.
  12. Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks.
  13. Implements Risk Responses—The organization identifies and selects risk responses.
  14. Develops Portfolio View—The organization develops and evaluates a portfolio view of risk.
  15. Assesses Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives.
  16. Reviews Risk and Performance—The organization reviews entity performance and considers risk.
  17. Pursues Improvement in Enterprise Risk Management—The organization pursues improvement of enterprise risk management.
  18. Leverages Information Systems—The organization leverages the entity’s information and technology systems to support enterprise risk management.
  19. Communicates Risk Information—The organization uses communication channels to support enterprise risk management.
  20. Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity.

Orange Book: 2020

The Orange Book 2020 was created by the UK government for the public sector. However, its ideas and principles offer useful insights into risk management for everyone. The Orange Book focuses on the key principles to follow rather than detailed steps or methods. It explains the “what” and “why” of risk management but not the “how.” This makes it a helpful framework that other industries can also use. The Orange Book highlights five main principles of risk management:

  1. Governance and Leadership – Strong leadership and clear governance are essential.
  2. Integration – Risk management should be part of all activities and decisions.
  3. Collaboration and Best Information – Work together and use the best available information to manage risks.
  4. Risk Management Processes – Have clear processes in place to identify, assess, and manage risks.
  5. Continual Improvement – Always look for ways to improve risk management practices.

Alternative Approach

The three main standards/frameworks for risk management are covered here, along with a look at some other approaches. In recent years, there’s been a trend to combine general risk management standards (like the ones we’ve discussed) with industry-specific ones. For example, COBIT is a specialized standard for managing IT risks.

There are also standards for specific industries, such as:

  • Banking: Basel III
  • Insurance: Solvency II
  • Health and Safety: ISO 45000 family (Occupational Health and Safety)
  • Legal: ISO 31022 (Guidelines for Managing Legal Risk)
  • Business Continuity: ISO 22301 (Business Continuity)
  • Projects: PRAM Guide by the Association for Project Management (Project Risk Analysis and Management)

There are three main approaches in risk management standards:

  1. Risk Management Approach: Used by ISO 31000.
  2. Internal Control Approach: Developed by COSO’s Internal Control Framework and the FRC (Financial Reporting Council) risk guidance.
  3. Risk-Aware Culture Approach: Created by the Canadian Institute of Chartered Accountants, known as the CoCo framework.

Providing assurance is a formal part of corporate governance, especially for companies listed on stock exchanges. There’s also a specific standard for the UK charity sector, which you can explore further if interested. Lastly, we’ll introduce a framework designed for the public sector, showing that risk management applies to all types of organisations—whether private, public, or third sector. This highlights that risk management is relevant to any activity in any organization, no matter the sector.

Example of procedure for Conducting Risk Monitoring & Treatment

PURPOSE:

The purpose of this document is to describe the risk monitoring and treatment process for ABCD. Specifically, this document shall guide the execution of the procedures for conducting Risk Monitoring and Treatment, resulting in detailed understanding of the existing status and exposure to risks.

SCOPE:

The processes mentioned in this document are internal processes and their implementation is applicable to all entities within ABCD.

  • Customer: All entities within ABCD
  • Outsourced Service: Not applicable.

DEFINITIONS / ABBREVIATIONS:

Advisor: ABCD employee or organizational team who provides guidelines and/or feedback to any process, plans, presentations, or reports.
Approver: ABCD employee or organizational team who exercises the authority to endorse, change or reject plans, reports, proposals, or findings after judging their applicability and suitability.
Centralized (risk treatment): Risk mitigation/treatment mainly for a “portfolio owner” combination of risks which have multiple relationships (in managing the risk) within ABCD. Centralized risk treatment provides/leverages the ability to pool more resources to treat such risks.
Contributor: ABCD employee or organizational team who provides data, information or estimates for any process, procedure (or sub-procedure) and participates in any discussions, presentations, or analyses thereof.
CRMD: Corporate Risk Management Department
ERM: Enterprise Risk Management
Local (risk treatment): Risk mitigation and treatment that is within the means of a single Team/Group within ABCD. Local risk treatment utilizes the pool/resources available to the Team/Group to treat such risks.
Portfolio Owner: In the context of risk assessment, a portfolio owner is the individual responsible for managing and overseeing the risk management of a specific portfolio, which may include a group of projects, assets, or business activities. The portfolio owner identifies, assesses, and monitors risks within the portfolio to ensure that the overall risk exposure aligns with the organization’s risk tolerance and strategic objectives.
Presenter: ABCD employee or organizational team who delivers any presentation, reports, or findings to an audience.
Risk Coordinator: Appointed by a Team Leader, Manager or higher management to act as the focal point for a specific Team, Group or Directorate.
Risk Register: Operational Risk System or ORS, also known as Avanon.
Responsible: ABCD employee or organizational team who is accountable for the implementation of, and adherence to, a procedure (or sub-procedure) and for any other action items related to that procedure (or sub-procedure).
Reviewer: ABCD employee or organizational team who reads and/or analyses reports, questionnaires, presentations, estimates etc. and judges their suitability with regard to correctness and adherence to guidelines & quality standards.
RMI: Risk Management & Insurance
ROC: Risk Oversight Committee

RESPONSIBILITY FOR APPLICATION:

  • Risk Oversight Committee
  • Group Risk Management Manager
  • Team Leader, Risk Management and Insurance
  • Senior Risk Analyst
  • Risk Analyst

CONDUCTING RISK MONITORING AND TREATMENT PROCESS:

Process Overview / General Description

RMI and Risk Coordinators are constantly required to interact to measure, aggregate, communicate, and treat risks. In order to perform comprehensive risk treatment activities, RMI is required to obtain and analyze internal as well as external data to ensure a detailed understanding of the current status and exposure to risks. Centralized and local risk treatment activities should then be performed accordingly, with reference to the Risk Monitoring and Treatment Plan. Preparation and distribution of reports is required to ensure systematic monitoring of risk exposures, violations, and the completeness and effectiveness of risk treatment activities across ABCD.

Process Objectives:

  • To create risk specific guidelines for treatment & monitoring.
  • To gather enough information to determine and analyze risk exposure across ABCD.
  • To monitor and report risk exposures and risk limit violations.
  • To perform and evaluate centralised and local risk treatment.
  • To create and share risk monitoring and treatment reports (including information on risk exposure, effectiveness of risk treatment, etc.) with the ROC and ABCD Management.

Participants:

The process has the following participants:

  • RMI provides guidelines, calculates risk exposure, works with teams to facilitate identification of risk treatment plans, aggregates and evaluates risk treatment performance information, and distributes risk management reports.
  • Teams provide inputs to RMI to calculate risk exposures, monitor risk management performance and perform local risk treatment.
  • Risk Coordinators act as point of contact for concerned team.
  • Portfolio Owners provide the status of risk treatment activities in progress and the aggregated monitoring data about risk metrics.
  • Single Risk Owners provide all risk treatment related information and updates to the Portfolio Owners.

Triggers

This is an ongoing process and the monitoring and treatment plan for each risk portfolio has its own triggers (the process could be periodic or triggered by specific events, like: new contract; new counterparty, etc.).

Inputs to the Process

  • Existing risk register.
  • Existing risk monitoring & treatment plan.
  • Inputs from Teams on risk management (e.g., data on defined risk metrics, results of risk monitoring and treatment, etc.).

Outputs from the Process

  • Guidelines on metrics/limits/risk treatment issued by RMI / Affiliated Teams to other teams.
  • Risk management reports (risk exposure, results of risk monitoring and treatment).
  • Treatment of risks.

Operation Procedures

1. Provide Guidelines

The procedure Provide Guidelines aims at studying the existing exposure of ABCD to risk and its causes, and at providing high-level guidelines to Teams in order to measure and track risks.

  • RMI team to study the current exposure(s) of ABCD risks and its causes.
  • RMI team shall provide high level guidelines to teams in order to measure and track risks.

This is not a trigger for initiating a treatment plan but is essentially a starting step which allows ease of data collection post an event or trigger.

2. Collect Inputs

The procedure Collect Inputs focuses on producing clear, accurate, systematic and detailed documentation on internal and external information collected pertaining to risk measurements and current monitoring and treatment activities.

  • Risk Coordinators from each team / group representative shall collect the information requested and update/report it to RMI.
  • Items to be collected/conveyed for reporting include the Risk ID of the existing risk, risk name, risk description, risk likelihood and risk impact.
  • The RMI Team is responsible for collecting the team input and reviewing and organizing the information received.
  • The RMI Team is also responsible for collecting external input (such as changes in the political environment / generic analysis of political conditions).

3. Calculate Risk Exposure

The procedure Calculate Risk Exposure focuses on producing periodic reports on risk exposures and risk limit violations, based on sufficient and accurate information provided by respective teams.

  • The RMI team is responsible for, and acts as the reviewer in, calculating ABCD’s exposure to risk, utilizing data/information collected from teams as input to risk metrics/severity.
  • The RMI team is responsible for monitoring/comparing risk exposure against agreed limits.
  • The RMI Team has the responsibility to report risk exposure (including a report on risk exposure and items exceeding the limit, i.e., risks considered Very High) and share it with the ROC and Top Management.
  • The RMI Team needs to review the calculations and analysis as well as prepare the required reports.
  • The RMI team shall decide on any limit exceptions (risks with severity in Very High status).
  • Such risks need to be treated (given prioritization / centralized or local risk treatment).
  • Risks that have not exceeded the limit (risks not in the Very High category) shall be reviewed and reported/documented in the regular risk register under local risk treatment.

4. Treat Risks

The procedure Treat Risks focuses on performing central and local risk treatment activities by the relevant parties.

  • The Portfolio owner / Risk owner shall decide whether the risk can be treated centrally (refer to the specific risk monitoring and treatment plan); otherwise it is treated under local risk treatment.
  • Central risk treatment activities for risks that cannot be effectively treated by any single team shall be the responsibility of the Portfolio owner.
  • Planning and performing local risk treatment (risk mitigation within the jurisdiction of the team) shall be the responsibility of the team (risk owner).

5. Track Performance

The procedure Track Performance focuses on tracking the performance of risk treatment activities, based on sufficient and detailed analysis of information provided by the respective teams.

  • Risk Coordinators or Portfolio owners are responsible for providing performance information by collecting the performance and progress of risk treatment activities and reporting such information to the ERM Team.
  • The RMI team is responsible for tracking risk management performance by aggregating, evaluating, and reviewing the risk performance information and progress.
  • In the event that further information is required regarding risk performance, RMI collects it from the Portfolio owner or Risk Coordinators (whichever is applicable).
  • RMI shall proceed to report / update the report for all other risks.

6. Report

The procedure Report focuses on producing periodic reports on ABCD’s risk management activities and outcomes for the ROC and ABCD Top Management. These reports should incorporate clear and concise documentation of all relevant information, either internal or external.

  • The RMI Team is responsible for reporting Risk Management Performance.
  • The RMI team shall prepare and report risk management performance to the ROC and ABCD Top Management & Portfolio Owner (if any). Key Risk / Very High-Risk Reports are requested by KPC on a quarterly basis.
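As an added illustration of steps 2 to 4 of the procedure above (example code, not part of the ABCD procedure), the following Python script scores each register entry from the fields step 2 collects, compares severity against an agreed “Very High” limit, lists the violations to escalate to the ROC and Top Management, and routes each Very High risk to central or local treatment. The 1–5 scoring scales, the severity bands, the limit of 20, the `centrally_treatable` flag and the sample register are all assumptions.

```python
from dataclasses import dataclass

SCALE = range(1, 6)       # assumed 1..5 scoring scale for likelihood and impact
VERY_HIGH_LIMIT = 20      # assumed agreed limit: severity >= 20 is "Very High"


@dataclass(frozen=True)
class RiskEntry:
    """One register line, with the fields step 2 asks coordinators to convey."""
    risk_id: str
    name: str
    description: str
    likelihood: int
    impact: int
    centrally_treatable: bool = False  # assumed flag set by the portfolio owner per the treatment plan


def severity(entry: RiskEntry) -> int:
    """Severity as likelihood x impact on the assumed 1..5 scales; rejects out-of-scale scores."""
    if entry.likelihood not in SCALE or entry.impact not in SCALE:
        raise ValueError(f"{entry.risk_id}: scores must be within {SCALE.start}..{SCALE.stop - 1}")
    return entry.likelihood * entry.impact


def severity_band(score: int) -> str:
    """Assumed bands; only the Very High boundary drives escalation in step 3."""
    if score >= VERY_HIGH_LIMIT:
        return "Very High"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def treatment_route(entry: RiskEntry) -> str:
    """Step 3/4 decision: Very High risks are escalated and treated centrally or locally;
    all other risks stay in the regular register under local treatment."""
    if severity(entry) < VERY_HIGH_LIMIT:
        return "register"
    return "central" if entry.centrally_treatable else "local"


def calculate_exposure(register):
    """Build the step 3 report: exposure per risk, limit violations, and the IDs to escalate."""
    rows = []
    for entry in register:
        score = severity(entry)
        rows.append({
            "risk_id": entry.risk_id,
            "name": entry.name,
            "severity": score,
            "band": severity_band(score),
            "exceeds_limit": score >= VERY_HIGH_LIMIT,
            "route": treatment_route(entry),
        })
    violations = [r for r in rows if r["exceeds_limit"]]
    return {
        "rows": rows,
        "violations": violations,
        "escalate_to_roc": [r["risk_id"] for r in violations],
        "max_severity": max((r["severity"] for r in rows), default=0),
    }


# Constructed sample register (not real ABCD data).
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Counterparty default", "New counterparty without credit history", 4, 5, True),
    RiskEntry("R-002", "Key-person dependency", "Single engineer holds system knowledge", 3, 4),
    RiskEntry("R-003", "Regulatory change", "Pending rule change in an operating country", 5, 4),
    RiskEntry("R-004", "Office power outage", "Short outage at a single site", 2, 2),
]

if __name__ == "__main__":
    report = calculate_exposure(SAMPLE_REGISTER)
    for r in report["rows"]:
        print(f"{r['risk_id']} {r['name']:<22} severity={r['severity']:>2} {r['band']:<9} route={r['route']}")
    print("Escalate to ROC / Top Management:", report["escalate_to_roc"])
```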

Example of Enterprise Risk Management Policy

1. Foreword

Enterprise risk management (ERM) is described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes-Oxley Act, data protection and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny of the risk management processes of companies.

For this reason, ERM aggregates and manages risks at a portfolio level, providing a comprehensive perspective of risk throughout the enterprise and aligning risk management to the corporate strategy. This helps the company to make informed decisions, to set priorities, and to optimize the balance between risk and return.

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances related to the organization’s objectives (threats and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

ABCD’s value chain businesses by nature manage risks and have a variety of existing departments or functions (“risk functions”) that identify and manage particular risks. However, each risk function varies in capability and in how it coordinates with other risk functions. A central goal and challenge of ERM is improving this capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organization’s ability to manage the risks effectively.

This document focuses on highlighting the standards of Enterprise Risk Management, with the definitions of risk, risk management and enterprise risk management applicable to ABCD. A comprehensive gap analysis has been conducted in order to establish the definitions as well as the international standards and frameworks that are published and used by present-day decision makers in the risk management arena.

After a gap analysis conducted between the leading international standards COSO and ISO, we found that ISO 31000:2018 provides more strategic direction compared to its previous version as well as COSO, and places more emphasis on the involvement of senior management in risk management and on the integration of risk management into the firm’s decision-making process.

In order to evaluate the standards of ERM applicable to ABCD, ISO 31000, COSO and a recognized format are necessary. The GROUP COMPANY published a highly regarded guide to the format for management system standards. Overall, GROUP COMPANY ERM provides detailed guidelines on the plan, implement, measure and learn features of a risk management system, but less explicit information on the context, leadership and support features required of a management system standard.

2. Introduction

ABCD’s ERM Policy is based upon, and is in line with, GROUP COMPANY’s Enterprise Risk Management guidelines, and elements from both frameworks discussed above (ISO 31000 and COSO) have been incorporated into this policy. The policy is consistent with ABCD’s strategic objectives and business environment, and aligned with GROUP COMPANY’s ERM requirements. Managing risk is iterative and assists ABCD in setting strategy, achieving objectives and making informed decisions.

Managing risk is part of governance and leadership, and is fundamental to how ABCD is managed at all levels. It contributes to the improvement of management systems.

Managing risk is part of all activities associated with GROUP COMPANY and Sister Companies and includes interaction with stakeholders.

Managing risk considers the external and internal context of the ABCD, including human behavior and cultural factors.

Managing risk is based on the principles, framework and process outlined in this document, as illustrated in Figure 1. These components might already exist in full or in part within ABCD; however, they might need to be adapted or improved so that managing risk is efficient, effective and consistent. The importance of adequate risk management creates the need for periodic review and updates of this policy. The ERM Policy is reviewed annually and updated whenever changes to the standard or to ABCD’s context require it.

3. Scope

This Enterprise Risk Management (ERM) Policy defines all key elements of ABCD’s ERM practices at a high level. These elements include, as a minimum: context and objectives; strategy, expressed through its risk statements; processes; and governance structure, via a high-level description of roles and responsibilities. This document provides standards and guidelines on managing the risks faced by ABCD. The application of these guidelines can be customized to any part of ABCD and its context. This document provides a common approach to managing any type of risk specific to ABCD. It can be used throughout the life of ABCD and can be applied to any activity, including decision-making at all levels.

4. Strategy

As part of the GROUP COMPANY ERM Strategy, ABCD works with GROUP COMPANY and Sister Companies to implement risk management best practices in all activities related to GROUP COMPANY businesses. The GROUP COMPANY ERM Strategic Initiatives are:

  • Enhance corporate-wide risk culture, awareness, and know-how of risk management.
  • Demonstrate management commitment by effectively enforcing risk management in the decision-making process throughout GROUP COMPANY and maximizing its integration.
  • Develop a highly skilled and motivated ERM workforce.
  • Enhance and support the ERM eminence-building program and promote the global presence of GROUP COMPANY as a leader in ERM.

5. Definitions

For the purposes of this document, the following terms and definitions apply.

  • Consequence – outcome of an event affecting objectives. A consequence can be certain or uncertain and can have positive or negative, direct or indirect effects on objectives. Consequences can be expressed qualitatively or quantitatively. Any consequence can escalate through cascading and cumulative effects.
  • Control – measure that maintains and/or modifies risk. Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain or modify risk. Controls may not always exert the intended or assumed modifying effect.
  • Enterprise Risk Management (ERM) – a structured and disciplined risk management approach integrated with strategy, process, people, technology, and knowledge, with the purpose of continually evaluating and managing risks to business strategies and objectives on an enterprise-wide basis.
  • ERM Program – the processes, framework, roles and responsibilities used by ABCD for the management of enterprise risk.
  • Event – occurrence or change of a particular set of circumstances. An event can have one or more occurrences, and can have several causes and several consequences. An event can also be something that is expected which does not happen, or something that is not expected which does happen. An event can be a risk source.
  • Key Group Risks – the risks that ABCD as a whole considers to be above ABCD’s tolerance threshold (very high risks). These key group risks are to be monitored at company level. It is expected that these risks will change over time. Key Group Risks are documented in the Risk Register.
  • ABCD Business Unit – a corporate function within ABCD, such as Internal Audit, Corporate Finance, Legal, etc.
  • GROUP COMPANY Subsidiary – a subsidiary company of GROUP COMPANY, such as Sub 1, Sub 2, etc.
  • Likelihood – chance of something happening. “Likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
  • Opportunity – the possibility that an event will occur and positively affect the achievement of objectives.
  • Risk – the possibility that an event will occur and adversely affect the achievement of objectives, especially as relates to ABCD’s ability to achieve its business objectives as defined by the 2040 Plan. Risk is described in terms of its likelihood of occurrence and potential impact or magnitude. Categories of risk are defined in the Risk Categories section of this document.
  • Risk Aggregation – quantitative approach to risk where a firm looks to measure multiple types or sources of risk collectively.
  • Risk Appetite – articulation of the choice and breadth of risks ABCD is willing to accept in pursuit of value for the company. ABCD’s and the Business Units’ Risk Appetite guides resource allocation within the corporation and each Business Unit. ABCD management allocates resources across Business Units with consideration of the entity’s Risk Appetite and the Business Units’ strategy for generating a desired return on ABCD’s and its Business Units’ investments.
  • Risk Assessment – the process by which ABCD and its subsidiaries consider how potential events and resultant risks might affect the achievement of company objectives. ABCD assesses events from two perspectives: likelihood and impact. Risk assessment includes identification of three risk elements: risk factors (root causes), risk events, and the consequences of the risk event.
  • Risk Capacity – amount of aggregated risk the company is able to take while meeting obligations to its stakeholders (or without causing financial distress) whilst ensuring long-term stability.
  • Risk Governance – the risk-related roles and responsibilities among various constituent groups such as stakeholders, board members, management and employees, and the rules and procedures for making risk-related decisions. ABCD’s stakeholders and influential parties have a number of risk-related roles and responsibilities that will evolve from year to year.
  • Risk Mitigation/Risk Treatment – actions or decisions by management that will change the status of a risk. Management alternatives include retaining the risk (either completely or partially), avoiding the risk (by withdrawing from or ceasing the activity), reducing the likelihood (by designing and implementing controls), reducing the impact (by emergency or crisis response), and/or transferring the risk (by outsourcing, insurance, etc.).
  • Risk Profile – the results of any Risk Assessment, assembled into a consolidated view of the significant strategic, regulatory, financial and operational risks inherent in a project, line of business or across the corporation.
  • Risk Register – the systematic listing of risks for each Subsidiary and Business Unit of ABCD, as well as the risks common across the corporation. This includes the individual risks for each Subsidiary and Business Unit as well as the Key Group Risks.
  • Risk Tolerance – the acceptable level of variation relative to the achievement of ABCD’s Strategic Directions; it is the set of quantitative parameters derived from the risk capacity and appetite, focusing on selected areas, that serve as guidelines for corporate decision-making.

6. ABCD Risk Appetite & Risk Tolerance

ABCD was established to ………………………. Considering the nature of ABCD’s business environment, ERM plays an important role in supporting ABCD in achieving its strategic goals and objectives.

ERM will help ABCD to manage the challenges and threats that could affect these objectives, and to better exploit opportunities in pursuit of the company’s strategic objectives. This is in alignment with GROUP COMPANY’s ERM mission: “to embed enterprise risk management into GROUP COMPANY’s and subsidiaries’ business and influence ERM practice with our business partners to ensure the optimal balance of risk and reward whilst pursuing our objectives.”

ERM at ABCD adopts a structured approach to managing risk through defined risk capacity, risk appetite and risk tolerance statements, which help ABCD achieve its objectives. The relationship between risk capacity, risk appetite and risk tolerance is illustrated in the diagram below:

Risk Capacity

Risk capacity is the amount of risk that ABCD is able to bear without financial or other distress (a consequence of its financial situation and other commitments). ABCD assesses its capacity to bear risks both in terms of its crude and gas production and in terms of its financial performance (cash flow). ABCD’s financial relationship is such that all operating and capital costs are reimbursed as incurred, which is expected to continue for the foreseeable future. Nevertheless, ABCD shall use the value created in its business activities to determine its risk-bearing capacity, as defined below:

  • Production levels (and hence production capacity and reliability) in a normal operating environment:
    • can with certainty (100% confidence) meet ABCD’s share of the oil sector obligation to satisfy internal energy demand
    • can deliver with 95% confidence the forecast production of the 5-year plan
  • Financial risk is assessed using the cash-flow-at-risk methodology (complemented by stress testing to assess the impact of rare events, i.e., tail events). ABCD will operate so as to maintain a high level of confidence that it can:
    • meet its agreed share of the value contribution to GROUP COMPANY and the State
    • ensure the value created is sufficient to service ongoing investment after meeting the State’s requirements
    • service its financial obligations as they become due (i.e., meet cash calls)

In this context, ‘high level of confidence’ means with 95% probability over any rolling 5 year period. Exceptional variations may only occur under specific circumstances (in any case not more than once in 20 years).

Evaluation of risk capacity for extreme events (e.g., war, significant global economic disruptions) will follow the same pattern (i.e., production capacity, financial terms) but will be assessed based on stress testing and scenario analysis.

Risk Appetite

ABCD risk appetite will be the amount of risk the company is willing to accept in pursuit of value for the company. Risk appetite is an essential component of ERM, as it provides the high level target for the amount of risk that the company should take.

Company activities should be conducted in accordance with the company’s risk appetite, so that the amount of residual risk is in line with expectations. ABCD’s risk appetite aligns to GROUP COMPANY’s risk appetite classification.

The following is ABCD’s Risk Appetite Statement

  1. Unacceptable Risks: Risks that ABCD is not distinctively advantaged to manage, or finds it unethical to be exposed to, and hence has no appetite for. Typical actions ABCD will take for these risks are to avoid being involved in activities bearing such risks, or, when they cannot be avoided, to mitigate them to the extent reasonable.
    • Political and stakeholder risk: ABCD seeks to avoid any reputational risk that could affect either itself or GROUP COMPANY.
    • Operational risk: ABCD actively seeks to avoid liability and HSSE (Health, Safety, Security & Environment) risks, and invests to avoid these risks whether or not it gains financially by doing so. ABCD closely monitors the FAR (Fatal Accident Rate) and the LTI (Lost Time Injury) rate and compares them to industry averages.
  2. Acceptable risks within defined tolerance limits: Risks integral to ABCD’s business model that ABCD is advantaged to manage, and is willing to be exposed to provided they remain within set tolerance limits. ABCD will manage these risks so that they remain within the set tolerance limits, and will reduce or cap the relevant business activity if the risks cannot be managed adequately.
    • Project risk: Designing and executing projects is a core part of ABCD’s business; however, ABCD will actively manage project risk to minimize delays and cost overruns.
    • Market risk: ABCD accepts exposure to most market risks inherent in the oil and gas business, in particular crude and gas prices, to the extent they remain within set tolerance limits.
    • Operational risk: ABCD seeks to optimize operational efficiency (e.g., minimize downtime and outages).
  3. Risks taken but with no tolerance limit defined: Risks integral to ABCD’s business model that are difficult to control. As a consequence, ABCD has not set tolerance limits for these risks; however, it will engage with and influence stakeholders to manage these risks as relevant, and may seek relief from GROUP COMPANY to the extent a risk limits its ability to manage the business (e.g., capital funding):
    • Market/Financial risk: ABCD has not set tolerance limits on risks such as the correlation of crude and gas prices and the KD/USD exchange rate.
    • Counterparty risk: ABCD has not set tolerance limits on risks related to its partners.
    • Extreme events: ABCD has to accept that it is exposed to extreme events. For such events ABCD will develop stress scenarios to define its appetite.

A table depicting ABCD’s aggregated risks according to its risk appetite classification is appended below.

Risk Tolerance

Risk Tolerance refers to the ability of an organization to accept or withstand risk from a given source or event. It represents a threshold or measurement and it is defined as the economic and operating sensitivity the organization has to risk. ABCD’s risk tolerance is the acceptable level of variation relative to the achievement of the company’s strategic objectives. It is the choice of overall level of acceptable risk-taking for ABCD in pursuit of its objectives and never more than its risk bearing capacity. ABCD’s risk tolerance statement is derived based upon its risk bearing capacity and risk appetite.

The following is ABCD’s Risk Tolerance Statement:

  • Limits on individual risks: ABCD will set risk tolerance limits for all risks which require such limits, as defined in the risk appetite section. ABCD will continuously monitor these risks against the set limits and against ABCD’s cash flow, and intervene as needed.
    • ABCD will limit the impact of project delays. For domestic political influence risk (approval delay), the cash-flow tolerance limit is set at 10%; for execution delay risk, it is set at 5%.
    • ABCD delegates monitoring of crude and gas price volatility to GROUP COMPANY International Marketing. At the same time, ABCD monitors its production costs against the volatility of crude and gas prices. The crude and gas price volatility risk tolerance limit is set at 25%.
    • ABCD will limit the impact of operational risk; the tolerance limit is set at 2%.
    • ABCD will limit the impact of technology risk; the tolerance limit is set at 0.5%.
  • Extreme events: ABCD assesses its cash flow and production capacity against extreme-event scenarios and develops mitigation plans to reduce these risks to levels as low as reasonably possible.

Risk Taxonomy

ABCD establishes a common language for risk to promote effective communication. A risk taxonomy is a common structure for describing the categories and subcategories of risks, as well as the tools, metrics, and strategies for risk management.

  • A taxonomy is useful for breaking the universe of risk down into manageable components that can then be aggregated for exposure measurement and reporting purposes.
  • The development of a taxonomy is not a one-off process. It should be iterative and reflect the dynamic and changing nature of the business.
  • The process of creating a risk framework specific to ABCD’s risk profile generally starts from a generic template, which is then refined.
  • The categories are likely to decrease in number as some are eliminated or combined with others after the identification phase. Once defined, the risk framework can serve as the primary organizing principle for data collection and subsequent analysis.

Risk Categories

  • Credit – risk arising from the inability of a counterparty to meet a payment or delivery commitment
  • Environmental – risk arising from noncompliance with local, regional, or federal environmental laws or regulations
  • Financial – risk arising from deviation of business financing costs from original estimates
  • Health and Safety – risk arising from lack of, or noncompliance with, health and safety regulations, policies, or procedures
  • Human Resources – risk arising from inadequate human resources or inappropriate use of available resources
  • Information Systems – risk arising from inadequate information technology resources or inappropriate use of available resources
  • Legal – risk arising from contracts or other arrangements that are not enforceable through available means
  • Market – risk arising from unexpected changes in market supply, demand, or price
  • Model & Validation – risk arising from incorrect assumptions or data, or the inappropriate application of a model
  • Operational (Asset Failure) – risk arising from inadequate physical infrastructure
  • Operational (Process Failure) – risk arising from inadequate risk control or failure of risk infrastructure
  • Political – risk arising from the actions of local, regional, or federal governments or special interest groups
  • Reputation – risk arising from changes in public opinion that impact earnings or access to capital
  • Strategic – risk arising from ABCD’s inability to formulate and/or execute a successful business strategy
  • Technology – risk arising from ABCD’s inability to implement or manage new technology
  • Regulatory – risk arising from unexpected changes to local, regional, or federal law or regulatory policy

7. ERM Process

ABCD recognizes that an effective ERM entails a systematic process and thorough approach to its implementation. Implementing an integrated risk management approach requires a management decision and sustained commitment, and is designed to contribute to the realization of organizational objectives.

Appended below is an overview of ABCD’s risk management process:

Establish the Context

Establishing the internal and external context helps ABCD to articulate its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and the risk criteria for the remaining process. This phase is about understanding the internal and external environment; activities and processes; the company’s business model and objectives; governance structure; supply chain; etc., and relating them to the subsequent risk management process.

Risk Identification

ABCD shall identify sources of risk, areas of impact, events (including changes in circumstances), their causes and their potential consequences. This facilitates identifying events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives. Comprehensive identification is critical, because a risk that is not identified at this stage will not be included in further analysis. Best practice is to start from ABCD’s objectives and identify the elements that could affect them either positively (upside) or negatively (downside). Accordingly, the key risk indicators, or risk triggers, are also identified at this stage. A key risk indicator serves as an early warning to ABCD that a risk could potentially materialise and that further actions, such as a contingency plan, must therefore be activated.

Risk Analysis

This provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk analysis can also provide an input into making decisions when choices must be made and the options involve different types and levels of risk. Risk analysis involves consideration of the causes and sources of risk (root causes), their positive and negative consequences, and the likelihood that those consequences can occur. Factors that affect consequences and likelihoods should be identified accurately. Risk is analysed by determining consequences (impact) and their likelihood, and other attributes of risk. An event can have multiple consequences and can affect multiple objectives. Existing controls and their effectiveness should also be taken into account.

Risk Evaluation

Risk evaluation seeks to establish the risk rating of a risk based on the probability of that risk occurring and the severity of its impact. Once risks have been identified, an analysis of possible impact and probability of occurrence is made using consistent parameters that enable the development of a corporate risk profile. A numerical rating is given to the probability of occurrence of a risk and to its impact (monetary and non-monetary). Risk severity is derived as follows: Likelihood x Impact = Severity.

ABCD’s Likelihood Scale (Probability of Occurrence)

ABCD’s Impact Scale

ABCD has two impact scales: one based on financial values and the other on non-financial impact.

Based on the likelihood and impact scales, ABCD’s risk heat map is tabulated below:

Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered. In some circumstances, the risk evaluation can lead to a decision to undertake further analysis. The risk evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing controls. This decision will be influenced by ABCD’s risk attitude and the risk criteria that have been established.
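The scoring rule above (Likelihood x Impact = Severity, read off a heat map, with High and Very High risks treated as Key Group Risks) is simple enough to automate over a risk register. The script below is an added illustration, not part of the ABCD policy or its risk tools. Because the policy’s likelihood and impact tables are not reproduced on this page, the 5-point scales, the band thresholds, the rule that the worse of the financial and non-financial impact ratings is used, and the register entries are all assumptions made for the example.

```python
"""
Added worked example (not part of the ABCD ERM policy): scoring a small
constructed risk register with Likelihood x Impact = Severity and banding
the result on a heat map, as the Risk Evaluation section describes.

Assumptions, since the policy's scale tables are not reproduced here:
the likelihood and both impact scales are 5-point scales, the impact used
for scoring is the worse of the financial and non-financial ratings, and
the heat-map bands are Low / Medium / High / Very High over the 1..25
severity range. All register entries below are constructed.
"""
from dataclasses import dataclass

# Assumed 5-point likelihood scale (1 = lowest chance of occurrence).
LIKELIHOOD = {
    "rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5,
}
# Assumed 5-point impact scale, shared by the financial and non-financial
# impact tables (the policy keeps two tables; the ratings are comparable).
IMPACT = {
    "insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5,
}
# Assumed heat-map bands: (minimum severity, band name), checked top-down.
BANDS = ((20, "Very High"), (12, "High"), (6, "Medium"), (1, "Low"))
# Key Group Risks are the risks in the top bands (High & Very High).
KEY_GROUP_BANDS = {"High", "Very High"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str              # one of the policy's risk categories
    likelihood: str            # key into LIKELIHOOD
    financial_impact: str      # key into IMPACT (financial impact scale)
    non_financial_impact: str  # key into IMPACT (non-financial impact scale)


def severity(risk: Risk) -> int:
    """Likelihood x Impact = Severity, using the worse of the two impact ratings."""
    try:
        likelihood = LIKELIHOOD[risk.likelihood]
        impact = max(IMPACT[risk.financial_impact], IMPACT[risk.non_financial_impact])
    except KeyError as exc:
        # An unknown rating is a data-quality defect, not a low risk: refuse to score it.
        raise ValueError(f"{risk.risk_id}: rating {exc} is not on the scale") from exc
    return likelihood * impact


def band(score: int) -> str:
    """Map a severity score onto its heat-map band."""
    if not 1 <= score <= 25:
        raise ValueError(f"severity {score} outside the 1..25 range")
    for minimum, name in BANDS:
        if score >= minimum:
            return name
    raise AssertionError("unreachable: BANDS covers 1..25")


def heat_map() -> list[list[str]]:
    """Rows = likelihood 5..1 (top to bottom), columns = impact 1..5."""
    return [[band(l * i) for i in range(1, 6)] for l in range(5, 0, -1)]


def evaluate(register: list[Risk]) -> list[dict]:
    """Rate every register entry; sort worst first so the report leads with KGRs."""
    rows = []
    for risk in register:
        score = severity(risk)
        rows.append({"risk_id": risk.risk_id, "category": risk.category,
                     "severity": score, "band": band(score)})
    return sorted(rows, key=lambda r: r["severity"], reverse=True)


def key_group_risks(register: list[Risk]) -> list[str]:
    """Risk IDs that fall in the High / Very High bands (the Key Group Risks)."""
    return [r["risk_id"] for r in evaluate(register) if r["band"] in KEY_GROUP_BANDS]


# Constructed sample register (illustrative only).
SAMPLE_REGISTER = [
    Risk("R-01", "Health and Safety", "possible", "moderate", "severe"),
    Risk("R-02", "Market", "likely", "major", "minor"),
    Risk("R-03", "Information Systems", "unlikely", "moderate", "moderate"),
    Risk("R-04", "Operational (Process Failure)", "almost certain", "severe", "major"),
    Risk("R-05", "Legal", "rare", "minor", "insignificant"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(f"{row['risk_id']:5} {row['severity']:3} {row['band']:10} {row['category']}")
    print("Key Group Risks:", key_group_risks(SAMPLE_REGISTER))
```

Two design choices are worth noting. Taking the worse of the two impact ratings means a risk with a negligible monetary impact but a severe HSSE or reputational impact is still escalated, which matches the policy’s treatment of HSSE risk as unacceptable regardless of financial gain. And an entry with a rating that is not on the scale is rejected rather than silently scored low, so a typo in the register cannot hide a risk from the Key Group Risks list.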

Risk Mitigation and Risk Treatment

Risk mitigation and risk treatment are actions taken by risk owners that will change the status of a risk. Management alternatives include the following possibilities:

  • retaining the risk, either completely or partially;
  • avoiding the risk by withdrawing from or ceasing the activity;
  • reducing its likelihood of occurrence by designing and implementing controls;
  • reducing its impact by emergency or crisis response; and/or
  • transferring the risk by outsourcing or utilizing insurance schemes.

Monitoring and Review

To ensure that ERM is effective and continues to support organizational performance, ABCD shall:

  1. Measure risk management performance against indicators, which are periodically reviewed for appropriateness;
  2. Periodically measure progress against, and deviation from, the risk management plan;
  3. Periodically review whether the risk management framework, policy and plan are still appropriate, given the external and internal context;
  4. Report on risk, on progress with the risk management plan and on how well the risk management policy is being followed; and
  5. Review the effectiveness of the risk management framework.

Communication and Consultation

Communication and consultation with external and internal stakeholders shall take place during all stages of the risk management process. This is especially important because stakeholders make judgements about risk based on their perceptions of it, and these perceptions can vary due to differences in their values, needs, assumptions, concepts and concerns. Communication and consultation should facilitate truthful, relevant, accurate and understandable exchanges of information, taking into account confidentiality and personal integrity aspects.

Risk Index

ABCD focuses on the mitigation of its key group risks, which consist of the risks of ‘High & Very High’ severity. A number of these key group risks are selected by ABCD’s management annually and their mitigation is monitored on a monthly basis. These selected key group risks are known as the Risk Index.

8. Framework

The purpose of the risk management framework is to assist ABCD in integrating risk management into its significant activities and functions. The effectiveness of risk management will depend on its integration into the governance of ABCD, including decision-making. This requires support from stakeholders, particularly ABCD leadership and top management. Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across ABCD. Figure 9 illustrates the components of the framework.

ABCD evaluates its existing risk management practices and processes, evaluates any gaps and addresses those gaps within the framework. The components of the framework, and the way in which they work together, should be customized to the needs of ABCD.

Leadership and commitment

ABCD Top Management and the Risk Oversight Committee ensure that risk management is integrated into all ABCD activities, and demonstrate leadership and commitment by:

  • customizing and implementing all components of the framework;
  • issuing a statement or policy that establishes a risk management  approach,  plan or course of action;
  • ensuring that the necessary resources are allocated to managing risk;
  • assigning authority, responsibility and accountability at appropriate levels within ABCD.

Design

Understanding ABCD and its context

When designing the framework for managing risk, ABCD examines and understands its external and internal context. Examining ABCD’s external context may include, but is not limited to:

  • The social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;
  • External stakeholders’ relationships, perceptions, values, needs and expectations;
  • Contractual relationships and commitments;

Examining ABCD internal context may include, but is not limited to:

  • Vision, mission and values;
  • Governance, ABCD structure, roles and accountabilities;
  • Strategy, objectives and policies;
  • ABCD risk culture;
  • Standards, guidelines and models adopted by the GROUP COMPANY as well as ABCD;
  • Capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property, processes, systems and technologies);
  • Data, information systems and information flows;
  • Relationships with internal stakeholders,  taking into account  their  perceptions  and values;
  • Contractual relationships and commitments.

Allocating resources

Top Management and the Risk Oversight Committee, where applicable, ensure the allocation of appropriate resources for risk management, which can include, but are not limited to:

  • people, skills, experience and competence;
  • ABCD’s processes, methods and tools to be used for managing risk;
  • documented processes and procedures;
  • information and knowledge management systems;
  • professional development and training needs.

ABCD considers the capabilities of, and constraints on, existing resources.

Improvement

ABCD continually improves the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated. ABCD develops and enhances its human capital skills and competency on ERM-related subjects. This encompasses ABCD’s risk practitioners, risk owners, risk coordinators, and senior and top management. At the same time, other employees are also encouraged to learn and understand the basic concepts of ERM. The knowledge gained from these activities is beneficial and value-adding to ABCD, as it supports the development of a robust ERM culture for ABCD.

ERM Roles and Responsibilities

An effective risk governance structure, clearly assigning authority and responsibility for risk management in the company, is an essential component of ERM. The ERM Governance in ABCD is illustrated as below:

1) Board of Directors (BODs):

Responsibility

  • Maintain an awareness and understanding of the principal risks in all aspects of the business.
  • ERM Strategy Setting and ERM Decision Making

Role

  • Approve the Enterprise Risk Management Policy.
  • Approve limits of risk taking (Capacity, Appetite & Tolerance) for the company.
  • Approve designation of Key Group Risks.
  • Approve the five-year Risk Report.
  • Monitor the Management of Key Group Risks.

2) Audit & Risk Committee:

Responsibility

  • Provide assurance that the organization is compliant with prevailing regulations and guidelines.

Role

  • Ensure the effective operation of the ERM Framework.
  • Determine consistency with the stated GROUP COMPANY Risk Appetite and Risk Tolerance.
  • Monitor Business Unit risk management practices for consistency and conformance to the Policy.

Chief Executive Officer (CEO) and Leadership Committee:

Responsibility

  • The owner of the ABCD’s ERM Policy.
  • The ultimate accountability for the management of the corporation’s risks, including issuing directives for their management.

Role

  • Ensure that there is a proper balance between risks and potential returns at the organization/Business Unit level.
  • Ensure that there are policies and systems to effectively manage and monitor risks, with a view to the achievement of ABCD’s and hence GROUP COMPANY’s Strategic Directives.
  • Ensure that appropriate processes and risk management capabilities are in place to identify, assess, measure, manage, monitor, and report risks within the Organization/Business Unit.
  • Endorse Risk Limits (Capacity, Tolerance and Appetite) for the Organization after consultation with the BOD and Risk Management Group as necessary.
  • Communicate the level and status of risk within the Organization Unit to the BOD.
  • Initiate, wherever necessary, processes to improve the assessment, measuring, management, monitoring, and reporting of risk.
  • Report to the BOD on risks and opportunities in the Organization.
  • Ensure the Organization’s risk reports are submitted to CRMD for monitoring purposes.

3) Risk Oversight Committee

Responsibility

The Risk Oversight Committee (ROC) is a permanent committee within ABCD, established by its Chief Executive Officer (CEO) with advice from the Risk Management Team. Its members have an overall knowledge of ABCD’s business and are responsible for tactical risk governance.

The ROC Chairman chairs ROC meetings and, in the event he/she is not available, the Deputy Chairman presides. In decisions where no consensus can be reached, the Chairman’s vote is the deciding vote. The ROC Chairman also represents ABCD as a committee member in GROUP COMPANY’s ROC and in the GROUP COMPANY HSSE steering committee.

Role

  • advises the CEO and Leadership Committee on all matters related to ERM;
  • monitors the effectiveness of ERM at ABCD and recommends actions to maintain and increase the effectiveness of ABCD’s ERM;
  • continuously monitors and assesses the Key Group Risks (KGR) and their treatment plans;
  • selects the Risk Index and oversees achievement of its targets;
  • assesses ABCD’s risk tolerance thresholds on a periodic basis and recommends revisions, if necessary;
  • secures and develops ERM resources and capabilities;
  • reviews the ERM Policy on a periodic basis.

ABCD’s ROC compositions are as below:

  • ROC Chairman – Deputy CEO of Technical & Commercial Affairs
  • ROC Deputy Chairman – Risk Management Group Manager
  • ROC Secretary – Sr. Risk Analyst
  • ROC Members – ABCD Head Office Group Managers + Team Leader, Risk Management + Team Leader, HSSE

The scope of the ROC is described in the ROC Charter, a separate document.

Risk Management Team

Responsibility

The Risk Management Team is responsible for ongoing ERM activities.

Role

  • coordinates and facilitates Risk Management processes;
  • supports ABCD Teams in the management of their risks;
  • coordinates implementation of Risk Management procedures throughout ABCD by facilitating meetings and discussions with RCs;
  • provides periodic reports to the ROC and implements the guidelines provided by the ROC;
  • provides a monthly report to top management on the Risk Management process;
  • maintains communication with the GROUP COMPANY Corporate Risk Management Department (and, if required, with the GROUP COMPANY Internal Audit team for the GROUP COMPANY Audit and Risk Committee);
  • aggregates, analyses and reports the company’s overall risk portfolio;
  • supports ERM integration of Head Office with Joint Operations; and,
  • increases over time the capabilities of ABCD ERM and ensures that ERM continuously reflects the best fit for ABCD as the art and science of ERM improves over time.

Managers and Team Leaders

Managers and Team Leaders manage risks within the scope of their authority and accountability; make business decisions in accordance with GROUP COMPANY and ABCD risk policies and guidelines; implement risk management processes within their Team or Group, in collaboration with the Risk Management Team; ensure that employees have the information and skills required to manage risks; are aware of the interrelationships between risks faced by their Team and other Teams.

Risk Coordinators (RC)

RCs are selected and appointed by a Team Leader or Group Manager. The RC represents the Team/Group on matters pertaining to risk management. Each team is expected to have at least one RC, and a Group Manager may appoint an RC to represent his/her group. The principal basis for appointing an RC, and the RC’s duties, are as follows:

  • adequate knowledge and experience level on the team’s objectives and functions;
  • provides risk mitigation updates and status to Risk Management Team;
  • coordinates and organizes risk assessment activities within his/her Team/Group by actively engaging respective colleagues to obtain the required information; and,
  • obtains approval from the Team Leader/Group Manager prior to adding and/or removing risks from the risk register.

There may be instances where an RC is appointed by higher management-level authority, within managerial or team leader level, to assist in ABCD’s ERM process such as addressing risks at the portfolio level (ABCD-wide risks). The group of ABCD’s RCs are known as the Risk Management Work Group.

In general, ABCD’s employees and contractors should understand the basic principles of ERM and their own accountability for specific risks, and should contribute and actively participate in the continuous improvement of risk management in ABCD, according to the principle that ‘risk management is everybody’s business.’ This is vital for the evolution and maturity of ABCD’s risk culture, and in this regard the Risk Management Team shall conduct continuous learning sessions (i.e., awareness programs, ERM-related presentations and activities, etc.). Employees and contractors are encouraged to continuously communicate to the Team Leader of the Risk Management Team about risks related to the company.

Enterprise Risk Management Policy Statement

ABCD has formulated the following Enterprise Risk Management (ERM) Policy Statement. It will be communicated to all relevant stakeholders by ABCD’s Chief Executive Officer.

To: All ABCD Employees and Contractors;

ABCD’s vision is to achieve a leading global position in Upstream Oil & Gas as an integrated and value-driven enterprise. This is to be achieved by maximising the strategic value from oil; realising the potential of gas; growing reserves for a sustainable future; being an employer of choice; optimising value from technology; strengthening commitment to HSSE; striving for excellence in performance; and, contributing to the enterprise and the State of Kuwait.

To achieve this vision, we need to protect ourselves against the uncertainties that threaten our company objectives, and at the same time identify and capture the opportunities that would help us achieve our goals. ERM is the systematic approach that ABCD uses to manage all risks in the company, both threats and opportunities. It gives ABCD a better understanding of how internal and external factors affect company objectives, provides better support for decisions, reduces unwelcome surprises and improves opportunities. ERM helps ABCD to secure and achieve its strategic objectives and is aligned with our overall strategy.

ERM involves open discussion of risks, based on a common language and framework. Risks are managed as a portfolio, considering the relationships between them; every risk has an ‘owner’ who is accountable for managing it.

Effective risk management relies on a corporate culture where ‘risk management is everybody’s business.’ All ABCD employees and contractors are expected to:

  • Understand the general principles of ERM;
  • Identify the threats and opportunities that might affect company objectives;
  • Report, discuss and analyse these risks frankly and openly;
  • Understand their own accountability for specific risks, and participate in risk monitoring and treatment; and,
  • Participate actively in the continuous improvement of risk management in ABCD.

ABCD management is committed to fostering a work environment where risks are discussed openly, and encourages employees and contractors to grow their risk management skills and apply them to their everyday work. For this purpose, ABCD’s ERM Policy shall be used as a guiding principle.

Risk assurance technique

Risk assurance is the process of providing confidence to stakeholders that an organization’s risk management practices, internal controls, and governance frameworks are effective in identifying, assessing, managing, and mitigating risks. It involves evaluating whether these systems are aligned with strategic objectives, regulatory requirements, and industry standards, ensuring that the organization can achieve its goals while minimizing potential losses or disruptions. Risk assurance is an essential part of managing risks in an organization. It ensures that major risks are well-handled and that critical controls are effective and properly implemented. Audit committees often discuss how seriously departments handle risks and controls. While the risk manager and internal auditor can give their opinions, the audit committee relies on objective evaluations of each department’s performance and risk culture as the main source of assurance. Depending on the organization, the audit committee may use various sources for risk assurance, including internal and external audits. External auditors generally focus on validating financial and accounting processes, while internal audits assess broader risk management practices. Assurance also comes from reviewing and monitoring risk activities, which include:

  • Checking how the risk management process operates.
  • Assessing the quality of risk controls in place.
  • Measuring success in reducing risks and achieving business goals.
  • Analyzing why high-risk projects succeeded.
  • Providing assurance across all these areas.

When a company seeks funding, such as a bank loan, it may need to demonstrate how its board ensures significant risks are managed. Assurance sources might include:

  • Evaluating the organization’s risk culture.
  • Reviewing internal audit reports and departmental reports.
  • Assessing the success of individual departments.

Some organizations use control risk self-assessment (CRSA) to identify weaknesses, with findings reported to the executive committee for corrective action. These measures give the board greater confidence and improve the company’s ability to secure funding. Risk assurance varies depending on the focus—strategy, operations, compliance, or specific risks. For example:

  • Hazard risks like health and safety often require annual reports.
  • Fraud incidents, especially in cash-handling organizations, are typically reviewed yearly.
  • Large projects may require post-implementation reviews to check if they were completed on time, within budget, and met expectations. Follow-up reviews might assess performance after the first year.

For risks tied to opportunities, like new business proposals, organizations are starting to perform risk assessments. Professional consultancy firms, for instance, often have committees to evaluate potential business opportunities. These evaluations include attaching a risk assessment to each proposal. In short, risk assurance involves multiple methods to ensure risks are managed effectively and decisions are supported by reliable evaluations.

Sources of risk assurance

  • Culture measurement – by use of a recognized framework such as CoCo or COSO in order to gain a quantitative evaluation of the control environment.
  • Audit reports – produced by internal audit and external auditors on a range of issues including risk assessment, implementation, compliance and training.
  • Unit reports – on such issues as risk performance indicators, CRSA, response to audit recommendations and reports on incidents that have occurred.
  • Performance of the unit – on risk-related issues, losses, significant weaknesses in control measures and details of any material losses suffered by the unit.
  • Unit documentation – on topics such as the risk management policy, health and safety policy, business continuity plans and disaster recovery plans.

Key Components of Risk Assurance:

  1. Evaluation of Controls: Ensures that internal controls are functioning as intended and effectively mitigating risks.
  2. Risk Management Processes: Reviews the organization’s risk identification, assessment, response, and monitoring activities.
  3. Compliance: Assures adherence to legal, regulatory, and policy requirements.
  4. Reporting and Communication: Provides transparent and reliable information on the organization’s risk profile and control effectiveness.

Risk Assurance Techniques

  • Internal Audits: Periodic reviews conducted by an internal audit team to assess the effectiveness of risk management, internal controls, and compliance. Focus on high-risk areas and provide recommendations for improvement.
  • External Audits: Independent evaluations by third-party auditors to verify the accuracy of financial statements, compliance, and the effectiveness of internal controls.
  • Risk Assessments: Systematic identification and analysis of potential risks to determine their impact and likelihood. Often includes scenario analysis, SWOT analysis, and risk heat mapping.
  • Control Testing: Tests specific controls to ensure they are operating as intended (e.g., cybersecurity controls, financial controls). Includes both manual and automated control testing.
  • Key Risk Indicators (KRIs): Metrics used to monitor changes in risk levels and provide early warning signals of potential issues. Examples include employee turnover rates, system downtime, or financial liquidity ratios.
  • Compliance Reviews: Assessments of adherence to legal, regulatory, and internal policy requirements. Focus on areas such as data protection, anti-corruption, and industry-specific regulations.
  • Enterprise Risk Management (ERM) Frameworks: Use of structured frameworks such as COSO ERM or ISO 31000 to ensure systematic risk management practices.
  • Continuous Monitoring: Use of technology and analytics to provide real-time insights into risk trends and control effectiveness.
  • Third-Party Assurance: Reviews of third-party service providers or supply chains to ensure their risk management and compliance align with organizational standards.
  • Control Self-Assessments (CSA): A collaborative process where business units assess their own risks and controls. Encourages ownership and accountability for risk management.

Purpose of Risk Assurance

  • Building Stakeholder Confidence: Demonstrates that risks are being managed effectively.
  • Enhancing Decision-Making: Provides reliable information for strategic and operational decisions.
  • Improving Resilience: Identifies gaps and areas for improvement to strengthen the organization’s risk posture.
  • Ensuring Compliance: Avoids legal and regulatory penalties by demonstrating adherence to requirements.

Roles and Responsibilities

A risk management policy should clearly outline the roles and responsibilities for managing risks and internal controls. The main goals of risk management are to meet mandatory requirements, provide assurance, support better decision-making, and improve the effectiveness of core processes. When assigning responsibilities, it’s important to consider key risks and separate roles for:

  • Setting strategy.
  • Designing controls.
  • Auditing compliance.

For example:

  • A head office might decide the level of security needed for the organization.
  • The production department could design the controls since security might be closely tied to their operations.
  • Internal audit would typically check if the security measures are followed correctly.

In other cases, a specialist or a head of security may handle the design of controls. Even small organizations should separate responsibilities, such as having one person design controls and another audit compliance. For instance, in a small charity, a non-executive board member might review financial controls to ensure they are effective and efficient. The risk manager’s role is to guide and facilitate these efforts, such as organizing workshops to identify risks like fraud and assigning responsibilities for managing them. However, the risk manager should not implement controls or audit compliance. Their focus should be on evaluating the effectiveness of controls and suggesting improvements.

Adding Value Through Internal Audits
Internal audits provide value by identifying areas for improvement and ensuring controls are effective. Factors that help auditors maximize value include:

  1. Understanding the organization – its culture, key people, and competitive landscape.
  2. Innovating – introducing new ideas, even if stakeholders don’t initially expect or ask for them.
  3. Adapting – exceeding stakeholder expectations by tailoring to the organization’s needs.
  4. Knowing best practices – staying updated on what the auditing profession considers valuable.

While the first three factors involve skills and personal qualities, keeping up with industry best practices is an ongoing challenge for auditors.

Audit committees

An increasing number of organizations are setting up audit committees to oversee key aspects of governance, risk, and compliance. These committees are typically composed of non-executive directors, with senior executive directors attending meetings as needed. A non-executive director, often referred to as the lead non-executive director, chairs the committee, though this role is usually separate from that of the non-executive chairman. The audit committee holds a unique position within the organization; it is not considered a sub-committee of the board but has the authority and independence to evaluate all organizational activities, including those of the board itself. While the audit committee is often seen as the guardian of compliance, its scope extends far beyond ensuring legal and regulatory adherence. The board of directors retains responsibility for the organization’s governance and risk management, including overseeing the first and second lines of defense. In contrast, the audit committee focuses on evaluating governance standards, ensuring adequate attention to risk management, and seeking assurance on compliance levels. This responsibility also includes reviewing the governance arrangements of the board itself, ensuring that all strategic, operational, and compliance-related matters are appropriately addressed.

In large organizations, specialized committees such as the nominations committee and the remuneration committee handle specific responsibilities like senior appointments and the design of pay structures. These committees, often made up of both executive and non-executive members, report to the board. However, the presence of these committees does not diminish the audit committee’s role. The audit committee assesses the effectiveness of the board as a whole, including its sub-committees, while maintaining its position as the ultimate monitor of governance, risk, and compliance across the organization. The audit committee’s responsibilities include ensuring that significant risks are correctly identified and that critical controls are implemented effectively. Although the committee does not manage risks or implement controls directly, it validates the adequacy of the risk management processes and seeks assurance on their effectiveness. It also oversees the organization’s internal control system, which encompasses financial and operational controls designed to ensure efficiency, effectiveness, and compliance with laws and regulations. By fulfilling these duties, the audit committee provides the organization with a robust mechanism for ensuring accountability and enhancing stakeholder confidence.

Responsibilities of the audit committee

  1. External audit
    • recommend the appointment and re-appointment of external auditors
    • review the performance and cost-effectiveness of the external auditors
    • review the qualification, expertise and independence of external auditors
    • review and discuss any reports from the external auditors
  2. Internal audit
    • review internal audit and its relationship with external auditors
    • review and assess the annual internal audit plan
    • review promptly all reports from the internal auditors
    • review management response to the findings of the internal auditors
    • review activities, resources and effectiveness of internal audit
  3. Financial reporting
    • review the annual and half-year financial results
    • evaluate annual report against requirements of the governance code
    • review disclosure by CEO and CFO during certification of annual report
  4. Regulatory reports
    • review arrangements for producing the audited accounts
    • monitor and review standards of risk management and internal control
    • develop a code of ethics for CEO and other senior management roles
    • annually review the adequacy of the risk management processes
    • receive reports on litigation, financial commitments and other liabilities
    • receive reports of any issues raised by whistleblowing activities

Risk management outputs

Risk management and internal audit should focus on the results of the risk management process and the desired impact on the organization. Risk management aims to increase the likelihood of achieving organizational goals, which aligns with the purpose of internal audit. Together, their efforts contribute to improved performance in four key areas: strategy, tactics, operations, and compliance (STOC). This is achieved by minimizing disruptions from risks and choosing effective processes suited to the organization. These processes require informed decisions and successful project planning and implementation, which both risk management and internal audit support. Strategic decisions are among the most critical for any organization. Both risk management and internal audit play important roles in guiding these decisions. For instance, risk management ensures that risk assessment workshops address strategic concerns, while internal audit evaluates the quality of the processes used to make these decisions. By working together, they help create strategies that are both effective and efficient. The key outcomes of risk management and internal audit include meeting legal obligations, providing assurance, supporting decision-making, and ensuring the organization’s processes are effective and efficient (MADE2). Collaboration between the two functions is crucial for achieving these goals. However, it’s important to maintain the independence of internal audit from executive management. This independence ensures internal audit can objectively evaluate processes without becoming overly involved in the day-to-day management of risks.

Control risk self-assessment

Internal audit teams often use a process called self-certification of controls in addition to performing physical audits. In this process, local senior management regularly (often yearly) submit a report confirming the level of risk assurance achieved in their department. This approach, known as control risk self-assessment (CRSA), is usually completed electronically or via the organization’s intranet. The CRSA questionnaire is typically designed based on established internal control frameworks, such as COSO, CoCo, or guidelines like the UK Financial Reporting Council’s 2014 risk guidance. These self-assessments not only confirm adequate internal controls and risk assurance but also highlight significant weaknesses in controls. This information helps internal auditors identify areas where additional controls might be necessary. The CRSA return may also require details of any major control failures that have occurred. To ensure consistency, the organization provides a benchmark to identify what constitutes a material failure. This benchmark is usually stricter than the one used by external auditors. For instance, if the external materiality threshold is set at £1 million, the CRSA process might require departments to report any control failure resulting in a loss of over £100,000.

An organization’s approach to Control Risk Self-Assessment (CRSA) should focus on ensuring it is a systematic, collaborative, and transparent process that strengthens internal controls and enhances risk management practices. For example, the executive has recommended the use of an annual ‘control risk self-assessment’ (CRSA) exercise, to be conducted by internal audit, as part of the annual review of corporate governance. Each year a sample of the governance policies will be chosen by the governance panel for inclusion in the CRSA exercise. Policy custodians will be required to help formulate questionnaires and report back to internal audit on the feedback received from services. The findings from the CRSA exercise, together with the assessment of compliance against each of the supporting principles and the work carried out by internal audit in accordance with the annual audit plan, will be drawn together into the annual governance statement, for review by the governance panel, the audit committee and the executive committee.

Here’s how the organization should approach CRSA:

  • Monitor and Improve: The organization should regularly review and refine the CRSA process based on feedback, changing risks, and evolving best practices. Continuous improvement ensures the process remains effective and relevant.
  • Define Clear Objectives: The organization should establish the purpose of CRSA, such as identifying control gaps, evaluating risk assurance levels, and ensuring alignment with internal control frameworks like COSO or CoCo. The process should aim to promote accountability and improve the effectiveness of controls.
  • Engage Senior Management: Local senior management should actively participate in the self-assessment process, as they are closest to the operational risks and controls. Their involvement ensures that the process is grounded in practical realities and aligns with organizational objectives.
  • Develop a Comprehensive Questionnaire: The CRSA process should use a well-structured questionnaire based on relevant internal control frameworks. This questionnaire should cover critical aspects, including the adequacy of existing controls, areas of significant weakness, and instances of material control failures.
  • Leverage Technology: The process should be facilitated using electronic tools, such as online surveys or intranet portals, to streamline data collection, improve accuracy, and enable easy tracking and analysis of results.
  • Set Materiality Benchmarks: The organization should establish clear thresholds for reporting significant weaknesses and material failures. These benchmarks should be stricter than those used by external auditors to ensure early detection of potential risks.
  • Encourage Transparency: Employees and managers should feel confident to report weaknesses or failures without fear of blame. A transparent, non-punitive environment fosters honest self-assessments and helps in identifying genuine risks.
  • Analyze and Act on Findings: The results of CRSA should be reviewed systematically by internal auditors to pinpoint areas requiring additional controls or improvements. Significant issues should be escalated to senior management for action.
  • Provide Training and Guidance: Employees involved in the CRSA process should receive clear guidance and training on how to evaluate risks and controls effectively. This ensures consistency and reliability in the assessments.
  • Integrate with the Risk Management Framework: CRSA should be part of the broader risk management and governance processes. It should provide valuable inputs for risk assessment, audit planning, and control improvements.

Benefits of risk assurance

Corporate governance is a key focus for organizations and their stakeholders, and risk assurance should not just be a routine or checklist task. Organizations need to show that corporate governance is a management priority. Many understand the importance of being open about risk reporting, which requires strong communication efforts at all times. Once effective communication is in place, the organization must ensure it has positive updates to share with stakeholders. Risk assurance activities help provide confidence to all stakeholders, such as employees, suppliers, customers, government agencies, and both internal and external auditors. Risk assurance plays a vital role in an organization’s corporate governance and supports its strategic, tactical, operational, and compliance (STOC) processes. The advantages of solid risk assurance include building trust with stakeholders, reassuring sponsors and lenders, showing regulators good practices, preventing unexpected financial or operational issues, protecting the organization’s reputation, fostering a strong risk-aware culture, and enabling safe delegation of authority.

Although the external auditor’s work is not primarily for the organization’s benefit, the audit and risk assurance committee should still engage with it. They should review the results of external audits, address any identified weaknesses, and understand the external auditor’s planned approach. The committee should also examine how well the external auditor works with internal audit to improve overall efficiency, reduce unnecessary duplication, and enhance assurance. Additionally, they should assess the potential impact of any broader work by the external auditor, such as value-for-money assessments or recommendations for good practices.

Internal audit activities

In Enterprise Risk Management (ERM), internal audit is an independent and objective function that evaluates how effectively the organization identifies, assesses, manages, and mitigates risks to achieve its objectives. It plays a key role in providing assurance that the ERM framework is working as intended and supports the organization in enhancing its risk management practices. Internal Audit Activities in ERM:

  • Assessing the ERM Framework: Internal audit reviews the design and implementation of the ERM framework to ensure it aligns with the organization’s objectives and industry standards. This includes evaluating the structure, policies, and processes for risk identification, assessment, and response.
  • Testing Risk Controls: Internal audit examines the effectiveness of controls put in place to manage specific risks. This involves testing key controls to verify whether they are functioning as intended and identifying gaps that need remediation.
  • Reviewing Risk Assessments: Auditors evaluate the quality of risk assessments conducted by the organization. They verify that risks are being identified comprehensively, assessed consistently, and prioritized appropriately.
  • Providing Assurance on Risk Reporting: Internal audit ensures that risk reporting is accurate, transparent, and timely. It checks whether risk information provided to management and stakeholders supports informed decision-making.
  • Evaluating Risk Culture: Internal audit assesses the organization’s risk culture to determine whether employees and management understand and align their behavior with risk management expectations.
  • Monitoring Emerging Risks: Internal audit examines how well the organization identifies and prepares for emerging risks. This includes reviewing mechanisms for scanning the external and internal environment for new threats or opportunities.
  • Supporting Decision-Making: While maintaining independence, internal audit provides insights and recommendations to improve the organization’s risk management practices, contributing to better decision-making and strategic alignment.
  • Auditing Risk Governance: Internal audit reviews the roles and responsibilities of the board, risk committees, and management to ensure accountability and oversight in the ERM process.
  • Collaborating with Other Assurance Providers: Internal audit coordinates with external auditors, compliance teams, and other assurance functions to optimize efforts, reduce duplication, and provide comprehensive assurance over the risk management process.
  • Continuous Improvement of ERM: Internal audit identifies opportunities to enhance the ERM process by recommending improvements in policies, frameworks, and practices based on its findings and industry best practices.

Risk management and internal audit need to work closely together, though their specific roles will depend on the organization’s type, size, and nature. This relationship is crucial because effective risk management relies on four key outcomes, known as MADE2: meeting mandatory requirements from laws, customers, and standards; providing assurance to management and stakeholders; enabling informed decision-making; and ensuring effective and efficient core processes across the organization. To achieve these outcomes, cooperation among all stakeholders, including risk management and internal audit, is essential. Risk assurance activities and the significant role of internal audit are explored further in related chapters. Internal control, which involves procedures, checks, and methods to help organizations meet their goals, is closely linked to risk management. In larger organizations, internal audit often evaluates these controls, and in some cases, external firms may handle the internal audit function. Although internal audit and risk management have distinct roles, they share common interests. Risk management is typically an executive function, managed by senior executives, with the risk management committee often chaired by a board-level executive. Internal audit, on the other hand, focuses on risk assurance, a responsibility overseen by a non-executive audit committee in larger organizations. Since internal auditors validate the effectiveness of controls and procedures for managing risk, they should remain independent and not take on executive tasks like designing or implementing risk control measures.

A good system of internal control helps reduce risks but cannot completely prevent issues like poor decision-making, human mistakes, employees bypassing controls, management overriding rules, or unexpected events. Such a system offers reasonable confidence, though not a guarantee, that a company can achieve its business goals and operate smoothly and lawfully under foreseeable conditions. However, it cannot completely protect against failing to meet objectives, significant errors, losses, fraud, or violations of laws or regulations.

Role of internal audit

To successfully implement an Enterprise Risk Management (ERM) initiative, several activities are essential, and a number of them fall under the responsibility of the internal audit department. These core activities include reviewing how key risks are managed, evaluating how those risks are reported, and assessing the risk management processes themselves. Other tasks, such as setting the organization’s risk appetite, imposing risk management processes, and taking decisions on how to respond to risks, belong to management and should not be undertaken by internal audit. Internal audit can be involved in certain further activities, such as helping to identify risks, coordinating ERM efforts, developing the ERM framework, and supporting the establishment of ERM, as long as appropriate safeguards are in place. This division of responsibilities supports the “three lines of defense” model, where management forms the first line, risk management specialists the second, and internal audit the third. An important task of the audit department is setting audit priorities, especially when it comes to testing controls in relation to risk management. While risk management professionals are good at assessing risks and recommending appropriate controls, the internal auditor’s role is to test whether those controls are properly implemented and effective. The goal is to confirm that the intended level of risk has been achieved. If controls are found to be ineffective, they must be improved. Although risk management and internal audit can discuss and facilitate control issues, it is up to line management to make the final decisions about controls and their effectiveness.

  • Core internal audit roles in regard to ERM
    • Giving assurance on the risk management processes
    • Giving assurance that risks are correctly evaluated
    • Evaluating risk management processes
    • Evaluating the reporting of key risks
    • Reviewing the management of key risks
  • Legitimate internal audit roles with safeguards
    • Facilitating identification & evaluation of risks
    • Coaching management in responding to risks
    • Co-ordinating ERM activities
    • Consolidated reporting on risks
    • Maintaining & developing the ERM framework
    • Championing establishment of ERM
    • Developing RM strategy for board approval
  • Roles internal audit should not undertake
    • Setting the risk appetite
    • Imposing risk management processes
    • Management assurance on risks
    • Taking decisions on risk responses
    • Implementing risk responses on management’s behalf
    • Accountability for risk management

Undertaking an internal audit

Conducting an internal audit involves several steps. First, the audit must be planned. Then, the fieldwork is carried out, where controls are tested. Afterward, an audit report is created, and finally, follow-up actions are taken. During the audit, the auditor gathers relevant information to understand the areas being reviewed. This analysis helps the auditor set priorities and objectives for the audit. For example, if auditing the supply chain, the auditor would collect details about contracts with suppliers. Fieldwork is often considered the most important part of the audit. The auditor may need to visit various locations, including supplier sites, if the audit focuses on the supply chain. The goal of the fieldwork is to understand the risks and controls in place to manage them. The auditor will test these controls to check their efficiency and effectiveness, through discussions with managers and staff, as well as observing operations. After the fieldwork, the auditor writes the audit report. This report evaluates how well the controls are working and may include suggestions for improvements if needed. The auditor also forms an independent opinion on the level of control in place to provide assurance to the audit committee. If the report includes recommendations, they should be agreed upon by the relevant management to increase the likelihood of their implementation. However, if the internal auditor believes the controls are insufficient but management disagrees, the issue should be escalated.

  1. Planning
    • Initial contact: inform the client (the audited unit) or the involved association about the audit and its objectives.
    • Initial meeting: a conference at which the client describes the areas for review and states the available resources and processes.
    • Preliminary survey: the auditors gather all the data needed to form a good overview of the area being audited.
    • Review of the internal control structure: the auditor determines the priority areas for the audit to review.
    • Audit programme preparation: the audit programme outlines the fieldwork required for the audit topic or area.
  2. Fieldwork
    • Testing the critical internal controls: this step tests whether randomly selected records are accurate.
    • Regular updates: the auditor reports progress regularly, mostly orally, and the client may help resolve any issues raised.
    • Drafting the audit summary: when fieldwork is complete, the auditor summarizes findings, conclusions and recommendations.
  3. Audit report
    • Draft report: the report is reviewed by the audit team before it is presented to the client for further review.
    • Final report: comments and suggestions on the first draft are taken into account in producing the final report, which is distributed to those involved, senior management and the audit committee, as agreed.
  4. Follow-up
    • Audit follow-up: the client’s response is reviewed so that the findings can be tested and resolved.
    • Reporting the audit follow-up: the status of resolved and unresolved findings is included in the follow-up report.

Three lines of defense

In many large organizations, the relationship between risk management and internal audit can be challenging. Internal audit focuses on ensuring that effective controls are in place and works with an agenda centered around this goal. Typically, the head of internal audit reports to the highest-ranking non-executive member of the board, sometimes even the chairman. On the other hand, the risk manager usually reports to an executive member of the board, such as the company secretary or finance director. This difference in reporting levels can be frustrating for the risk manager, but the roles of risk management and internal audit complement each other, providing an opportunity to improve the implementation of risk management procedures. Both risk management and internal audit should seek ways to work together without interfering with each other’s objectives. For example, both should attend risk assessment workshops. While the risk manager may lead the workshop, the responsibility for managing risk lies with the manager of each department. Internal auditors’ presence should not be seen as a threat by department managers. Internal auditors focus on ensuring that control measures are well-defined and can be audited. They test the effectiveness of these controls by requesting and analyzing information to establish facts. In essence, internal auditors believe that information plus testing equals facts.

A popular approach in recent times is the “three lines of defense” model, which aligns with the role of internal audit in enterprise risk management. This model is based on three key ideas:

  1. management has the main responsibility for managing risk,
  2. specialist risk management functions assist management in fulfilling this responsibility, and
  3. internal audit checks the effectiveness of the risk management process.

Management’s role is divided into three layers: top management (directors), middle management (managers), and staff. Specialist risk management functions may operate at the corporate level, supporting the development, implementation, monitoring, and improvement of the risk management framework. These functions, including business continuity and health and safety, perform a similar role to group-level risk management but focus on specific areas of risk.

The three lines of defense approach also fits well with the concept of governance, risk, and compliance (GRC). The GRC approach sees the board as responsible for governance across the entire organization. In this role, the board relies on all three lines of defense to ensure that risk is properly managed. Non-executive directors, in particular, look to internal audit to provide assurance on a wide range of compliance matters within the organization. All organizations must maintain accurate financial records, often produced by an external accounting firm that also serves as the external auditor. These external auditors are required to confirm, or sometimes certify, the accuracy of the financial records, and they may be seen as the fourth line of defense. For organizations in highly regulated industries, regulators ensure compliance with rules and regulations and may be considered the fifth line of defense. The terminology used in these areas can vary from one organization to another, but the concept of dividing responsibilities into three lines of defense is a strong and effective way to ensure proper governance and compliance, and in some cases, the effective management of specific risks like tax risks.

Risk management and internal audit can collaborate in setting priorities for the upcoming year. When an organization creates a risk-based audit program, it focuses on the most significant risks facing the organization. The board may want both risk management and internal audit to work together to help make better strategic decisions, deliver projects more successfully, and improve efficiency in key processes.

There are both advantages and disadvantages to having a close working relationship between risk management and internal audit. On the positive side, the two disciplines complement each other, and working together can help focus efforts and improve coordination in managing risk. It also allows for sharing best practices and useful risk management tools and techniques. However, there are some downsides to this close relationship. It is important for line management to understand that deciding how much control is needed for a particular risk, implementing those controls, and auditing compliance are separate tasks. Additionally, risk management and internal audit often have different reporting structures within the organization. Lastly, internal audit values its independence, and getting too involved in risk management decisions could jeopardize that independence. To implement a risk-based audit program, internal audit should participate in risk assessment workshops, and risk management and internal audit should create a joint annual work plan. The goal is to make sure that the control measures discussed in risk assessments are clearly documented in the risk register as auditable controls, and that managers are aware of and meet their control responsibilities.

The “three lines of defense” is a concept that is becoming more popular in risk management. It is now widely used in financial services and is starting to be adopted in other areas, often through public sector procurement rules. However, it has not yet been fully applied to risk management. Managing risk involves having clear roles and responsibilities for tasks like data management, transaction processing, gathering information, verifying it, and escalating issues when necessary. Here is how the three lines of defense apply:

  • First Line: This involves having the right people who understand the core business processes. These people ensure that information is gathered and processed accurately.
  • Second Line: This is about monitoring the processes regularly. It includes creating frameworks and guidelines that the tax and finance teams work on together. These help in spotting problems early and identifying weaknesses in the process. Since people can make mistakes, these measures help catch them before they become bigger issues.
  • Third Line: This provides independent assurance, through internal and external audits, that the processes are working well. Internal auditors should understand tax risks, and core processes should be open to audit, since it is better for internal auditors to find mistakes than for a tax authority to find them later.

Five lines of assurance

There has been a lot of discussion about how the three lines of defense model works. For example, in an organization using this model, head office functions may play a role in multiple lines of defense. These functions, such as treasury, might be part of the first and second lines, and sometimes even the third line. In a large company, the treasury function manages the organization’s treasury needs as part of the first line. It also helps decide the strategy and tactics for the organization. In some cases, the internal audit team does not review the treasury function, so external auditors take on this responsibility. One issue with the three lines of defense model is that it works well for operational risks and compliance risks, but it does not address the “upside” of risk, such as identifying missed opportunities. As a result, the work of risk management and internal audit may not cover all aspects of enterprise risk management. Another point is the role of the board of directors. The board provides assurance but is not usually considered a line of defense. The board both receives and gives assurance, including from external sources like external auditors. While the three lines of defense model is well-established, some organizations extend it to five lines of defense by including external auditors as the fourth line and regulators as the fifth line. However, this is different from the “five lines of assurance” approach that is being developed to enhance the model. The five lines of assurance model includes the following sources of assurance:

  1. The Board of Directors – Responsible for ensuring effective risk management and that risks are kept within acceptable levels.
  2. Senior Executives and Managers – In charge of maintaining the risk management process and delivering accurate information on key risks.
  3. Business Unit Leaders – Responsible for reporting on specific risks and ensuring objectives are met.
  4. Specialist Units – Experts in specific risks like treasury, safety, environment, and legal, responsible for managing related risks.
  5. Internal Audit – Provides independent and timely reports to the board on the effectiveness of risk management.

Organizations can adapt this model to fit their needs, but the main improvement of the five lines of assurance is that it divides the first line of defense into three groups: the board, senior executives, and business unit leaders. Each group is responsible for providing assurance in its own area. One of the benefits of the five lines of assurance model is that it requires better communication between the board, executives, and business leaders. It also encourages closer coordination between specialist risk units and internal audit. The focus is on providing overall assurance and promoting a risk-aware culture, rather than just designing and implementing controls. Because the five lines of assurance model emphasizes assurance, it is more relevant for managing strategic and tactical risks, including opportunities, than the three lines of defense model. However, external auditors and regulators still maintain their specific roles in both models.

Management responsibilities

An alternative way to assign responsibilities is that internal audit focuses on activities that are considered core to its role. Risk management should help and support these activities, ensuring they follow proper guidelines, while line management at the appropriate level takes responsibility for tasks that internal audit should not handle. The relationship between risk management and internal audit will vary from one organization to another, and the roles and responsibilities will reflect the structure that best fits the organization. It is important to clearly define the roles of risk management, internal audit, and line management so that ownership of risk is clear. In short, risk management can help with risk assessments and designing controls, while internal audit ensures these controls are working well and are properly implemented. However, the main responsibility for managing risk lies with the organization’s executive management. It’s crucial that the work of risk management and internal audit does not interfere with or take away from the management’s ownership of risk. This approach also aligns with the general principle in risk management standards that risks should be managed within the areas where the risks arise.

Allocation of responsibilities

  1. Internal audit activities
    • giving assurance on risk management processes
    • giving assurance that risks are correctly evaluated
    • evaluating risk management processes
    • evaluating the reporting of key risks
    • reviewing the management of key risks
  2. Risk management support
    • facilitating identification and evaluation of risks
    • coaching management in responding to risks
    • co-ordinating ERM activities
    • consolidated reporting on risks
    • maintaining and developing the ERM framework
    • championing establishment of ERM
    • developing RM strategy for board approval
  3. Management responsibilities
    • setting the risk appetite
    • imposing risk management processes
    • management assurance on risks
    • taking decisions on risk responses
    • implementing risk responses on behalf of management
    • accountability for risk management

Risk Reporting

Risk Reporting refers to the process of communicating information about risks that an organization faces, their potential impact, and the actions being taken to manage them. It is a key component of risk management, ensuring that stakeholders, such as the board, senior management, and external parties, have a clear understanding of the organization’s risk profile and how effectively those risks are being managed.

Purpose of Risk Reporting

  • Awareness: Inform stakeholders about key risks and their impact on organizational objectives.
  • Decision Support: Provide accurate and timely information to facilitate risk-informed decision-making.
  • Accountability: Demonstrate that risks are being actively managed and monitored.
  • Compliance: Meet regulatory and governance requirements for transparency.
  • Improvement: Highlight areas for enhancing risk management practices.

Types of Risk Reporting

  1. Internal Risk Reporting
    • Board Reports: Summaries of key risks, trends, and the effectiveness of risk management strategies presented to the board or risk committees.
    • Management Reports: Detailed operational and strategic risk reports for executives and department heads to guide decision-making.
    • Operational Reports: Risk reports generated for specific business units or functions, focusing on risks impacting day-to-day operations.
  2. External Risk Reporting
    • Regulatory Reports: Reports prepared to comply with legal and regulatory requirements, such as those for financial or environmental risks.
    • Stakeholder Reports: Disclosures to shareholders, investors, or customers about significant risks affecting the organization.
    • Public Disclosures: Risk information shared in financial statements, annual reports, or sustainability reports.
  3. Risk-Specific Reports
    • Strategic Risk Reports: Focused on risks that could affect long-term goals and strategies, such as market competition or regulatory changes.
    • Operational Risk Reports: Cover risks associated with processes, systems, or human errors that impact day-to-day operations.
    • Financial Risk Reports: Highlight risks related to liquidity, credit, market fluctuations, or investments.
    • Compliance Risk Reports: Focused on risks of non-compliance with laws, regulations, or internal policies.
    • Emerging Risk Reports: Address new or evolving risks, such as technological disruptions, geopolitical instability, or climate change.
  4. Ad Hoc Reporting: Reports generated for specific events or incidents, such as data breaches, supply chain disruptions, or health and safety issues.
  5. Dashboard or KPI-Based Reporting: Visual summaries of key risk indicators (KRIs) or other metrics that provide a snapshot of risk status at a glance.
  6. Scenario-Based or Stress Testing Reports: Analysis of how potential adverse events could impact the organization, often used for financial or operational risks.

Risk management involves creating and maintaining a variety of documents to support its activities. These documents can include:

  1. Risk management administration documents
  2. Risk response and improvement plans
  3. Event reports and recommendations
  4. Risk performance and certification reports

A risk management manual is essential for outlining the organization’s risk culture and control environment. It usually includes:

  • Established procedures for risk management
  • Action plans, like those in the risk register
  • Incident reports and recommendations for improvement
  • Performance reports showing how risks are managed

These documents ensure that risk management stays dynamic and responsive within the organization.

Importance of Risk Performance and Certification Reports

Risk performance and certification reports are increasingly critical, especially since the introduction of the Sarbanes-Oxley Act of 2002. These reports must meet the highest applicable standards while complying with specific regulations, such as:

  • Sarbanes-Oxley requirements for companies listed on the New York Stock Exchange.
  • Other regulations for organizations listed on different stock exchanges or operating in specialized sectors like charities or insurance.

These reports can include:

  • Operational management summaries.
  • Formal certifications by external auditors verifying financial results and the effectiveness of control systems.

Guidance and Communication

The Financial Reporting Council’s 2014 guidance emphasizes the board’s responsibilities in risk reporting. It highlights the importance of clear communication both to and from the board, covering internal operations and external disclosures.

Detailed Reporting and Special Reports

Organizations may need to produce multiple reports for different regulatory authorities. Some also publish special reports, like corporate social responsibility (CSR) reports, to highlight achievements in specific areas. For example, companies listed on the London Stock Exchange often include diverse risk-related topics in their disclosures. These reports ensure transparency, accountability, and alignment with regulatory and stakeholder expectations.

Risk management (RM) responsibilities of the board

The FRC risk guidance identifies the risk management responsibilities of the board, which can be summarized as follows:

  1. Risk management processes
    • Ensure that RM is incorporated within normal processes.
    • Identify the principal risks facing the company.
  2. Principal risks and risk appetite
    • Assess the risks to the business model and strategy.
    • Determine the risks the organization is willing to take, or its ‘risk appetite’.
  3. Risk culture and risk assurance
    • Ensure risk culture is embedded throughout the organization.
    • Ensure adequate RM and assurance discussions take place at the board.
  4. Risk profile and risk mitigation
    • Keep the risk profile of the company under review.
    • Take measures to manage or mitigate the principal risks.
  5. Monitoring and review activities
    • Undertake monitoring and review of risk management.
    • Make monitoring and review ongoing, not just annual.
  6. Risk communication and reporting
    • Ensure internal and external risk management communication takes place.
    • Ensure necessary risk information is communicated to and from the board.

Sarbanes–Oxley Act

The Sarbanes–Oxley Act (SOX) was introduced in response to corporate scandals in the U.S. involving false financial reporting. These scandals led to misleading financial statements. The main goal of SOX is to ensure that companies listed on U.S. stock exchanges provide accurate information.

Key Requirements of SOX

  1. Accurate Reporting: SOX requires companies to have controls ensuring all reported information is accurate.
  2. Validation of Data: Under Section 302, all company data must be validated to prevent errors or fraud.
  3. Detailed Risk Assessment: Companies must analyze risks that could lead to financial misstatements and establish strict processes for preparing financial statements.
  4. External Audit Attestation: As per Section 404, external auditors must review and confirm the accuracy of financial statements and the effectiveness of financial reporting systems.

Framework for Compliance

  • Companies must use an approved risk management framework, such as the COSO Internal Control Framework, to meet SOX requirements.
  • COSO’s ERM framework also covers these controls, helping organizations ensure accurate financial reporting.
  • SOX applies to U.S.-based companies and their subsidiaries worldwide. It also applies to foreign companies listed on U.S. stock exchanges.

Disclosures Committee

Many companies establish a disclosures committee to review and validate all information disclosed. This committee ensures compliance with SOX and has become a standard part of corporate governance, even for non-U.S. companies affected by SOX rules.

Challenges and Criticism

  • Cost and Complexity: Compliance with SOX is expensive and time-consuming, especially the detailed audits required.
  • Effectiveness: Critics question whether SOX has improved the accuracy of financial reports and note that its focus is on reporting accuracy rather than broader risk management practices.

Despite its challenges, SOX has become a key framework for ensuring financial transparency and accountability in global organizations. CEOs across the U.S. see the Sarbanes–Oxley Act as a reactionary law that is overly burdensome. However, they still identify “improper accounting practices” as the top ethical issue in business today. A survey by Georgia State University, involving nearly 300 CEOs from private and public companies, revealed the following:

  • Most CEOs believe the Sarbanes–Oxley Act has helped restore public and investor trust in corporate America.
  • Despite this, they feel the law has not improved ethical standards within their organizations.
  • Many also think the act was an overreaction to the unethical actions of a few executives and consider it unnecessary and overly demanding.

Risk reports by U.S. companies

Companies listed on U.S. stock exchanges must provide detailed disclosures about potential risks. These reports focus on future risks rather than past incidents and are included in periodic filings like Form 10-K or Form 20-F. It’s common for these risk factor sections to span 3 to 10 pages. These sections often begin with a statement like, “Important factors that may cause future financial difficulties include, but are not limited to,” followed by a detailed list of risks, such as:

  • Regulatory changes
  • Market competition
  • Economic conditions
  • Customer loss
  • Fluctuating fuel costs or currency rates
  • Disruptions due to employee strikes, illness, or technology failures
  • Compliance with laws and tax changes
  • Impacts of weather, environmental regulations, and Sarbanes–Oxley costs

Each risk is typically explained further, with up to half a page of detail for each item. The Securities and Exchange Commission (SEC), which oversees U.S. stock exchanges, is also considering requiring companies to provide more detailed reports on their risk committee structures. This aligns with the SEC’s mission to protect investors, maintain fair and efficient markets, and support capital formation.

Risk report in a Form 20-F

In relation to industry, economic and environment risks, the following have been identified for further detailed comment:

  • risk of expiration of patents or marketing exclusivity
  • risk of patent litigation and early loss of patents, marketing exclusivity or trademark
  • risk of expiration or earlier loss of patents covering competing products
  • failure to obtain patent protection
  • impact of fluctuations in exchange rates
  • debt-funding arrangements
  • the risks of owning and operating a biologics and vaccines business
  • competition, price controls and price reductions
  • taxation
  • risk of substantial product liability claims
  • performance of new products
  • environmental/occupational health and safety liabilities
  • developing our business in emerging markets
  • product counterfeiting

Charities’ risk reporting

Risk reporting is mandatory for charities in most countries. Charities are generally expected to have robust risk management processes similar to those required for government departments or publicly listed companies. Below is a simplified version of the UK Charity Commission’s guidance on risk reporting:

Basic Reporting Expectations

Charities can use a simple narrative-style report that includes:

  • Acknowledgment of trustees’ responsibility for risk management.
  • Overview of how risks are identified.
  • Confirmation that major risks have been reviewed or assessed.
  • Assurance that control systems are in place.

Best Practices for Larger or Complex Charities

Larger charities may choose to provide more detailed reports. These should describe:

  • How major risks relate to the charity’s goals and operations.
  • Procedures that address not just financial risks but also operational and compliance risks.
  • Assessment of risks based on their likelihood and potential impact.
  • Ongoing monitoring and embedding of risk management into daily operations.
  • Regular review by trustees of key risk management outcomes.

Common Practices and Challenges

Most charities already consider risks in their daily activities. However, many view risk management and governance requirements as significant challenges, leading to a focus on compliance over fundraising efforts.

Example of a Risk Report for a Small Charity

A small charity’s risk report might include:

  • Processes to identify and prioritize significant risks.
  • Policies and procedures integrated into daily operations.
  • Analysis of strategy to highlight key risks to achieving objectives.
  • Procedures ensuring legal compliance, with regular updates to trustees.
  • Training for trustees on risk management and governance issues.
  • Annual reports to trustees on risk management activities and control effectiveness.
  • Additional reports highlighting major weaknesses or control failures.

This approach ensures that even smaller charities can effectively address and communicate their risk management practices.

Public-sector risk reporting

Risk management is mandatory for government departments and public sector organizations in most countries. Many government bodies provide detailed information about their risk management processes on their websites, which can be a valuable resource. However, these reports often do not include details about risk reporting to external stakeholders, as the information is already publicly accessible. The UK government has outlined key principles for risk reporting, including:

  • Openness and transparency
  • Involvement
  • Proportionality
  • Evidence-based decision-making
  • Responsibility

Government organizations often provide detailed explanations of their internal risk-reporting processes. For example, a typical report from a UK local government authority might include:

  • Monitoring of all strategic risks through quarterly risk review meetings.
  • Forwarding of reports from these reviews to the executive committee twice a year.
  • Including the strategic risk register in the annual strategic plan submitted to the full council.
  • Service-specific risks being managed within service group plans and monitored through directorate performance reviews.
  • Regular updates on these service risks provided to relevant council members twice a year.

This structured approach ensures transparency and accountability in managing and reporting risks within public sector organizations.

Government risk-reporting principles

  • Openness and transparency: The government will be open and transparent about its understanding of the nature of risks to the public and about the process it is following in handling them.
  • Involvement: The government will seek the wide involvement of those concerned in the decision process.
  • Proportionality: The government will act proportionately and consistently in dealing with risks to the public.
  • Evidence: The government will seek to base decisions on all relevant evidence.
  • Responsibility: Government will seek to allocate responsibility for managing risks to those best placed to control them.

Government report on national security

Governments have become more open about security threats in recent years, which is a significant improvement in risk communication. Many governments conduct national security threat assessments and share the findings publicly. For instance, the UK government published the National Security Strategy of the United Kingdom in 2011, followed by the National Risk Register from the Cabinet Office. These reports detail threats to national security, including:

  • Natural events: Extreme weather, coastal and river flooding, and outbreaks of human or animal diseases.
  • Major accidents: Industrial and transport-related incidents.
  • Malicious attacks: Targeting crowded areas, infrastructure, transportation systems, and electronic networks, including potential nuclear or unconventional attacks.

The reports also explain the measures in place to reduce these risks and analyze broader factors driving changes in risk levels, such as:

  • Political dynamics.
  • Climate change.
  • Competition for energy resources.
  • Poverty, inequality, and governance issues.
  • Globalization in economics, technology, and demographics.

This risk assessment highlights how deeply risk management is integrated into national government operations, showing its recognition at the highest levels. Using a risk attitude framework, the UK government appears confident in managing certain risks, such as transport accidents, cyberattacks and animal diseases, but more cautious about risks such as industrial accidents, attacks on infrastructure and severe weather. It is especially concerned about coastal flooding and attacks on crowded places, and identifies pandemics as a critical threat to national security. Protecting national security has become far more complex than it was a century ago, when governments focused primarily on land and sea defence; modern national security efforts must address a range of interconnected and evolving threats.

Some governments are starting to understand how complex national security is and have come up with terms like “the comprehensive approach,” hoping it will solve the issue. In reality, however, the idea is mostly theoretical and rarely applied effectively where it matters most. At the same time, government structures and mindsets remain outdated. Ministers are evaluated on how well they protect their department’s boundaries, budget and staff, and senior officials take a similar approach. Cooperation with other departments is often seen as a threat rather than an opportunity. Although everyone recognises that it is necessary, traditional, rigid hierarchies and siloed thinking make collaboration difficult. To address these challenges, governments need a complete overhaul to adopt more modern and flexible structures.

Operational, Project, and Supply Chain Risk Management in ERM

Operational, project, and supply chain risks are critical components of an organization’s risk landscape and play a significant role within Enterprise Risk Management (ERM).

Operational risks arise from failures in internal processes, systems, people, or external events, directly affecting the organization’s efficiency and performance. These risks include process inefficiencies, employee errors, technology failures, and compliance breaches. Addressing operational risks involves identifying and assessing potential issues, implementing effective controls such as automation and regular audits, monitoring deviations, and responding promptly to minimize impact.

Project risks are specific to individual projects and can threaten timelines, budgets, and objectives. These risks might include budget overruns, delays, resource shortages, and scope changes. Effective management requires proactive risk assessments, development of contingency plans, and clear communication with stakeholders. Post-project reviews are essential for learning from challenges and improving risk management in future initiatives. By addressing project risks, organizations ensure that their projects align with strategic goals and deliver intended value.

Supply chain risks, on the other hand, involve disruptions in the procurement, production, or distribution process, potentially causing delays or shortages. Factors such as supplier reliability, logistics interruptions, natural disasters, and geopolitical issues can severely impact the supply chain. Organizations manage these risks by mapping vulnerabilities, diversifying suppliers, using technology for real-time tracking, and establishing contingency plans. Maintaining robust supplier relationships and ensuring compliance also enhance supply chain resilience.

Integrating operational, project, and supply chain risks into the ERM framework allows organizations to adopt a comprehensive approach to risk management. This integration highlights interdependencies between different risk categories, improves awareness across all levels, and ensures resource allocation aligns with strategic priorities. By addressing these risks holistically, organizations can build resilience, maintain business continuity, and protect their ability to achieve long-term objectives.

Operational Risk Management

Operational risk management is the process of identifying, assessing, monitoring, and mitigating risks that arise from an organization’s internal processes, systems, people, or external events. These risks can disrupt business operations, reduce efficiency, or cause financial losses. The primary goal of operational risk management is to minimize the likelihood and impact of operational failures while maintaining the organization’s performance and resilience. This form of risk management involves a structured approach to understanding how day-to-day activities and processes could lead to potential risks, such as system outages, human errors, process inefficiencies, or compliance violations. Organizations use tools like risk assessments, process audits, and key risk indicators (KRIs) to identify vulnerabilities and monitor their operational environment. Operational risk management also focuses on implementing effective controls and responses, such as training programs, process improvements, automation, and contingency planning, to reduce or eliminate risks. Regular reviews, incident reporting, and lessons learned from past events help organizations continuously refine their risk management strategies. By effectively managing operational risks, organizations enhance their ability to achieve their goals, maintain compliance with regulatory requirements, protect their reputation, and ensure business continuity.

Managing operational risk has long been recognized as essential for maintaining business continuity and stability. Operational risks are the kinds of risks that can disrupt day-to-day activities, often tied to infrastructure issues as outlined in the FIRM risk scorecard. Historically, these risks have been managed through hazard mitigation techniques, such as purchasing insurance. However, the definition of operational risk has expanded, particularly in financial institutions, where it now involves a more precise focus on quantifying potential financial losses.

Financial institutions are required to hold enough capital reserves to cover potential losses from operational risks. This requirement is central to regulations like the Basel Accords for banks and the Solvency II Directive for European insurance companies. These frameworks were established to ensure organizations maintain sufficient financial stability, a concern sharpened by the global financial crisis, when some banks proved to have reserved too little capital for high-risk strategies. As a result, operational risk management in financial institutions includes identifying, measuring, monitoring, reporting, and controlling risks to meet regulatory standards. Capital adequacy regulations under Basel require banks to factor operational risk exposure into their capital reserves. This involves calculating “economic capital” to cover potential losses and using one of three regulatory methods to determine “regulatory capital.” Two methods are income-based, while the third requires a detailed statistical assessment of all significant operational risks. (The final Basel III reforms published in 2017 replace these three options with a single standardised approach, but the three-method structure described here is still the one most of the literature uses.) The Solvency II Directive applies a similar framework for insurance companies in the European Union. The Basel Accords, particularly Basel II and Basel III, provide global standards for banks to assess the capital required to protect against financial and operational risks. These frameworks aim to strengthen financial systems by ensuring banks and insurance companies maintain sufficient capital reserves to manage potential losses effectively.

Operational risks for banks and financial institutions are similar to the disruptive risks faced by other organizations, but they are often defined more broadly and require quantification. This is because financial institutions must have sufficient capital to cover operational risks, prompting them to reduce these risks to the lowest cost-effective level. While banks have traditionally focused on market and credit risks, the Basel and Solvency frameworks have expanded their scope to include operational risks. Initially defined only negatively, as any risk that was not market or credit risk, operational risk was later given a positive definition by the Basel Committee: “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” This definition includes legal risk but excludes strategic and reputational risk. Basel groups operational losses into seven event types: internal fraud (e.g., embezzlement, tax non-compliance), external fraud (e.g., theft, hacking), employment practices and workplace safety, clients, products and business practices, damage to physical assets, business disruption and system failures, and execution, delivery and process management failures. The underlying causes are further grouped into people risks (e.g., non-compliance, lack of oversight), process risks (e.g., weak controls, process failures), system risks (e.g., inadequate applications or controls), and external risks (e.g., regulatory changes, vendor issues, or legal actions). While operational risk terminology and definitions vary, this classification provides a structured approach. Market risk refers to the potential decline in the value of investments due to economic changes, while credit risk involves the possibility of clients failing to repay loans or debts. Insurance companies additionally face underwriting risks arising from the policies they write. Losses attributed to operational risk can be severe, as in the case of rogue traders. Such losses are often classified as market losses, but the actual failure is the absence of proper operational controls: had adequate controls been in place, the traders could not have put significant assets at risk. The root cause therefore lies in operational risk management, not in market conditions.

Principles for the sound management of operational risk, as set out by the Basel Committee on Banking Supervision:

  • Principle 1: The board of directors should take the lead in establishing a strong risk management culture, implemented by senior management. The board of directors and senior management should establish a corporate culture guided by strong risk management, set standards and incentives for professional and responsible behavior, and ensure that staff receives appropriate risk management and ethics training.
  • Principle 2: Banks should develop, implement and maintain an operational risk management framework (ORMF) that is fully integrated into the bank’s overall risk management processes. The ORMF adopted by an individual bank will depend on a range of factors, including the bank’s nature, size, complexity and risk profile.
  • Principle 3: The board of directors should approve and periodically review the operational risk management framework, and ensure that senior management implements the policies, processes and systems of the operational risk management framework effectively at all decision levels.
  • Principle 4: The board of directors should approve and periodically review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk the bank is willing to assume.
  • Principle 5: Senior management should develop for approval by the board of directors a clear, effective and robust governance structure with well-defined, transparent and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems for managing operational risk in all of the bank’s material products, activities, processes and systems consistent with the bank’s risk appetite and tolerance statement.
  • Principle 6: Senior management should ensure the comprehensive identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.
  • Principle 7: Senior management should ensure that the bank’s change management process is comprehensive, appropriately resourced and adequately articulated between the relevant lines of defense.
  • Principle 8: Senior management should implement a process to regularly monitor operational risk profiles and material operational exposures. Appropriate reporting mechanisms should be in place at the board of directors, senior management, and business unit levels to support proactive management of operational risk.
  • Principle 9: Banks should have a strong control environment that utilizes policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.
  • Principle 10: Banks should implement a robust ICT risk management program in alignment with their operational risk management framework.
  • Principle 11: Banks should have business continuity plans in place to ensure their ability to operate on an ongoing basis and limit losses in the event of a severe business disruption. Business continuity plans should be linked to the bank’s operational risk management framework.
  • Principle 12: A bank’s public disclosures should allow stakeholders to assess its approach to operational risk management and its operational risk exposure.

Basel II and Basel III are frameworks established by the Basel Committee on Banking Supervision (BCBS) to regulate and strengthen the global banking system. These frameworks aim to enhance the stability, resilience, and transparency of financial institutions by focusing on capital adequacy, risk management, and liquidity requirements.

Basel II

Introduced in 2004, Basel II built upon the foundation laid by Basel I and provided a more sophisticated approach to risk management. It is structured around three key pillars:

  1. Pillar 1 – Minimum Capital Requirements
    Banks are required to maintain a minimum level of capital to cover three main types of risks:
    • Credit Risk: Risk of a borrower defaulting on a loan.
    • Market Risk: Risk of losses due to changes in market prices.
    • Operational Risk: Risk of losses due to failures in internal processes, people, systems, or external events.
    Basel II allowed banks to use advanced internal models to calculate these risks, promoting a more tailored approach.
  2. Pillar 2 – Supervisory Review Process
    This pillar emphasized the role of regulators in evaluating banks’ risk management practices. Banks were expected to assess risks not covered under Pillar 1 and hold additional capital as needed.
  3. Pillar 3 – Market Discipline
    Basel II stressed the importance of transparency by requiring banks to disclose key information about their risk exposures, capital adequacy, and risk management processes. This aimed to improve market discipline and trust.

Basel III

Basel III was introduced in response to the global financial crisis of 2007-2008. It sought to address the shortcomings of Basel II and ensure a more resilient banking system. The main enhancements included:

  1. Higher Capital Requirements
    • Increased the minimum common equity tier 1 (CET1) capital to 4.5% of risk-weighted assets (RWA), up from 2% under Basel II.
    • Introduced a capital conservation buffer of 2.5%, bringing the total CET1 requirement to 7%.
    • Added a countercyclical buffer of up to 2.5% to protect against periods of excessive credit growth.
  2. Leverage Ratio
    Basel III introduced a non-risk-based leverage ratio to prevent banks from taking on excessive leverage. This ratio requires banks to maintain a minimum leverage ratio of 3%.
  3. Liquidity Standards
    Basel III introduced two new liquidity requirements:
    • Liquidity Coverage Ratio (LCR): Ensures that banks maintain enough high-quality liquid assets to cover short-term obligations (30 days).
    • Net Stable Funding Ratio (NSFR): Promotes funding stability over a longer period (one year).
  4. Improved Risk Coverage
    Enhanced the capital framework to better account for risks like counterparty credit risk and systemic risk.
  5. Systemically Important Banks (SIBs)
    Basel III introduced additional capital requirements for globally systemically important banks (G-SIBs) to mitigate the risks they pose to the financial system.

Key Differences Between Basel II and Basel III

  • Capital Requirements: Basel III significantly raised capital requirements and introduced new buffers.
  • Leverage and Liquidity: Basel III added leverage and liquidity ratios to address weaknesses in Basel II.
  • Focus on Systemic Risks: Basel III incorporated measures to address systemic risks and enhance the resilience of large, interconnected banks.

Together, Basel II and Basel III have improved risk management practices, promoted financial stability, and ensured banks are better prepared to withstand economic shocks. Operational risk is a significant concern for financial institutions because they must measure and quantify the level of operational risk they face. This measurement can involve various methods, often relying on historical data, simulated data, or a mix of both. The Basel Framework outlines three approaches for calculating operational risk for regulatory capital purposes. These methods aim to estimate operational risk exposure, but their accuracy can vary significantly for individual institutions:

  • Basic Indicator Approach: Uses a single indicator, a fixed percentage (15%) of the bank’s average annual gross income over the previous three years, to calculate the required operational risk capital.
  • Standardized Approach: Splits gross income across business lines and applies a fixed percentage (beta factor) to each, so that the capital charge reflects the bank’s mix of activities. Under the final Basel III reforms this is replaced by a single standardized approach in which a business-indicator component is scaled by a multiplier derived from the bank’s own operational loss history.
  • Advanced Measurement Approach: Combines internal loss data with external loss data, scenario analysis and qualitative business-environment factors for a bank-specific calculation of operational risk capital, subject to supervisory approval.

Measuring operational risk requires a systematic approach. After identifying risks, quantification is only possible when the potential damage and likelihood of occurrence are determined. This is challenging because operational risks are difficult to quantify due to the lack of historical loss data and the nature of some risks being inherently harder to measure. Many banks have conducted detailed assessments of their operational risks. Generally, the size of the bank, often measured by the number of employees, correlates with the magnitude of potential losses. Larger banks tend to have larger clients, which could contribute to higher loss amounts. Another trend shows that the number of losses often aligns with the number of customers using the bank’s services.
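A worked illustration of the quantification step described above, added here as an example and not taken from the Basel text or from this chapter’s source. It implements the loss distribution approach that underlies the advanced measurement method: the number of loss events per year is modelled as Poisson, the size of each loss as lognormal, both fitted to a constructed three-year internal loss history, and the one-year aggregate loss is simulated by Monte Carlo to obtain the expected loss and the 99.9% quantile, which is the one-year confidence level Basel II set for AMA capital. The Basic Indicator Approach (15% of average positive gross income over three years) is included for comparison. The loss history, the gross income figures and all function names are assumptions made for the example.

```python
"""Toy loss distribution approach (LDA) for operational risk capital.

Added example, not code from the page's source or from the Basel Committee.
Frequency ~ Poisson, severity ~ lognormal, both fitted to a constructed
internal loss history; the annual aggregate loss is simulated by Monte Carlo.
"""
import math
import random
import statistics

# Constructed three-year internal loss history (hypothetical figures):
# (year, Basel event type, loss amount). Fifteen events over three years.
SAMPLE_LOSSES = [
    (2021, "external fraud", 1_200),
    (2021, "execution/process", 3_500),
    (2021, "system failure", 8_000),
    (2021, "external fraud", 950),
    (2021, "clients/products", 25_000),
    (2022, "execution/process", 4_300),
    (2022, "internal fraud", 150_000),
    (2022, "external fraud", 2_100),
    (2022, "execution/process", 6_700),
    (2022, "system failure", 11_000),
    (2023, "external fraud", 800),
    (2023, "clients/products", 40_000),
    (2023, "execution/process", 3_000),
    (2023, "employment practices", 5_500),
    (2023, "external fraud", 1_750),
]
HISTORY_YEARS = 3
CONSTRUCTED_GROSS_INCOME = [2_400_000, 2_650_000, 2_900_000]  # hypothetical, per year


def fit_frequency(losses, years):
    """Poisson rate: average number of loss events per year."""
    return len(losses) / years


def fit_severity(losses):
    """Lognormal MLE: mean and (population) std dev of the log loss amounts."""
    logs = [math.log(amount) for _, _, amount in losses]
    return statistics.fmean(logs), statistics.pstdev(logs)


def severity_mean(mu, sigma):
    """Expected single-event loss for lognormal(mu, sigma)."""
    return math.exp(mu + sigma ** 2 / 2)


def poisson_draw(rng, lam):
    """Knuth's multiplication method; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, n_sims, seed=0):
    """Each sample is one simulated year's total operational loss."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_sims):
        n_events = poisson_draw(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return totals


def quantile(values, q):
    """Empirical quantile (upper order statistic) of a sample."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def lda_capital(losses, years, n_sims=20_000, confidence=0.999, seed=0):
    """Expected loss, VaR at the given confidence, and the unexpected loss
    (VaR minus expected loss) that regulatory capital is meant to absorb."""
    lam = fit_frequency(losses, years)
    mu, sigma = fit_severity(losses)
    annual = simulate_annual_losses(lam, mu, sigma, n_sims, seed)
    expected = statistics.fmean(annual)
    var = quantile(annual, confidence)
    return {"lambda": lam, "mu": mu, "sigma": sigma,
            "expected_loss": expected, "value_at_risk": var,
            "unexpected_loss": var - expected}


def basic_indicator_capital(gross_incomes, alpha=0.15):
    """Basel II Basic Indicator Approach: alpha times the average of the
    positive annual gross incomes over the last three years."""
    positive = [gi for gi in gross_incomes[-3:] if gi > 0]
    return alpha * statistics.fmean(positive) if positive else 0.0


if __name__ == "__main__":
    result = lda_capital(SAMPLE_LOSSES, HISTORY_YEARS)
    print(f"lambda={result['lambda']:.2f} events/year, "
          f"severity mu={result['mu']:.2f}, sigma={result['sigma']:.2f}")
    print(f"expected annual loss  {result['expected_loss']:>12,.0f}")
    print(f"99.9% one-year VaR    {result['value_at_risk']:>12,.0f}")
    print(f"unexpected loss       {result['unexpected_loss']:>12,.0f}")
    print(f"BIA capital (15% GI)  {basic_indicator_capital(CONSTRUCTED_GROSS_INCOME):>12,.0f}")
```

Running the file prints the fitted parameters, the expected loss, the 99.9% VaR and the BIA figure for the same constructed bank. The thing to notice is the point made in the paragraph above: with fifteen loss events, sigma is estimated from fifteen log-amounts, and the 99.9% quantile of the simulated distribution depends almost entirely on that tail parameter. That sensitivity is why the advanced approach supplements internal data with external loss data and scenario analysis, and why two banks with similar loss histories can arrive at very different capital numbers.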

Operational risk for a bank

  1. Event: Internal fraud (Losses due to fraud, misappropriation or circumvention of regulations by internal party).
    • Risk- Unauthorized activity, theft and fraud.
    • Example:
      • Unreported transactions.
      • Unauthorized transactions.
      • Theft and fraud.
      • Tax non-compliance.
      • Insider trading.
  2. Event: External fraud (Losses due to fraud, misappropriation or circumvention of the regulations by a third party).
    • Risk- Systems security, theft and fraud.
    • Example:
      • Theft/robbery.
      • Forgery.
      • Hacking/theft of information.
  3. Event: Employment practices and workplace safety (Losses arising from injury or from non-compliance with employment legislation).
    • Risk- Unsafe environment, damaged employee relations and discrimination.
    • Example:
      • Compensation claim.
      • Discrimination allegation.
  4. Event: Clients (Losses arising from failure to meet professional obligations to clients).
    • Risk-Disclosure and fiduciary.
    • Example:
      • Fiduciary breaches.
      • Disclosure violations.
      • Misuse of confidential information.
  5. Event: Physical assets (Losses arising from loss or damage to physical assets).
    • Risk– Disasters and other events.
    • Example:
      • Natural disaster losses.
      • Terrorism/vandalism.
  6. Event: Systems (Losses arising from disruption of business or system failures).
    • Risk- Systems failure.
    • Example:
      • Hardware or software failure.
      • Telecommunications or utility disruption.
  7. Event: Processes (Losses from failed transaction processing or process management).
    • Risk- Transaction capture, execution, documentation and maintenance.
    • Example:
      • Data entry, or loading error.
      • Missed deadline or responsibility.
      • Failed reporting obligation.
      • Incorrect records.

Operational risk in financial and industrial companies

Operational risk affects both financial and industrial companies, but its nature, measurement, and management can differ due to the distinct activities and environments in which these organizations operate.

In financial companies, operational risk encompasses disruptions or losses arising from failed internal processes, people, systems, or external events. This risk is inherent in all banking and financial activities, such as payment processing, trading, lending, and compliance with regulatory standards. Financial institutions are required to quantify operational risk to ensure they have sufficient capital reserves to absorb potential losses. Frameworks like Basel II and Basel III establish guidelines for calculating operational risk capital through approaches like the Basic Indicator, Standardized, and Advanced Measurement approaches. Examples of operational risks in financial companies include internal or external fraud, legal risks, data breaches, and failures in transaction systems. Managing operational risk in these firms requires robust governance, compliance frameworks, and risk reporting mechanisms to ensure resilience.

In industrial companies, operational risk typically revolves around physical processes, supply chains, safety, and infrastructure. Risks can include equipment failures, workplace accidents, supply chain disruptions, and environmental hazards. Unlike financial companies, the emphasis in industrial firms is often on mitigating tangible hazards and ensuring business continuity. For example, a manufacturing company must manage risks related to machinery breakdowns, worker safety, or delays in raw material delivery. Risk management in these settings relies heavily on preventive maintenance, health and safety protocols, and contingency planning.

Both financial and industrial companies share some similarities in operational risk management, such as the need for strong governance and risk culture. However, the tools and focus areas differ. Financial companies prioritize compliance, data security, and fraud prevention, while industrial companies concentrate on physical safety, equipment reliability, and supply chain resilience. Despite these differences, the ultimate goal in both sectors is to minimize losses, maintain operational continuity, and enhance overall organizational resilience.

Difference

  • Financial services: errors mostly arise when people reach their mental limits. Industry: errors mostly arise when people reach their physical limits.
  • Financial services: systems are highly complex and widely distributed, and the environment is only partly manageable. Industry: people work in relatively simple relationships and the environment is highly manageable.
  • Financial services: loss prevention is concerned with the security of value and assets. Industry: loss prevention is mainly concerned with physical safety, equipment protection and avoiding accidents.
  • Financial services: loss prevention aims to avoid financial loss. Industry: loss prevention aims to avoid physical harm to people or equipment and/or the manufacture of faulty goods (scrap).
  • Financial services: the main incentive for deliberate mistakes is personal financial gain or self-interest. Industry: the main incentive for deliberate mistakes is reducing effort or, possibly, sabotage.
  • Financial services: risk management is a key skill and of central importance to the organization. Industry: risk management is not central to operations, although the aim is to avoid disruption to manufacturing processes.

Interest in operational risk has grown because financial institutions need to measure and quantify it. However, quantifying operational risk is challenging. Even if the likelihood of a loss is known, estimating expected losses is difficult. While statistical methods have been developed, there is no universally accepted approach. Losses from operational risks include both direct costs, like financial losses, and indirect costs, such as losing customers. Losing a customer can result in significant financial impact, including the loss of all future revenue from that relationship. To manage these risks, internal controls and audits are essential. Internal audits ensure that procedures are followed and effective in minimizing operational risk. However, controlling employee behavior in financial institutions is more complex than in manufacturing settings. Operational risk measurement isn’t limited to financial institutions. For example, a transport company can assess the operational risks it faces, such as fuel price fluctuations, tax obligations, and delivery errors. Risks can also arise from traffic accidents, delays, or customer changes not reflected in delivery schedules. Among these, incorrect deliveries and traffic accidents are likely the most significant risks for a transport company. Quantifying these risks helps identify which ones have the greatest potential to disrupt operations. With this information, the company can implement control measures to minimize these risks and maintain efficient operations.

Operational risks are a concern for all organizations, not just financial institutions. While banks and financial institutions may have a specialized approach, the issues they face are similar to those in other sectors, including public, private, and nonprofit organizations. In non-financial organizations, the focus might be on protecting assets and determining appropriate insurance coverage. In contrast, financial institutions often ask how much capital needs to be reserved for their assets and whether they should purchase insurance to reduce the amount of non-productive capital held in reserve.

Operational risk management is essential for financial institutions. Many institutions include risk management training for management trainees to build awareness before they move into higher roles. However, measuring operational risk remains challenging, especially after the global financial crisis, which revealed that many banks underestimated their exposure. Some financial institutions are adopting risk management standards like ISO 31000, the IRM standard, and the COSO framework, although Basel II does not mandate a specific framework. Any framework adopted must be conceptually sound and prioritize integrity.

There are ongoing challenges in developing operational risk management in financial institutions. Some organizations treat operational risk quantification as a compliance task rather than a strategic opportunity. Since the process can be technical, there is a risk that management may rely entirely on operational risk managers instead of taking collective responsibility. Effective operational risk management requires line managers to implement controls and take ownership of risks. Without this integration, the financial institution could face severe consequences. Basel regulations require financial institutions to calculate operational risk exposure, and increasing regulatory demands and corporate governance pressures have made this a necessity. By raising awareness of operational risk, quantifying exposure, and educating staff about its significance, organizations can identify sources of risk and take cost-effective measures to manage them. This proactive approach helps optimize operational risk levels and benefits the organization overall.

Example of scope of Operational risk

The group risk department defines and prescribes the insurance, market and operational risk assessment processes for the business. It performs second-line reviews, including the reserving and capital modelling processes, and undertakes regular reviews of all risks in conjunction with management, with the results of these reviews recorded in risk registers.

Listed below are the principal operational risks that ABC has identified through its ERM framework:

  • People risk: Failure to recruit, develop and retain suitable talent.
  • Process risk: A failure in processes or failure of their associated controls.
  • Technology risk: Failure to invest in and successfully implement appropriate technology.
  • Cyber risk: Financial loss, data loss, business disruption or reputation damage from IT systems’ failure.
  • Customer outcome risk: Failure of products, processes or services to meet customer and regulator expectations.

Example of Operational risk management in an oil and gas company

Operational risk management (ORM) in an oil and gas company is critical due to the high-risk nature of the industry, which involves complex operations, hazardous materials, and significant environmental and safety considerations. Here’s an example of ORM in practice:

Scenario: Managing Risks in Offshore Drilling Operations

Risk Identification
An oil and gas company identifies operational risks associated with offshore drilling, such as equipment failure, human error, adverse weather conditions, and environmental hazards like oil spills. Each risk is categorized based on its potential impact on operations, safety, and the environment.

Risk Assessment
The company assesses the likelihood and potential consequences of each risk. For instance:

  • Equipment failure could lead to production downtime or a blowout.
  • Human error during drilling operations might cause accidents or injuries.
  • Adverse weather conditions could halt operations and damage infrastructure.

Risk Mitigation Strategies
To manage these risks, the company implements a range of measures:

  1. Preventive Maintenance: Regular inspections and maintenance schedules are established for critical drilling equipment to reduce the likelihood of failure.
  2. Training Programs: Employees, including offshore crew, undergo rigorous training on safety procedures, equipment handling, and emergency response protocols.
  3. Advanced Monitoring Systems: The company uses real-time monitoring and data analytics to track equipment performance and detect early signs of potential issues.
  4. Contingency Planning: Emergency response plans are developed for scenarios like oil spills or rig evacuations, ensuring swift action to minimize damage.
  5. Weather Monitoring: Advanced forecasting tools are used to predict adverse weather, enabling preemptive shutdowns or adjustments to operations.

Implementation and Monitoring
The company embeds these risk management practices into daily operations. Supervisors regularly monitor compliance with safety standards, and the effectiveness of risk controls is evaluated through audits and incident reviews.

Incident Response Example
If an oil spill occurs, the emergency response team activates containment and cleanup measures, such as deploying booms and skimmers to limit the spill’s spread. Simultaneously, the company communicates with regulatory authorities and stakeholders to address environmental and reputational impacts.

Continuous Improvement
After addressing an incident or conducting routine reviews, the company analyzes what worked and what didn’t. Lessons learned are used to refine risk management practices, update training programs, and improve response strategies.

Example of operational risk management in a financial company

Operational risk management (ORM) in a financial company, such as a bank, involves identifying, assessing, and mitigating risks related to internal processes, people, systems, and external events. Here’s an example of ORM in practice:

Scenario: Preventing Fraud in Online Banking Operations

Risk Identification

A financial institution identifies operational risks associated with its online banking platform, including:

  • Unauthorized access to customer accounts due to weak authentication mechanisms.
  • Fraudulent transactions executed by cybercriminals exploiting system vulnerabilities.
  • Reputational damage resulting from data breaches or service disruptions.

Risk Assessment

The company evaluates the likelihood and potential impact of these risks:

  • Unauthorized access: High likelihood and severe impact on customer trust.
  • Fraudulent transactions: Moderate likelihood but can lead to significant financial losses.
  • Data breaches: Low likelihood but extremely high potential impact due to regulatory penalties and reputational damage.

Risk Mitigation Strategies

The bank implements several measures to address these risks:

  1. Strengthening Authentication:
    • Introduces two-factor authentication (2FA) for all online transactions.
    • Adopts biometric verification, such as fingerprint or facial recognition, for account access.
  2. Enhancing Cybersecurity:
    • Deploys firewalls, intrusion detection systems, and regular vulnerability scans to protect systems.
    • Encrypts sensitive customer data both in transit and at rest.
  3. Fraud Monitoring:
    • Implements AI-driven transaction monitoring systems that flag unusual activities in real time.
    • Sets up a dedicated fraud detection team to investigate suspicious activities.
  4. Customer Awareness:
    • Launches awareness campaigns to educate customers about phishing attacks and secure banking practices.

Implementation and Monitoring

The bank integrates these controls into its operational framework. Key actions include:

  • Continuous system monitoring to detect and respond to unauthorized activities promptly.
  • Periodic penetration testing to uncover and fix system vulnerabilities.
  • Employee training on fraud prevention and incident response protocols.

Incident Response Example

If the monitoring system flags a suspicious transaction, the bank freezes the affected account, notifies the customer, and conducts a thorough investigation. In case of confirmed fraud, the bank works to recover the funds, compensates the customer if applicable, and reports the incident to regulatory authorities.

Continuous Improvement

Following any fraud attempt or system breach, the bank performs a root cause analysis. Based on findings, it updates its ORM practices, such as strengthening fraud detection algorithms or revising customer verification processes.

Project Risk Management

Project risk management is a systematic process for identifying, analyzing, and addressing risks that could affect the successful completion of a project. It ensures that uncertainties are effectively managed to achieve project objectives, including scope, schedule, cost, and quality. By proactively addressing potential issues, project risk management helps to mitigate disruptions and maximize opportunities. The first step is identifying potential risks that could arise from various sources, such as resource limitations, technical challenges, or external factors like regulations. After identification, risks are assessed to determine their likelihood and potential impact. This prioritization enables teams to focus on the most critical risks, ensuring resources are allocated effectively. Once risks are identified and assessed, response strategies are developed. These may include avoiding the risk entirely, reducing its likelihood or impact through mitigation, transferring it to another party (e.g., through insurance), or accepting it with a contingency plan in place. Each strategy is tailored to align with the project’s goals and risk tolerance. Continuous monitoring of risks ensures timely detection of new threats or changes to existing ones. This phase also evaluates the effectiveness of implemented risk responses and allows adjustments as needed. Clear communication of risks, updates, and strategies with stakeholders fosters transparency and collaboration, increasing the likelihood of project success. Project risk management is closely tied to ERM by aligning project-specific risks with the organization’s broader risk appetite and strategic objectives. This integration ensures that project-level risks are managed in a way that supports the overall resilience and success of the organization.

Organizations undertake projects for various reasons. Often, when changes to strategy are planned, a project or a group of projects is needed to put the new strategy into action. Similarly, improving key operational processes usually requires changes that are carried out through projects. Choosing the right projects and programs helps an organization decide how to implement its strategy effectively. It’s important to understand the difference between managing risks within a project and the reasons the project exists. Project risk management focuses on delivering the project on time, within budget, and meeting the required standards. However, there are also broader risks about whether the project is the best use of resources and whether it will deliver the intended benefits. To evaluate this, you might ask:

  1. Will the project deliver all the expected benefits?
  2. Is this project the best way to achieve the organization’s strategy?

Project risk management is essentially an extension of regular project planning. Every project aims to meet deadlines, stay within budget, and achieve the expected quality or performance. Risk, in this context, is about uncertainty or deviation from these goals. Since variability in outcomes is undesirable in projects, risk management focuses on reducing this variability and managing any risks that might disrupt the project. Every project faces uncertainties related to events, conditions, or circumstances. Effective project risk management involves identifying potential sources of uncertainty and responding appropriately. The approach most suited to managing project risks is control management, which ensures that risks are addressed and outcomes stay on track. In addition to managing risks, project managers should also watch for unexpected opportunities that might arise during the project. For instance, if favorable conditions allow a task to be finished early, the project plan can be adjusted to take advantage of the time saved. For example, in a road construction project, if favorable ground conditions enable a bridge to be completed earlier than expected, this gain can be factored into the overall project plan. For large-scale projects, like building Olympic venues, certain variables—such as ground conditions or contamination levels—can greatly affect time and cost. Identifying and managing these uncertainties early is crucial to ensuring the project’s success.

Uncertainty in projects

Project risk management is a form of control management focused on ensuring projects meet their goals. Projects often involve specific tasks like building something new, developing products, implementing IT systems, adopting new technologies, or entering new markets. These projects are vital for organizations, usually undertaken to stay ahead of competitors or catch up with them. From a risk management perspective, a project can itself be seen as a way to reduce risk by meeting specific objectives. The main reason for investing in such projects is to create business advantages or achieve better value for money. Project risk management is a well-established field, with a strong focus on controlling risks and managing unexpected events. It is one of the most advanced and successful areas for using risk management tools and techniques. The goal for every project is to be completed within the agreed budget, timeline, and quality standards. Quality can mean meeting a specific specification, like using a particular material for a restaurant floor, or achieving a performance standard, such as ensuring the floor meets a certain level of slip resistance—or sometimes both. Since projects are unique, historical data about risks may not always be available. This means project risk management needs to look ahead to anticipate potential issues before they happen. To manage a project successfully, various types of risks must be addressed:

  • Compliance risks: Failing to get required permissions or approvals.
  • Hazard risks: Challenges that could delay the project or increase costs.
  • Control risks: Problems affecting the final specification, performance, or quality.
  • Opportunity risks: Positive developments, like materials arriving earlier than expected, which could benefit the project.

By managing these risks effectively, project managers can ensure projects are completed successfully and deliver the intended value.

To handle uncertainty in projects, organizations can choose from several approaches:

  • Accept the risk: Proceed with the project despite the uncertainty.
  • Adapt activities and procedures: Adjust processes or introduce controls to manage the risk.
  • Adopt contingency plans: Prepare backup plans to deal with potential issues.
  • Avoid the risk: Change plans to eliminate the risk entirely.

The response depends on the type of risk:

  • For low-impact, low-uncertainty risks, organizations usually accept the uncertainty.
  • For high-impact, low-uncertainty risks, they adapt processes, add controls, or even use insurance.
  • For low-impact, high-uncertainty risks, they create contingency plans.
  • For high-impact, high-uncertainty risks, they aim to avoid the risk altogether.

Risk matrix to represent project risks

The figure shows how a risk matrix can be used to map out potential risks in a project. The matrix compares the possible time delays caused by each risk against the potential cost increases. This helps the project manager see if risks fall into one of four zones: comfort, cautious, concerned, or critical. The likelihood of each risk is shown by the size of the bubble representing it. For example, delivering the Olympic Games required a massive construction project. During this process, the global financial crisis occurred, forcing a renegotiation of the project’s financial structure. Despite the challenge, the project was completed successfully. Another common risk in construction is poor ground conditions, which can cause delays or cost overruns. A “bow-tie” model is often used to explain project risk management. This model shows the different stages of a project—starting with inception, then planning, execution, and closure. At the center of the bow-tie are the uncertainties, which are the core focus of risk management. The bow-tie illustrates how controls can be added to:

  1. Reduce uncertainties at the center.
  2. Manage uncertainties when they occur.
  3. Limit their impact on the project’s quality, cost, time, and compliance.

This approach highlights the importance of controlling risks to keep projects on track.

Project Risk Register

A risk register or risk matrix should be regularly updated throughout the project. Using risk management software can save time and effort by automating updates and helping to prioritize risks. Once risks are identified and plans to address them are in place, it’s important to review them often. As the project progresses, both internal and external conditions can change. Some risks may disappear, while new, unforeseen risks could emerge. The risk register should be kept up to date, with reports generated regularly. These reports should clearly show the risks, help prioritize actions, and support decision-making.

A Project Risk Register is a formal document used in project management to record and track potential risks that could affect a project’s success. It serves as a central repository where all identified risks are documented, assessed, monitored, and managed throughout the project’s lifecycle. The purpose of the risk register is to provide a structured approach to managing risks, helping project teams to plan responses, minimize negative impacts, and take advantage of potential opportunities.

Key Features of a Project Risk Register

  1. Risk Identification: Lists all potential risks related to the project, including those that might impact time, cost, quality, or scope.
  2. Risk Assessment: Evaluates the likelihood and impact of each risk to prioritize and focus efforts.
  3. Risk Response: Details strategies to mitigate, avoid, accept, or transfer risks and assigns responsibilities.
  4. Ongoing Monitoring: Tracks the status of risks, updates assessments, and reviews the effectiveness of response actions.

Importance of a Project Risk Register

  • Provides a clear view of potential threats and opportunities.
  • Ensures proactive planning and decision-making.
  • Helps stakeholders stay informed about risk status.
  • Supports alignment with project objectives by minimizing unexpected disruptions.

In essence, a Project Risk Register is a practical tool for improving project outcomes by ensuring risks are identified, addressed, and managed effectively.

Example Project Risk Register Table

| Risk ID | Risk Description | Category | Likelihood | Impact | Risk Level | Mitigation Actions | Owner | Status |
|---|---|---|---|---|---|---|---|---|
| 01 | Delay in receiving materials | Operation | High | Medium | High | Order materials in advance; find alternate suppliers | Purchase Team | Open |
| 02 | Software compatibility issues | Technical | Medium | High | High | Conduct compatibility testing early | IT Manager | In progress |
| 03 | Regulatory approval delay | Compliance | Low | High | Medium | Consult regulators early; prepare documentation | Legal Team | Open |
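A register like the one in the table above can be kept as a small data structure that derives the risk level from likelihood and impact, orders risks for attention, and drops closed risks from reports. The Python below is an added example, not code from the page: the scoring rule (likelihood multiplied by impact, with the thresholds shown) is an assumption chosen so that it reproduces the three risk levels in the table, and the field names, the reassess/set_status helpers and the sample records are constructed for illustration.

```python
"""Project risk register (added example; not code from the page).

Likelihood and impact use the page's three-point scale (Low/Medium/High).
The scoring rule below is an assumption chosen to reproduce the risk
levels in the page's example table; it is not a standard the page prescribes.
"""
from dataclasses import dataclass
from typing import Dict, List

SCALE: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}


def risk_level(likelihood: str, impact: str) -> str:
    """Overall level from likelihood x impact (assumed thresholds)."""
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 6:
        return "High"      # High/Medium, Medium/High, High/High
    if score >= 3:
        return "Medium"    # Low/High, Medium/Medium, High/Low
    return "Low"           # Low/Low, Low/Medium, Medium/Low


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str
    likelihood: str
    impact: str
    mitigation: str
    owner: str
    status: str = "Open"

    @property
    def score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


class RiskRegister:
    """Central record of project risks with prioritisation and reporting."""

    def __init__(self) -> None:
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.likelihood not in SCALE or risk.impact not in SCALE:
            raise ValueError("likelihood and impact must be Low/Medium/High")
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def reassess(self, risk_id: str, likelihood: str, impact: str) -> str:
        """Re-score a risk when conditions change; returns the new level."""
        if likelihood not in SCALE or impact not in SCALE:
            raise ValueError("likelihood and impact must be Low/Medium/High")
        r = self._risks[risk_id]
        r.likelihood, r.impact = likelihood, impact
        return r.level

    def set_status(self, risk_id: str, status: str) -> None:
        self._risks[risk_id].status = status

    def prioritized(self, include_closed: bool = False) -> List[Risk]:
        """Highest score first; ties broken by impact, then by risk id."""
        risks = [r for r in self._risks.values()
                 if include_closed or r.status != "Closed"]
        return sorted(risks, key=lambda r: (-r.score, -SCALE[r.impact], r.risk_id))

    def summary(self) -> Dict[str, int]:
        """Number of non-closed risks per level, for a status report."""
        counts = {"High": 0, "Medium": 0, "Low": 0}
        for r in self.prioritized():
            counts[r.level] += 1
        return counts

    def report(self) -> List[str]:
        """One line per non-closed risk, in priority order."""
        return [f"{r.risk_id} [{r.level}] {r.description} "
                f"(L={r.likelihood}, I={r.impact}) owner={r.owner} status={r.status}"
                for r in self.prioritized()]


def example_register() -> RiskRegister:
    """The three risks from the page's example table (constructed input)."""
    reg = RiskRegister()
    reg.add(Risk("01", "Delay in receiving materials", "Operation", "High",
                 "Medium", "Order materials in advance; find alternate suppliers",
                 "Purchase Team"))
    reg.add(Risk("02", "Software compatibility issues", "Technical", "Medium",
                 "High", "Conduct compatibility testing early", "IT Manager",
                 "In progress"))
    reg.add(Risk("03", "Regulatory approval delay", "Compliance", "Low", "High",
                 "Consult regulators early; prepare documentation", "Legal Team"))
    return reg


if __name__ == "__main__":
    register = example_register()
    for line in register.report():
        print(line)
    print(register.summary())
```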

Project lifecycle

The Project Lifecycle refers to the structured phases a project undergoes from initiation to completion. It serves as a framework to ensure that all necessary activities are planned, executed, and finalized systematically. In the context of Enterprise Risk Management (ERM), the project lifecycle incorporates risk-focused strategies at each phase, ensuring risks are identified, assessed, and addressed proactively to enhance project success and align with organizational objectives. During the inception phase, the focus is on defining the project’s purpose, scope, and goals while identifying potential risks that could affect its feasibility. This phase also evaluates whether the project aligns with the organization’s risk appetite and strategic goals. Planning involves developing a detailed roadmap that includes timelines, budgets, and resource allocation, while integrating risk assessments to prioritize potential threats and establish mitigation strategies. Risk registers are created at this stage, documenting risks, their potential impacts, and assigned owners to manage them effectively. As the project moves into execution, risk monitoring and management become essential. This includes tracking the progress of risk responses, adapting to changes in the project environment, and managing emerging risks. Effective communication with stakeholders ensures transparency about risks and progress. Additionally, opportunities that arise during execution, such as cost savings or favorable conditions, can be leveraged to optimize outcomes.

Finally, during project closure, a review of the risks encountered and mitigation efforts is conducted to evaluate their effectiveness. This stage also involves documenting lessons learned to improve future risk management practices and ensure that all project deliverables meet the expected quality, budget, and timeline. By embedding ERM into the project lifecycle, organizations can not only minimize threats but also capitalize on opportunities, ensuring projects are delivered successfully while maintaining alignment with strategic risk objectives.

Project risk management is one of the most advanced and well-regarded areas of risk management, which makes sense given the fast-paced and high-pressure nature of many projects. These projects can range from installing new software to constructing a large sports stadium. No matter the project’s size, all projects go through four key stages:

  1. Inception
  2. Planning
  3. Execution
  4. Closure

At every stage, the client’s needs and expectations should be the top priority, whether the client is external or part of the same organization. Understanding the project lifecycle is crucial so that risk management steps can be properly planned, executed, and aligned with the project’s goals. While project risk management follows the general risk management process, its framework may differ because projects are dynamic. Each stage comes with its own risks and uncertainties, such as:

  • Defining the project clearly.
  • Setting and agreeing on timelines and budgets.
  • Confirming performance or specifications.

Plans must also be in place to handle changes, updates, or deviations from the original project scope or circumstances. By addressing these uncertainties, organizations can manage risks effectively and achieve the intended project outcomes.

The figure shows how uncertainty decreases as a project progresses, especially in terms of cost, time, and quality. However, making changes becomes more expensive as the project moves forward. It’s easier and cheaper to adjust plans at the beginning before any work starts. This highlights the importance of managing risks throughout the project to ensure it is delivered on time, within budget, and meeting quality expectations. Many organizations expand the traditional “project triangle” of cost, time, and quality by adding a fourth factor, such as compliance or sustainability. Compliance refers to meeting the expectations of stakeholders, including regulators, while sustainability focuses on environmental and long-term considerations. Some organizations combine compliance and sustainability under the broader goal of quality or performance. For example, consider refurbishing a block of flats. This type of project involves multiple stakeholders, including architects, contractors, and external agencies like planning authorities, building regulators, and utility providers. Managing such a project successfully requires risk management to be integrated into the process, identifying risks early, communicating effectively, and addressing both threats and opportunities. Key steps include clarifying responsibilities, prioritizing and analyzing risks, planning and implementing responses, maintaining a risk register, and monitoring risks and related actions.

Opportunity in projects

Projects are carried out to take advantage of opportunities or to solve challenges. Often, several projects run simultaneously, forming what is called a program. Effective project planning requires preparing for unexpected issues, which is known as contingency planning. This includes allocating extra time or budget to handle unforeseen problems, ensuring the project meets its required specifications. As the project progresses, any difficulties must be addressed, and opportunities to reduce their impact should be explored. It’s common for project specifications to change during the process. A well-managed project will use these changes to improve customer satisfaction and potentially increase revenue for the organization delivering the project. Undertaking projects also helps organizations achieve their strategic goals. In some industries, such as energy, projects are often approved only if they help reduce risks, such as improving efficiency, quality, or output. This can minimize risks related to resource waste, poor quality, or reduced productivity. In addition to meeting the project’s main goals, organizations can benefit from opportunities that arise during the project. These might include saving time, cutting costs, or improving quality. For example, if a construction project anticipates a high level of ground contamination but finds less than expected, it could finish earlier and at a lower cost. Some contracts even include provisions for sharing the savings in such cases. In older cities, construction projects may uncover historical artifacts during excavation. Careful companies plan for this possibility by including potential delays in their timelines and considering the cost of archaeological discoveries. This might involve purchasing archaeological insurance to cover any extra costs if it’s available at a reasonable price.

Project risk analysis and management

Project risk analysis and management is a process that enables the analysis and management of the risks associated with a project. Properly undertaken, it will increase the likelihood of successful completion of a project to cost, time and performance objectives. Risks for which there is ample data can be assessed statistically. However, no two projects are the same. Often things go wrong for reasons unique to a particular project, industry or working environment. Dealing with risks in projects is therefore different from situations where there is sufficient data to adopt an actuarial approach. Because projects involve a technical, engineering, innovative or strategic content, a systematic process is preferable to an intuitive approach. Project risk analysis and management (PRAM) has been developed to meet this requirement.

The Association for Project Management (APM) introduced the Project Risk Analysis and Management (PRAM) Guide in the mid-1990s. One key insight from the guide is that many projects lack prior experience or data to predict the impact of risks accurately. The PRAM Guide outlines a step-by-step approach to managing project risks, similar to standard risk management processes. The PRAM method is a continuous process that can be applied at almost any stage of a project’s lifecycle. It is particularly useful at five key stages: during feasibility, when the project is still flexible and changes to reduce risks can be made at a lower cost; at sanction, where the client evaluates the project’s risk exposure and ensures appropriate steps have been taken; during tendering, where the contractor identifies risks and sets contingencies; after tendering, when the client reviews the contractor’s risk assessment and confirms timelines are achievable; and during implementation, where identifying and managing risks increases the chances of delivering the project on time and within budget. The guide emphasizes the importance of continuous risk management throughout a project and offers advice on achieving successful outcomes. By addressing risks proactively at these stages, both clients and contractors can enhance their ability to manage uncertainty and achieve project goals.

Supply Chain Management

Supply chain management (SCM) involves the coordination and oversight of the flow of goods, services, information, and finances from the origin of raw materials to the delivery of finished products to customers. It ensures that each step in the supply chain is efficient, cost-effective, and aligned with organizational objectives. In the context of Enterprise Risk Management (ERM), supply chain management plays a crucial role in identifying, assessing, and mitigating risks that could disrupt the supply chain. These risks might include supplier failures, transportation delays, geopolitical instability, natural disasters, or cyber threats. Effective supply chain management within ERM requires organizations to develop robust strategies, such as diversifying suppliers, enhancing transparency, and using predictive analytics to anticipate potential disruptions. By integrating ERM principles, organizations can proactively address vulnerabilities, protect their operations, and ensure continuity, ultimately strengthening their resilience and maintaining competitive advantage. ISO 28000 ‘Specification for Security Management Systems for the Supply Chain’ provides the following definition of supply chain:

A supply chain is a set of interconnected processes and resources that starts with the sourcing of raw materials and ends with the delivery of products and services to end users. Supply chains may include producers, suppliers, manufacturers, distributors, wholesalers, vendors, and logistics providers. They include facilities, plants, offices, warehouses, and branches and can be both internal or external to an organization.

Many organizations rely heavily on outsourcing for major operations and support services, such as cleaning, transportation, communication, and manufacturing. For instance, many fashion brands design their products and sell them through franchised retail stores, while outsourcing all manufacturing and distribution to third-party providers around the globe. This widespread reliance on outsourcing has made supply chain management increasingly critical.

In a globalized and competitive market, managing supply chains is challenging due to uncertainties in supply and demand, shorter product lifecycles, rapid technological changes, and globalization. These factors have increased the risks involved in supply chains. While it’s impossible to eliminate all risks, effective risk management can reduce the chances and impact of supply disruptions. As more organizations turn to overseas manufacturing, they also face growing corporate social responsibility (CSR) concerns, requiring them to address ethical and sustainability issues in their supply chains. For example, during the COVID-19 pandemic, Apple experienced significant supply chain disruptions when factories in China shut down, delaying iPhone production. This caused shortages of components and logistical challenges. To address this, Apple diversified its manufacturing to countries like India and Vietnam and invested in digital technologies to improve supply chain visibility and flexibility. This response demonstrates how proactive risk management can help minimize disruptions and maintain operations during global crises. Another example is an organization outsourcing its merchandise procurement. It aims to ensure that the products are desirable, high-quality, and cost-effective, while also meeting ethical standards. However, to balance the conflicting expectations of stakeholders—such as profitability versus CSR—the organization might choose a low-cost manufacturer through a third-party procurement agency. The agency is tasked with ensuring ethical sourcing while maintaining product quality and cost-efficiency. Despite this, risks like quality issues, supply delays, or CSR concerns could arise, potentially leading to dissatisfaction and reduced sales. The shift in supply chain strategies from focusing on “lowest risk at any cost” to “lowest cost at any risk” highlights the importance of managing both the risks and benefits of outsourcing.

Organizations must assess and mitigate the potential downsides of outsourcing with the same care they apply to leveraging its advantages. Balancing these hazards and opportunities is key to a resilient and responsible supply chain.

Scope of supply chain

As outsourcing becomes more common, organizations are paying more attention to the risks of depending on third parties. Outsourcing is often pursued with the expectation of reducing costs and shifting risks to others. However, before deciding to outsource, it is crucial to carefully evaluate the balance between potential risks and rewards. Organizations must recognize that outsourcing not only requires managing their own risks but also considering the risks associated with every link in the supply chain.

Supply chain management and risk management are closely connected, and supply chain decisions are becoming increasingly complex. Outsourcing is just one part of managing a supply chain. Success often depends on building strategic partnerships or even engaging in joint ventures. Supply chain risks are not limited to large-scale operations but also include smaller outsourcing decisions, such as hiring cleaning or catering services. During the 1980s, many organizations began outsourcing facilities management tasks, a trend that continues today. The scope of supply chain management can range from strategic collaborations and joint ventures to outsourcing transportation, warehousing, and even the operation of retail stores through franchise agreements.

For example, Nike faced significant criticism in the mid-2000s over ethical sourcing issues. The company acted quickly to address these concerns and protect its reputation. This highlights the importance of managing risks throughout the supply chain, whether related to sourcing raw materials or delivering finished goods.

Supply chain discussions often refer to “upstream” and “downstream” activities. Upstream refers to the goods or services received from suppliers, while downstream relates to the goods delivered to customers. However, these terms can sometimes cause confusion, so it may be simpler to think of the supply chain as what you receive from suppliers and the delivery chain as what you provide to customers. Regardless of terminology, most organizations rely on goods and services from suppliers or outsourced providers. They also act as suppliers to their own customers. To ensure smooth operations, organizations must evaluate risks associated with their suppliers and manage the risks involved in delivering products or services to their clients. Balancing these risks at both ends of the chain is essential for effective supply chain management.

An example of supply chain challenges comes from Apple, which has faced labor and ethical concerns with its suppliers in China. One of the most well-known incidents involved Foxconn, a major supplier responsible for assembling Apple products like iPhones and iPads. Investigations revealed issues such as excessive working hours, unsafe working conditions, and underage labor. Reports also surfaced about falsified records, including manipulated work logs to comply with labor laws. Apple took steps to address these issues by working closely with its suppliers to improve conditions. The company implemented stricter oversight through regular audits and introduced initiatives to ensure compliance with labor standards. Apple also joined organizations like the Fair Labor Association to enhance its monitoring efforts. Moreover, the company encouraged its suppliers to adopt better grievance mechanisms, improve workplace safety, and reduce excessive overtime. This example highlights the complexities of managing a global supply chain, especially in countries with rapidly changing legal and economic environments. It also emphasizes the need for multinational corporations to maintain rigorous standards and continuously monitor their suppliers to uphold ethical and legal responsibilities.

Strategic partnerships

When outsourcing parts of its operations, an organization must carefully choose its strategic partners. For instance, if an organization decides to outsource the production of an in-house magazine, the level of importance placed on the magazine might lead to forming a strategic partnership with the publisher. Managing supply chain risks becomes even more critical when manufacturing is involved. A supermarket, for example, must evaluate whether its supply chain partner can consistently deliver goods on time, within budget, and sustainably. To secure a reliable supply, the supermarket might form a strategic partnership with its suppliers, ensuring priority treatment during disruptions. This guarantees the supermarket a steady supply and lower costs, while the supplier benefits from a secure market and long-term contracts. However, there are drawbacks. Suppliers may have to agree to fixed prices, even if higher prices could be obtained elsewhere. Additionally, suppliers might become overly dependent on a single customer for orders, increasing their vulnerability. The use of “just-in-time” delivery and single-supplier models can also heighten the risk of business interruptions. While insurance can cover financial losses, it may not fully protect the organization’s reputation or market share. To address these risks, organizations must develop business continuity strategies and build resilient partnerships. Strategic partnerships, which sometimes even involve competitors working together, are valuable alliances that benefit all stakeholders and enhance organizational resilience.

Joint ventures

To ensure a secure supply chain, organizations might seek priority status from their suppliers. However, for essential components or services, priority status may not be enough. In such cases, organizations often explore joint ventures with suppliers to guarantee priority access. Joint ventures allow organizations to gain some control over the supplier’s operations, reducing the risk of the supplier prioritizing competitors during challenging market conditions. They can also help prevent competitors from accessing the joint venture’s products, providing a strategic advantage. Additionally, joint ventures are a practical way to adapt to technological changes, as they spread the financial burden of adopting new technologies across both parties. Competition and technological shifts in the supply chain can be significant and may exceed the resources of individual organizations. Joint ventures can help maintain supply chain continuity while offering competitive advantages and minimizing the capital at risk. For organizations aiming to reduce dependency on suppliers, joint ventures offer a tactical alternative to fully acquiring a supplier. Instead of outright ownership, which demands significant capital and resources, a joint venture allows the risks to be shared between the parties. The main benefit of joint ventures is the shared risk and reward structure. Both parties distribute the venture’s risks and benefits by establishing clear agreements or forming a new company with shared capital. This arrangement is ideal for organizations that want to seize opportunities while minimizing their financial exposure, especially when they prefer not to fully fund the venture on their own.

Outsourcing

Outsourcing the manufacturing of components to specialized subcontractors offers many benefits, but it also comes with risks that need to be carefully managed. While outsourcing can transfer some responsibilities, it does not entirely eliminate the risks tied to the activity. To address this, a clear contract must be established to define how risks are shared, often including penalty clauses for poor performance and rewards for exceptional results to encourage collaboration. Outsourcing non-core operations can also introduce supply chain vulnerabilities, so organizations must carefully define the scope of services in the outsourcing arrangement. Additionally, in many countries, laws protect employee rights during outsourcing transitions. For instance, if cleaning or catering services are outsourced, the rights of the existing employees may be safeguarded, which can complicate cost-saving efforts. Despite these challenges, outsourcing is often a way to shift non-essential tasks to specialists, reducing costs while benefiting from their expertise. For example, an office might outsource cleaning, catering, or facilities management to achieve cost efficiencies and improved service quality. Outsourcing agreements should address key points such as the scope and duration of the arrangement, services provided, sub-contracting limits, pricing and performance expectations, monitoring and auditing processes, confidentiality and data security, default and termination conditions, dispute resolution, and insurance and liability requirements. These elements ensure that both parties clearly understand their roles, responsibilities, and expectations in the outsourcing relationship.

Most businesses outsource certain tasks, but deciding to outsource is a big decision, and the benefits are not always easy to define. Outsourcing can lower costs by reducing overheads and letting a professional handle the task. However, cost reduction alone shouldn’t be the only reason for outsourcing. The benefits of outsourcing can be grouped into two categories: direct and indirect. Direct benefits come from having a specialized company manage the outsourced tasks, while indirect benefits include the ability to focus more on the company’s core activities. Some key direct benefits include lower costs, faster processes, and better customer satisfaction. Specific advantages are:

  • Greater focus on core business activities.
  • Lower manufacturing and logistics costs.
  • Fewer staff needed, reducing headcount and management responsibilities.
  • Higher accuracy in operations.
  • Flexibility and access to a broader range of services.
  • Use of global networks and advanced technology.
  • Better service quality and overall improvement.
  • Reduced need for capital investment and better cash flow.

Contracts

Risk management is a key part of setting up supply chain contracts or outsourcing tasks. The complexity of these contracts depends on several factors, including the level of risk involved, the contract’s value, its scope and duration, the skills required for the job, and how critical the goods or services are to the organization. Organizations often outsource parts of their operations to save money and access specialized expertise while focusing on their main business activities. However, this has led to more complex and fragmented global supply chains, which are more vulnerable to disruptions caused by external factors like natural disasters, pandemics, or terrorism. Companies must carefully assess the risks of outsourcing and supply chain arrangements to ensure they are well-managed. Outsourcing doesn’t mean all risks are transferred to the third party. For example, if outsourced manufacturing produces poor-quality goods or operates unethically, the organization’s reputation could still be damaged. Outsourcing should only be done if it is cost-effective and efficient. Decisions based on the assumption that all risks are passed to the third party can be misleading. For instance, if goods produced in low-cost countries fail to meet safety standards, such as toys with lead-based paint, the risks and costs could outweigh the benefits. Organizations need to ensure that the risks associated with outsourcing fit within their risk tolerance and capacity. A detailed evaluation should be conducted to understand the risks of complex supply chain arrangements. While insurance may cover certain events like fires or natural disasters at the supplier’s premises, it usually doesn’t cover issues like poor quality, late deliveries, or supplier bankruptcy.

Oil and gas supply chain

In the oil and gas industry, supply chain disruptions can have significant impacts on operations, similar to the challenges faced in the automotive sector. One notable example is the aftermath of Hurricane Harvey in 2017, which disrupted oil and gas production and supply chains in the U.S. Gulf Coast region. This area is a critical hub for refining and chemical manufacturing, accounting for a significant portion of the country’s fuel and petrochemical output. The hurricane caused widespread flooding, which led to shutdowns of refineries, pipeline disruptions, and delays in the transportation of raw materials and finished products. Many companies faced challenges in resuming operations due to damaged infrastructure, workforce availability, and logistical bottlenecks. In response, oil and gas companies adopted several risk mitigation strategies:

  • Diversifying supply sources: Firms worked to secure alternative suppliers or increase inventory levels to reduce dependence on a single source for critical inputs.
  • Investing in resilient infrastructure: Some companies upgraded facilities to withstand extreme weather events, including raising critical equipment above flood levels.
  • Strengthening logistics networks: Businesses re-routed transportation and explored alternative ports and pipelines to minimize disruptions.
  • Developing contingency plans: Companies required their suppliers to maintain disaster recovery plans, ensuring rapid recovery and continued supply during future crises.
  • Expanding insurance coverage: Companies reviewed and enhanced their insurance policies, including coverage for business interruptions due to natural disasters.