Risk Governance


Risk governance refers to the frameworks, processes, and structures that organizations use to identify, assess, manage, and communicate risks effectively across all levels. It integrates risk management into decision-making, ensuring that risks are aligned with the organization’s objectives and that stakeholders are informed and involved. Risk governance establishes accountability and responsibility for risk-related decisions. It is rooted in principles of transparency, fairness, accountability, and inclusiveness, ensuring that risk management practices are not only systematic but also aligned with ethical standards and the organization’s overall goals. At its core, risk governance provides a structured approach to managing risks that could affect the organization’s ability to achieve its objectives. It emphasizes clear communication, consistent evaluation of risks, and the integration of risk considerations into strategic and operational planning. By doing so, it ensures that risks are proactively managed rather than reactively addressed, supporting sustainable growth and resilience.

Corporate governance

Corporate governance aims to ensure accountability and responsibility for running an organization efficiently, effectively, and ethically. It helps protect executives and employees as they perform their duties and builds trust among stakeholders by showing that the organization can achieve results that matter to them. Corporate governance involves many aspects, with risk management being a key part of an organization’s success. Most countries have rules requiring organizations to follow corporate governance standards. These rules are particularly strict for publicly listed companies, registered charities, and government entities. For example, companies listed on the London Stock Exchange must follow the UK Corporate Governance Code issued by the Financial Reporting Council.

Countries take different approaches to enforcing corporate governance. Some use a “comply or explain” system, where organizations either follow the rules or explain why they did not and describe the alternative methods used to achieve the same outcome. Other countries require full compliance with strict rules, allowing little or no flexibility. Corporate governance standards are responsibilities placed on the board of directors through laws and codes of practice. To improve governance, organizations might create a code of ethics for directors, establish delegation-of-authority documents, and require annual conflict-of-interest declarations. Board members may also receive governance training.

Organizations typically form specialized committees with clear roles and memberships to support governance. These committees, often sub-groups of the board, might include a risk management committee, audit committee, disclosures committee, nominations committee, and remuneration committee. Regular reports on governance matters are presented at board meetings, often by the company secretary.

OECD principles of corporate governance

The OECD Principles of Corporate Governance are internationally recognized guidelines aimed at improving corporate governance practices worldwide. First introduced in 1999 and regularly updated, these principles provide a framework for companies, regulators, and policymakers to promote transparency, accountability, and fairness in corporate operations. The principles are designed to help organizations build trust with stakeholders, including investors, employees, and the public.

Corporate governance refers to the system used to direct and manage organizations. It involves processes, controls, decision-making, and accountability at all levels, particularly at the highest level of an organization. Corporate governance ensures that senior management carries out its responsibilities effectively and ethically, with a strong focus on risk management as part of the overall structure. Good corporate governance emphasizes openness, honesty, and accountability in decision-making. This applies to all types of organizations, whether large or small, public or private.

The Organization for Economic Cooperation and Development (OECD), an international body, has developed principles for corporate governance. These principles highlight the importance of protecting stakeholder rights, treating all stakeholders fairly, and ensuring their role in governance. They also stress the need for transparency and disclosure, with boards of directors being responsible for implementing these principles. The BS 13500 governance standard emphasizes that effective governance contributes to the success of both organizations and society. This standard encourages organizations to go beyond merely avoiding problems by defining responsibilities to different stakeholders and serving as a checklist for establishing a strong governance system. While having a governance framework does not guarantee success, it helps promote positive values and behaviors that support organizational effectiveness.

Here is an overview of the OECD principles:

  • A robust framework should promote transparent markets, uphold the rule of law, and clearly define responsibilities among authorities, regulators, and stakeholders. It must also be adaptable to the legal, institutional, and cultural context of the country.
  • Protect the rights of shareholders, including the ability to vote in general meetings, transfer shares, and participate in major corporate decisions. Facilitate effective shareholder engagement and provide mechanisms for addressing grievances.
  • All shareholders, including minority and foreign shareholders, should receive equal treatment. Prevent insider trading and abusive practices. Ensure that voting rights are clearly defined and properly executed.
  • Recognize the rights of stakeholders as established by law or mutual agreements. Encourage active cooperation between the corporation and stakeholders to create sustainable wealth and employment.
  • Ensure timely and accurate disclosure of all material matters regarding the company, including its financial situation, performance, ownership, and governance. Provide access to information about policies on business ethics, related-party transactions, and risk management practices.
  • The board should guide corporate strategy, monitor management, and be accountable to shareholders and stakeholders. Board members should act in good faith, with due care, and in the best interests of the company. Boards should ensure compliance with legal and ethical standards, manage conflicts of interest, and oversee the integrity of financial reporting and risk management.

OECD principles of corporate governance

  • Effective corporate governance framework: Promote transparent and fair markets and the efficient allocation of resources, be consistent with the rule of law, and support effective supervision and enforcement.
  • Rights and equitable treatment of shareholders: Protect and facilitate the exercise of shareholder rights and ensure equitable treatment of all shareholders, including minority and foreign shareholders.
  • Institutional investors, stock markets and other intermediaries: Provide sound incentives throughout the investment chain and ensure that stock markets function in a way that contributes to good corporate governance.
  • Role of stakeholders in corporate governance: Recognize the rights of stakeholders established by law or through mutual agreements and encourage active co-operation between corporations and stakeholders.
  • Disclosure and transparency: Ensure timely and accurate disclosure of all material matters, including the financial situation, performance, ownership and governance of the company.
  • Responsibilities of the board: Ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board’s accountability to the company and its shareholders.

London Stock Exchange Corporate Governance Framework

The London Stock Exchange (LSE) Corporate Governance Framework is built to guide companies in achieving high standards of transparency, accountability, and ethical behavior. This framework emphasizes the importance of robust governance structures for listed companies to build investor confidence and maintain market integrity. Companies listed on the LSE are expected to adhere to key principles outlined in the UK Corporate Governance Code, developed by the Financial Reporting Council (FRC). The UK Corporate Governance Code focuses on principles such as:

  • Leadership: Companies must have a clear division of responsibilities within the board to ensure leadership accountability and effective decision-making.
  • Effectiveness: Boards should include a balance of skills, diversity, and experience, with regular evaluations of performance to maintain effectiveness.
  • Accountability: Companies must implement sound systems of internal controls and risk management, with transparent financial reporting.
  • Remuneration: Executive pay should align with company performance, shareholder interests, and long-term success, avoiding excessive or inappropriate rewards.
  • Engagement: Companies should foster constructive relationships with shareholders and consider the interests of wider stakeholders, including employees and customers.

Listed companies must either comply with the principles of the UK Corporate Governance Code or explain any deviations in their annual reports, following the “comply or explain” approach. This ensures flexibility while promoting high governance standards. Additionally, the LSE encourages listed companies to integrate Environmental, Social, and Governance (ESG) considerations into their governance practices. This aligns corporate governance with broader societal goals and sustainability objectives, reflecting evolving investor priorities and global best practices.

The London Stock Exchange (LSE) provides guidance on corporate governance with a focus on making boards more effective. According to the LSE, corporate governance is about managing the organization efficiently and defining the roles and responsibilities of senior managers and board members. The LSE framework emphasizes two key aspects:

  1. The duties, obligations, and rewards of board members.
  2. Meeting stakeholder needs, which include their rights, involvement, and open communication.

The guidance highlights several important aspects of board responsibilities, including:

  • Deciding who sits on the board.
  • Ensuring board members are accountable.
  • Setting clear limits on authority delegated by the board.
  • Fairly compensating board members.

Board members are expected to fulfill their duties in five key areas to meet stakeholder expectations:

  • Developing and implementing strategies.
  • Promoting corporate social responsibility.
  • Managing risks effectively.
  • Overseeing audits and ensuring risk assurance.
  • Providing complete and accurate disclosures.

This framework ensures that boards operate responsibly while addressing the needs of stakeholders and maintaining organizational transparency.

The OECD principles and the LSE corporate governance framework outline the key requirements and structure for implementing corporate governance. However, the specific actions taken to meet stakeholder expectations in areas like strategy, corporate responsibility, audit, risk management, and disclosure may differ between organizations. Risk management should be seen as part of the broader corporate governance system. While the LSE framework identifies risk management as a distinct component, it also plays a role in supporting other areas like strategy, social responsibility, auditing, and reporting. Non-executive directors have a crucial role in corporate governance. The audit committee, typically made up of non-executive members, acts as the third line of defense. To be effective, non-executive directors are expected to:

  • Uphold the highest ethical standards.
  • Support executives in leading the organization.
  • Oversee and evaluate the actions of executives.
  • Question, discuss, and make decisions impartially.
  • Consider different perspectives from both inside and outside the board.
  • Build trust and respect among board members.
  • Advocate for strong corporate governance practices.
  • Ensure compliance with relevant governance codes.

These efforts help strengthen the organization’s governance and maintain accountability.

Corporate governance for a bank

Corporate governance in a bank refers to the framework of rules, practices, and processes through which the bank is directed and controlled. It ensures the bank operates efficiently, ethically, and in the best interests of its stakeholders, including depositors, shareholders, regulators, and the broader financial system. For banks, corporate governance is especially critical because they manage public funds and play a vital role in the stability of the economy. Good governance in banks helps build trust, reduce risks, and promote financial integrity.

Corporate governance and risk management in financial organizations, like banks, are tightly controlled and regulated. Most financial institutions create their own corporate governance guidelines. These guidelines usually cover the qualifications and responsibilities of directors, the roles and authority of board committees, and plans for evaluating board performance and managing senior leadership succession. The corporate governance structure typically includes principles to guide the board of directors. These principles outline how board members should handle conflicts of interest, maintain confidentiality, and comply with laws and regulations. To ensure good governance, it is crucial to provide proper training and orientation for board members. New board members usually go through a program that covers:

  • Legal and regulatory requirements
  • Risk management practices
  • Capital management and financial reporting
  • Human resources and compensation policies
  • The roles of internal and external audits and the audit committee
  • Communication strategies, including branding

The global financial crisis pushed banks and financial institutions to reassess their corporate governance standards. For example, a review of a major national bank highlighted criticisms and governance failures, prompting improvements in their approach. Key elements of corporate governance in a bank include:

  1. Board Oversight: The board of directors is responsible for guiding the bank’s strategy, approving risk policies, and ensuring that management performs its duties effectively. A mix of executive and non-executive directors enhances objectivity and accountability.
  2. Risk Management: Banks face unique risks, including credit, market, operational, and liquidity risks. A sound governance framework requires robust risk management systems, with a risk management committee often overseeing these efforts.
  3. Regulatory Compliance: Banks are subject to stringent regulations to ensure financial stability and protect customer interests. Corporate governance ensures that banks comply with laws, standards, and guidelines from regulatory bodies like central banks or financial authorities.
  4. Transparency and Disclosure: Timely and accurate financial reporting and disclosure of key information are essential for maintaining trust and meeting regulatory requirements. Banks must provide clarity on their financial health, risk exposures, and governance practices.
  5. Stakeholder Interests: Governance practices in banks must balance the interests of various stakeholders, including shareholders seeking returns, depositors requiring safety, and regulators ensuring systemic stability.
  6. Ethical Conduct and Culture: Promoting an ethical work culture and holding leadership and employees accountable for their actions is critical in preventing fraud, misconduct, or conflicts of interest.
  7. Internal Controls and Audit: Strong internal controls help safeguard assets, detect irregularities, and ensure the accuracy of financial reporting. The audit committee, often comprising non-executive directors, oversees internal and external audits.

By adhering to strong corporate governance principles, banks can foster financial stability, enhance stakeholder confidence, and contribute to economic growth.

Corporate governance for government organizations

Corporate governance in government organizations focuses on ensuring transparency, accountability, and ethical behavior in the management and operations of public sector entities. These organizations are responsible for delivering public services and managing public funds, making effective governance essential to maintain public trust and achieve their objectives.

Government organizations often follow specific governance frameworks or codes established by national laws and regulations. These frameworks typically outline the roles and responsibilities of key stakeholders, such as board members, senior executives, and oversight bodies. Government organizations often have boards or governing councils responsible for strategic oversight. These boards may include independent members who bring expertise and objectivity to decision-making. Training and capacity-building for board members and staff are crucial to maintaining high governance standards. By adhering to these principles, government organizations can ensure the efficient use of resources, build public confidence, and achieve their goals effectively while maintaining accountability and integrity.

Key elements of corporate governance in government organizations include:

  1. Accountability: Public sector organizations must demonstrate accountability to taxpayers and stakeholders. This involves clear reporting structures, regular audits, and compliance with laws and policies.
  2. Transparency: Decisions and processes should be open and accessible to the public, ensuring that the organization’s actions are understandable and justifiable.
  3. Ethical Conduct: Government organizations are expected to uphold high ethical standards. Codes of conduct and ethics policies guide behavior and decision-making to prevent conflicts of interest and corruption.
  4. Risk Management: Identifying, assessing, and managing risks is critical to ensuring that public funds are used effectively and that services are delivered without unnecessary disruptions.
  5. Performance Management: Setting goals, monitoring progress, and evaluating outcomes are vital for maintaining efficiency and effectiveness in delivering public services.
  6. Stakeholder Engagement: Actively involving citizens, employees, and other stakeholders in decision-making processes ensures that the organization remains aligned with public needs and expectations.

For government organizations, strong corporate governance is often a requirement. In many cases, the main reason for focusing on risk management is to ensure that these governance systems are effective. This means the primary goal of risk management in government organizations is to support their governance frameworks. In contrast, for commercial organizations, corporate governance and risk management help achieve broader objectives, such as business goals or market success. Government departments, however, have a narrower focus, prioritizing accountability, value for money, and avoiding misconduct. Corporate governance in government organizations creates a system of control that promotes innovation, integrity, accountability, and strong management practices. Within this framework, staff responsibilities are clearly defined, and the process for reporting risk-related issues is established. Connecting risk management with corporate governance allows organizations to prioritize specific risks, such as ensuring value for money, maintaining business continuity, preventing fraud, and securing IT systems. The foundation of these governance efforts in government organizations is often based on the Nolan principles, which emphasize ethical behavior and public accountability.

Nolan principles of public life

  1. Selflessness: Holders of public office should act solely in terms of the public interest and should not seek benefits for themselves, their family or friends.
  2. Integrity: Holders of public office should not place themselves under any financial or other obligation to outside individuals or organizations.
  3. Objectivity: In carrying out public business, the holders of public office should make choices on merit.
  4. Accountability: Holders of public office are accountable for their decisions and actions to the public and must submit themselves to appropriate scrutiny.
  5. Openness: Holders of public office should be as open as possible about all the decisions and actions that they take and give reasons for their decisions.
  6. Honesty: Holders of public office have a duty to declare any private interests relating to their public duties and to take steps to resolve any conflicts.
  7. Leadership: Holders of public office should promote and support these principles by leadership and example.

Risk Management Policy of ABC

Purpose

The purpose of this policy is to establish a structured approach to identifying, assessing, mitigating, and monitoring risks that could impact the agency’s ability to achieve its objectives and deliver public services effectively. This policy supports accountability, transparency, and the efficient use of public resources.

Scope

This policy applies to all employees, contractors, and stakeholders involved in the agency’s operations, programs, and projects. It includes risks related to operations, finances, compliance, reputation, and information security.

Policy Objectives

  1. Protect Public Interest: Ensure the agency operates with integrity and delivers value for money.
  2. Promote Accountability: Clearly define roles and responsibilities for risk management.
  3. Support Decision-Making: Provide a framework for informed and confident decision-making.
  4. Enhance Resilience: Improve the agency’s ability to respond to unforeseen events and challenges.
  5. Ensure Compliance: Meet legal, regulatory, and governance requirements.

Risk Management Framework

The agency adopts a systematic process for managing risks, which includes:

  1. Risk Identification: Regularly identifying risks that could impact the agency’s goals and operations.
  2. Risk Assessment: Evaluating risks based on likelihood and potential impact, using a risk matrix.
  3. Risk Mitigation: Developing and implementing strategies to minimize or manage risks, such as control measures, contingency planning, and resource allocation.
  4. Risk Monitoring and Reporting: Continuously monitoring identified risks and emerging risks, with regular reporting to management and oversight bodies.
  5. Review and Improvement: Periodically reviewing the risk management process to incorporate lessons learned and improve effectiveness.

Roles and Responsibilities

  • Board or Oversight Committee: Provide strategic guidance on risk management and review significant risks.
  • Risk Management Team: Oversee the implementation of the policy and ensure consistent practices across the agency.
  • Managers and Staff: Identify and manage risks within their areas of responsibility and report significant risks to the risk management team.
  • Internal Audit: Independently review the effectiveness of risk management practices and provide recommendations for improvement.

Priority Risk Areas

The agency prioritizes the management of risks in the following areas:

  1. Compliance Risks: Ensuring adherence to laws, regulations, and policies.
  2. Operational Risks: Maintaining business continuity and service delivery.
  3. Financial Risks: Safeguarding against budget overruns, fraud, and inefficiencies.
  4. Reputational Risks: Protecting public trust and confidence in the agency.
  5. Information Security Risks: Securing data and IT systems against breaches and cyberattacks.

Governance and Reporting

The risk management process is integrated into the agency’s overall governance framework. Reports on risk management activities and key risks are presented regularly to the board or oversight committee. Significant risks requiring immediate attention are escalated as needed.

Review and Updates

This policy will be reviewed annually or when significant changes occur to ensure its relevance and alignment with the agency’s objectives.

Evaluation of board performance

Evaluating board performance is a vital part of maintaining strong corporate governance. It ensures that the board operates efficiently, fulfills its responsibilities, and aligns with the organization’s objectives. By assessing performance, the board can identify its strengths and areas needing improvement, enabling better decision-making, fostering accountability, and building trust with stakeholders. An effective evaluation helps the board refine its processes, adapt to changing circumstances, and align more closely with its strategic goals.

The evaluation process examines various aspects of board function, such as strategic oversight, governance practices, risk management, decision-making, and individual contributions. It also looks at whether the board has the right mix of skills, diversity, and independence to perform its role effectively. The board’s relationship with senior management is another critical factor, as clear communication and appropriate delegation are essential for smooth operations. Evaluating these areas provides a comprehensive view of how well the board supports the organization.

Different methods can be used to evaluate board performance. Self-assessments allow board members to reflect on their collective and individual contributions, while peer reviews offer valuable feedback from colleagues. External evaluations, conducted by independent experts, bring an unbiased perspective and can provide in-depth insights. Performance metrics, such as predefined key performance indicators (KPIs), can also help measure the board’s success in meeting its objectives. These methods ensure that the evaluation is thorough and balanced.

The process typically begins with planning, where objectives and criteria are defined, followed by data collection through surveys, interviews, or reports. Analyzing the collected information helps identify trends, strengths, and gaps. Findings are then presented in a report, which outlines recommendations for improvement. Developing an action plan to address these gaps and monitoring progress ensures that the evaluation leads to meaningful change. Regular follow-up ensures continuous improvement and adaptability.

Conducting regular board evaluations brings numerous benefits. It enhances accountability, transparency, and stakeholder confidence while fostering a cohesive and effective board team. It also highlights skill gaps and training needs, ensuring the board remains equipped to meet future challenges. Ultimately, board performance evaluation is an ongoing process that supports robust governance and organizational success.

The board is ultimately responsible for setting the organization’s strategy and ensuring proper governance. The executive management, led by top executives, is responsible for running the organization. In many cases, executive directors are also members of the board, forming a unitary board. Some organizations have a supervisory board made up only of non-executive directors, and the executive directors meet separately as the executive committee. This separation of executive and non-executive directors is called a two-tier board structure, which is more common in certain countries, charities, and public-sector organizations.

Regardless of the structure, the board has a range of responsibilities and typically identifies issues it will retain control over, called matters reserved for the board. One important responsibility that is not delegated is setting the organization’s risk appetite. After determining what matters will remain under the board’s authority, the board will decide how to delegate responsibility for other areas. Large organizations often create a delegation of authority statement, which outlines how authority is shared within the governance structure. Within the organization, executive directors, managers, and staff are the first line of defense in ensuring proper governance, including risk management and internal controls. The board should be aware of the risk management functions within the organization and their role as the second line of defense. Non-executive directors, typically members of the audit committee, represent the third line of defense in ensuring strong risk governance.

Evaluating the effectiveness of the board

  1. Membership and structure
    • Does the board have the necessary range of knowledge, skills and experience?
    • Is there appropriate turnover of board membership to ensure new ideas?
    • Are the sub-committees of the board effective, with appropriate delegated authority?
    • Are board decision-making processes satisfactory, with adequate information available?
    • Do communication processes exist between board members outside board meetings?
  2. Purpose and intent
    • Do all board members understand and share the vision and mission?
    • Do members of the board understand the objectives and position statements?
    • Is there sufficient knowledge and understanding of the significant risks?
    • Are board members sufficiently involved with the development of strategy?
    • Have measurable budget and performance targets been put in place?
  3. Involvement and accountability
    • Does the board have shared ethical values, including openness and honesty?
    • Are the established policies unambiguous and consistent with the ethics?
    • Do board members understand their duties, responsibilities and obligations?
    • Is there a feeling of mutual trust and respect at board meetings?
    • Are adequate delegation and authorization procedures in place?
  4. Monitoring and review
    • Is there sufficient monitoring of performance using appropriate measurements?
    • Does the board challenge planning assumptions when and where appropriate?
    • Does the board demonstrate the ability to respond rapidly to changes?
    • Is there a mentality that demands continuous improvement in performance?
    • Does the board assess financial and other controls and seek assurance on compliance?
  5. Performance and impact
    • Is there a satisfactory level of attendance at board, committee and other meetings?
    • Are board decisions and actions fully recorded and actions tracked and confirmed?
    • Are the agreed targets and performance indicators evaluated and assessed?
    • Is the impact of board decisions and actions evaluated in a timely manner?
    • Is there an emphasis on accuracy, honesty and open reporting to external agencies?

Evaluation of board performance is a critically important part of the corporate governance arrangements for any organization. The areas for evaluation are as follows:

  • membership and structure;
  • purpose and intent;
  • involvement and accountability;
  • monitoring and review;
  • performance and impact.

The checklist focuses on corporate governance effort and on the level of performance of the board. When deciding issues related to strategy, tactics, operations and compliance, the board will need to ensure that adequate procedures are in place for reaching decisions. These decisions will result in a course of action and the implementation of that course of action needs to be monitored. The course of action will result in some outputs, and these need to be evaluated in terms of the impact that is achieved. When evaluating the effectiveness of the board, the impact of its decisions is the ultimate test. The level of impact can then be evaluated against the vision, mission and objectives of the organization.

A good organizational structure helps manage risk effectively. The structure should be suitable for the organization, but generally, it includes three levels of governance for managing risk:

  1. The first level involves those directly responsible for managing and controlling risk, such as staff, management, and the board within the operational business units.
  2. The second level focuses on coordinating, supporting, and overseeing the effectiveness of the risk management framework, such as through a risk committee or a risk management function.
  3. The third level provides independent assurance and oversight to ensure the risk management framework is effective and reliable, such as through internal and external audits.

Interested parties’ or stakeholders’ expectations

In Enterprise Risk Management (ERM), stakeholder or interested parties’ expectations refer to the needs, concerns, and priorities of individuals, groups, or entities that are affected by or can affect the organization’s activities, decisions, and overall performance. Stakeholders can include customers, employees, investors, regulators, suppliers, community members, and any other parties with a vested interest in the organization’s operations and outcomes. Understanding and addressing these expectations is vital for successful ERM, as stakeholders influence the organization’s reputation, decision-making processes, and long-term sustainability. In ERM, stakeholders’ expectations often guide the identification and management of risks that could affect the organization’s ability to deliver value or meet its objectives. Organizations must balance competing priorities, such as ensuring profitability for investors, maintaining compliance for regulators, and upholding ethical standards for the community. Effective ERM frameworks integrate these expectations into risk management processes to ensure the organization not only avoids harm but also capitalizes on opportunities to enhance trust, performance, and value creation.

Organizations have many stakeholders, including some they might not prefer. For example, if a distribution company plans to expand its depot, local residents might object. Even if the company doesn’t want to recognize them, these residents are still stakeholders because they are affected by the company’s activities. According to ISO Guide 83, the term “interested party” is preferred, but “stakeholder” is also acceptable. ISO Guide 73 defines a stakeholder as any person or group concerned with, affected by, or believing they are affected by an organization. A typical organization has various stakeholders, which can be grouped as CSFSRS: customers, staff, financiers, suppliers, regulators, and society. These stakeholders often have conflicting expectations. For instance, employees may want higher wages, while shareholders prefer maximizing profits. It is the management’s role to balance these competing interests and find solutions that work for all parties. Different organizations will have different types of stakeholders. In government agencies, the general public is a key stakeholder, with specific groups depending on the agency’s purpose. For companies with environmental impacts, like energy firms, environmental activists may also be stakeholders, even if they are seen as unwelcome. For example, a coal-based power company might face opposition from local communities concerned about pollution, leading to conflicts between the company’s goals and the community’s expectations.

Business process re-engineering (BPR) is a method to make an organization’s processes and operations as effective and efficient as possible. BPR often begins by identifying stakeholders and their expectations. The organization’s core processes, which are the main activities essential to its operations, are then designed to meet these shared expectations. For example, in a power company, generating electricity is a key process. This process matters to various stakeholders, including customers, employees, and investors. By focusing on a few critical processes that cover strategy, operations, and compliance, the organization can evaluate potential risks to these processes and embed risk management into its overall structure. The type of stakeholder involved will determine the questions asked about the organization’s risk awareness, efforts to improve risk management, and governance systems. Stakeholders have the right to know about the organization’s risk profile, plans for risk improvement, and how risk performance is monitored. They also need information on the organization’s risk appetite and how it incorporates risk considerations into its strategies. Understanding the different expectations of various stakeholders, even if they conflict, can help create better alignment and communication within the organization.

Example of stakeholder expectations related to ERM for an oil and gas company

In an oil and gas company, stakeholder expectations related to Enterprise Risk Management (ERM) vary widely and often intersect with critical areas of business strategy, operations, and sustainability. Here’s an example:

  1. Customers: Customers expect a reliable supply of oil and gas products at competitive prices. They also increasingly demand environmentally friendly practices, including a commitment to reducing greenhouse gas emissions and adopting cleaner energy solutions.
  2. Employees: Staff expect a safe working environment, especially given the hazardous nature of oil and gas operations. They also look for fair compensation, career development opportunities, and transparent communication about risks that may affect job security or workplace safety.
  3. Investors and Financiers: Shareholders and lenders expect strong financial performance and stable returns on investment. They also prioritize the company’s ability to manage risks such as fluctuating oil prices, regulatory changes, and the transition to renewable energy. Demonstrating effective risk management practices is critical to maintaining investor confidence.
  4. Regulators: Government authorities and regulatory bodies expect compliance with local and international laws, including health and safety regulations, environmental standards, and anti-corruption measures. Failure to meet these requirements can result in fines, legal actions, or reputational damage.
  5. Suppliers: Vendors and contractors expect timely payments and long-term relationships. They also look for clear terms regarding safety protocols and quality standards to minimize risks in the supply chain.
  6. Society and Communities: Local communities, especially those near extraction sites, expect responsible operations that minimize environmental damage, provide economic benefits such as jobs, and respect cultural and social norms. Public pressure for sustainable and ethical business practices is also growing.
  7. Environmental Groups: Advocacy organizations expect the company to reduce its carbon footprint, adopt renewable energy solutions, and manage risks related to pollution, biodiversity, and climate change.

The ERM framework for an oil and gas company must address these diverse expectations. It involves identifying, assessing, and managing risks that could affect the company’s ability to meet stakeholder needs. Examples include developing emergency response plans for oil spills, implementing safety measures in drilling operations, and diversifying investments into renewable energy to address long-term market shifts and environmental concerns.

Communication with stakeholders

Communication with stakeholders is about sharing information and maintaining a good relationship based on mutual understanding of the organization’s goals. The board has the ultimate responsibility for ensuring that these communications are effective, although specific staff members may handle day-to-day interactions with certain groups. The type and amount of information shared depend on the stakeholder’s interests. For example, shareholders typically want updates on financial performance, while lenders may focus on the organization’s financial stability and repayment plans.

Effective communication helps the organization understand stakeholder expectations and address any conflicting or opposing demands. This dialogue also supports transparency and trust, which are critical for maintaining strong stakeholder relationships. In addition to regular communication, organizations should encourage open channels like whistleblowing, which can provide valuable insights and help identify potential risks or issues early on. Analyzing stakeholders and what they expect is also essential to fully understanding the risks an organization faces, and identifying stakeholder expectations is a key part of assessing the external factors affecting the organization. Much of the communication will center on providing clear and accurate financial information, tailored to what each stakeholder group needs. Information typically made available to stakeholders includes:

  • General
    • A clear statement of strategy and vision
    • Corporate profile and principal markets
  • Financial data
    • Annual report and financial statements
    • Archived financial information for the past three years
  • Corporate governance and CSR
    • Information related to compliance with Combined Code
    • Information on the company CSR policies
  • Shareholder information
    • Shareholder analysis by size and constituent
    • Information on directors’ share dealings
  • Relevant news
    • Access to all news releases and presentations
    • Developments that might affect the share value

Whistleblower policy

A whistleblower policy in Enterprise Risk Management (ERM) is designed to encourage employees and other stakeholders to report unethical behavior, misconduct, or violations of policies and regulations without fear of retaliation. It plays a critical role in identifying risks related to fraud, corruption, or non-compliance that may not be detected through routine controls or audits. The policy is an integral part of good governance and risk management, as it fosters transparency and accountability. The policy typically outlines the procedures for reporting concerns, ensuring confidentiality, and protecting whistleblowers from retaliation. It should specify the channels available for reporting, such as a hotline, dedicated email, or an independent third-party service. Additionally, the policy includes provisions for investigating reported concerns, taking corrective actions, and ensuring that whistleblowers are not penalized for raising genuine concerns.

For example, in an oil and gas company, a whistleblower policy might help address risks related to environmental compliance. Suppose an employee notices illegal dumping of hazardous waste by a contractor. The whistleblower can report this activity through the established channels. The company investigates the matter, takes corrective action by terminating the contractor’s services, and reports the violation to the relevant authorities. Simultaneously, the whistleblower is protected from any retaliation, reinforcing a culture of openness and ethical behavior. Such a policy not only helps mitigate risks but also builds trust among employees, stakeholders, and regulators, contributing to the overall integrity of the organization’s risk management framework.

Managing interested parties’ or stakeholders’ expectations through core processes, strategy, tactics and operations

Managing stakeholder expectations involves aligning the organization’s core processes, strategies, tactics, and operations with the interests and needs of its stakeholders. Core processes represent the essential activities that deliver value to stakeholders, while strategies, tactics, and operations define how these processes are executed to meet organizational goals and stakeholder expectations.

Core processes focus on delivering the organization’s primary value. For example, in a manufacturing company, the core processes could include product design, production, and distribution. Each of these processes directly impacts stakeholders such as customers, employees, suppliers, and regulators. By optimizing these core processes, the organization can ensure that stakeholder expectations, such as high-quality products, timely delivery, and compliance with standards, are consistently met.

Strategy sets the long-term direction for meeting stakeholder expectations. It defines overarching goals and the approach to achieve them. For instance, an organization may adopt a sustainability strategy to address societal and environmental concerns, thereby aligning with societal stakeholders’ expectations while maintaining profitability for shareholders. This strategic alignment ensures that stakeholder needs are considered at the highest decision-making level.

Tactics translate strategies into actionable plans, detailing specific initiatives and programs to address stakeholder concerns. For example, if a company’s strategy involves enhancing customer satisfaction, a tactical approach might involve launching a customer feedback program to improve products and services. These tactical measures help in balancing diverse stakeholder interests, such as those of customers and shareholders.

Operations focus on the day-to-day activities that implement tactical plans and core processes. Efficient operational management ensures that the organization consistently meets stakeholder expectations. For instance, maintaining high operational standards in a service company can ensure customer satisfaction and loyalty, fulfilling the expectations of both customers and employees.

By integrating stakeholder expectations into core processes, strategy, tactics, and operations, organizations can create a cohesive approach to managing these relationships. This not only builds trust and alignment with stakeholders but also strengthens the organization’s ability to achieve its objectives while minimizing risks.

1. Core processes:

Core processes are essential to meeting stakeholder expectations and are influenced by the organization’s internal and external context. A risk can be seen as an event that could impact the ability to meet these expectations. This perspective helps identify both internal and external stakeholders, as well as their expectations in the short, medium, and long term. Core processes can be categorized into strategic, tactical, operational, and compliance processes (STOC). While compliance processes are separate, they also support and reinforce the other types of processes. Strategic processes focus on setting the organization’s future direction, tactical processes turn strategy into actionable changes, and operational processes deal with day-to-day activities like managing people, information security, health and safety, and business continuity. Compliance processes ensure adherence to regulations and ethical standards, forming the foundation for all other processes.

A stakeholder-focused approach has several benefits. It enables a thorough review of core processes in relation to what stakeholders expect, helping balance these sometimes conflicting expectations. Risks associated with meeting stakeholder expectations can be identified, analyzed, and managed effectively. This method is also a cornerstone of business process re-engineering (BPR), which aims to refine core processes to align with shared stakeholder expectations. By analyzing expectations, organizations can identify shared goals and adjust their processes to meet them. However, this approach requires significant time and effort. BPR, in particular, can be a demanding process if done thoroughly. Despite this, the benefits include identifying core processes most vulnerable to risks and determining which stakeholders are most likely to feel dissatisfied if their expectations are not met. This allows organizations to prioritize risk management efforts and improve overall performance in meeting stakeholder needs.

2. Strategy:

Research has shown that poor risk management decisions about strategy can harm an organization more than mistakes in managing operations or projects. Stakeholder expectations are met through the organization’s core processes, which can be categorized as strategic, tactical, operational, or compliance (STOC). Strategic core processes are the most critical and must be highly robust to satisfy major stakeholders like financiers and shareholders, who prioritize the organization’s long-term success. For example, workers might expect better cafeteria facilities. To meet this expectation, the organization may need a strategic core process to oversee the construction of a new cafeteria. This would require significant investment and backing from financiers. To gain their support, the organization must understand their expectations and ensure the plans for the cafeteria and its financial arrangements meet their requirements. The construction itself would be a major project, involving a different set of stakeholders whose expectations also need to be managed effectively.

3. Tactics:

Tactical stakeholders often differ from those focused on an organization’s operations. For example, when tactics involve product improvements, new production methods, or responding to technological changes—typically requiring a project—financing is crucial. This makes financial institutions key stakeholders in such initiatives. Other stakeholders may include contractors and professional specialists like architects. Employees also play a vital role in implementing tactical changes. They have a strong interest in operational matters and are key stakeholders in the organization’s day-to-day activities. Successfully adopting new work practices or product changes depends heavily on staff support, which makes effective communication with them essential. It’s important to carefully consider how projects, developments, or changes will impact all stakeholders. By thoroughly evaluating these impacts, surprises can often be avoided. Both internal and external stakeholders affected by the project should be taken into account, including considerations like environmental effects during and after construction, and changes to staff working conditions. Involving individuals outside the organization in project planning can help identify potential issues and better understand the broader effects of the work. Ultimately, the success of stakeholder engagement often depends on the level of detail considered. Even for successful projects, addressing key stakeholder concerns early can help minimize negative impacts and ensure smoother outcomes.

4. Operations:

Many groups of stakeholders are connected to an organization’s operational activities. For example, visitors are key stakeholders concerned with safety and communication. They are also interested in practical aspects such as transport, access, and the facilities provided by the organization. Pharmaceutical companies, being large organizations, deal with a wide range of stakeholders. For instance, a company producing essential medication has a responsibility to ensure its continuous availability to patients. Patients should be considered important stakeholders with clear expectations about the medication’s availability and effectiveness. Operational stakeholders often include customers, suppliers, and others impacted by disruptions to the organization’s smooth functioning. For instance, customers may face inconvenience if a hazard risk occurs. Similarly, suppliers rely on the organization’s regular operations, as disruptions could mean their products or services are no longer needed, causing them to suffer as well.

5. Employee representation on the board

Board-level employee representation means having employee representatives on the company’s supervisory board, board of directors, or similar governing bodies. These representatives are usually elected by the employees, appointed, or chosen to represent the workforce’s interests. They might be company employees, union officials, or others acting on behalf of employees. Unlike workplace groups like works councils, board-level representation focuses on providing employee input into the company’s overall strategic decisions rather than just dealing with day-to-day operational matters. In most Western European countries, employee representatives are usually in the minority on the board. Their role typically involves gaining information, understanding the company’s strategy, and sharing opinions and arguments about its direction. However, in some cases, where employee representatives have equal numbers to shareholder representatives, they may have significant influence over company strategy, including the ability to veto decisions. This is sometimes referred to as “co-determination.”

Employee representation on the board is valuable in Enterprise Risk Management (ERM) because it ensures that employee perspectives and insights are integrated into the organization’s strategic decision-making and risk management processes. This inclusion benefits ERM in several ways:

  1. Improved Risk Awareness: Employees often have firsthand knowledge of operational risks, safety concerns, and process inefficiencies. Their representation ensures these insights are communicated directly to the board, leading to more informed risk management strategies.
  2. Enhanced Communication: Employee representation fosters open communication between the workforce and the board. This helps in understanding risks from different levels of the organization and ensures that risk mitigation strategies are practical and well-received by employees.
  3. Alignment of Interests: Including employees in board discussions ensures that decisions align with the workforce’s needs and expectations. This reduces the risk of decisions that could negatively impact morale, productivity, or workplace culture.
  4. Support for Implementation: Employees are key stakeholders in implementing risk management initiatives. Their representation can ensure that planned actions are realistic and feasible, increasing the likelihood of successful execution.
  5. Ethical and Sustainable Decisions: Employee representation can help the board consider broader social and ethical implications of strategic decisions, ensuring a balance between profitability, employee welfare, and long-term sustainability.
  6. Early Warning of Risks: Employees can often detect emerging risks or operational issues before they escalate. Their input at the board level provides an early warning system, allowing for proactive risk management.

By integrating employee representation into ERM, organizations create a more inclusive, balanced, and comprehensive approach to identifying and addressing risks, fostering a culture of trust and collaboration.

Risk Competencies and Risk Training

https://preteshbiswas.com/wp-content/uploads/2024/12/Effective-Risk-Management_-Competencies-Communication-and-Systems.wav

Risk practitioner competencies refer to the skills, knowledge, and abilities required by individuals responsible for managing risks within an organization. These competencies enable risk practitioners to identify, assess, manage, and mitigate risks effectively, ensuring that the organization achieves its objectives while minimizing potential threats. Competencies typically cover technical, analytical, interpersonal, and strategic aspects of risk management. To determine risk practitioner competencies, organizations can follow several steps:

  1. Define Core Competencies: Identify the essential skills and knowledge areas required for effective risk management in the organization. These may include risk assessment techniques, regulatory compliance, financial analysis, strategic planning, and communication skills.
  2. Use Established Frameworks: Leverage industry standards or frameworks such as ISO 31000, COSO ERM, or the IRM Risk Management Professional Competency Framework to outline specific competencies and proficiency levels expected from risk practitioners.
  3. Role-Based Competency Mapping: Different roles in risk management require different competencies. For example, a risk analyst may need strong data analysis skills, while a Chief Risk Officer (CRO) requires strategic thinking and leadership. Organizations can create role-specific competency profiles.
  4. Assess Current Skills: Conduct assessments to determine the current skill levels of risk practitioners. This can be done through self-assessments, manager evaluations, or third-party audits.
  5. Gap Analysis: Compare the current competencies against the desired competency framework to identify areas where practitioners need improvement or additional training.
  6. Training and Development: Develop targeted training programs to address competency gaps. This could include workshops, certifications, on-the-job training, or mentoring programs.
  7. Performance Metrics and Feedback: Implement systems to measure the effectiveness of risk management activities and provide ongoing feedback to practitioners. This ensures continuous improvement and alignment with organizational goals.
  8. Adapt to Organizational Needs: As the organization evolves, so do the risk management challenges. Regularly update the competency framework to reflect changes in the business environment, regulatory landscape, and organizational objectives.

Risk management is now seen as a professional field rather than just a set of tasks. Like any profession, it requires a clear framework of skills and abilities (competencies) that practitioners need to perform their roles effectively. These frameworks outline the key stages of the profession and define the skill levels needed at various levels of responsibility. Professionals in risk management must have both technical (hard) skills and interpersonal (soft) skills to succeed. Technical skills are essential for handling specific risk management tasks, while soft skills, such as communication and collaboration, are equally important for effectively implementing risk management strategies within an organization. Risk practitioners need expertise in two key areas. First, they must have a strong understanding of risk management practices and processes. Second, they must possess business skills to understand the organization’s internal and external environment. This knowledge helps them design and implement a risk management framework that aligns with the organization’s goals and operations. While developing business skills is important, the primary focus for a risk practitioner is building technical skills directly related to risk management. These technical skills are closely tied to the steps involved in implementing a successful risk management program.

Risk management technical skills

  1. Skills associated with planning risk management strategy
    • Evaluate status: Evaluate the organizational context and objectives and map the external and internal risk context
    • Develop strategy: Develop risk strategy and risk management policy and develop the common language of risk
  2. Skills associated with implementing a risk management architecture
    • Design architecture: Design and implement risk management architecture, roles and responsibilities
    • Develop processes: Develop and implement the risk management processes, procedures and protocols
    • Build awareness: Build a culture of risk awareness aligned with other management activities
  3. Skills associated with measuring risk management performance
    • Facilitate assessments: Facilitate the identification, analysis and evaluation of risks, and design record-keeping procedures
    • Evaluate controls: Evaluate existing performance and evaluate efficiency and effectiveness of existing controls
    • Improve controls: Facilitate the design and implementation of necessary and cost-effective control improvements
  4. Skills associated with learning from risk management experience
    • Evaluate framework: Evaluate risk management strategy, policies and processes, and introduce improvements
    • Design reports: Develop understanding of reporting requirements, design reporting formats and produce appropriate reports

Risk Skills

Risk competency refers to the ability of an individual or organization to effectively understand, assess, manage, and communicate risks. It encompasses a combination of knowledge, skills, experience, and judgment that enables someone to perform risk-related tasks effectively. Risk competency is broader than technical expertise; it involves applying critical thinking, understanding the context of risks, and aligning risk management activities with organizational goals. Competency is also about consistently demonstrating the ability to handle risks professionally and efficiently in varying circumstances. Risk skills, on the other hand, are specific abilities or techniques that contribute to effective risk management. These can include skills such as risk identification, risk assessment, data analysis, stakeholder communication, and scenario planning. Risk skills are often developed through training, practice, and exposure to real-world situations. While skills are actionable and task-specific, they do not guarantee competence unless they are applied appropriately and effectively within a broader framework of knowledge and understanding. The difference between risk competency and risk skills lies in their scope and application. Risk skills are individual components that contribute to performing risk-related tasks, whereas risk competency represents the overarching ability to integrate these skills with knowledge, experience, and judgment to achieve successful outcomes. Competency is the result of combining various skills in a coherent and effective manner, supported by a strong understanding of the organizational and external environment. In essence, while risk skills are building blocks, risk competency is the complete structure that ensures effective risk management.

A successful risk management practitioner needs a mix of technical and interpersonal (soft) skills. Technical skills can be split into two categories: risk management-specific skills and broader business-related skills. Risk management skills can be outlined in a competency framework, while business skills will vary depending on the organization. These typically include knowledge in areas like finance, accounting, legal matters, human resources, marketing, operations, and IT. Soft skills, or people skills, have become increasingly important as communication within and between organizations evolves. Technical skills are often linked to intellectual intelligence, while soft skills rely on emotional intelligence. To excel, a risk practitioner needs both types of intelligence and skillsets. In addition to technical and interpersonal skills, a good risk manager must also focus on self-management and personal development. These skills are common among professionals and are often guided by a code of ethics or conduct. Self-development involves improving one’s abilities and potential, leading to greater job satisfaction and future opportunities. It also includes helping others grow, whether as a teacher, mentor, trainer, or coach. The people skills needed in a business environment can be grouped into communication, relationship-building, analytical thinking, and management (CRAM) skills. While technical skills can be learned through training and experience, people skills depend more on an individual’s personality, making them harder to develop. Mastering these interpersonal skills is often a greater challenge for risk practitioners but is crucial for success.

People skills for risk management practitioners

  1. Communication
    • Excellent written and oral skills
    • Presentation and public-speaking skills
    • Committee and meeting participation skills
  2. Relationship
    • Influencing skills to work with ‘challenging’ behaviour
    • Negotiating skills to defuse conflict and identify solutions
    • Networking skills across organizational silos
  3. Analytical
    • Strategic thinking skills and creativity skills
    • Data-handling skills to get to the heart of a problem
    • Research skills to present arguments based on facts
  4. Management
    • Time-management skills to manage teams and projects
    • Leadership skills to motivate and develop staff
    • Facilitation skills to assist with setting priorities

Soft skills

Calling them “soft” might make people skills seem less important than technical skills, but they are actually vital for any business and can determine its success or failure. Employees with strong people skills are more effective when interacting with others, which is especially crucial for businesses that rely on face-to-face client interactions. Just like technical skills, people skills can be learned and improved. While these skills naturally develop over a lifetime, businesses can actively support this growth through workshops, seminars, and encouraging employees to share their ideas, suggestions, and advice during discussions. This helps foster continuous improvement and collaboration.

Clear communication about risk is essential. Within an organization, internal communication happens through the risk architecture, which serves as the formal structure for sharing information about risk control activities and gathering data for external reporting. For instance, a road haulage company might focus on operational efficiency and give proper attention to risk management by introducing measurable loss-control programs. The board may request regular reports on metrics like road accidents, vehicle breakdowns, fuel consumption, and delivery incidents. These reports allow the board to compare performance against competitors and the company’s past performance. However, while the board monitors these results, it is the responsibility of line management to implement and manage improved risk performance.

Communication skills

In some cases, risk communication within organizations can be informal, such as discussions during risk assessment workshops or training sessions. These communication practices are part of the organization’s risk culture. Externally, risk communication involves engaging with stakeholders like the media, the public, and other groups. For example, if a road haulage company plans to expand its storage depot, it must communicate with local stakeholders and planning authorities. This involves preparing honest, clear arguments that address concerns about community risks, ensuring stakeholders that adequate risk controls are in place. Public perception of risk may differ from scientific evidence, so communications should go beyond facts and address emotional concerns to build trust. Effective communication skills also include running training sessions and facilitating workshops. Risk practitioners often lead risk assessment workshops, which require clear structure and inclusive discussions where all participants can contribute equally. A common technique in such workshops is using sticky notes to capture ideas, which are then grouped based on the questions posed. The facilitator plays a crucial role in identifying common themes and consolidating similar ideas into a manageable list of issues or risks. This process requires skill to ensure productive and meaningful discussions.

Running training courses requires a specific set of skills, but the main goal is always to keep all participants engaged. A common method for structuring training sessions is the three-step approach: first, explain what will be covered, then go through the content, and finally, summarize what has been discussed. While this method might seem overly simple or repetitive, it is often the most effective way to make sure the key messages are clearly communicated and understood. Essentially, training sessions are best broken into three clear parts for better organization and learning.

  • Stage 1 Set up: This stage will describe what the course will provide. It is often achieved by delegate introductions and expectations, a group exercise or a simple quiz to get everybody thinking about the topic of the day.
  • Stage 2 Set out: This stage provides the detailed information that the training course is intended to impart. It can be a combination of structured inputs, group tasks, discussion exercises, feedback sessions and training films.
  • Stage 3 Set down: This stage summarizes what the course has covered and confirms general understanding. It will often ask delegates to confirm what they have learnt and/or indicate what actions they will take following the course.

Effective communication also includes strong verbal and written presentation skills. This involves the ability to write reports tailored to the organization’s needs, whether for internal use or external distribution. The format and style of reports can vary widely depending on the organization. Many organizations prefer short summaries for the board, supported by detailed documents available if needed. A risk practitioner should align their communication style with the organization’s culture. If reports typically include graphics, risk information should also use visuals. If reports are text-based, it becomes a challenge to make the content engaging without visuals. Similarly, presentations to the board should match the usual style of other board presentations. Thorough preparation and familiarity with the topic are crucial. When presenting to the board, the risk practitioner should clarify the purpose of the presentation. A simple informational update requires a different approach than a report seeking approval for action. Understanding the audience’s expectations is essential, especially when communicating with the board. To ensure effective communication, it helps to follow the “5Cs”:

  • Complete: Provide all the necessary information so the audience can take the appropriate action.
  • Clear: The message should be easy to understand, making your purpose obvious.
  • Concise: Stick to the point and keep it brief to maintain attention.
  • Coherent: The message should flow logically, with all points connected to the main idea.
  • Credible: Show that you understand the audience’s concerns and priorities to build trust.

Relationship skills

Relationship skills are essential, especially the ability to influence and negotiate effectively. These skills also include motivation and navigating workplace dynamics, which must be used in a way that aligns with the organization’s culture and internal environment. Listening skills are equally important, as understanding the perspective of someone you are negotiating with or trying to influence is vital. Influence is often achieved through positive energy and enthusiasm for the changes being proposed. Successful influencing requires the ability to gain support, inspire others, form strong connections, and engage people’s imaginations. Improving risk management often involves ongoing negotiation, which calls for an understanding of established negotiation techniques. Political skills, though sometimes misunderstood, are also critical. They involve understanding group dynamics, handling difficult individuals, and managing conflicts with flexibility. These skills also require sensitivity to cultural differences and varying stakeholder needs. Political skills become especially important when chairing meetings. The chairperson must allow all attendees to express their views clearly and concisely while maintaining neutrality and guiding the group toward a fair consensus. The core of relationship skills is building and maintaining connections with diverse stakeholders, including customers, staff, financiers, suppliers, regulators, and society (CSFSRS). Each stakeholder group has unique interests, and not all will prioritize risk management. This makes excellent communication and relationship skills essential for the risk practitioner. Addressing differing opinions requires a high level of interpersonal skill and tact.

Analytical skills

Analytical skills cover a wide range of abilities, including strategic and logical thinking. Sometimes, especially in problem-solving situations, creative and out-of-the-box thinking is essential for risk practitioners. Many practitioners work with numbers, such as calculating risk for compliance with regulations like Basel II or determining appropriate insurance coverage. However, not all analytical skills involve mathematics; strong problem-solving abilities are also crucial. Research skills are another valuable tool for risk practitioners. Being able to quickly find and analyze information is an asset, especially when large amounts of data need to be evaluated. Practitioners often need to identify patterns or connections in the data and present their findings clearly and logically, whether in reports, training sessions, or presentations. Analytical skills are especially beneficial during risk assessment workshops, where participants may have differing opinions about the risks involved in a specific situation. A skilled facilitator listens carefully, identifies the assumptions underlying each perspective, and challenges these assumptions to help the group reach a shared understanding.

Analytical skills involve understanding, questioning, and clearly defining problems to make informed decisions based on the available data. This includes applying logical thinking to gather, analyze, and test potential solutions. The goal is to evaluate different options critically and develop the best course of action. Problem-solving and decision-making are closely related and essential for business success, particularly in risk management. Some individuals may naturally excel at making decisions but may need to focus on improving their quality, while others might have strong analytical abilities but need to act more decisively. Creativity is vital in generating and exploring options, often using tools like SWOT and PESTLE analysis. Effective decision-making combines creativity, clear judgment, decisive action, and practical implementation.

Management skills

Risk management teams are often small, but this isn’t always the case. Regardless of team size, even if a risk practitioner doesn’t directly manage others, they still need to understand management skills. These skills are useful for influencing other managers to consider alternative actions and for handling tasks like team management and delegation of authority. Many people skills, such as those discussed earlier, are equally relevant for management. Among these, motivation stands out as particularly important for risk practitioners, especially when promoting a risk-aware culture or encouraging changes in behavior. Practitioners must inspire individuals, managers, and directors to adopt different approaches and mindsets. Self-management skills are also critical. These include setting clear priorities, meeting deadlines, and maintaining personal motivation. Time management, organization, and staying motivated are essential throughout a risk practitioner’s career. It’s also important to understand the distinction between management and leadership. A manager might focus on controlling a team’s activities to ensure everything is done as planned. A leader, on the other hand, sets clear priorities, empowers the team to take ownership of their tasks, and involves them in developing goals. Effective leadership combines guidance with collaboration, ensuring everyone works towards shared objectives.

Leadership skills

The main difference between managers and leaders lies in how they motivate people, which influences their overall approach. Managers typically have subordinates who work under their authority, following instructions to achieve specific tasks. Their focus is on getting things done efficiently, maintaining control, and avoiding conflicts. Managers tend to be cautious and prefer to minimize risks as part of their role. Leaders, on the other hand, inspire followers rather than commanding subordinates. While some leaders may also hold managerial positions, when they lead, they rely less on formal authority and more on influence and vision. Leaders are open to challenges, embrace risks, and view obstacles as opportunities. They may take unconventional paths and, at times, bend rules to achieve their goals. This distinction highlights the difference in mindset and approach between managing and leading.

Leadership skills are essential in Enterprise Risk Management (ERM) as they enable risk practitioners to guide organizations in navigating uncertainties while aligning risk strategies with overall business objectives. A strong leader in ERM demonstrates the ability to influence decision-making processes at all levels, from senior management to operational teams. This requires clear communication, strategic thinking, and the capacity to articulate how risk management supports the organization’s goals and enhances its resilience. An ERM leader fosters a risk-aware culture by promoting open dialogue about risks and encouraging all employees to take ownership of their role in managing risks. They inspire confidence and collaboration, ensuring that stakeholders understand the importance of integrating risk management into daily operations. By building trust and credibility, ERM leaders can motivate teams to adopt proactive risk practices and implement changes that may initially face resistance. Decision-making is another critical aspect of leadership in ERM. Effective leaders analyze complex information, weigh alternatives, and make informed decisions while balancing risk and opportunity. They use analytical and problem-solving skills to address challenges, anticipate potential disruptions, and develop strategies that mitigate risks without stifling innovation or growth. Adaptability and vision are also vital leadership traits in ERM. Leaders must be agile in responding to rapidly changing environments while maintaining a forward-looking perspective. They ensure that ERM frameworks evolve to address emerging risks and align with the organization’s strategic direction. By demonstrating resilience and a commitment to continuous improvement, ERM leaders set an example for others and help organizations thrive in uncertain conditions. Ultimately, leadership in ERM involves not only managing risks but also inspiring teams, building a strong risk culture, and aligning risk practices with the broader objectives of the organization. This holistic approach ensures that ERM becomes an integral part of the organization’s success.

Development of risk communication

Risk communication as a field started developing in the late 1970s, mainly in response to public concerns about nuclear and chemical technologies in the United States. At the time, the belief was that providing clear, simple information would be enough to convince people that these risks were not as serious as they feared. However, this approach has largely failed. Experts now recognize that understanding risk involves more than just facts—it also depends on emotions, instincts, and personal experiences. Simply sharing factual information without considering these emotional and psychological factors is incomplete and often ineffective. Many people associate risk communication with what to say during a crisis, but this view is too narrow. While communication during emergencies is important, experience shows that its effectiveness depends heavily on the groundwork laid beforehand. Preparing and building trust before a crisis makes communication during the event much more effective.

The main goal of sharing risk information and providing risk training is to ensure the organization responds consistently to similar risk events. Achieving this requires sharing knowledge and experiences. A consistent approach is needed for handling hazard, control, and opportunity risks. If an organization has an intranet, it can be a great tool to provide access to relevant information and ensure uniform responses. It’s also important to define and communicate clear risk protocols and maintain a consistent approach to individual risks. This includes identifying risks ahead of time and confirming the controls in place for them. This method applies to strategic, project, and operational risks. Providing training and establishing clear communication practices helps the organization maintain consistency in how it handles risks. For every capital expenditure request, a risk assessment should be included. This assessment should address both the risks the project aims to manage and the risks within the project itself, such as potential delays, budget overruns, or failure to meet specifications. Similarly, attaching risk assessments to strategic analyses is critical to maintaining consistency in risk management. Creating an “issues manual” can be a useful tool for identifying risks, circumstances, or events that require action. This manual helps communicate risks across the organization and supports consistent responses. Providing the necessary information, supervision, and training further ensures that risk management procedures are followed effectively. When new risks emerge or existing risks change significantly, it’s crucial to have escalation procedures in place. These procedures ensure that senior management is alerted to the changes, and staff must be trained on how to handle risk escalation effectively. Consistency in risk response becomes especially critical during a crisis. Training is essential for directors, managers, and staff on how to follow disaster recovery and business continuity plans. Clear communication and thorough preparation ensure that everyone knows what to do in challenging circumstances.

Establishing effective risk communication involves several key steps to ensure clarity, consistency, and engagement with stakeholders. These steps create a structured approach to sharing risk-related information and promoting a risk-aware culture within the organization.

  1. Define Objectives: Clearly outline the purpose of risk communication. Objectives might include raising awareness, ensuring consistent responses to risks, or facilitating informed decision-making across the organization.
  2. Identify Stakeholders: Determine the internal and external stakeholders involved in risk communication. Internal stakeholders could include employees, managers, and the board, while external stakeholders might be regulators, customers, suppliers, or the public.
  3. Select Communication Channels: Choose the appropriate methods to deliver risk information. Internally, this could involve emails, reports, intranet updates, or workshops. Externally, it may include press releases, stakeholder meetings, or public announcements.
  4. Develop Standardized Protocols: Create templates, guidelines, and standardized language for risk communication. This ensures consistency in how risks are described, assessed, and addressed across the organization.
  5. Provide Training and Awareness: Train employees on risk communication protocols and their roles in the process. Workshops and awareness campaigns can help embed a consistent understanding of risks and responses.
  6. Encourage Two-Way Communication: Establish mechanisms for feedback and discussion. Risk assessment workshops, surveys, or open forums can help stakeholders share their perspectives and raise concerns.
  7. Align Communication with Context: Tailor messages to suit the audience and situation. For example, technical details may be appropriate for internal experts, while broader summaries might be better for public stakeholders.
  8. Incorporate Risk Escalation Procedures: Define how risks are escalated to senior management when they are new or significantly changed. Provide training to ensure employees understand and follow escalation protocols.
  9. Monitor and Evaluate: Regularly review the effectiveness of risk communication strategies. Use feedback and performance metrics to identify gaps and make improvements.
  10. Adapt and Improve: Update communication practices as organizational needs evolve or external circumstances change. This ensures that risk communication remains relevant and effective over time.

By following these steps, organizations can establish a strong risk communication framework that enhances awareness, supports decision-making, and builds trust with both internal and external stakeholders.

Risk training and risk culture

Risk training refers to educating employees, management, and stakeholders about the principles, processes, and practices of risk management. It aims to build knowledge and skills needed to identify, assess, respond to, and monitor risks effectively within an organization. This training ensures that everyone understands their roles and responsibilities in managing risks and contributes to the development of a proactive and consistent risk-aware culture.

The organization’s risk culture can be described using five key elements: leadership, involvement, learning, accountability, and communication (LILAC). These elements also highlight the steps needed to successfully integrate risk management into the organization. Involvement, learning, accountability, and communication are especially important when it comes to risk training and communication. Clear risk management documentation helps managers and employees understand their roles and responsibilities, as well as the level of accountability expected. Proper risk training fosters learning and communication, strengthening the organization’s overall risk-aware culture.

To foster a robust risk culture, specific types of risk training are necessary. These include:

  1. General Risk Awareness Training
    • Educates employees and managers about the concept of risk, its types (strategic, operational, financial, etc.), and its potential impact on the organization.
    • Emphasizes the importance of risk management in achieving business objectives.
  2. Role-Specific Risk Training
    • Provides tailored training for employees based on their roles and responsibilities. For example, frontline staff may receive training on operational risks, while senior management focuses on strategic risks and decision-making.
  3. Risk Assessment and Analysis Training
    • Teaches employees how to identify and assess risks using tools like risk matrices, SWOT analysis, or PESTLE analysis.
    • Enhances skills in evaluating the likelihood and impact of risks and determining mitigation strategies.
  4. Compliance and Regulatory Training
    • Covers industry-specific regulations, legal requirements, and compliance standards.
    • Helps ensure that all employees understand the importance of adhering to these guidelines to avoid penalties or reputational damage.
  5. Crisis Management and Business Continuity Training
    • Prepares employees and leaders to handle crises and emergencies effectively.
    • Focuses on disaster recovery plans, communication protocols, and maintaining operations during disruptions.
  6. Risk Communication Skills Training
    • Develops skills for clear and effective communication about risks to internal and external stakeholders.
    • Includes training on delivering concise, coherent, and credible messages.
  7. Ethics and Decision-Making Training
    • Encourages ethical decision-making in risk management.
    • Promotes transparency and accountability in identifying and responding to risks.
  8. Cultural and Behavioral Training
    • Encourages behaviors that align with the organization’s risk culture, such as open communication about risks, proactive reporting, and collaboration.
    • Includes workshops or activities that reinforce the organization’s values and attitudes toward risk.
  9. Scenario-Based Training
    • Uses simulations or real-life scenarios to test risk responses and decision-making in a controlled environment.
    • Builds confidence in handling risks and prepares employees for real-world challenges.
  10. Leadership and Change Management Training
    • Focuses on leaders’ roles in driving a risk-aware culture.
    • Equips leaders with the skills to inspire, motivate, and guide their teams in embracing risk management practices.

Consider a company managing health and safety risks. To address these risks, the organization should create clear guidelines, protocols, and procedures, which include awareness training for all staff. Detailed processes for managing specific risks, such as libel and slander, should reflect the level of exposure. The focus on these risks may vary depending on the nature of the business, and the following steps could be suitable:

  • Provide all employees with basic health and safety training.
  • Implement specific review procedures for politically sensitive topics.
  • Require legal reviews for every issue of a satirical publication.

Staff should be trained on updated procedures, and information should be made available on the company’s intranet. Managers and employees should be encouraged to provide feedback on these procedures to improve them as part of the company’s learning culture. Risk training is crucial for fostering understanding and communication about risks and for engaging managers, staff, and stakeholders. It should cover various topics, enhance awareness of risk-related issues, and provide information on control measures. Employees should understand their critical role in implementing these controls effectively. When determining health and safety training needs, consider the following:

  • Assess employees’ abilities, knowledge, and experience to ensure they can perform their tasks safely.
  • Make sure job demands align with employees’ capabilities to avoid risks to themselves or others.

Some employees may need specific training, such as:

  • New hires requiring basic safety induction, including first aid, fire safety, and evacuation protocols.
  • Employees transitioning to new roles or responsibilities needing training on potential safety impacts.
  • Young or inexperienced employees, who are more prone to accidents, requiring extra attention, supervision, and prioritized training.
  • Workers needing refresher training to update their skills.

Your risk assessment should identify any additional training needs to ensure everyone can perform their duties safely and effectively.

Examples of when risk training is needed:

  • When a manager is newly hired or takes on new or extra responsibilities.
  • When an employee starts a new role or when procedures have been updated.
  • After a recent incident or loss within the organization or at a competitor’s site.
  • As a refresher, which might be required by law in some cases.

Risk information and communication

Risk communication begins by identifying the stakeholders involved or affected by a specific risk. Once they are identified, it’s important to decide what information needs to be shared and why it’s important for each group to receive it. Stakeholders usually have their own views on risks, so any communication should take these perceptions into account. Clear guidelines help set rules for sharing risk information with a wide range of stakeholders, and these become even more crucial when dealing with external parties. However, they are just as useful for communicating with internal teams. Internal stakeholders, like managers and staff, often need risk information because they are expected to actively participate in managing those risks, unlike external stakeholders who may not have such responsibilities. Risk training should be integrated with the organization’s other training programs and tailored to fit job requirements. It is needed in situations such as when new risks arise, existing risks change significantly, an individual takes on a new role or additional duties, or after an incident that leads to updated procedures. Training ensures that everyone understands their role in managing risks effectively.

Risk communication guidelines

  • Identify the stakeholders, both inside and outside the organization, and understand their interests and concerns.
  • Use simple language and presentation, but don’t oversimplify complex topics when detailed explanations are necessary.
  • Share objective information, clearly separating facts from opinions.
  • Communicate honestly and clearly, considering how much the audience already understands.
  • Address uncertainties by explaining what isn’t known and what can be done to resolve these gaps.
  • Be careful when comparing risks, but use familiar examples to help explain unfamiliar ones.
  • Focus on a few key messages that are clear, concise, and limited to three points at a time.
  • Be ready to answer questions and offer additional information later if needed.

Whistleblowing investigation process

An important part of risk communication is making sure there are proper systems for “whistleblowers.” Employees and others may have confidential information about the organization that should not normally be shared, but there should be a way for them to report concerns if they believe serious wrongdoing has occurred. The person receiving the report will review the information and decide if there is a valid case. They will then determine if an investigation is needed and how it should be conducted. Depending on the issue, the investigation might be:

  • Done within the organization,
  • Referred to external auditors,
  • Investigated by an independent party.

After the investigation, some issues may need to be reported to outside authorities, such as the police or funding bodies. If the person handling the report decides not to investigate, they should explain their decision to the person who raised the concern. The individual can then choose to report the issue again to someone else or to the audit committee chair.

Shared risk vocabulary

To communicate effectively about risk, it’s important to develop a common language around risk. Sometimes, an organization needs to create its own specific risk vocabulary for unique situations. What’s more important than the exact meaning of a term is that everyone within the organization has a shared understanding of risk, based on the language they use. To make sure risk management is part of daily operations, the risk manager might use the existing terminology within the organization. Even if that language doesn’t match formal risk management definitions, it’s better to use the familiar terms to improve communication. A standard vocabulary can help explain risk management concepts, even if it doesn’t fully align with ISO Guide 73. Creating and agreeing on definitions can take time and may require compromises, but it’s crucial for everyone to have the same understanding when discussing risk. Having a shared language is especially important for building a strong risk culture. In any organization, different people at various levels and in different departments need to be involved in managing risk. A common language helps bridge gaps between layers of management and various departments. Without it, the risk management team would spend too much time fixing communication problems instead of focusing on their main tasks.

Risk information on an intranet

Risk information can be shared with stakeholders in various ways. Many organizations create simple guides or leaflets to inform stakeholders about current risk issues. The method of communication will depend on the stakeholder and how complex the message is. When an organization needs to report to financial stakeholders, formal risk communication methods are used. This could include a report to the stock exchange or other financial bodies, which might be supported by informal communication methods like videos, slide presentations, or conference calls. Another option for risk communication is an intranet, which many organizations use to share information with staff. Large organizations often use their intranet to communicate health and safety details and business continuity plans. The intranet can also provide information about general risk assessments, control measures, and updates on any current risks. It’s important that risk information aligns with other management information systems within the organization. Treating risk information as a separate system can lead to it becoming disconnected from other activities, making it less relevant to managers. A dedicated risk management information system (RMIS) can increase the risk of the information becoming irrelevant to the organization.

Risk management information systems (RMIS)

A Risk Management Information System (RMIS) is specialized software, or a system, used by organizations to collect, manage, and analyze risk-related data. It helps organizations track and monitor risks, assess their potential impact, and implement strategies to mitigate them. An RMIS can store information about various types of risks (e.g., operational, financial, health, safety, compliance risks), the effectiveness of control measures, and any risk mitigation efforts that have been made. Risk management guidelines, protocols, and procedures can be shared using RMIS software, which can be hosted on the organization’s intranet. It helps collect and share risk information, including reports of incidents from local management as they happen. RMIS systems have been used for years to track insurance claims, and their use has recently become more advanced: an RMIS can now record details about risk exposure, risk controls, and action plans. RMIS systems related to insurance can also store information about insurance policies, claim procedures, and claims history, which can be accessed by authorized users. These systems can also pool information about risk exposure and report incidents that may result in an insurance claim. In addition to basic information-recording systems, there are other RMIS software tools that support risk management. These include software packages for analyzing risks and systems that can perform risk analysis and dependency modeling. It is widely agreed that using RMIS software for enterprise risk management (ERM) can be very beneficial. However, a common challenge is that entering a large amount of risk data into a database can take a lot of time. Despite this, having the data available for in-depth analysis can make the effort worthwhile.

Sharing risk information throughout an organization is essential to raise risk awareness and improve risk management. In most cases, individuals within the organization have the best understanding of the risks and the practical actions needed to reduce them. Communication is also crucial for sharing details about incidents, lessons learned, and the steps taken to prevent them from happening again. The advantages and disadvantages of RMIS are summarized below. Generally, an RMIS becomes more valuable when risks are complex or there is a large amount of data to be recorded.

Features of RMIS

  1. Data Collection: RMIS gathers data on risks across the organization, which can come from different departments and business units.
  2. Risk Assessment: The system can assess and prioritize risks based on factors like probability, impact, and severity.
  3. Risk Reporting: RMIS provides reporting tools to generate reports for management, stakeholders, and regulatory bodies.
  4. Monitoring and Tracking: It helps track how risks evolve over time, monitor the effectiveness of control measures, and ensure that actions are taken to address risks.
  5. Decision Support: RMIS offers tools to assist management in making informed decisions regarding risk responses and strategies.

How to Establish a Risk Management Information System (RMIS) in an Organization:

  1. Define Risk Management Objectives: Before implementing RMIS, the organization must clearly define its risk management objectives. These objectives should align with the organization’s overall goals and strategies.
  2. Identify Key Risk Areas: The organization should identify the different types of risks it faces (financial, operational, strategic, regulatory, etc.) and how they will be managed within the RMIS.
  3. Select the Right Software or Platform: Choose an RMIS software that meets the organization’s needs. It should be capable of handling the types of risks identified, provide appropriate reporting capabilities, and be scalable as the organization grows.
  4. Data Integration: Integrate RMIS with other existing management systems in the organization. This can help to ensure that risk data aligns with financial, operational, and other management systems, avoiding fragmented or irrelevant data.
  5. Customization: Tailor the RMIS to the specific needs of the organization. This includes configuring the system to reflect the types of risks the organization manages, the roles and responsibilities of staff, and the processes for assessing and mitigating risks.
  6. Train Employees: Training staff on how to use the RMIS effectively is crucial. They need to understand how to input data, assess risks, and generate reports. The training should also cover how to use the system for decision-making and risk mitigation.
  7. Establish Data Collection and Reporting Protocols: Set clear guidelines on how risk data will be collected, stored, and reported. This includes determining who will provide risk data and how often the system will be updated.
  8. Monitor and Evaluate the System: Once the RMIS is in place, monitor its effectiveness. Regularly evaluate whether it is meeting the organization’s risk management needs and make improvements as necessary.
  9. Review and Update Regularly: As the organization’s risks evolve, the RMIS should be updated to reflect these changes. Periodic reviews help ensure that the system remains relevant and effective in managing risks.

The following types of information may be handled, stored, managed, distributed and communicated using a risk management information system (RMIS):

  • Risk management policy and protocols
  • Risk profile data, values and information
  • Emergency contact arrangements and contact details
  • Insurance values and cost of risk data
  • Insurance claims handling and management protocols
  • Historical loss/claims experience/information
  • Insurance policy coverage and other information
  • Risk management action plans (risk register)
  • Risk improvement plans and implementation
  • Business continuity plans and responsibilities
  • Disaster recovery plans and responsibilities
  • Corporate governance arrangements and reports

Without advanced RMIS technology, risk managers can only track the company’s risk data and past losses using methods like modeling and scenario simulations. Developing a strong RMIS to support Enterprise Risk Management (ERM) might cost more than the benefits it provides. While the costs are clear and immediate, the benefits are harder to measure or prove. Risk managers already find it challenging to show the value of preventing or covering a loss. Even if risk reduction is significant, it’s a potential future benefit, not an immediate reduction in costs. Whether the risk assessments from RMIS are worth the cost of data tracking and analysis depends on the company’s risk profile. Larger companies are likely to benefit the most, but as the cost of the technology used for data collection and modeling continues to decrease, even smaller companies can benefit. In the end, RMIS might pay for itself by helping the organization avoid or effectively manage a major loss that could otherwise seriously harm the company’s finances.

Risk-aware culture

https://preteshbiswas.com/wp-content/uploads/2024/12/Fostering-a-Risk-Aware-Culture_-LILAC-and-Maturity.wav

The culture of an organization can be hard to define, but it generally reflects the attitudes and behaviors of everyone in management. It shapes how individuals act in different situations and sets expectations for their behavior in all circumstances. A strong risk culture stems from shared values, attitudes, and behaviors that align with the organization’s risk management goals. In organizations with a risk-aware culture, communication is based on mutual trust, and there’s a shared understanding of the importance of managing risks. People also have confidence in the chosen control measures and are committed to following established risk procedures. According to recent research by the UK Health and Safety Executive (HSE), the key elements of a risk-aware culture are Leadership, Involvement, Learning, Accountability, and Communication, forming the acronym LILAC. Developing a culture where effective risk management is part of everyday work is a long-term goal for many organizations. For example, if an organization wants to improve security awareness, it could launch a campaign highlighting risks and how to manage them. To be effective, this campaign should use various communication methods and incorporate the LILAC principles. Activities might include risk awareness training, posters, site inspections, reporting systems for defects, and distributing informational materials like leaflets and brochures.

A risk-aware culture refers to an organizational environment where employees at all levels understand the importance of risk management and actively integrate it into their daily decision-making processes. It emphasizes awareness, responsibility, and proactive engagement with potential risks to achieve organizational goals effectively. Key characteristics of a risk-aware culture include:

  1. Shared Understanding: Employees and management recognize the organization’s risk appetite and understand how their roles contribute to managing risks.
  2. Open Communication: Risks are openly discussed, with employees encouraged to report potential risks without fear of blame or retaliation.
  3. Proactive Risk Management: Risks are identified, assessed, and addressed before they escalate, rather than reacting only after issues arise.
  4. Leadership Commitment: Senior leaders model and promote the importance of risk management, ensuring it is embedded in strategic planning and operational processes.
  5. Continuous Learning: The organization regularly reviews past incidents, learns from them, and improves its risk management practices.

In a risk-aware culture, the focus is on balancing risk and opportunity. Employees understand that taking risks is necessary for growth, but those risks must align with the organization’s overall objectives and risk tolerance.

A risk-aware culture is achieved by LILAC:

  1. Leadership: Strong leadership within the organization in relation to strategy, projects and operations
  2. Involvement: Involvement of all stakeholders in all stages of the risk management process
  3. Learning: Emphasis on training in risk management procedures and learning from events
  4. Accountability: Absence of an automatic blame culture, but appropriate accountability for actions
  5. Communication: Communication and openness on all risk management issues and the lessons learnt

A risk management program can only succeed if the organization’s culture supports it. For this to happen, the organization needs a risk-aware culture. Senior management plays a key role in fostering this culture by setting clear risk management goals and demonstrating their commitment through both verbal and written communication. Senior management must also be actively involved. This includes participating in training to fully understand their responsibility for managing risks. Risk specialists should act as advisors, and there should be systems in place to provide employees with updates on decisions that impact them. A learning culture is essential for a risk-aware environment. It helps organizations identify and correct poor risk behaviors. Analyzing incidents in detail and providing clear feedback are crucial steps. Workshops on risk-related topics are also an important part of building this culture. Accountability is critical, but it should not lead to a blame culture. The organization should shift to a “just culture,” where accountability is balanced with fairness. When incidents happen, management should show empathy and encourage employees to report issues without fear of personal blame or punishment. Lastly, strong communication is key. Senior management must ensure that risk information flows freely. This includes welcoming reports from employees and external sources and sharing updates on risk performance regularly.

  • Barrier: Lack of understanding of risk management and belief that it will suppress entrepreneurship.
    • Action: Establish a shared understanding, common expectations and a consistent language of risk in the organization.
  • Barrier: Lack of support and commitment from senior management.
    • Action: Identify a sponsor on the main board of the organization and confirm shared and common priorities.
  • Barrier: Seen as just another initiative, so relevance and importance not accepted.
    • Action: Agree a strategy that sets out the anticipated outcomes and confirms the benchmarks for anticipated benefits.
  • Barrier: Benefits not perceived as being significant.
    • Action: Complete a realistic analysis of what can be achieved and the impact on the mission of the organization.
  • Barrier: Not seen as a core part of business activity and too time-consuming.
    • Action: Align effort with core processes and achievement of the mission of the organization.
  • Barrier: Approach too complicated and over-analytical (risk overkill).
    • Action: Establish an appropriate level of sophistication for the risk management framework and for undertaking risk assessments.
  • Barrier: Responsibilities unclear and need for external consultants unclear.
    • Action: Establish an agreed risk architecture with clear roles and accepted risk responsibilities.
  • Barrier: Risks separated from where they arose and should be managed.
    • Action: Include risk management in job descriptions to ensure that risks are managed within the context that gave rise to them.
  • Barrier: Risk management seen as a static activity not appropriate for a dynamic organization.
    • Action: Align risk management effort with the mission of the organization and with the business decision-making activities.
  • Barrier: Risk management too expansive and seeking to take over all aspects of the company.
    • Action: Be realistic: do not claim that all the business activities within the organization are risk management by another name.

Steps to successful risk management

There are three (complementary) styles of risk management, related to the nature of the risk under consideration. Hazard management, control management and opportunity management define and describe the approach and, to some extent, the level of sophistication that is applied to risk management by an organization at a point in time. Hazard risks will always have a negative outcome associated with the risk. The maximum exposure to the risk that is acceptable to the organization is the hazard tolerance. Control risks will have a cost associated with controlling the risks, and this cost can be described as the control acceptance. Opportunity risks have a range of possible outcomes from highly positive to highly negative. The intended and planned outcome is, of course, positive. The organization will be willing to put resources at risk in pursuit of opportunity risks, and this is the opportunity investment. The type of risk under consideration helps determine the style of risk management that will be applied. However, some risks may need to be managed using all three styles of risk management, at different stages in the lifecycle of the risk. In summary, these three styles, together with compliance management, give four styles of risk management that can be viewed as follows:

  • Compliance management: based on fulfilling legal obligations, such as health and safety
  • Hazard management: ‘total cost of risk’ approach developed by the insurance world
  • Control management: based on the internal control approach of internal auditors
  • Opportunity management: interface between risk management and strategic planning

The hazard tolerance, control acceptance and opportunity investment are the values that the organization is willing to put at risk. These three components added together are the risk appetite of the organization and represent the total acceptable risk exposure of the organization. The total risk exposure is the sum of the risk exposures for the individual risks and this actual risk exposure may differ from the risk appetite of the board and/or the risk capacity of the organization. The insurance risk manager will normally manage motor vehicle risks as a loss minimization or ‘total cost of risk’ issue. The avoidance of internal fraud will normally be managed as an internal control issue and will be monitored and reviewed by the internal audit department. Risks associated with a merger or acquisition should be managed as an opportunity issue by the CEO or a nominated senior executive.

To improve an organization’s risk management, a dedicated initiative is needed. The approach will depend on the size, complexity, and nature of the organization, as there is no one-size-fits-all solution. Different organizations will have different reasons for implementing risk management and will expect different results. The key first step is securing support from a board member or senior executive to lead the initiative. Guidance for successful implementation can be found in various risk management standards and frameworks. As risk management evolves, the steps organizations take will also change. With the rise of governance, risk, and compliance (GRC), risk management now operates in a broader context. Risk professionals must ensure their efforts align with the organization’s overall activities and internal environment. While having a clear implementation plan is important, it’s equally vital to identify potential barriers. Common obstacles include:

  • Influence of senior management within departments
  • External factors like corporate governance
  • The organization’s business nature, products, and culture
  • Attitudes shaped by past risk management experiences
  • The origins of the risk management function within the company

Understanding these barriers allows for strategies to overcome them. Successful risk management relies on the commitment of everyone involved, as weak links can undermine progress. Analyzing these challenges helps pinpoint the best methods to ensure risk management delivers maximum benefits. There is no fixed timeline or single action to guarantee full implementation. Many organizations find that achieving complete implementation can take 2 to 5 years. The timeframe may be longer if a comprehensive risk management information system (RMIS) is part of the plan.

Achieving successful enterprise risk management

  1. Engage senior management and board of directors to provide organizational support and resources.
  2. Establish an independent ERM function reporting directly to a board member.
  3. Establish the risk architecture at executive and board levels, supported by internal audit.
  4. Develop the ERM framework that incorporates an appropriate risk classification system.
  5. Develop a risk aware culture fostered by a common language, training and education.
  6. Provide written procedures with a clear statement of the risk appetite of the organization.
  7. Agree monitoring and reporting against established objectives for risk management.
  8. Undertake risk assessments to identify accumulations and interdependencies of risk.
  9. Integrate ERM into strategic planning, business processes and operational success.
  10. Contribute to the success of the organization by delivering measurable benefits.

Measuring an organization’s risk culture can be challenging, but it’s essential. Audit committees often ask how seriously different departments or locations approach risk management. While it’s easy to provide a general, qualitative answer, quantitative measurements are necessary to pinpoint weak areas and plan improvements. The Canadian Criteria of Control (CoCo) framework is one way to measure risk culture. Another method is for the audit committee to assess the level of risk assurance provided by specific units or divisions. Risk culture can also be evaluated by examining the organization’s risk maturity, which provides measurable insights into its risk awareness and management practices. The quality of a risk management policy and the details in risk guidelines or protocols can also reflect the organization’s risk culture. For many organizations, improving risk culture is a strategic objective, particularly when weaknesses in risk awareness are identified. Improving risk management processes alone doesn’t guarantee a better risk culture. For example, enhancing internal audits might boost compliance but won’t necessarily strengthen the organization’s risk culture. True improvements in risk culture should lead to better risk assurance and greater overall benefits. Frameworks like ISO 31000 emphasize the importance of understanding an organization’s context—external, internal, and risk management—because context is closely tied to risk culture. Similarly, both the CoCo and COSO ERM frameworks focus on the control or internal environment, which are key indicators of risk culture and awareness. A better risk culture can lead to improved risk performance by enhancing the organization’s internal environment, control environment, and risk management practices. Using tools like the balanced scorecard helps align risk management with the organization’s broader strategies, making it easier to embed risk management into daily operations and foster a risk-aware culture.

Risk awareness campaign: Risk management has been integrated into the organization through three main steps: a risk awareness campaign, new risk identification processes at the directorate level, and ongoing improvements to existing risk processes at the strategic level. The awareness campaign aimed to help staff understand their responsibilities regarding risk. At the directorate level, introducing risk registers was done collaboratively and inclusively. Strategically, the corporate risk register is being further developed to improve risk control and provide clear evidence to the board that risks are being effectively managed.

Risk Maturity

Risk maturity in Enterprise Risk Management (ERM) reflects how effectively an organization incorporates risk management into its operations, decision-making, and culture. It demonstrates the organization’s ability to recognize, assess, manage, and monitor risks systematically. The concept also gauges how well risk management aligns with organizational goals and how deeply embedded it is within the corporate structure. An organization’s risk maturity is often evident in its leadership and governance. When senior management and the board actively support risk management, it reinforces its importance across the organization. This commitment fosters a culture where employees at all levels understand their role in managing risk and are encouraged to take ownership. A mature risk culture emphasizes communication, where information about risks flows freely and transparently, enabling informed decisions and fostering accountability. Processes and frameworks also play a crucial role in risk maturity. Organizations with higher risk maturity have standardized procedures that are consistently applied across all departments. Risk management becomes an integral part of strategic planning, operational workflows, and project management, ensuring that risks are considered at every decision-making level. Over time, these practices evolve through continuous improvement, driven by regular reviews and feedback. Achieving a high level of risk maturity benefits organizations in multiple ways. It enhances their ability to anticipate and respond to risks proactively, leading to better resilience in the face of uncertainty. Stakeholders, including investors, regulators, and customers, gain greater confidence in the organization’s stability and foresight. Ultimately, a mature approach to risk management positions the organization for long-term success by aligning risk management with its broader strategic objectives.

Risk management activities, along with the organization’s risk structure, strategy, and protocols, should align with its core business processes. When risk information flows effectively through the risk management framework, it can generate several key benefits. These include meeting mandatory obligations, providing assurance, improving decision-making, and enhancing the efficiency of core processes—summarized as MADE². Many risk management standards emphasize not only managing threats but also leveraging opportunities. Managing risks in specific areas, like projects, has evolved into a specialized field with its own guidelines. To maximize the value of risk management, organizations need to decide whether their efforts will focus on strategy, projects, operations, or a combination of these. This decision helps integrate risk management into the organization’s broader activities, ensuring it becomes a natural part of daily operations rather than a separate task. Embedding risk management into regular business processes improves efficiency and fosters acceptance. Similarly, internal audit functions should align with the organization’s context and culture. Risk-based audit programs typically focus on high-risk areas and consider the organization’s risk maturity. In less mature areas, internal audits may increase their scope to provide additional oversight. A useful way to measure how well risk management is embedded is through the FOIL model: Fragmented, Organized, Influential, and Leading. In the fragmented stage, different departments manage risks separately without coordination. As processes become more organized, risks are managed collectively, often through a comprehensive risk register. When ERM becomes influential, it starts shaping decision-making by ensuring risks are fully considered in strategic and tactical planning. In the leading stage, risk management drives strategy development, with risk managers playing a central role in senior leadership, ensuring risks are proactively managed from the outset.

Four levels of risk maturity

Level 1
  • Status (4Ns): Naïve. Level 1 organizations are unaware of the need for enterprise risk management and/or do not understand the benefits that will arise.
  • Characteristics (FOIL): Fragmented. Risk management activities are fragmented and focused on legal compliance activities, such as health and safety.

Level 2
  • Status (4Ns): Novice. Level 2 organizations are aware of the benefits of enterprise risk management, but have only just started to implement an ERM initiative.
  • Characteristics (FOIL): Organized. Actions are planned to co-ordinate risk management activities across all types of risk, although plans may not have been fully implemented.

Level 3
  • Status (4Ns): Normalized. Level 3 organizations have embedded ERM into business processes, but management effort is still required to maintain adequate ERM activities.
  • Characteristics (FOIL): Influential. Embedded ERM processes are influencing processes and management behaviours, but this may not yet happen consistently or reliably.

Level 4
  • Status (4Ns): Natural. Level 4 organizations have a risk-aware culture with a proactive approach to ERM, and risk is reliably considered at all stages to gain competitive advantage.
  • Characteristics (FOIL): Leading. Consideration of risk is a substantial factor in making business decisions, and decisions about strategy are led by ERM considerations.

Risk maturity demonstrated on a matrix

Risk maturity can be measured by looking at how well risk management is integrated into an organization. The more mature an organization’s risk management practices, the more they become a natural part of daily operations. A risk maturity model helps assess how advanced these practices are and the benefits that can be achieved. Risk maturity is not just about the sophistication of risk management but also about how processes and capabilities are developed and applied. In organizations with low maturity, risk management is informal, and there may be a blame culture or lack of accountability when things go wrong. Resources allocated to manage risks may not be appropriate for the level of risk faced. As an organization matures in risk management, it begins to adopt more structured processes. There is open communication and learning, and risks are better managed with support when needed. However, if an organization becomes overly focused on risk management processes, it may hinder its ability to make effective decisions, leading to a reliance on rules rather than judgment, and people may become overly cautious. The four levels of risk maturity, known as the “4Ns” (naïve, novice, normalized, and natural), describe an organization’s progression. A naïve organization is unaware of the need for effective risk management, while a novice organization recognizes this need but has not yet made significant improvements. As the organization matures, it moves to a normalized stage where desired behaviors are achieved, and finally, at the natural stage, risk management becomes automatic and embedded in the organization, with minimal effort needed to maintain it. The level of risk maturity an organization reaches depends on its risk exposure and the effectiveness of its risk management processes. While achieving higher risk maturity can bring benefits, it doesn’t always guarantee greater sophistication or better results. However, organizations often set the goal of improving their risk maturity as part of their overall strategy, and using a risk maturity model helps guide this process. Models like the CoCo framework or the EFQM model focus on improving the risk culture and strategy to ensure good risk management.

Responsibilities for ERM

https://preteshbiswas.com/wp-content/uploads/2024/12/ERM-Responsibilities_-Defining-Roles-and-Risk-Ownership.wav

Everyone in an organization, including contractors and suppliers, must understand their role in managing risks. Many professionals in large organizations are knowledgeable about risks and can contribute significantly to managing critical risks. However, there isn’t always a shared understanding of risk management or what’s most important to the organization. It’s crucial to assign ownership of key processes, dependencies, and risks. This allows risk management and audit committees to track actions and responsibilities effectively. Although ownership is important for all risks, the audit committee typically focuses on the most significant ones. Clear communication of responsibilities and reporting structures is essential to avoid confusion. For each major risk, responsibilities should be clearly defined in three areas:

  • Setting risk standards
  • Implementing those standards
  • Monitoring performance

A detailed responsibility framework ensures everyone, including risk owners, process owners, staff, contractors, and outsourced providers, knows their specific role. Committee roles, responsibilities, and reporting structures should also be outlined in their terms of reference. The risk register should specify who owns each significant risk. It’s important that risk managers, risk committees, and auditors don’t undermine local ownership of risks. Managers must view risk ownership as part of managing their core business processes, not as a separate task handled by risk management or audit specialists.

The following are examples of the range of risk management responsibilities of line management, the main functional departments and individual employees involved in risk management.

Risk management responsibilities

  1. Main risk management responsibilities for the CEO:
    • Determine strategic approach to risk
    • Establish the structure for risk management
    • Understand the most significant risks
    • Consider the risk implications of poor decisions
    • Manage the organization in a crisis
  2. Main RM responsibilities for the location manager:
    • Build risk-aware culture within the location
    • Agree risk management performance targets for the location
    • Evaluate reports from employees on risk management matters
    • Ensure implementation of risk improvement recommendations
    • Identify and report changed circumstances/risks
  3. Main RM responsibilities for individual employees:
    • Understand, accept and implement RM processes
    • Report inefficient, unnecessary or unworkable controls
    • Report loss events and near-miss incidents
    • Cooperate with management on incident investigations
    • Ensure that visitors and contractors comply with procedures
  4. Main risk management responsibilities for the risk manager:
    • Develop the risk management policy and keep it up-to-date
    • Facilitate a risk-aware culture within the organization
    • Establish internal risk policies and structures
    • Coordinate the risk management activities
    • Compile risk information and prepare reports for the board
  5. Main RM responsibilities for specialist risk management functions:
    • Assist the company in establishing specialist risk policies
    • Develop specialist contingency and recovery plans
    • Keep up-to-date with developments in the specialist area
    • Support investigations of incidents and near misses
    • Prepare detailed reports on specialist risks
  6. Main risk management responsibilities for internal audit manager:
    • Develop a risk-based internal audit programme
    • Audit the risk processes across the organization
    • Provide assurance on the management of risk
    • Support and help develop the risk management processes
    • Report on the efficiency and effectiveness of internal controls

Responsibilities for managing risk are distributed across various levels within an organization. At the top level, the board and executives are accountable for overseeing risk management, ensuring that it aligns with the organization’s overall objectives. Middle management, including department heads, is tasked with managing risks within their specific areas, translating the organization’s risk strategy into actionable measures. Staff members, on the other hand, carry out specific risk management responsibilities as part of their daily roles. Together, these three levels form the first line of defense in maintaining effective risk management and internal control. The risk manager plays a pivotal role in coordinating risk management efforts across the organization, ensuring that risk-related activities are consistent and effective. In addition, specialized functions, such as health and safety or business continuity, provide targeted support, helping to address specific risk areas. These specialized roles form the second line of defense, offering expertise and monitoring to reinforce risk management practices. Internal audit serves as the third line of defense, with the internal audit manager responsible for independently reviewing and evaluating the organization’s risk management and control systems. By providing an objective assessment, internal audit ensures that risk management practices meet the required standards. External parties, such as insurance brokers, auditors, and consultants, also contribute to risk management by offering insights and solutions that enhance the organization’s resilience. While collaboration among risk professionals is crucial, the ultimate aim is to embed effective risk management into the organization’s core operations, making it a fundamental part of everyday business activities. It’s important to ensure that risk management is given enough attention within an organization. 
Typically, a board member will take the lead in promoting awareness of risk management at the board level and will present related reports. The risk manager usually reports to this board member and is responsible for overseeing the organization’s risk framework, strategy, and processes. A key role in risk management is that of the “risk owner.” According to ISO Guide 73, a risk owner is someone who has the authority and responsibility to decide whether or not to address a specific risk. The guide also emphasizes that anyone responsible for achieving a particular objective is also accountable for managing the risks linked to that objective, including implementing controls to mitigate those risks.

The goal of operational risk management is not to eliminate all risks but to manage them to an acceptable level. This involves balancing the cost of reducing the risk with the benefits of minimizing exposure. Common strategies for managing operational risks include avoiding, transferring, accepting, or reducing them through controls. To clarify roles and responsibilities in managing, reporting, and escalating operational risks, the organization follows a “three lines of defense” model. This framework defines clear principles and accountability for operational risk management throughout the group. The model and policy standards apply across all areas of the business, tailored to the specific nature and size of each operation. These standards provide guidance on effectively managing operational risk by consistently identifying, assessing, monitoring, and reporting risks. Their main goals are to protect the organization from financial loss, safeguard its reputation, ensure the well-being of its customers and staff, and comply with legal and regulatory requirements.

Statutory responsibilities of management

In many countries, there’s been a growing effort to clarify the responsibilities of company directors. Over time, common law has shaped these duties, which are now often formalized in regulations. Directors are expected to:

  • Fulfill their assigned responsibilities.
  • Follow the company’s constitution.
  • Act in the best interest of the company’s success.
  • Make independent decisions.
  • Use reasonable care, skill, and diligence.
  • Avoid or disclose conflicts of interest.
  • Not accept benefits from third parties.

Risk management plays a key role in helping directors meet these obligations. Managing risks effectively supports the company’s success and ensures directors exercise proper care and diligence. Therefore, directors need a solid understanding of risk management to fulfill their legal and professional duties. Typically, a company’s board includes both executive and non-executive directors. Executive directors, who are full-time employees, handle specific operational areas and manage risks directly. Non-executive directors, on the other hand, focus on oversight functions like audit, compliance, and assurance. While they contribute to strategy and performance monitoring, they usually don’t get involved in day-to-day risk management. This separation helps avoid conflicts with their oversight roles and ensures that executive directors, who are more familiar with the company’s operations, handle specific risks. Non-executive directors mainly assist in shaping strategy and monitoring its implementation, which remains the responsibility of executive directors.

Role of the risk manager

Traditionally, risk managers have focused on shaping risk policies and procedures, often with the board’s approval. They’ve handled insurance-related matters, such as managing insurance coverage and analyzing claims data. However, shifts in the insurance market, including rising premiums and advanced risk financing methods, have led many organizations to reduce the amount of insurance they purchase. This reduction has often resulted in lower insurance budgets and less spending on premiums. Risk managers don’t have a fixed reporting structure within organizations. They might report to departments like finance, human resources, or even directly to the CEO. Despite this variability, the role of risk management remains crucial. Large organizations still need a dedicated risk management coordinator to apply risk management practices across various business areas. Historically, risks have been categorized as either insurable or non-insurable, but this distinction is becoming less relevant as organizations recognize the importance of managing all risks comprehensively. The risk manager plays a key role in helping the organization learn how to leverage risk management for better outcomes. They are responsible for establishing risk strategies, systems, and procedures to achieve the organization’s risk management goals. Traditionally, risk managers were less involved in strategic decision-making, but the role is evolving. Today, they are expected to participate more actively in project management and strategy development. This expanded role offers risk managers deeper insights and a broader impact within the organization. Given these changes, the term “risk manager” may no longer fully capture the scope of the role. A more fitting title, such as “risk and resilience manager,” could better reflect the growing focus on organizational resilience. 
In industries like finance and energy, companies are increasingly integrating the management of credit, market, and operational risks. This shift has led to the emergence of the Chief Risk Officer (CRO) role, with the CRO often reporting directly to the CEO. However, not every organization needs a CRO. The level of risk faced by the organization should dictate the seniority and scope of the risk management role. For some, a CRO is essential and can make a significant contribution. While the CRO title is not yet universal, it is becoming more common, particularly in sectors where managing complex risks is critical.

Role of non-executive directors

The role of the non-executive director has the following specific key elements:

  1. Strategy – constructively challenge and help develop proposals on strategy
  2. Performance – scrutinize the performance of management
  3. Risk – challenge the integrity of the financial information
  4. Controls – seek assurance that financial controls and systems of risk management are robust and defensible
  5. People – determine the appropriate level of remuneration for the executive directors and have a prime role in succession planning
  6. Confidence – seek to establish and maintain confidence in the conduct of the company
  7. Independence – be independent in judgement and promote openness and trust
  8. Knowledge – be well informed about the company and the external environment in which it operates, with a strong command of relevant issues

Role of the chief risk officer

The Chief Risk Officer (CRO) plays a crucial role in unifying different risk management processes to ensure the company uses its resources wisely. According to the COSO ERM Framework, the CRO works with other managers to implement effective risk management, tracks progress, and helps share important risk information throughout the organization. Internal auditors collaborate with the CRO as part of their responsibilities in risk management. Their job is to review the accuracy of ERM reports and offer independent, useful suggestions to improve the organization’s risk management practices. The IIA International Standards emphasize that internal auditing should cover evaluating how reliable reporting is, how efficiently operations run, and whether the company complies with relevant laws and regulations.

Role of the insurance risk manager

  • Develop a strategy to protect the company’s assets and employees.
  • Oversee the company’s insurance program through its captive insurance provider.
  • Collaborate with the captive insurance manager to maximize its effectiveness.
  • Manage relationships with insurers, monitor service providers, and ensure insurance contracts are cost-effective.
  • Track and evaluate the group’s overall risk costs and those of individual companies within the group.
  • Ensure all insurance contracts and agreements are properly stored and retained.
  • Supervise service provider activities and handle the placement of group and global insurance policies.
  • Coordinate property surveys, risk management practices, and incentive programs.

Risk committees

Most large organizations already have an audit committee, typically chaired by a senior non-executive director. Some organizations choose to expand the audit committee’s role to include risk management, while others set up a separate risk management committee (RMC) led by an executive director. There’s a strong case for making the RMC an executive group rather than part of a non-executive audit committee. This is because managing risks proactively requires executive oversight, while audit committees tend to focus on compliance and reactive assurance. Separating executive responsibility for managing risks from non-executive auditing aligns with good corporate governance. In some cases, the RMC operates as a sub-committee of the audit committee. However, this setup can create unnecessary bureaucracy and shift the focus from active risk management to compliance checks. To avoid this, organizations need to ensure that risk management remains an executive responsibility, even if the RMC reports to the audit committee. Membership of the RMC depends on the organization’s structure and its purpose. It can be a small group of senior executives focused on setting strategy or a larger group involving representatives from various departments to share knowledge. The structure and role of the RMC should align with the organization’s needs and risk profile. The RMC’s terms of reference and its position within the organization’s risk management framework are critical. In some sectors, such as banking, deciding on risk appetite and monitoring risk exposure are strategic board-level responsibilities. In these cases, the RMC might include both executive and non-executive members as a board sub-committee. However, it typically remains an executive-focused function to maintain the integrity of the “three lines of defense” model. Ultimately, the risk management structure should fit the organization’s specific context and risk profile. 
While a dedicated RMC may not always be necessary, its responsibilities must still be assigned to a senior committee, such as the executive or finance committee. The goal is to improve risk management practices through effective oversight and mutual support between the RMC and audit committee. Combining these committees is generally not advisable, as it risks weakening the three lines of defense, which provides a stronger safeguard.

Responsibilities of the RM committee

The role involves advising the board on risk management and promoting a culture that highlights the benefits of a risk-based approach. It includes recommending strategies and policies related to risk management and ensuring the board is informed about significant risk matters. Responsibilities also include monitoring the performance of the company’s risk management systems and reviewing reports from relevant parties. This involves evaluating the effectiveness of the company’s risk management framework by:

  • Assessing risk procedures in response to changes in the business environment.
  • Reviewing risk audit reports on key business areas to understand the level of exposure.
  • Considering major findings from risk management reviews and how management responds to them.
  • Evaluating risks associated with new projects, ventures, and strategic initiatives.

Additionally, the role requires reviewing the company’s risk exposure to ensure it aligns with the board’s risk appetite and the company’s capacity to handle risks. It involves considering improvements to the risk management approach and advising the board accordingly. Finally, it includes ensuring that risk disclosures meet financial reporting standards and provide accurate information about risk policies and key exposures.

Risk architecture

The figure illustrates the risk structure of a typical large corporation governed by the Sarbanes–Oxley Act. This framework should be clearly documented in the organization’s risk management manual. The manual should also include the terms of reference for various committees and a schedule of their activities, ensuring these align with the organization’s broader corporate calendar. For large companies with non-executive directors, the audit committee plays a key role in the risk framework. Both the audit committee and the head of internal audit are crucial in supporting the organization’s risk management strategy. Under Sarbanes–Oxley, companies must ensure that all disclosed information is accurate. This often leads to the formation of a disclosures committee, which verifies the sources and accuracy of all released information. Financial disclosures, in particular, are subject to rigorous scrutiny under this law. The risk architecture outlines the hierarchy of committees and roles responsible for managing risks and maintaining internal controls. In this setup, the corporate risk management committee oversees executive-level risk activities. At the divisional level, responsibility for risk management lies with divisional managers. They handle identifying significant risks, maintaining the division’s risk register, and ensuring appropriate controls are in place. Divisional managers receive guidance from the group risk management committee. If a divisional committee exists, it must report to the group committee, allowing for a consolidated corporate view of risk management priorities.

In public-sector or charity organizations, the risk structure differs from that of private companies. A typical setup focuses risk management on a governance and risk committee. The diagram shows how information flows and risk management activities are controlled, highlighting the central role of governance. For charities, risk governance is often more prominent than in other sectors. Reports suggest that many charity trustees prioritize governance over fundraising, indicating that risk management concerns sometimes overshadow the organization’s core mission. This can distort the organization’s focus. Risk reporting structures can vary based on the organization’s risk level and complexity. In high-risk sectors like finance, the risk committee often reports directly to the board and is typically chaired by a senior executive, such as the finance director, with other top-level representation. In general, risk management committees should consist of executive directors, as risk management is an executive responsibility. Non-executive directors focus on audit and assurance, reviewing risk performance through reports from the risk committee to the audit committee. For lower-risk organizations, the risk committee might report to an executive or operations committee rather than directly to the board. The structure should match the organization’s size, complexity, and risk exposure. There is no single “correct” risk architecture. As long as the risk committee meets its goals, the organization can decide its structure and terms of reference. However, the key distinction remains: managing risk is an executive function, while audits should be overseen by non-executive directors.

Business continuity management in ERM

https://preteshbiswas.com/wp-content/uploads/2024/12/Business-Continuity-Management-in-Enterprise-Risk-Management.wav

In recent years, there has been growing interest in resilience, initially driven by governments and local authorities. This focus emerged in the 1990s and 2000s, as it became clear that society and communities needed to be better prepared for civil emergencies and natural disasters like earthquakes and extreme weather. Although resilience was first seen as a way to handle large-scale events, it has since expanded to cover a broader range of concerns. This shift is reflected in the development of standards. For example, British Standard BS 25999:2006, which focused on business continuity, was replaced by ISO 22301:2012, emphasizing societal security and business continuity management. Other international standards are also being created, including the Organizational Resilience Standard (ASIS SPC.1-2009) from the American National Standards Institute. This standard promotes an enterprise-wide view of risk management, helping organizations prepare for, respond to, and recover from disruptions. It integrates with ISO 31000 and aligns with other ISO standards like ISO 9001 and ISO 27001. The key idea is that a resilient organization must “prevent, protect, and prepare” while also being ready to “respond, recover, and review” when crises occur.

Resilience is defined in ISO 22300 as an organization’s ability to adapt in a complex, changing environment. However, resilience also involves how an organization handles crises. A broader definition could be the capacity to maintain or return to a desired state after changes or disruptions. This view includes crisis management and the ability to handle less severe but disruptive events. The rise of resilience provides an opportunity for risk management and business continuity professionals to work together more effectively. To achieve resilience, organizations should focus on three key behaviors: staying aware of changes in their environment, protecting and preparing their resources (such as assets and relationships), and being able to respond quickly and adapt after disruptions. Another trend is the adoption of the “plan–do–check–act” (PDCA) approach in risk management and resilience standards. This method aligns well with the “plan, implement, measure, learn” (PIML) approach in ISO 31000, which emphasizes a more comprehensive and analytical process. As resilience becomes increasingly important, organizations are receiving more guidance on how to strengthen it, such as advice provided by the UK government’s Cabinet Office. Integrating organizational resilience into governance helps ensure that risks to critical infrastructure—such as those from natural disasters, major accidents, or intentional harm—are properly addressed by the board. This approach ensures that resilience is factored into key decisions, including investments, procurement, risk management, and discussions with supply chain partners. It allows infrastructure owners and operators to better understand how resilient their systems are, regularly assess the effectiveness of their strategies, and make adjustments as needed to maintain operations or align with changing goals. 

Business continuity management

British Standard BS 31100 defines BCP as “[An] holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organizational resilience with the capability for an effective response to safeguard the interests of its key stakeholders, reputation, brand and value-creating activities.” Business Continuity Management (BCM) plays a critical role in Enterprise Risk Management (ERM) by ensuring that organizations can withstand and recover from unexpected disruptions. ERM focuses on identifying, assessing, and managing risks across an organization to achieve strategic objectives. Within this framework, BCM is a vital component that addresses operational risks related to business interruptions. BCM provides structured plans and processes to maintain critical business functions during and after a disruption. These disruptions could stem from natural disasters, cyberattacks, equipment failures, or supply chain interruptions. BCM complements ERM by not only mitigating the impact of these risks but also aligning continuity strategies with the organization’s overall risk appetite and objectives. In practice, BCM involves identifying essential business processes, assessing potential threats, and developing strategies to maintain or quickly restore operations. It includes creating and testing Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs). These plans ensure that essential services continue with minimal downtime, safeguarding the organization’s reputation, customer trust, and financial stability.

Integration of BCM within ERM enhances organizational resilience. By embedding continuity planning into governance structures and risk assessments, organizations can proactively address vulnerabilities and improve decision-making. This integrated approach helps prioritize resources, optimize response strategies, and ensure alignment with long-term goals, making BCM an indispensable part of a comprehensive ERM framework. Recently, there’s been growing interest in business continuity planning (BCP) and disaster recovery planning (DRP). Many global standards emphasize the role of BCP in risk management. This concern is fueled by the potential for major disruptions from extreme weather, terrorism, civil emergencies, or pandemics. Essentially, BCP prepares organizations for incidents that could threaten their operations. These incidents range from local issues like fires to larger events such as earthquakes, security threats, or global crises. For severe incidents, like losing access to premises or a key part of the business, having a clear and tested disaster recovery plan is crucial. DRP often focuses on restoring IT systems, finding alternative facilities, and ensuring clear communication with employees, customers, and the media. BCP complements this by planning for a return to normal operations, reducing the impact of incidents, and controlling recovery costs. Disaster recovery is a subset of BCP, focusing on infrastructure restoration, such as recovering lost data or fixing system failures. Crisis management, on the other hand, deals with the broader response, including external communications and managing public perception. For example, a printing firm might prepare for IT failure by contracting a mobile emergency computer service to ensure business continuity. Different organizations debate whether BCP and DRP are primarily corrective or directive controls. 
Regardless, they are essential for managing the aftermath of incidents rather than predicting their likelihood. Just as seat belts protect passengers during accidents without assessing accident risk, BCP and DRP prepare organizations for when disruptions occur. Many organizations now view BCP in three stages. First, a crisis management plan is activated to address the immediate crisis and communicate with stakeholders. Next, the disaster recovery plan is implemented to restore critical systems and operations. Finally, the focus shifts to long-term business continuity, ensuring full recovery and a return to normal operations. An example of this approach is a major road accident. Initially, emergency services handle the crisis by addressing injuries and securing the scene. Once the immediate danger is under control, the disaster recovery phase involves clearing wreckage and repairing the road. Only after these steps is normal traffic flow restored, addressing the continuity aspect. For companies involved in such incidents, like transport firms, crisis management extends to demonstrating social responsibility and supporting affected stakeholders, such as injured drivers’ families. Throughout the disruption, clear communication and effective crisis management are vital to minimize reputational damage and support recovery efforts.

Business continuity standards

Business continuity standards provide a framework for organizations to develop, implement, and maintain effective business continuity management systems (BCMS). These standards are designed to help organizations prepare for, respond to, and recover from disruptions, ensuring the continuity of critical operations. Below are some key business continuity standards widely recognized across industries:

  • ISO 22301: Business Continuity Management Systems (BCMS): ISO 22301 is the international standard for business continuity management. It provides a comprehensive framework for establishing, implementing, maintaining, and improving a BCMS. Key features of ISO 22301 include:
    • Identification of critical business functions and associated risks.
    • Development of business continuity and recovery strategies.
    • Clear communication and documentation of plans.
    • Regular testing, maintenance, and review of BCMS.
  • ISO 22313: Guidance for Business Continuity: ISO 22313 provides guidance to support the implementation of ISO 22301. It offers detailed explanations of best practices and practical advice to help organizations establish effective business continuity processes.
  • NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity: Developed by the National Fire Protection Association (NFPA), NFPA 1600 outlines criteria for disaster and emergency management, including business continuity. It emphasizes risk assessment, resource management, and crisis communication.
  • BS 25999 (Replaced by ISO 22301): The British Standard BS 25999 was one of the first comprehensive standards for business continuity management. It has since been replaced by ISO 22301 but laid the groundwork for modern business continuity practices.
  • ASIS SPC.1-2009: Organizational Resilience: Published by the American National Standards Institute (ANSI) and ASIS International, this standard takes a broader view of organizational resilience, integrating business continuity with risk and crisis management.
  • ITIL (Information Technology Infrastructure Library): While primarily focused on IT service management, ITIL includes guidance on disaster recovery and business continuity within IT systems, ensuring the continuity of digital operations.
  • COBIT (Control Objectives for Information and Related Technologies): COBIT provides a framework for IT governance and management, including risk mitigation and business continuity for IT functions.
  • FIPS 199 and FIPS 200 (US Federal Standards): The Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST), focus on the security and continuity of federal information systems. These include guidelines for contingency planning and disaster recovery.
  • DRII Professional Practices for Business Continuity Practitioners: Published by the Disaster Recovery Institute International (DRII), these practices provide a practical approach to developing and implementing business continuity and disaster recovery programs.
  • ISO 31000: Risk Management: Though not solely focused on business continuity, ISO 31000 provides a general framework for risk management, complementing BCM efforts by integrating risk-based approaches.
  • Local and Industry-Specific Standards: Many industries and countries have their own standards and regulations for business continuity, tailored to specific risks or compliance requirements (e.g., healthcare, finance, or energy sectors).

ISO 22301 follows a structure that is becoming standard for management systems. It uses a plan–do–check–act (PDCA) approach, similar to the plan–implement–measure–learn (PIML) method. The standard outlines a business continuity management system (BCMS) lifecycle with five key steps: identifying critical risks already affecting the organization, understanding its needs and obligations, establishing and maintaining the BCMS, evaluating the organization’s ability to handle disruptions, and ensuring compliance with the business continuity policy. Most large organizations see business continuity planning as essential. Governments also encourage businesses, particularly small ones, to develop and implement effective continuity plans. One major change in ISO 22301 compared to its predecessor, BS 25999, is its adoption of a high-level structure common to all new management standards. This makes it easier to integrate multiple systems. It also shifts from “preventive action” to “actions to address risks and opportunities” and emphasizes setting goals, monitoring performance, and using metrics to align business continuity with strategic management. For a business continuity plan (BCP) to succeed, it should be comprehensive, cost-effective, practical, effective, well-maintained, and regularly practiced. The plan must cover all the organization’s operations and locations to ensure a full return to normal business. It should also be proportionate to the risks the organization faces to ensure its cost-effectiveness.

A business continuity plan (BCP) should be straightforward and easy for staff and others involved to follow. It needs to clearly outline which business functions are urgent and assign responsibilities for getting things back to normal quickly. For the plan to work well, it must be regularly tested, updated, and practiced. Staff should understand how the plan works, and training should be provided. Any lessons learned during tests or practice sessions should be used to improve the plan’s effectiveness. Testing is crucial to make sure the plan will work when needed, but it can be time-consuming and sometimes disruptive or costly. For example, even a simple fire drill can interrupt daily operations, showing that testing plans will often affect regular activities.

Key activities in business continuity planning

  • Assess company activities to identify critical staff, materials, procedures and equipment required to keep the business operating.
  • Identify suppliers, shippers, resources and other businesses that are contacted on a daily basis.
  • Plan what to do if any important buildings, plant or store were to become inaccessible.
  • Identify necessary actions to ensure continuity of critical business functions, especially payroll.
  • Decide who should participate in compiling and subsequently testing the emergency plans.
  • Define crisis management procedures and individual responsibilities for disaster recovery activities.
  • Co-ordinate with others, including neighbours, utility suppliers, suppliers, shippers and key customers.
  • Review the emergency plans annually and when the business changes and/or new members of staff are recruited.

A business continuity plan (BCP) should be simple and easy for employees and anyone else involved to follow. It must be effective by prioritizing critical business functions and assigning clear responsibilities to quickly get operations back to normal. To ensure the plan works, it must be regularly tested, updated, and practiced. Employees should be trained on how the plan works, and any lessons learned from these tests should be used to improve the plan. Testing the BCP is essential to make sure it is suitable and effective. However, testing can take time and may disrupt regular work, sometimes leading to additional costs. For example, even a basic fire drill can interrupt daily activities, showing how testing impacts normal routines.

COVID-19 Pandemic

The COVID-19 pandemic highlighted the critical importance of Business Continuity Planning (BCP) for organizations worldwide. Here’s how BCP played a vital role during the crisis:

  • Ensuring Operational Continuity: During the pandemic, lockdowns and social distancing measures disrupted normal business operations. Organizations with robust BCPs quickly shifted to remote working setups, ensuring continuity of essential functions. Companies without a BCP struggled to maintain operations, leading to significant financial losses and, in some cases, permanent closure.
  • Managing Supply Chain Disruptions: Many industries faced supply chain issues due to global manufacturing shutdowns. Organizations with BCPs had contingency plans, such as alternate suppliers or stockpiling critical resources. This reduced downtime and ensured that businesses could continue to deliver products or services to customers.
  • Safeguarding Employee Well-being: Companies with BCPs had pre-established health and safety protocols, including remote work policies and health monitoring, minimizing the risk to employees. Protecting employees ensured sustained workforce availability and maintained productivity during the crisis.
  • Maintaining Customer Trust: Organizations that effectively communicated their continuity strategies and maintained service levels retained customer confidence. For instance, e-commerce platforms managed increased demand by leveraging their continuity plans. Consistent service during uncertain times builds long-term customer loyalty.
  • Financial Resilience: BCPs often include financial contingency plans like maintaining cash reserves or securing lines of credit. During COVID-19, these measures helped businesses weather sudden revenue drops. Financial preparedness ensured survival during periods of reduced income or increased expenses.
  • Adaptation to Changing Business Models: Restaurants pivoted to delivery and takeout services, while fitness centers offered online classes. Organizations with flexible BCPs adapted quickly to changing market demands. Adaptability allowed businesses to find new revenue streams during the pandemic.
  • Post-Pandemic Recovery: Companies with effective BCPs recovered more quickly by implementing phased return-to-work plans and revising operations to align with the “new normal.” Faster recovery minimized long-term impact and positioned businesses for growth as markets stabilized.

Timeline of the broadcasting example described below (the figure itself is not reproduced here; only its labels survive):

  • A – Major incident, such as a fire or long-term power cut
  • B – Limited emergency operations commenced at a back-up site, as planned by the disaster recovery plan
  • C – Start-up of operations at an alternative emergency site, but the back-up site operations are disrupted
  • D – Full recovery from this point

This example shows how Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP) work in practice. It focuses on a broadcasting company that faces a major disruption at its main facility (point A on the timeline). The disaster recovery plan allows broadcasting to resume quickly, but only as an emergency service (point B). This example doesn’t include the cost of fixing the damaged facility. After a short time of emergency operation, the company can switch to full operation from a backup location (Facility B). However, using this alternative means losing some capabilities. At point C, service improves but doesn’t fully return to the previous level because the original facility (A) is still out of service. The incident brings higher operating costs. These include the cost of implementing the disaster recovery plan, running emergency broadcasts, and moving to Facility B. While using Facility B, extra costs arise, such as temporary housing for staff and additional technical resources. Eventually, at point D, the damaged Facility A is repaired, and normal operations resume. This scenario illustrates the challenges organizations face after a major incident. Service levels may remain below normal for a while, and operational costs will be higher. Insurance might cover some of these extra costs, but only within the time limit set in the policy. However, insurance likely won’t cover losses due to reduced service unless specific types of losses were previously insured.

Business impact analysis (BIA)

BIA is the process of determining the criticality of business functions, assessing the potential impact of interruptions, and identifying the resources required for recovery. It helps prioritize recovery efforts by highlighting the most important processes and their dependencies. Business Impact Analysis (BIA) is a key process in business continuity planning. It identifies and evaluates the potential effects of disruptions to critical business operations, processes, and systems. The goal is to understand the impact of various disruptions, such as natural disasters, cyberattacks, or supply chain failures, on the organization’s ability to operate effectively. A key step in creating effective business continuity plans (BCP) and disaster recovery plans (DRP) is conducting a BIA. The BIA helps determine how critical each business function is by evaluating the consequences of any disruption. This information is essential for developing suitable strategies to maintain continuity for those functions. A BIA is similar to a risk assessment, but with a different focus. While risk assessments look at potential events that could cause disruptions, a BIA focuses on the importance and urgency of each business function. Despite this difference, both processes are connected and can be done together. For instance, a risk assessment identifies threats to business continuity goals, while a BIA ensures critical activities meet those goals, such as a TV company aiming for 99.9% broadcasting continuity. The BIA serves three main purposes:

  1. Identify critical functions and recovery timeframes: Determine which activities are essential and how quickly they need to be restored after a disruption.
  2. Assess recovery needs and potential impacts: Understand the resources required to recover critical functions within the set timeframe.
  3. Align impacts with the organization’s risk appetite: Ensure that the expected disruptions and recovery plans fit the organization’s tolerance for risk.

A BIA often examines disruptions related to the 4Ps: People, Processes, Premises, and Products. Once potential sources of disruption are identified, the BIA process becomes more straightforward. The main focus is usually on business processes since maintaining these processes is crucial for protecting stakeholders, reputation, and the organization’s value.

Key Components of BIA

  1. Critical Activities: Identifying essential business functions that must continue during a disruption.
  2. Impact Assessment: Analyzing the financial, operational, reputational, and legal consequences of a disruption.
  3. Recovery Time Objectives (RTO): Determining how quickly critical functions must be restored.
  4. Recovery Point Objectives (RPO): Defining acceptable data loss in terms of time.
  5. Dependencies: Identifying key systems, suppliers, and staff necessary for critical operations.

Importance of BIA

  • Prioritizes Resources: Ensures focus on the most crucial functions.
  • Informs Strategy: Guides the development of effective business continuity and disaster recovery plans.
  • Minimizes Downtime: Helps organizations quickly resume critical operations.
  • Supports Risk Management: Identifies potential risks and their impact, allowing proactive measures.

Business continuity and ERM

Business Continuity Planning (BCP) plays a vital role within the broader framework of Enterprise Risk Management (ERM). While ERM aims to identify, assess, and mitigate risks that could impact an organization’s objectives, BCP focuses on ensuring that critical business functions can continue during and after a disruption. In this way, BCP complements ERM by providing practical strategies for maintaining operations when unforeseen events occur. ERM provides a comprehensive approach to managing risks across the organization, from strategic risks like market changes to operational risks such as IT system failures. BCP fits within ERM by addressing specific risks that could disrupt operations and detailing how to respond effectively. For instance, ERM might identify the risk of a cyberattack as a high-priority threat. BCP would then ensure that the organization has a disaster recovery plan in place to restore IT systems quickly, minimizing downtime and protecting critical data. Moreover, BCP and ERM share a common goal: safeguarding the organization’s core processes and stakeholder interests. While ERM emphasizes risk identification and mitigation to prevent disruptions, BCP ensures operational resilience by outlining the steps to take when disruptions occur. This dual focus on prevention and recovery strengthens the organization’s ability to withstand a wide range of risks. By working together, ERM and BCP create a robust framework for organizational resilience. ERM identifies potential threats and their impact, while BCP ensures that practical, actionable plans are in place to maintain operations during crises. This integrated approach not only protects the organization from financial and reputational damage but also helps it quickly recover and return to normal operations after an incident.

There is a clear connection between Business Continuity Planning (BCP) and Enterprise Risk Management (ERM). ERM focuses on managing risks across the entire organization, while BCP ensures that plans are in place to maintain operations during disruptions. BCP looks at how to keep the organization running as a whole, which aligns with ERM’s goal of maintaining core processes. However, BCP is just one part of ERM, not its entirety. Both approaches share a common goal: ensuring the organization’s critical processes remain effective and efficient. ERM emphasizes identifying risks that could affect core operations, while BCP focuses on determining which business functions must continue to keep the organization running. These methods complement each other and work well together in managing risks and ensuring continuity. For instance, a pharmaceutical company might treat the constant availability of prescription drugs as a core process. Using ERM, it identifies risks that could disrupt this process, blending ERM and BCP to meet stakeholder expectations. Scenario planning plays a key role in both BCP and ERM. It involves preparing for possible future events, including unlikely crises, and helps organizations build resilience. In financial institutions, this includes “stress testing,” where they assess how much capital they would need during severe financial difficulties, like those experienced during the 2007-2008 global financial crisis. By practicing scenario planning, organizations can better anticipate unexpected situations and improve their ability to respond effectively. This, in turn, strengthens the overall resilience of the organization.

Standards can be created to set a minimum level of resilience, ensuring that a system or network can continue running during extreme events without major disruptions to essential services. By outlining the worst-case scenarios that could reasonably happen, infrastructure owners and operators can evaluate how well their systems can handle such events. This helps them identify any weaknesses or gaps between what their systems are currently designed to handle and what might actually happen. For events more severe than these worst-case scenarios, the organization’s overall resilience will determine how well they can manage and respond. In addition, business continuity plans should include how quickly services can be restored after a disruption, even if the disruption comes from unexpected or more extreme events not specifically accounted for in the original scenarios. In many countries, local governments are required to help ensure that businesses can continue operating during major emergencies. These emergencies could be caused by natural disasters like floods or earthquakes, or by events such as terrorism, civil unrest, or health crises like pandemics. The ISO 22300 standards focus on societal resilience, highlighting the growing importance of helping communities and businesses prepare for such situations. Governments and trade associations often provide guidance to businesses on creating effective business continuity plans (BCPs). For example, the U.S. government offers useful resources online, while small business associations provide practical advice on how to respond during civil emergencies. Local authorities usually have legal responsibilities to respond to emergencies. Businesses such as factories and warehouses might have resources like equipment or facilities that can be useful, while retail shops can supply essential goods like food, bottled water, and blankets. Schools and other public buildings may also be repurposed as emergency shelters, especially during widespread disasters like flooding. Encouraging businesses to develop their own continuity plans helps reduce the burden on local authorities during emergencies. For small businesses, understanding which disasters pose the greatest threat allows them to prioritize protecting their most critical operations. This often includes safeguarding their premises, machinery, and other essential equipment, as these are vital for long-term survival.

Risk Insurance

https://preteshbiswas.com/wp-content/uploads/2024/11/Risk-Insurance-in-Enterprise-Risk-Management.wav

Risk insurance plays a critical role in Enterprise Risk Management (ERM) by providing a structured mechanism for transferring certain risks that could otherwise have a significant financial impact on an organization. Within the framework of ERM, organizations seek to identify, assess, and mitigate risks across various categories, such as operational, financial, strategic, and compliance risks. Risk insurance offers a vital tool for managing these uncertainties by transferring the financial burden of specific risks to an insurance provider. This allows organizations to safeguard their financial stability and focus on their core operations even when unexpected events occur. One of the primary advantages of using risk insurance in ERM is its ability to protect against catastrophic losses. Events such as natural disasters, cyberattacks, or liability claims can lead to substantial financial losses and disrupt business continuity. By purchasing insurance coverage, organizations can ensure that these risks are managed without exhausting internal resources. This transfer of risk helps to mitigate the potential impact on cash flow, profitability, and long-term sustainability. Additionally, insurance policies provide organizations with predictability in managing risks, as they pay a fixed premium in exchange for coverage, helping to stabilize their financial planning. In practice, organizations integrate risk insurance into their overall risk transfer strategy by assessing which risks are best mitigated through insurance versus other methods, such as risk avoidance or retention. For example, a manufacturing company might insure its physical assets against fire and theft, while a technology firm may prioritize cyber liability insurance to protect against data breaches. 
Through this approach, insurance becomes a key component in balancing the organization’s risk portfolio, allowing it to focus on higher-return activities while protecting against low-probability but high-impact events. Moreover, the use of insurance aligns with an organization’s broader risk culture and governance. Insurance not only provides financial compensation but also often includes access to expertise, such as risk assessments and loss prevention advice from insurers. This can enhance the organization’s overall risk management capabilities. In sectors where regulatory requirements mandate certain types of insurance, such as workers’ compensation or liability insurance, compliance with these requirements also reinforces the organization’s commitment to responsible risk management. In summary, risk insurance is a vital tool within ERM, enabling organizations to transfer specific risks to an insurer and thereby reduce their potential financial exposure. It supports financial resilience, enhances strategic risk management, and allows organizations to focus on growth and operational excellence without being derailed by unforeseen events.

History of Risk Insurance

The integration of insurance into Enterprise Risk Management (ERM) is rooted in the long history of insurance as a tool for managing uncertainty. Insurance, in its earliest form, dates back thousands of years to ancient civilizations that sought ways to protect against financial loss from unforeseen events. Over time, as business practices and risk management evolved, insurance became a foundational element of modern risk strategies, eventually finding its place within the broader framework of ERM. The origins of insurance can be traced to ancient Mesopotamia, where merchants used contracts to spread the risk of their cargo being lost during transport. Similarly, maritime trade in ancient Greece and Rome saw the emergence of rudimentary insurance mechanisms to protect against shipwrecks and piracy. These early practices laid the groundwork for the development of formal insurance markets in the Middle Ages, particularly in marine insurance, as global trade expanded. By the 17th century, the insurance industry began to formalize with the establishment of the first modern insurance companies. For instance, Lloyd’s of London, founded in the late 1600s, became a key player in insuring maritime ventures. The Industrial Revolution of the 18th and 19th centuries further accelerated the growth of insurance as businesses sought to protect themselves against risks associated with industrialization, including fire, machinery breakdowns, and worker injuries. The concept of risk management as a distinct discipline emerged in the mid-20th century. Initially, it focused on identifying and mitigating operational risks, primarily through insurance. Organizations relied heavily on insurance to protect against losses related to property damage, liability claims, and business interruptions. However, as risk management matured, it became evident that insurance alone could not address all types of risks, particularly those that were strategic or financial. 
This realization gave rise to ERM in the late 20th and early 21st centuries. ERM represents a holistic approach to managing risks across an organization, considering a wide range of threats and opportunities. Within this framework, insurance continues to play a crucial role as a risk transfer tool, but its use is now more strategic. Rather than relying solely on insurance, organizations under ERM evaluate the cost-effectiveness of transferring certain risks versus retaining or mitigating them through other means. Today, insurance is an integral part of ERM, offering a safety net for risks that are difficult to predict or mitigate entirely. It complements other risk management strategies by providing financial protection and stability, enabling organizations to pursue their objectives with greater confidence. The evolution of insurance within ERM underscores its enduring importance as a mechanism for managing uncertainty in an increasingly complex risk environment.

Importance of insurance

Risk transfer is a key way to manage hazard risks, often achieved through insurance, which is also known as risk financing. Insurance works by having the insurance company agree to pay a specific amount if certain events occur. There are two main types of insurance contracts. First-party insurance covers the insured’s losses, such as property damage. Third-party insurance compensates others who suffer losses or injuries caused by the insured, such as motor third-party or general liability insurance. Insurance contracts are based on utmost good faith, meaning the insured must provide all relevant information. Failure to do so can lead to the insurer cancelling the policy or refusing to pay claims. Insurance offers several benefits. It provides financial compensation for unexpected losses, reduces uncertainty, and can be cost-effective if the loss exceeds the premiums paid. Additionally, insurers often provide specialized services like loss prevention advice. However, there are downsides, including delays in claim payments, disputes over coverage, and challenges in determining adequate coverage limits, which can lead to underinsurance. Organizations can also explore alternatives to traditional insurance for transferring risk. These options include contractual risk transfer, captive insurance companies, mutual insurance pools, financial derivatives, and other alternative risk financing methods. Companies may also retain some financial risk by opting for large deductibles, self-insurance, or creating captive insurance. Insurance primarily addresses risks with low likelihood but high impact, such as catastrophic losses or legal liabilities. Beyond covering physical damage, it can also help with disaster recovery, business continuity, and increased operational costs after a loss.

The main types of insurance are:

  • Mandatory, legal and contractual obligations
    • Employers’ liability – compensation to employees injured at work
    • Public liability – compensation to the public or customers
    • Motor third party – compensation following a motor accident
    • Product liability – compensation for damage or injury
    • Professional indemnity – compensation to the client for negligent advice
  • Balance sheet/profit and loss protection
    • Business premises – damage to premises by adverse events
    • Business interruption – loss of profit and increased cost of working
    • Asset protection – losses, such as loss of cash, goods in transit, credit risk and fidelity guarantee (staff dishonesty)
    • Motor accidental damage – repair of own vehicles
    • Terrorism – compensation for damage caused by terrorism
    • Loss of a key person – compensation for the loss of a key staff member
  • Employee benefit/protection of employee assets
    • Life and health – benefits to employees that can include: life cover, critical illness cover, income protection, private medical costs, permanent health cover, personal accident and travel injury/losses
    • Directors’ and officers’ liability – legal and compensation costs

In most cases, buying insurance is optional. However, many countries require insurance in specific situations, usually for liability. This includes insurance to compensate injured employees and cover damages in road accidents. Beyond these mandatory types, organizations can choose whether to buy insurance based on their risk assessment and whether the risks are manageable. They also consider the cost (premiums) and how much the insurance will cover.

Insurance is often purchased for risks that are unlikely to happen but could cause significant damage, like floods, hurricanes, or major fires. For example, a publishing company knows it must buy employers’ liability insurance and motor third-party insurance to meet legal requirements. Additionally, magazine wholesalers require the company to have libel and slander insurance. To protect its finances, the publisher also buys property damage and business interruption insurance, as well as credit risk and goods in transit insurance. The company might also offer staff benefits like life insurance, critical illness coverage, private medical insurance, and personal accident and travel insurance. To protect its directors, the company purchases directors’ and officers’ liability (D&O) insurance. By reviewing its needs with insurance brokers, the company ensures its insurance program covers only what is necessary, suitable, and cost-effective.

There are many types of insurance available, and the specific needs of an organization will help determine what coverage to buy. However, sometimes insurance isn’t easily accessible or is too expensive, even if the organization wants it. Recently, more organizations have started looking at all the risks they face through an enterprise risk management (ERM) approach. This involves carefully deciding how much insurance is actually necessary.

For example, if a project has significant risks but insurance only covers some of them, buying that limited coverage may not make sense. As a result, some organizations now rely less on insurance to manage risks. Insurance costs also change over time, depending on the market cycle. During a “soft market” (when premiums are low), organizations tend to buy more insurance because it’s more affordable. In a “hard market” (when premiums are high), they often buy less insurance and may use a captive insurance company instead. These cycles usually last between 6 and 10 years.

Features of a business that give rise to particular insurance requirements include:

  1. Business has employees – Employers’ liability
  2. Employees travel outside the country – Business travel
  3. Members of the public could be affected – Public liability
  4. Business supplies products or components – Product liability/recall
  5. Business provides professional advice – Professional indemnity
  6. Theft or dishonesty by employees could occur – Fidelity guarantee
  7. Business occupies business premises – Premises insurance
  8. Premises has machinery or other stock – Contents cover
  9. Business depends on machinery or computers – Engineering insurance
  10. Business could be disrupted by fire, flood, etc. – Business interruption
  11. Business is involved in transporting goods – Goods in transit
  12. Business provides life benefits to employees – Life and health
  13. Certain staff are key to operation of business – Key person
  14. Business would suffer in event of a bad debt – Trade credit
  15. Business has directors and/or officers (D&O) – D&O liability

When deciding on insurance, organizations should consider the 6 Cs of insurance buying:

  1. Cost: This includes the insurance premium and any amount the organization has to pay out-of-pocket for a claim (like a deductible or excess).
  2. Coverage: Insurance policies often have limits, exclusions, and conditions. Organizations must check these carefully to ensure the policy covers their risks adequately.
  3. Capacity: For large companies with valuable assets, a single insurer might not cover the full amount. They need to assess how much coverage the insurer is willing to provide.
  4. Capabilities: Some insurers offer extra services, like risk management support or business continuity planning. These can influence the choice of insurer.
  5. Claims: The main purpose of insurance is to ensure claims are paid when an insured event occurs. The insurer’s track record in handling and paying claims is crucial.
  6. Compliance: Organizations need to comply with legal and tax rules, such as insurance premium taxes, which vary by country or region. Policies also need to be valid in every country where the company operates.

Other Important Considerations:

  • Financial Stability: It’s important to choose an insurer with strong financial health. Insurers collect premiums upfront but may pay claims much later, so their financial stability and credit rating matter.
  • Claims Handling: Filing claims can be complex, especially for business interruption losses, which are harder to calculate than property damage. Well-prepared business continuity plans can reduce disruptions and the size of claims.
  • Contract Certainty: Policies should be finalized and issued before the coverage period starts to avoid disputes.

Some countries only accept insurance from approved (admitted) insurers, which can limit the use of captive insurance companies. Organizations must ensure their policies meet local regulations wherever they operate.

Captive insurance companies

A captive insurance company is a type of insurer created and wholly owned by a business or a group of businesses to provide coverage specifically tailored to their needs. Unlike traditional insurers, a captive primarily serves its parent company, offering more control over insurance policies, premiums, and claims management. This structure allows the parent company to address unique or specialized risks that may not be adequately covered by the commercial insurance market. One of the primary benefits of captive insurance is cost efficiency. By eliminating the profit margins and administrative costs of third-party insurers, captives can reduce the overall cost of insurance. Additionally, captives provide the flexibility to design custom policies, ensuring that the parent company’s specific risks are adequately covered. Over time, if claims are lower than expected, the captive retains the surplus funds, potentially boosting the company’s financial performance. Captives also grant access to the reinsurance market, where insurance is sold to insurers at lower rates. This allows companies to secure coverage for large or catastrophic risks more cost-effectively. Financially, captives can offer tax advantages in certain jurisdictions, further reducing costs. However, setting up a captive involves significant upfront expenses and ongoing management, including regulatory compliance and reporting. These insurance entities are often established in jurisdictions with favorable regulatory and tax environments, such as Bermuda, the Cayman Islands, or Vermont. Captives may insure a wide range of risks, including property damage, liability, business interruption, and cybersecurity. For large companies with complex risk profiles, captives provide a strategic tool for risk management and financial stability, helping them better control their exposure and insurance-related costs.

A captive insurance company is an insurance provider owned by a business that doesn’t normally operate in the insurance industry. Its main purpose is to offer insurance coverage to its parent company by using the company’s own financial resources to cover expected losses or claims. The business that owns the captive is called the parent organization. Captive insurance companies are usually set up in locations with favorable regulations and tax benefits, such as Guernsey, Bermuda, or Ireland. These companies can sometimes provide insurance directly in other countries, but this might involve regulatory challenges with non-admitted policies. More commonly, captives work as re-insurers. This means they back up a traditional insurance company, known as the fronting insurer, which handles claims for the parent company. The fronting insurer pays the claims initially and then gets reimbursed by the captive for the part of the loss that falls under the captive’s coverage. The organization that owns the captive usually agrees to pay a portion of any loss (called a deductible or excess). The captive then covers the next layer of loss up to a specified limit, both for individual claims and for total claims during a policy year. If a loss exceeds the captive’s limit, the fronting insurer covers the rest. For legally required insurance, like workers’ compensation, the fronting insurer is responsible for paying the full claim and later recovers the covered amount from the captive. This setup poses a credit risk for the fronting insurer because it relies on the captive to reimburse it. To manage this risk, the fronting insurer may delay its payment to the claimant until it receives the necessary funds from the captive.

Some captive insurance companies not only provide coverage for their parent organization but also offer insurance to third parties. For instance, retailers of electrical goods might use a captive to offer extended warranty insurance. Similarly, travel agents might set up a captive to provide travel cancellation insurance to their customers. In these cases, the customer buys a policy from a well-known insurer, but the captive funds the coverage by acting as a re-insurer for the fronting insurer. This arrangement allows the business, like the travel agent, to earn extra income and profit from the insurance offerings. Captive insurance companies have several advantages. They often lower overall insurance costs by setting lower premiums and can access reinsurance markets with better rates and higher risk capacity. Captives also encourage greater risk awareness and loss control since the parent company directly bears the cost of claims. Additionally, they can provide broader coverage than what is typically available in the commercial market, and in some cases, offer tax benefits, although these have become less significant in recent years. However, there are downsides. Captives take on claims that would otherwise be handled by commercial insurers, which increases financial risk for the parent company. The parent must also allocate capital to ensure the captive’s solvency. Any large claims paid by the captive ultimately affect the parent company’s balance sheet. Operating in foreign territories can bring compliance challenges, particularly when policies are issued on a non-admitted basis. Managing a captive also requires significant administrative effort and resources from the parent organization. Despite these challenges, many organizations find captives advantageous. Popular locations for establishing captives include Guernsey, Ireland, and Malta, which offer favorable regulatory environments.

Benefits of captive insurance companies: For many years, large companies have gained significant advantages from running their own captive insurance companies. These captives were often created to provide insurance when coverage was either unavailable or too expensive. Many of them were set up in offshore locations like Bermuda or the Cayman Islands, which offered favorable conditions. While the main benefit of captives is improved risk management, the tax advantages have also been a key factor. A well-structured and properly managed captive can offer several benefits, including tax deductions for premiums paid by the parent company, the ability to accumulate funds in a tax-friendly location, and favorable tax rates on distributions to the captive’s owners. Captives also protect assets from business and personal creditors, help reduce the parent company’s insurance costs, provide access to lower-cost reinsurance, and insure risks that would otherwise be difficult or impossible to cover.

Risk strategy

https://preteshbiswas.com/wp-content/uploads/2024/11/Risk-Strategy-and-Enterprise-Risk-Management.wav

Risk strategy in Enterprise Risk Management (ERM) refers to a long-term plan that aligns an organization’s approach to managing risks with its broader goals and objectives. It establishes the organization’s risk appetite—the level of risk it is willing to take—and defines risk tolerance, which is the acceptable variation in outcomes. By focusing on creating a systematic framework, a risk strategy ensures that risks are identified, assessed, and addressed in ways that support business objectives, enabling value creation and resilience in the face of uncertainty. Risk strategy differs from risk tactics in scope and focus. While risk strategy outlines the overarching principles and framework for managing risks, risk tactics deal with the specific actions and methods used to implement the strategy on a daily basis. For example, a risk strategy may define the organization’s approach to mitigating operational risks broadly, while risk tactics involve the specific steps taken, such as implementing new controls or conducting targeted risk assessments. This distinction highlights the complementary nature of strategy and tactics, with the former offering direction and the latter providing execution. To establish an effective risk strategy, an organization must begin by understanding its goals and aligning risk management with its mission and objectives. The strategy must articulate the organization’s risk appetite and tolerance, providing clear boundaries for acceptable risks. A comprehensive assessment of the current risk environment is essential to identify internal and external threats, as well as opportunities. The organization should also build a governance framework that assigns clear roles and responsibilities for risk oversight and management, ensuring accountability at all levels. Promoting a risk-aware culture is critical to the success of the risk strategy. Employees and management alike need to understand the importance of effective risk management and their roles in achieving it. Training, communication, and leadership commitment are vital in fostering this culture. Objectives and metrics must be set to evaluate the success of risk management efforts, and processes should be integrated with strategic planning and daily operations. Finally, the strategy must be continuously monitored and reviewed to adapt to evolving risks and changes in the organization’s goals or environment. By taking these steps, an organization can establish a robust risk strategy that not only protects its assets but also positions it to seize opportunities and achieve sustainable growth.

Dynamic business models

Organizations often create separate documents for their business and strategic objectives. To ensure risk management fully supports the organization, it’s important to examine both sets of objectives and how they relate to each other. Business objectives typically align with the organization’s annual budget, detailing expected income from sales and costs of operations. These objectives are built on the organization’s business model, which outlines how it delivers value. For instance, a membership organization may rely on sponsorships from service providers and membership fees as key income sources. In return, it provides specific services to members and benefits to sponsors. The risks tied to business objectives often stem from the stability and efficiency of the business model. When assessing risks related to the annual budget, it’s crucial to consider events that could reduce sponsorship and membership income or hinder the delivery of promised services and benefits. Essentially, business objectives focus on the organization’s current operations and how it generates and delivers value. Risk management should therefore evaluate any factors that could disrupt this balance to help ensure the organization’s short-term goals are met effectively.

When a business is created, it either explicitly or implicitly adopts a business delivery model, which outlines how it creates, delivers, and captures value. This model explains how the business provides value to customers, encourages them to pay for it, and turns those payments into profit. Essentially, it reflects the organization’s understanding of what customers want, how they prefer to receive it, and how the business can organize itself to meet those needs while remaining profitable. The business delivery model helps describe and categorize different types of businesses. Within a company, management uses this model to explore opportunities for growth and improvement. Enhancing the business delivery model involves implementing a business development plan. A solid model serves as a foundation for innovative organizations to build and refine their future strategies.

The business model is built on the organization’s objectives and annual business plan. Organizations also create plans to improve and evolve their business model in line with their long-term strategy. The current business model reflects the organization’s existing operations, or “where it is now,” and is shaped by the tactics used to achieve its strategic goals. However, most organizations understand that their current business model won’t remain effective indefinitely. To consistently meet their objectives year after year, they must adapt and grow. This could involve finding more sponsorship opportunities, offering new products or services to generate additional income, or improving efficiency in delivering their current offerings. The process of evolving the business model to achieve strategic goals is often referred to as the business development model.

Business development model

To integrate risk management into business operations, it’s helpful to use a simple business development model. This model breaks down key steps in achieving business goals. The first step is for the organization to define its strategy, which is guided by its mission, corporate goals, and what stakeholders expect. The strategy should align with the mission and be designed to achieve objectives effectively and efficiently. After setting the overall strategy, the organization must identify the tactics to implement it. If the strategy involves changing existing processes or adding new ones, specific projects or programs will need to be carried out. These tactics should ensure that core processes are in place to achieve the desired outcomes in a cost-effective way. Operationally, the goal is to maintain efficient, uninterrupted daily operations without unexpected disruptions. Strategy outlines “where the organization wants to be,” while reviewing current operations shows “where the organization is now.” Tactics, in turn, describe “how the organization will get there.” This three-step model focuses on events, many of which represent potential risks. Another crucial aspect of this model is the reporting of operational results. These actions and events—whether positive, negative, or routine—help the organization track progress in relation to its strategy, tactics, operations, and compliance. They influence the organization’s ability to maintain effective, efficient, and compliant operations. Although compliance processes aren’t always explicitly mentioned, they are essential for ensuring that the organization meets its legal and contractual obligations. These processes are as fundamental as the operational ones and should support all organizational activities. Setting a strategy involves managing opportunities, while delivering tactics, often through projects, requires managing uncertainties and control risks. Ensuring effective and efficient operations also demands careful handling of hazard risks to maintain stability and performance.

Business processes

Every organization has existing processes that help it achieve its business goals by generating income and managing costs. These processes might work well, but for risk management to play a meaningful role in reaching those goals, the objectives must align with day-to-day operations. Unfortunately, organizations often fail to set clear, ongoing objectives. Instead, they focus on short-term goals tied to their strategic plans.

To fully benefit from risk management, an organization needs to establish goals at three levels: strategy, tactics, and operations. Core processes are crucial to the organization’s success, helping it meet its mission and satisfy stakeholders. These processes deliver value and address specific stakeholder needs. There are four main types of core processes:

  1. Strategy development and execution
  2. Managing tactics, projects, and improvements
  3. Continuing and overseeing daily operations
  4. Ensuring compliance with rules and regulations

Activities are individual tasks that make up these processes. While the processes aim to add value, extra tasks can increase costs. The challenge is to create processes that are both effective and efficient. Once stakeholder expectations are clear, the organization can design core processes to meet those expectations at an acceptable level. However, no organization can fully satisfy all stakeholders, as their needs may conflict. Weaknesses or gaps in core processes often fall into four categories:

  1. Leadership gap: Issues in developing and delivering strategy, leading to a loss of market leadership.
  2. Competition gap: Problems with managing projects or improvements, causing the organization to fall behind competitors.
  3. Efficiency gap: Failures in maintaining smooth daily operations, leading to inefficiencies.
  4. Compliance gap: Weaknesses in meeting legal or regulatory requirements, which can harm the organization’s reputation.

Strategy and tactics

A business strategy outlines what an organization wants to achieve and how it plans to do so. It is based on key decisions about the organization’s future. Having a clear strategy helps the organization meet its mission, objectives, and plans. Risk management plays an important role in strategy by ensuring decisions are effective and efficient, leading to the desired outcomes. The main way risk management supports strategy is through risk assessment. This involves evaluating the current strategy and any new strategies being considered. If there are different strategic options, each should be assessed individually for risks. In competitive industries with rapid technological change, businesses face significant risks and must make major strategic decisions. These often involve adopting new technologies, which may require large, uncertain investments. These investments can be risky because the technology might be untested or because multiple technology options exist.

Risk assessment for strategic decisions should include:

  • Stakeholder expectations
  • Customer needs
  • Staff skills
  • A SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis

Possible strategies might involve forming partnerships, outsourcing work, subcontracting, or investing in new technologies. Thorough risk assessments give the board the information it needs to make well-informed decisions. During risk assessment, the organization should also identify events or factors that could disrupt the strategy’s success. Based on this, it can decide what controls to implement to minimize potential negative impacts. Strategic objectives often focus on growing the organization’s presence in its industry and building its reputation. Enhancing reputation and developing individual brands are seen as opportunities, but they also come with risks. Tactics are the actions taken to achieve the business strategy. To ensure smooth and efficient operations, tactics must be carefully chosen, implemented, and managed. They should also ensure accurate financial reporting and compliance with laws and regulations. The goal is to create effective, efficient, and compliant core business processes. Projects drive changes to core processes. When managing projects, it’s important to address risks that could delay completion, exceed the budget, or fail to meet specifications. However, completing a project on time and within budget isn’t enough if it doesn’t lead to better core processes. For example, installing a new software system might be successful as a project, but if the system doesn’t deliver the expected improvements, the core processes won’t improve as intended. Risk management supports tactics and projects through risk assessments, improving risk responses, and ongoing reviews. The goal of risk assessment is to identify necessary controls. Once controls are in place, they need to be reviewed to ensure they are working effectively and efficiently. Effective tactics ensure the right core processes are in place to meet business needs. Even if core processes are efficient, they may not always be the best ones for achieving the organization’s goals. Projects aimed at improving core processes are essential for delivering the strategy. By developing more effective processes, the organization can continue to meet the needs of customers, investors, and other stakeholders. To maintain effective core processes, the organization may need to adjust its business model and objectives.

Strategy Statement:
To establish a comprehensive Enterprise Risk Management (ERM) framework that enhances operational resilience, ensures regulatory compliance, and protects the company’s reputation, while supporting long-term growth and sustainability.

This strategy focuses on embedding risk management into every level of the organization to identify, assess, and mitigate risks that could impact the company’s ability to meet its strategic objectives, including those related to health, safety, environmental impact, and financial stability.

Tactics Statement:
To implement risk assessment tools, strengthen incident response protocols, and enhance real-time monitoring systems across all operational sites to proactively manage risks associated with health, safety, and environmental hazards.

These tactics aim to ensure that day-to-day operations align with the broader ERM strategy. They involve specific actions like deploying advanced monitoring technology, conducting regular risk audits, and providing staff training on emergency response and compliance.

Effective and efficient operations

The main goal of risk management in operations is to ensure processes run efficiently without unexpected disruptions. Such disruptions often result from hazard risks. Well-designed, disruption-free core processes not only help the organization operate smoothly but also provide a competitive edge or improve cost-effectiveness. Risk management plays a crucial role in keeping operations running smoothly. This includes identifying and assessing risks, responding to significant ones, allocating resources for controls, planning responses, reporting risks, and ongoing monitoring. A comprehensive risk management approach is essential for uninterrupted and efficient operations. Internal audit also contributes by evaluating how well controls work within operations. This ensures both the operations and their controls are effective and efficient. Internal audits provide valuable risk assurance and help confirm compliance where necessary. All organizations need their operations to be both effective and efficient, especially in tough financial conditions. Efficient operations are key to meeting annual budgets and achieving business goals. Improving operational efficiency often involves using fewer resources, which may include cutting costs. However, efficiency alone isn’t enough if the organization is using the wrong processes. For example, you could make traveling by car very efficient, but if taking a train is faster and cheaper, the train is the more effective choice. Similarly, in a busy city, taking a taxi might seem efficient, but the metro could be a quicker and more cost-effective option. An organization’s business model reflects its current operations and core processes. These processes define the value it delivers to customers, supported by its financial stability and reputation. Strategy and tactics aim to improve the business model by enhancing the effectiveness and efficiency of core processes. The business model represents the organization’s current operational state, which strategy seeks to improve.

Ensuring compliance

Risk management activities serve four key purposes: Mandatory requirements, Assurance, Decision-making, and Effective and Efficient core processes (MADE²). Core processes fall into four categories: Strategic, Tactical, Operational, and Compliance (STOC). There is a strong connection between the reasons for risk management and the efficiency and effectiveness of these processes. Mandatory requirements come from stakeholders like regulators, customers, or financiers. These requirements must be met, and organizations do so by maintaining effective and efficient compliance processes. Failure to comply can have serious consequences, such as losing a license, which could threaten the organization’s survival. While there are usually several ways to meet mandatory requirements, risk management plays a key role in designing compliance processes that are both effective and efficient. This can even turn compliance into a competitive advantage by minimizing costs and improving operations. Many organizations prioritize compliance and see it as part of their culture, which helps them meet mandatory obligations. However, if compliance processes are not efficient, it can lead to wasted resources and a loss of competitive edge. Risk management professionals help develop compliance processes that are both cost-effective and efficient. For example, health and safety regulations are mandatory for most organizations, enforced by law. Some businesses may try to avoid compliance, thinking there won’t be consequences. But a more risk-aware organization will recognize that complying with health and safety rules not only improves operational efficiency but also enhances its reputation. A strong safety record can attract new clients and secure contracts.

Reporting performance

Operational reports show how well the organization’s strategy is being carried out. Management needs regular access to this data to adjust core business processes when needed. These reports also help prepare performance updates for stakeholders. The organization must decide what information to share, how much to disclose, and the format for these reports. To ensure accuracy, proper controls need to be in place. In the U.S., the Sarbanes-Oxley Act (SOX) outlines requirements for ensuring accurate financial reporting to shareholders. Risk management supports performance reporting by assessing risks in reporting lines and data-handling processes. SOX has increased focus on controlling reporting procedures. Under Section 404, external auditors must verify that financial reports and reporting processes are accurate.

Components of the business model

Every organization has a business model that outlines how it delivers value to its customers. Even non-commercial organizations, such as public sector or third sector entities, have a system for fulfilling their mission or vision. The business model explains how the organization uses its resources to provide its customer offering while ensuring long-term sustainability and resilience. The business model consists of four key components, summarized as CORR:

  1. Customer: Identifying customer groups, attracting and retaining them, and deciding how to deliver products or services.
  2. Offering: The value and benefits provided to customers.
  3. Resources: The organization’s assets, data, capabilities, and partnerships.
  4. Resilience: The organization’s ability to maintain operations, including financial stability and reputation.

The business model shows how operational and compliance processes work together to create a good customer experience. Organizations need to analyze their business model to identify strengths, weaknesses, opportunities, and threats (SWOT). Conducting a risk assessment helps pinpoint areas where the current system could fail or be improved, ensuring efficient delivery and finding new opportunities for growth. The business model reflects how things currently work and helps identify ways to enhance the customer offering or improve processes. Once improvements are identified, the updated business model sets the organization’s strategic direction, and specific tactics are developed to achieve that strategy. Business models can be complex, with multiple dependencies, such as suppliers and outsourced services. It’s crucial to identify any weaknesses or inefficiencies. Analyzing the business model also serves as a risk assessment tool, highlighting potential risks in areas like supply chains or ethical practices, which could harm the organization’s reputation. Corporate social responsibility, particularly in supply chains, is a growing concern for many organizations, as ethical risks can significantly impact their reputation.

Risk management and the business model

Every part of a business model can be analyzed for risks. The business model shows how an organization achieves its mission, vision, goals, and objectives. While the core focus is the offering (product or service), the process often begins with understanding the target customer segment. There are risks involved in identifying and retaining customers, as well as in providing customer service and support. Distribution channels also play a critical role in delivering the offering. The offering itself relies on the organization’s resources and capabilities to provide value and benefits to the customer. Evaluating how resources are structured and used helps identify risks that could impact performance. A key aspect of the business model is the organization’s resilience, which includes its reputation. While some business models overlook reputation, it is crucial since reputation often defines an organization’s success, particularly in its industry. Reputation also ties into sustainability—organizations aim to maintain and improve their reputation over time. Sustainability is essential in all business models, typically represented by financial health—balancing expenses and income. However, sustainability can also include environmental responsibilities. The organization’s sustainability goals must be part of the risk assessment, which will focus on operational hazards and compliance risks. To ensure the business model operates efficiently, operational risks must be mitigated, and compliance risks minimized. After assessing risks, the organization must decide if its current business model is sustainable. If improvements are needed, a new or modified business model will be developed, which becomes the organization’s strategy. Implementing this strategy involves specific tactics, executed through projects or programs to bring about the necessary changes. Strategic risks (improving the business model), tactical risks (implementing tactics), operational risks, and compliance risks must all be managed. This comprehensive approach is known as EM3. A strong business model not only attracts new customers but also deepens relationships with existing ones, ensuring long-term loyalty and higher satisfaction. Therefore, improving the business model should aim to both increase customer acquisition and retain existing customers while enhancing their experience.

Reputation and corporate governance

Corporate Social Responsibility (CSR) is a key part of an organization’s corporate governance. It applies to all types of organizations and involves acting responsibly toward society and the environment. Good CSR practices can boost an organization’s reputation and increase stakeholder value. On the other hand, poor CSR standards can lead to negative publicity and harm stakeholder value. Good CSR practices benefit organizations by:

  • Protecting and improving their reputation, brand, and trust.
  • Attracting, motivating, and keeping talented employees.
  • Managing and reducing risks.
  • Increasing efficiency and reducing costs.
  • Securing their ability to operate.
  • Opening up new business opportunities.
  • Creating a safer and more stable business environment.

CSR covers a wide range of activities, including efforts to improve social, environmental, and local economic impacts. It also involves promoting human rights, ensuring fair trade, and combating corruption. Before CSR became common, similar concerns were grouped under Social, Ethical, and Environmental (SEE) issues. Today, CSR encompasses all those areas. CSR is relevant not only for large multinational corporations but also for small businesses, public sector organizations, and charities. According to the European Commission, CSR means that businesses are accountable for their impact on all stakeholders. It reflects a commitment to operate fairly and responsibly, contributing to economic development while enhancing the quality of life for employees, their families, and the wider community.

CSR and risk management

CSR covers a wide range of issues, from health and safety to broader topics involving employees, customers, suppliers, the community, the environment, and the organization’s products or services. Both CSR and risk management deal with a wide variety of concerns, and there is significant overlap between the two areas. Scope of issues covered by CSR:

  • Health and safety: Commitment to a programme of activities to achieve continuous improvement in health and safety performance
  • Employees: Aim to deliver a competitive and fair employment environment and the opportunity to develop and advance – subject to personal performance
  • Customers: Strive to provide high-quality service and products and good value for money in all dealings with customers
  • Environment: Reduce impact on the environment, including factors contributing to climate change, through a commitment of continual improvement
  • Suppliers: Working with suppliers to ensure that worker welfare/labour conditions and environmental practices meet recognized standards
  • Community: Aim to be a responsible corporate citizen through support for appropriate non-political and non-sectarian projects, organizations and charities
  • Products/services: Designed not to unintentionally or by design cause death, injury, ill-health or social disruption, hardship or detriment

Many CSR topics, like workplace safety and environmental impact, are risk-related. However, addressing these solely as risks doesn’t fully cover the CSR agenda, though it’s a good starting point. Risk assessment workshops often include CSR topics like social, ethical, and environmental issues. Risk managers can use their tools, such as risk assessments, control measures, and compliance audits, to tackle CSR and broader corporate governance. Most organizations view CSR as a reputational matter, treating its components as hazard risks. They often start by updating processes to meet CSR requirements. While this compliance approach is a good first step, what begins as a hazard risk can evolve into a control risk and eventually present opportunities. Organizations should aim to improve their CSR practices. Once compliance is achieved, they can explore opportunities, such as offering fair-trade products, which can boost sales and improve their public image. Public opinion often drives CSR issues faster than organizations can respond, making CSR a chance to gain reputational benefits. Treating CSR as an evolving and proactive effort helps organizations align with public expectations and gain a competitive edge. Some organizations, like energy companies, have stakeholders they might prefer to avoid, such as environmental groups. Despite this, these groups are legitimate stakeholders and can significantly influence the company’s activities. Environmental concerns fall squarely within the CSR agenda. Key CSR stakeholders include employees, customers, suppliers, and the broader community. When it comes to environmental issues, everyone becomes a stakeholder, as organizational behavior affects the environment globally.

Supply chain and ethical trading

Failing to ensure ethical behavior is now widely seen as a significant business risk. Stories about fraud or corruption can damage a company’s reputation and hurt future profits. With easy access to online information, companies engaging in unethical practices, such as exploiting workers or mistreating suppliers, can quickly be exposed. If unethical actions cross into illegal activity, the impact can be even more severe. Breaking the law or ignoring internal governance rules can threaten the company’s survival. For instance, offering bribes to officials, even in regions where it may be common, is both unethical and illegal. Unethical behavior can lead to damaged reputations, lost profits, and customers or suppliers refusing to do business with the company. Examples of such risks include:

  • Violating regulations.
  • Partnering with questionable foreign governments.
  • Excessive political donations.
  • Tax evasion or shady tax practices.
  • Making false claims or accusations about competitors.
  • Forming unethical alliances with competitors.

Another concern is sourcing products from factories with poor working conditions. Selling low-quality or unsafe products can also harm a company’s reputation and raise questions about its ethics. For instance, if a clothing retailer wants to ensure its products are made under ethical conditions, it could set strict requirements for its suppliers. The retailer might demand that suppliers provide regular reports detailing:

  • Their policies on ethical labor practices.
  • The working conditions and pay of their employees.
  • Any subcontracting arrangements.
  • Results of audits and inspections of production facilities.

The retailer could then promote its commitment to ethical sourcing, gaining public trust and encouraging competitors to follow suit. This proactive approach can boost the retailer’s reputation and highlight its leadership in corporate social responsibility (CSR). Positive CSR efforts, especially in industries with a negative public image, can greatly benefit a company. For example, a fast-food chain operating in a sector often criticized for health and environmental concerns could improve its reputation by adopting higher nutritional standards and sustainable sourcing practices. By exceeding industry standards, the company demonstrates a strong commitment to ethical practices. Many organizations now include CSR achievements in their annual reports or issue separate CSR updates. These reports help them show progress, moving from compliance with ethical norms to leveraging CSR for competitive advantage. Ultimately, demonstrating strong CSR practices can help companies meet stakeholder expectations and improve overall performance. A company’s annual report on Corporate Social Responsibility (CSR) should include the following:

  • Key Risks and Opportunities: Explain the social, ethical, and environmental risks and opportunities that could significantly affect the company’s value in the short or long term, and how these might impact the business.
  • Policies and Procedures: Outline the company’s policies and processes for managing risks related to social, ethical, and environmental issues.
  • Compliance: Provide information on how well the company has followed its own policies and procedures for managing these risks.
  • Verification Processes: Describe how the company ensures the accuracy and reliability of its social, ethical, and environmental disclosures, aiming for a high level of trustworthiness.

Reputation

Reputation is crucial for organizations and is often considered their most valuable asset. Since reputation is both vital and easy to lose, organizations need to understand what it’s built on. While reputation depends on the size, nature, and complexity of the organization, it helps to break it down into key components. The main elements of a good reputation can be summarized as CASE:

  • Capabilities: The organization’s purpose and resources.
  • Activities: Its processes and financial management.
  • Standards: The quality of its products, services, and customer support.
  • Ethics: Its values and commitment to integrity.

Reputation is also part of the FIRM risk scorecard and is often seen as a result of other events. A strong reputation encourages customers and clients to do business with the organization. Components of reputation are:

  • Capabilities: Does the organization have a clear purpose or resolve, together with the commitment, vision, capabilities and resources to deliver that purpose?
  • Activities: Which sector and what activities does the organization undertake and does it have the financial resources and stability to support those activities?
  • Standards: What range of services or products does the organization offer and what are the standards of quality, delivery, support, execution, innovation and investment?
  • Ethics: Does the organization adhere to appropriate CSR, integrity, values and governance, and continuously monitor performance to learn and achieve improvements?

Organizations should carefully assess both the reputation of their industry and their own standing within it. Many companies take intentional steps to improve their reputation, which can lead to greater success. To do this, an organization needs the right capabilities to plan strategies, implement tactics, maintain operations, and ensure compliance. These capabilities should be reflected in a clear statement of purpose or commitment. The organization’s activities will depend on its industry, and financial resources and stability are crucial to support those activities. Together, capabilities and activities shape the organization from the inside. Reputation also depends heavily on the quality of the products or services offered, along with the standards of service delivery. Additionally, business ethics play a key role in showcasing the organization’s integrity. This integrity can be demonstrated through regular performance monitoring and continuous improvement efforts. By using a chart to evaluate its reputation within its sector, an organization can assess its performance in four key areas (capabilities, activities, standards, and ethics). Each area can be scored on a scale from 1 to 4, ranging from poor to excellent. This helps identify which areas pose the biggest risks to its reputation.

Threats to reputation

  • Capabilities: Failure to provide a clear indication to stakeholders that the organization recognizes its purpose. Failure to have adequate resources within the organization to ensure satisfactory governance and/or deliver quality services and products.
  • Activities: Business sector in which the organization operates suffers adverse publicity. Finances are weakened, reducing the desire of customers to trade with the organization.
  • Standards: Insufficient innovation in services and products so that customers go elsewhere. Reduction in quality of products and/or services or failure to deliver customer support.
  • Ethics: Unethical behaviour by the organization (CSR) indicating unacceptable values. Failure to deal with customer complaints appropriately and with integrity.

Corporate social responsibility (CSR) is just one key factor in building a strong reputation, but reputation goes beyond ethics alone. In fact, customers may still choose to do business with a company even if they view its business practices as less ethical. Although this book provides only a brief overview of reputation, its critical role—especially in risk management—is well understood. The value of brand and reputation is recognized by all organizations. Many companies that interact directly with the public work hard to build trust and promote ethical behavior. For some, this isn’t a new approach but a core principle that shapes their entire customer experience.

Examples of monitoring reputation:

  1. Unilever: A global business like Unilever faces many challenges in its daily operations across different countries. That’s why it’s important for the corporate responsibility committee to regularly review the systems and processes in place to handle these issues. The committee also requests an annual summary of key issues the company is addressing. In 2015, these included climate change, food and beverage taxes, responsible use of technology, and human and labor rights. To ensure Unilever’s reputation is well-managed, the committee may also seek independent feedback on how the company is viewed by society. One major survey, conducted annually by a research agency, gathers input from over 800 sustainability experts in more than 80 countries. The survey shows that more experts believe companies lead in sustainable development when they make sustainability a core part of their business. About 38% of respondents said Unilever is “integrating sustainability into its business strategy,” placing it well ahead of its competitors.
  2. Starbucks: Starbucks regularly reviews its ethical sourcing practices for coffee, tea, and cocoa to ensure fair treatment of farmers and sustainable farming practices. The company tracks and reports on these initiatives through its Global Social Impact Report, which includes metrics like farmer support programs and community investments. Starbucks also engages with external auditors and sustainability experts to assess its impact.
  3. Patagonia: Patagonia is known for its strong stance on environmental issues. The company monitors its reputation by openly sharing its progress and challenges in reducing its environmental footprint. Through its Footprint Chronicles and annual reports, Patagonia details its supply chain practices, including the use of recycled materials and efforts to reduce carbon emissions. It also invites independent reviews and feedback from environmental groups to stay accountable.
  4. Johnson & Johnson: Johnson & Johnson monitors its reputation through customer feedback, surveys, and regulatory compliance reviews. The company’s Credo Values Survey gathers input from employees and stakeholders to ensure it is meeting its ethical and operational standards. Additionally, J&J collaborates with healthcare professionals and public health organizations to maintain trust in its products, especially during product recalls or safety concerns.
  5. Microsoft: Microsoft closely monitors its reputation regarding data privacy and responsible AI. The company releases transparency reports detailing government requests for user data and compliance with privacy laws. Microsoft also engages with independent organizations to audit its AI ethics practices and ensures its tools align with privacy and human rights standards.
  6. Coca-Cola: Coca-Cola tracks its reputation by focusing on water usage and conservation. The company has a Water Replenishment Program, where it reports on efforts to return more water to communities and the environment than it uses in its operations. Coca-Cola works with NGOs and local governments to verify its impact and builds its reputation as a socially responsible brand.

Risk control techniques

https://preteshbiswas.com/wp-content/uploads/2024/11/Risk-Control-Techniques_-Biswas.wav

Risk control techniques in Enterprise Risk Management (ERM) are strategies and methods used to mitigate or manage identified risks. These techniques aim to minimize the likelihood and/or impact of risks while supporting the organization’s objectives. Below are the key risk control techniques.

Different types of controls are used to manage hazard risks, commonly categorized as preventive, corrective, directive, and detective. This classification creates a clear hierarchy, with preventive controls being the most effective. Preventive controls aim to stop hazardous events, such as using safer materials or enclosing activities to eliminate exposure to harmful substances. These are the most commonly implemented controls in organizations. Corrective controls focus on addressing problems or reducing risks after they arise, like using machinery guards to minimize accidents. Directive controls involve providing instructions or procedures to ensure specific outcomes, such as training employees to use protective equipment or outlining response plans for potential risks. Detective controls are designed to identify when a risk event has occurred, with examples including post-incident reviews to prevent further issues. Disaster recovery planning (DRP) and business continuity planning (BCP) are essential for managing crises but do not fit neatly into this framework. Some consider them directive controls because they provide guidance during a crisis, while others see them as corrective controls because they help limit damage and costs after a loss. Another perspective is that DRP and BCP form a separate category of controls, focusing on post-loss procedures to ensure minimal disruption. The effectiveness of controls generally follows a hierarchy: preventive controls are the most effective, followed by corrective, directive, and then detective controls. Preventive controls are preferred as they stop problems before they occur, while corrective and directive controls help manage risks during or after an event. Detective controls, being the least effective, only confirm that an event has happened. Despite their unclear classification, DRP and BCP are crucial for minimizing damage and ensuring continuity when a hazard risk materializes.

Take the example of an oil and gas company aiming to reduce the number of process safety incidents, such as equipment failures, leaks, or spills, per million operating hours. The company can utilize the preventive, corrective, directive, and detective control hierarchy to establish a structured approach:

  • Preventive controls may include implementing rigorous hazard identification and risk assessment (HIRA) during project planning to ensure potential risks are addressed in design and operations. Additionally, introducing automated shutoff valves and pressure relief systems can prevent hazardous events caused by equipment overpressure or leaks.
  • Corrective controls could involve enhancing maintenance schedules, such as adopting predictive maintenance techniques using sensors and analytics to identify wear and tear before failure occurs. Improved reporting mechanisms for employees to log near misses or equipment issues can also be part of corrective measures.
  • Directive controls might focus on comprehensive training programs for process operators, emphasizing safe work practices and emergency response protocols. The company could also provide easy-to-follow operating manuals and procedures for handling critical equipment safely, ensuring all employees understand the steps to mitigate risks.
  • Detective controls already in place might include gas detection systems to identify leaks and prevent escalation. To enhance this, the company could implement periodic audits of safety-critical equipment and processes, as well as conduct employee behavior assessments to ensure compliance with safety protocols.

Other controls the company might evaluate include routine inspections of pipelines and storage tanks to detect early signs of corrosion or damage and reviewing energy consumption patterns to identify inefficiencies or unsafe operating conditions. By integrating these measures into a structured and measurable loss-control program, the oil and gas company can effectively reduce the number and impact of process safety incidents while optimizing operational costs.

Hazard Risk Zone

The figure shows three zones in the risk matrix, with the cautious and concerned zones forming a central area. The comfort zone includes risks with low likelihood and low impact. There are always risks with such a low chance of happening or minimal impact that they remain in their comfort zone. As the likelihood and impact of a risk increase, a point is reached where a decision must be made about whether to accept the risk. This is the cautious zone, where organizations usually take steps to manage or transfer the risk. The boundary between the cautious and concerned zones represents the organization’s risk appetite, showing the level of risk the organization is willing to tolerate. Together, these zones reflect the organization’s tolerance for variability or uncertainty in managing that particular risk. When likelihood and impact increase, a critical point is reached where the risk becomes unacceptable, and the organization will aim to eliminate exposure to it. However, in some cases, these high risks cannot be avoided, either because they are essential for the business or tied to a high-risk, high-reward strategy approved by the board.

  1. Preventive controls: Preventive controls are the most important type of risk control, and every organization uses them to manage certain risks. However, completely preventing or eliminating all risks may not be practical or cost-effective, and in some cases, it might not be desirable for maintaining key activities. Examples of preventive controls include measures like requiring approval from another person before making payments or preventing the same person from ordering goods and authorizing their payment. In health and safety, preventive controls aim to remove hazards or replace them with safer alternatives. For instance, a hazardous chemical used in cleaning might be swapped for a less harmful substitute. The main advantage of preventive controls is that they eliminate risks, removing the need for further management. However, this approach can sometimes be expensive or impractical for operational reasons. Additionally, eliminating certain activities might lead to outsourcing or replacing them with less efficient options. Health and safety experts often focus on eliminating risks “as far as is reasonably practicable.” This means balancing the time, effort, and cost of risk reduction against the benefits of lowering the risk. For example, underground mines can reduce the risk of collapse by installing support beams, but the cost and practicality of doing so must be weighed against the level of safety improvement achieved.
  2. Corrective controls: Corrective controls are used when preventive controls are not practical, desirable, or cost-effective. These controls aim to reduce risks to a level that aligns with the organization’s risk appetite. In health and safety, examples of corrective controls include installing barriers or guards to contain hazards. For fraud prevention, measures like using passwords, access controls, rotating staff, or regularly changing supervisors are common corrective controls. Corrective controls have several advantages. They are often simple, cost-effective, and can be applied without needing to overhaul existing practices or procedures. They fit within current operations and processes. However, a challenge with corrective controls is that their benefits can sometimes be hard to measure or justify as cost-effective. In some cases, they may be overly complex or expensive compared to the benefits they provide. Often, corrective controls are implemented to meet regulatory requirements, which can add extra costs or inefficiencies for the organization. Organizations need to ensure these controls meet legal requirements without being excessive or ineffective. The design and implementation of corrective controls can lead to debates and disagreements. For instance, there is often discussion about installing sprinklers in buildings as a fire control measure. While sprinklers can minimize fire damage, some building occupants, such as those with computer installations, may argue that sprinklers are inappropriate due to the water damage they can cause. Fire safety experts typically counter this by emphasizing that water may cause damage, but fire results in total destruction. This highlights the need to carefully consider the potential downsides and unintended consequences of corrective controls before implementing them.
  3. Directive Control: Organizations are familiar with directive controls because they involve guiding staff on how to perform tasks safely and correctly. For tasks with risks, directive controls include documented procedures, training, and instructions. These controls are often present for most risks, even if other types of controls are also used. An example of directive controls is requiring workers to wear personal protective equipment (PPE) for hazardous tasks. Employees must be trained in how to use PPE properly, and supervision is needed to ensure compliance. The benefit of directive controls is that they can be explained to employees during regular training sessions. However, these controls provide a lower level of risk management and often need constant oversight to ensure procedures are followed. On their own, directive controls are not very reliable or secure, but they are always part of an organization’s overall risk management strategy. Developing systems, procedures, and protocols is vital, but if these are not implemented, the organization may face criticism for poor risk management. Having procedures shows that risks are recognized and addressed, but failing to follow them leaves the organization vulnerable to claims of negligence. Directive controls are valuable and relevant. For example, contracts often include written instructions on how to respond to specific situations, such as an insurance claim. Additionally, directive controls are often the first step taken in response to unexpected events. While the ideal approach in stable situations follows a hierarchy of controls, in emergencies, directive controls or preventive measures are typically introduced first to address immediate risks, especially safety concerns. These initial actions create time to design and implement corrective controls as the situation becomes clearer and stabilizes.
  4. Detective controls: Detective controls are procedures used to identify when a hazard has already occurred. While detecting risks after the fact is not ideal, it can be justified in situations where other controls cannot fully prevent the risk. Examples of detective controls include inventory or asset checks to ensure nothing has been taken without permission, bank reconciliations to spot unauthorized transactions, and post-project reviews to learn lessons for the future. These controls are closely tied to monitoring and review processes in risk management. Detective controls are often simple to implement and can provide early warnings when other risk controls fail. However, their downside is that the risk has already happened by the time it is detected. On the positive side, the presence of detective controls may deter people from bypassing other controls. For example, fraud can usually only be detected after it occurs, but early detection can reduce the damage, stop similar future fraud, and improve security. Even in health and safety, detective controls have a role. Some jobs expose workers to hazards that can cause serious long-term health issues. Early detection of symptoms, such as lung disease from dust, dermatitis from skin exposure, or hearing loss from noise, allows for timely intervention to prevent further harm. These examples highlight the importance of detective controls in managing risks effectively.
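The preventive control described under item 1 (a payment must be approved by a second person, and the person who orders goods cannot authorize their payment) and the detective control under item 4 (a bank reconciliation that spots unauthorized transactions) can both be expressed as small checks in code. The block below is an added example, not code from the original page; the purchase orders, ledger entries and bank-statement lines are constructed sample data.

```python
"""Segregation of duties (preventive) and bank reconciliation (detective) as code.
Added illustration; all records below are constructed sample data."""
from collections import Counter


class SegregationOfDutiesError(Exception):
    """Raised when one person would both raise and approve the same payment."""


def approve_payment(order: dict, approver: str) -> dict:
    """Preventive control: the approver must differ from the person who raised the order.

    Returns the approved record, or raises so that no payment is released when the
    same person tries to order and authorize.
    """
    if approver == order["raised_by"]:
        raise SegregationOfDutiesError(
            f"{approver} cannot approve order {order['id']} that they raised")
    return {**order, "approved_by": approver, "status": "approved"}


def reconcile(ledger: list, bank_statement: list) -> dict:
    """Detective control: match bank debits against the payments ledger.

    A bank debit with no ledger entry is an unauthorized or unrecorded payment;
    a ledger entry with no bank debit is unpaid or misposted. Counter subtraction
    keeps only the unmatched lines on each side.
    """
    ledger_keys = Counter((e["payee"], e["amount"]) for e in ledger)
    bank_keys = Counter((b["payee"], b["amount"]) for b in bank_statement)
    unauthorized = list((bank_keys - ledger_keys).elements())
    unpaid = list((ledger_keys - bank_keys).elements())
    return {
        "unauthorized": unauthorized,
        "unpaid": unpaid,
        "clean": not unauthorized and not unpaid,
    }


# Constructed sample data: two purchase orders, the ledger posted from them,
# and a bank statement carrying one debit nobody recorded.
ORDERS = [
    {"id": "PO-1", "raised_by": "alice", "payee": "Acme Ltd", "amount": 1200.00},
    {"id": "PO-2", "raised_by": "bob", "payee": "Widgets Co", "amount": 450.00},
]
LEDGER = [{"payee": o["payee"], "amount": o["amount"]} for o in ORDERS]
BANK_STATEMENT = [
    {"payee": "Acme Ltd", "amount": 1200.00},
    {"payee": "Widgets Co", "amount": 450.00},
    {"payee": "Unknown Trader", "amount": 980.00},  # no matching ledger entry
]


def run_example() -> dict:
    """Exercise both controls and return what each found."""
    approved = approve_payment(ORDERS[0], approver="carol")   # different person: allowed
    try:
        approve_payment(ORDERS[1], approver="bob")            # bob raised PO-2: blocked
        blocked = False
    except SegregationOfDutiesError:
        blocked = True
    return {
        "approved_status": approved["status"],
        "self_approval_blocked": blocked,
        "reconciliation": reconcile(LEDGER, BANK_STATEMENT),
    }


if __name__ == "__main__":
    print(run_example())
```

The preventive check refuses the transaction outright, which is why it sits at the top of the hierarchy; the reconciliation can only report the unauthorized debit after the money has left, which is the limitation the text attributes to detective controls.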

Cost of Risk Controls

The inherent level of risk is the risk that exists without any controls in place, often called the gross risk. The current level of risk is the risk after considering existing controls, sometimes referred to as residual risk. In this context, “current level” is preferred to emphasize a more dynamic approach to managing risks. When controls are applied, they reduce the risk level, which can be visualized as a “control effect” or “control vector.” For example, if an organization considers inherent, intermediate (when multiple controls are in place), and target risk levels, it must also account for the costs of implementing those controls. These costs are part of the total cost of managing risks and help determine whether the controls are cost-effective. Using a simple example: for Risk A, three controls (A1, A2, and A3) are needed to bring the risk down to the target level. For Risk B, only one control (B1) is sufficient. This shows that managing Risk A requires more effort and resources than Risk B. It’s essential for management and internal audit teams to ensure these controls work effectively and efficiently. The gap between inherent risk and current risk shows the impact of the controls. If the organization sets a lower target risk level, additional effort and controls will be required to bridge the gap from the current to the new target level. This example illustrates the relationship between risk levels and control efforts.

Risk treatment, also known as risk response or risk control, involves choosing and implementing actions to reduce the likelihood and impact of risks. Different types of controls should be considered in sequence when deciding how to manage risks effectively. Whenever possible, preventive controls should be the first choice, as they aim to stop risks from occurring. If prevention is not feasible, corrective controls can be applied to reduce the likelihood and impact of adverse events. Once risks are minimized as much as is cost-effective, directive controls can be introduced to guide the actions of those managing the risk. Finally, detective controls may be added to identify when a risk has materialized. These controls are commonly used in areas such as health and safety. It’s useful to assess risks at their inherent level (before controls are in place) to determine the necessary control efforts. By calculating the risk exposure at both the original and new levels, the effectiveness of each control can be measured. This allows the organization to conduct a cost-benefit analysis for each control and prioritize the most cost-effective solutions for managing risks.
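The relationship described above (inherent exposure, the control effect of each control, the current level, and a cost-benefit ranking of controls), together with the comfort/cautious/concerned zones of the hazard risk matrix, can be worked through numerically. The block below is an added example, not code from the original page; it reuses the page's Risk A (controls A1, A2, A3) and Risk B (control B1), but the likelihood and impact scores, the control effects, the control costs and the zone thresholds are all constructed assumptions.

```python
"""Inherent vs. current risk exposure, control effect per control, zone
classification, and cost-benefit ranking. Added illustration; all scores,
costs and thresholds are constructed assumptions."""
from dataclasses import dataclass, field

# Likelihood and impact are scored 1-5, so exposure runs from 1 to 25.
# Zone boundaries stand in for the organization's risk appetite (constructed).
COMFORT_MAX = 6     # exposure <= 6  -> comfort zone
CAUTIOUS_MAX = 12   # exposure <= 12 -> cautious zone; above it -> concerned zone


@dataclass
class Control:
    name: str
    kind: str            # preventive, corrective, directive or detective
    likelihood_cut: int  # likelihood points the control removes
    impact_cut: int      # impact points the control removes
    annual_cost: float   # cost of operating the control


@dataclass
class Risk:
    name: str
    likelihood: int      # inherent (gross) likelihood, 1-5
    impact: int          # inherent (gross) impact, 1-5
    controls: list = field(default_factory=list)


def exposure(likelihood: int, impact: int) -> int:
    return likelihood * impact


def zone(exp: int) -> str:
    """Place an exposure value in the comfort, cautious or concerned zone."""
    if exp <= COMFORT_MAX:
        return "comfort"
    if exp <= CAUTIOUS_MAX:
        return "cautious"
    return "concerned"


def current_level(risk: Risk) -> tuple:
    """Apply every control; a score never drops below 1 (the risk is reduced, not removed)."""
    lik = max(1, risk.likelihood - sum(c.likelihood_cut for c in risk.controls))
    imp = max(1, risk.impact - sum(c.impact_cut for c in risk.controls))
    return lik, imp


def control_effect(risk: Risk, control: Control) -> int:
    """Exposure points removed when this control alone acts on the inherent risk."""
    lik = max(1, risk.likelihood - control.likelihood_cut)
    imp = max(1, risk.impact - control.impact_cut)
    return exposure(risk.likelihood, risk.impact) - exposure(lik, imp)


def rank_controls(risk: Risk) -> list:
    """Controls ordered by exposure points removed per unit of cost, best first."""
    scored = [(c.name, control_effect(risk, c) / c.annual_cost) for c in risk.controls]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def summarize(risk: Risk) -> dict:
    inherent = exposure(risk.likelihood, risk.impact)
    current = exposure(*current_level(risk))
    return {
        "inherent": inherent, "inherent_zone": zone(inherent),
        "current": current, "current_zone": zone(current),
        "control_cost": sum(c.annual_cost for c in risk.controls),
    }


# Constructed data echoing the page: Risk A needs three controls, Risk B one.
RISK_A = Risk("Risk A", likelihood=5, impact=5, controls=[
    Control("A1", "preventive", likelihood_cut=2, impact_cut=0, annual_cost=40_000),
    Control("A2", "corrective", likelihood_cut=0, impact_cut=2, annual_cost=25_000),
    Control("A3", "detective",  likelihood_cut=1, impact_cut=0, annual_cost=5_000),
])
RISK_B = Risk("Risk B", likelihood=3, impact=4, controls=[
    Control("B1", "corrective", likelihood_cut=1, impact_cut=1, annual_cost=10_000),
])

if __name__ == "__main__":
    for risk in (RISK_A, RISK_B):
        print(risk.name, summarize(risk), rank_controls(risk))
```

Both risks end in the comfort zone, but Risk A consumes seven times the control budget of Risk B, which is the "more effort and resources" point the text makes; the ranking also shows that the cheapest control is not necessarily the one with the largest effect, which is why each control is assessed on exposure removed per unit of cost.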

Examples of key dependencies and the significant risks attached to them, for the four FIRM categories: financial, infrastructure, reputational and marketplace.

1. Financial

  • Availability of funds: Insufficient funds available from parent company
  • Correct allocation of funds: Inadequate profit because of incorrect capital expenditure decisions
  • Internal control: Fraud occurs because of inadequate internal controls
  • Liabilities under control: Higher-than-expected liabilities arise in the pension fund

2. Infrastructure

  • People: Failure to achieve/maintain health and safety standards
  • Premises: Damage to key location caused by insured peril
  • Processes: IT control systems are not available because of viruses or hacker activity
  • Products: Disruption because of the failure of the supplier

3. Reputational

  • Brand: Product recall causes damage to product image and brand
  • Public opinion: Lost sales or revenue because of changes in public tastes
  • Regulators: Regulator enforcement action causes loss of public confidence
  • CSR: Allegations of unethical product sourcing cause loss of sales

4. Marketplace

  • Regulatory environment: Change in tax regime results in unbudgeted tax demands
  • Economic health: Decline in world or national economy reduces consumer spending
  • Product development: Changes in technology reduce product appeal and sales
  • Competitor behaviour: Competitor substantially reduces prices to win market share

The examples above cover the main hazard risks likely to concern an organization. For each hazard, the analysis explains what could go wrong and outlines the key factors and issues to evaluate. It then reviews the available control options for the risk and identifies which controls are needed and suitable.

The diagram illustrates the concept of cost-effective controls by balancing the cost of controls and the potential loss due to risk. Here’s a simple explanation:

  1. Potential Loss Curve: This line shows how much risk or potential loss an organization faces without controls. As control improves, potential loss decreases.
  2. Cost of Controls Curve: This line represents the cost of implementing controls. Initially, the cost of controls is low, but as more stringent controls are added, the cost increases significantly.
  3. Total Cost of Risk: This curve combines both the cost of controls and the remaining potential loss. It shows the total expenditure related to managing the risk. The lowest point on this curve represents the optimum level of control, where the total cost of risk is minimized.
  4. Judgment Area: Around the lowest point of the total cost curve, organizations need to decide the best level of controls.
    • To the left of this point: Controls are cost-effective since they significantly reduce potential losses at a reasonable cost.
    • To the right of this point: Further controls are not cost-effective, as the additional cost outweighs the benefits of reducing risk further.

The goal is to find the balance where controls are effective enough to minimize potential losses without incurring excessive costs. Beyond this point, adding controls results in diminishing returns and is no longer economical. When choosing and applying controls, it’s important to focus on those that are cost-effective. The diagram shows how increasing levels of control (horizontal axis) relate to the cost of controls and the reduction in potential losses (vertical axis). By adding the cost of controls and the potential loss at each level, the diagram identifies an optimal level of control where the total cost (controls + potential losses) is at its lowest.

  • Cost-effective Controls: In the early stages, low-cost controls lead to a big reduction in potential losses, making them highly cost-effective.
  • Judgment Zone: In the middle, spending more on controls reduces the overall risk cost, but organizations need to decide if the extra spending is worth the benefit.
  • Not Cost-effective: On the far right, additional spending on controls only slightly reduces potential losses, making it uneconomical.

The goal is to find the balance where controls minimize total costs while keeping risks at an acceptable level.

One key benefit of learning from controls is the ability to identify controls that are unnecessary or overly complicated. These controls can then be removed, adjusted, or replaced with simpler and more cost-effective options. Risk assessments should consider ongoing reviews of controls, as the level of risk depends on how effective and suitable those controls are. Monitoring controls is a well-established area of expertise, especially for internal audit teams.
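The cost-of-risk diagram discussed above can be reproduced numerically: a potential-loss curve that falls with the level of control, a control-cost curve that rises, a total that is minimized at the optimum level, and the three zones (cost-effective, judgment, not cost-effective) around that minimum. The block below is an added example, not code or data from the original page; the two cost functions, the eleven control levels and the width of the judgment band are constructed assumptions chosen only to give the curves the shapes the text describes.

```python
"""Total cost of risk = potential loss + cost of controls, and the optimum
control level where that total is lowest. Added illustration; the cost
functions and the control levels are constructed assumptions."""

LEVELS = list(range(0, 11))   # control level 0 (no controls) .. 10 (most stringent)


def potential_loss(level: int) -> float:
    """Expected annual loss remaining at a given control level.
    Constructed as a decaying curve: each extra level removes less loss than the last."""
    return 100_000 * (0.7 ** level)


def control_cost(level: int) -> float:
    """Annual cost of operating controls at a given level.
    Constructed as a convex curve: each extra level costs more than the last."""
    return 1_500 * level ** 2


def total_cost(level: int) -> float:
    return potential_loss(level) + control_cost(level)


def optimum_level() -> int:
    """The control level at which the total cost of risk is lowest."""
    return min(LEVELS, key=total_cost)


def marginal_benefit(level: int) -> float:
    """Loss avoided minus extra control cost when stepping from level-1 to level.
    Positive means the step pays for itself; negative means it does not."""
    loss_avoided = potential_loss(level - 1) - potential_loss(level)
    extra_cost = control_cost(level) - control_cost(level - 1)
    return loss_avoided - extra_cost


def classify(level: int, band: int = 1) -> str:
    """Zone of a control level relative to the optimum.

    Levels well below the optimum are cost-effective (cheap controls removing
    a lot of loss); levels within `band` of it form the judgment area; levels
    well above it are not cost-effective.
    """
    opt = optimum_level()
    if level < opt - band:
        return "cost-effective"
    if level > opt + band:
        return "not cost-effective"
    return "judgment"


def curve_table() -> list:
    """One row per control level: (level, potential loss, control cost, total, zone)."""
    return [(lvl, round(potential_loss(lvl)), control_cost(lvl),
             round(total_cost(lvl)), classify(lvl)) for lvl in LEVELS]


if __name__ == "__main__":
    for row in curve_table():
        print(row)
    print("optimum level:", optimum_level())
```

With these curves the total falls steeply over the first levels, bottoms out at level 3, and then climbs because each further level costs more than the loss it avoids; `marginal_benefit` makes that step-by-step comparison explicit, which is the judgment the text asks management to make at the edge of the optimum.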

Learning from controls mainly focuses on making them more efficient, but it’s equally important to ensure they are effective and appropriate. Internal audit plays a key role in assessing how well controls work and how efficiently they operate, helping organizations learn and improve their systems. When evaluating controls, it’s also essential to consider the level of reward being pursued. This means looking at both strategy and tactics, as well as how well hazard and compliance controls are functioning. Initially, as risk increases, organizations expect higher rewards, and the rewards typically grow faster than the risks. However, at some point, risks will continue to rise without any significant increase in reward, making it unwise to take on additional risks. In between these extremes, organizations may see small increases in reward with higher risks, and this is where management must decide if the additional risk aligns with the organization’s risk appetite. Sometimes, taking on extra risk for a small reward might be necessary to meet customer needs or achieve long-term goals. A similar evaluation applies to hazard risks, where the cost of adding controls must be weighed against the reduction in risk. When deciding on additional controls, organizations need to consider their risk appetite and make a careful judgment about the risks they are willing to accept to reach their strategic goals.

Example of Control of financial risks

1. Fraud: Fraud is a major financial risk for all organizations, and it can be committed by employees, customers, or suppliers. Sometimes, organizations themselves may commit fraud by falsely reporting their financial results, which is a focus of laws like the Sarbanes-Oxley Act. Fraud typically occurs when there is motivation, valuable assets to steal, an opportunity to commit fraud, and weak controls. To prevent fraud, organizations should also focus on reducing theft by implementing measures such as security fences, gates, guards, better lighting, and secure building access. It’s important to regularly assess how effective fraud controls are, an area in which internal audit is often involved. This review should look for financial or asset losses and identify weak areas in current controls. It should include a proactive analysis of vulnerable assets, responsible personnel, potential methods of fraud, and the strength of existing controls. Additionally, organizations should conduct an annual review of all fraud incidents and share these findings with the audit committee. A corporate fraud policy should be established to outline the organization’s approach to fraud, responsibilities for managing it, investigation methods, and resources for fraud detection. The policy should also include whistleblowing procedures and guidelines for handling suspected fraudsters. Fraud prevention and control can be divided into preventive, corrective, directive, and detective measures. Here are some methods organizations can use to reduce fraud:

  • Strengthen hiring procedures.
  • Reduce motivations for fraud.
  • Limit the number of assets that can be stolen.
  • Minimize opportunities for theft.
  • Increase supervision levels.
  • Improve financial controls and management systems.
  • Enhance fraud detection.
  • Keep better records.

2. Historical liabilities: One of the most challenging financial risks organizations face is dealing with historical liabilities. These are obligations resulting from past activities or acquired through the purchase of other companies, including their old liabilities. For industrial companies, one difficult area is exposure to substances that can cause long-term health issues. A key example is asbestos exposure, which can lead to mesothelioma—a serious lung-related cancer. Claims for such illnesses often arise 30 to 40 years after exposure, making it hard to verify insurance coverage or working conditions from that time. Another major area of historical liability is related to pension plans. In the past, many companies offered defined benefit pension plans, where the employer guaranteed a pension amount based on the employee’s final salary. In these plans, the employer bears the financial risks tied to the pension fund’s value and payouts. Recently, there has been a shift toward defined contribution pension plans, where employees contribute to their own pension funds, and the risks of fund value and retirement income are transferred to the employee. However, for companies with defined benefit plans, a key concern is liabilities to former employees who are no longer with the company but still have pension entitlements (called deferred benefits). Organizations have several options to manage these deferred benefit liabilities:

  • Offering former employees a payout to leave the pension scheme.
  • Transferring liabilities to an insurance company by paying a premium.
  • Moving deferred benefits into a captive insurance company.

Historical liabilities are particularly significant for long-standing organizations, as they may face claims from activities that occurred decades ago. These liabilities can be even harder to manage if the organization has become smaller or changed significantly over time. Companies involved in frequent mergers or acquisitions are also more exposed to these risks.

Examples of Control of Infrastructural Risks

1) Health and Safety at Work: One key concern for organizations regarding infrastructure risks is workplace health and safety. This area is heavily regulated and should be a top priority. While health and safety is a core part of risk management, it’s often handled as a separate function. The risks include legal action from regulatory authorities, lawsuits from injured employees, and disruptions caused by accidents or dangerous incidents. Many tools and techniques used in health and safety are also relevant to broader risk management, making collaboration with health and safety specialists crucial for success. Health and safety risk assessments have been standard practice for a long time. Simple assessments are used for low-risk activities, while high-risk activities require detailed, written evaluations. A risk assessment involves identifying hazards, understanding who might be harmed, and analyzing the severity of potential injuries. It should also document existing controls, additional steps needed, and ensure adequate safety measures to protect people. After assessing risks, organizations need to implement controls, including:

  • Preventive controls: To minimize risks.
  • Corrective controls: To manage hazards.
  • Directive controls: To regulate staff and exposure.
  • Detective controls: To spot early warning signs, such as stress affecting employees.

The specific workplace hazards to consider depend on the organization’s activities. Guidance exists for managing various risks, such as:

  • Dangerous machinery
  • Pressure systems
  • Noise and vibration
  • Electrical safety
  • Hazardous substances
  • Lifting and manual handling
  • Slips, trips, and falls
  • Display screen equipment
  • Human factors like repetitive strain injuries
  • Radiation
  • Driving and vehicle risks
  • Fire safety
  • Workplace stress

Understanding and addressing these risks ensures a safer workplace and better compliance with regulations.

2) Property fire protection: One of the biggest risks for businesses in manufacturing, warehousing, retail, and leisure is fire. Over half of businesses that experience a major fire never fully recover. Fire is especially damaging in industries like manufacturing, transportation, retail, hospitality, and residential settings. Strong building security can also help prevent arson. When planning for fire safety, organizations should consider the common causes of workplace fires, which include:

  • Electrical issues
  • Hot work (like welding)
  • Faulty machinery
  • Smoking materials
  • Flammable liquids
  • Poor housekeeping
  • Arson

The primary goal of fire safety measures is to protect people. This includes ensuring adequate fire exits, clear evacuation signs, proper building construction, and protected escape routes, supplemented by sprinkler systems where needed. In addition to protecting lives, businesses need to manage potential disruptions caused by fire. Fire prevention strategies often focus on:

  • Preventive measures, like maintaining electrical systems, avoiding ignition sources, and safely storing flammable materials.
  • Corrective measures, such as using sprinkler systems and fire barriers to contain fires.
  • Directive measures, which involve training employees on fire response, early reporting to fire authorities, and using fire extinguishers when safe.
  • Detective measures, like fire alarms, heat detectors, and routine fire patrols to catch fires early.

By combining these approaches, businesses can reduce the risk of fire, limit damage, and recover more effectively if an incident occurs.

3) IT security: For most organizations, IT infrastructure is a critical part of their operations. A computer system failure can cause major disruptions, making disaster recovery planning (DRP) for IT systems a key priority. Losing computer data can be a serious problem, often caused by hardware issues rather than software errors, power failures, or human mistakes. IT failures can lead to:

  • Losing customers or business
  • Damaging credibility or goodwill
  • Cash flow issues
  • Reduced service quality
  • Inability to pay staff
  • Delays in work or production
  • Loss of important data or financial controls

As organizations rely more on IT, they must identify potential losses and manage the risks. Common causes of IT issues include:

  • Theft of hardware
  • Unauthorized access to systems
  • Viruses or malware
  • Hardware or software failures
  • User errors, like accidental deletion
  • Failed IT projects

Organizations should create an IT policy to guide proper data use and protect their systems. This policy should cover responsibilities for IT systems, backup procedures, antivirus measures, handling personal data, limits on personal internet use, and restrictions on accessing inappropriate websites. While personal use of IT systems by employees is often allowed, it should be controlled to prevent misuse. Organizations must also comply with data protection laws regarding the handling of personal information, which are strict in many countries. IT failures are inevitable, so organizations need solid backup plans to minimize data loss. For businesses heavily reliant on IT, detailed DRPs should include options like:

  • Hot-start facilities: Fully prepared backup systems with up-to-date data.
  • Cold-start facilities: Basic backup systems without preloaded data.
  • Warm-start facilities: Systems that fall between hot and cold starts, with partial data and functionality ready.

Backup facilities can be onsite, in mobile units, or at alternative locations, ensuring continuity in case of a major IT issue.

4) HR risks: Every organization needs people to operate, whether they are employees, contractors, or volunteers. This means there are always risks related to managing human resources, regardless of the organization’s size, type, or activities. Key risks linked to human resources include:

  • Hiring, managing, and letting go of employees
  • Complying with employment laws and regulations
  • Recruiting, keeping, and maintaining skilled workers
  • Managing pensions
  • Handling performance issues and absences
  • Ensuring workplace health and safety

Large organizations usually have HR departments with specialized expertise. Traditionally, it was thought that smaller organizations faced fewer HR risks because employees often know each other well and work more closely together, reducing the chance of legal issues or conflicts. However, it is now clear that smaller organizations also face significant HR risks. To address this, many small organizations now provide staff handbooks that cover employment terms, including policies for sick leave, maternity leave, annual leave, appraisals, workplace behavior, and employee roles. Organizations must also ensure they comply fully with employment laws, including those related to diversity and non-discrimination based on ethnicity or physical ability. Beyond meeting legal requirements, organizations can benefit from clear and supportive recruitment, retention, and employment practices, which can create opportunities for growth and stronger employee relationships.

Example of Control of reputational risks

1) Brand Protection: An organization’s brand name is one of its most valuable assets, and protecting it from damage is essential. Brand damage can happen for several reasons, such as:

  • Changes in government policies
  • Shifts in the market or new competitors
  • Price wars or product specification challenges
  • Counterfeit goods
  • Misconduct by franchisees
  • Issues with sponsors or joint-venture partners

A recent trend is using well-known brands to sell unrelated products or services, like supermarkets offering insurance or fuel. While this “brand stretching” presents big opportunities, it needs to be done carefully to ensure it’s appropriate, credible, and successful. Many organizations understand the importance of their brands and look for ways to expand them. However, in large companies, responsibility for managing the brand can sometimes be unclear. Extending a brand into new products or industries should only happen when someone is clearly accountable for the brand’s success. Another trend is allowing branded concessions, like well-known catering brands operating cafes in department stores, or sports stadiums named after sponsors. Franchising is another common approach, where a brand is licensed to individuals or businesses. These methods help organizations maximize their brand’s value but come with significant risks and need careful management. Managing a franchise brand involves challenges, such as ensuring franchisees meet the brand owner’s expectations, which are often detailed in contracts. However, older franchises might not have the same strict agreements. Franchise owners typically provide extensive training, especially on product quality, and often require franchisees to source supplies from approved vendors to ensure consistency. Effective brand management and careful oversight of extensions, concessions, and franchises are critical to protecting and growing a brand’s value.

2) Environment: Global warming and its impact on individuals and organizations is a growing concern. Environmental issues can range from contaminated land and water to industrial emissions and the desire for organizations to be seen as environmentally friendly. Waste disposal is a significant issue for all organizations. Companies producing industrial waste must follow strict laws on how to handle and dispose of it. Even businesses that don’t produce industrial waste face challenges with commercial waste disposal, which can be expensive. Many countries require or strongly encourage recycling to reduce waste. Organizations are now focusing on reducing waste and adopting eco-friendly practices. In the public sector, recycling is often highly regulated, with targets that are closely monitored. Companies may choose to source environmentally friendly materials, implement recycling policies, and set up systems for collecting recyclable waste. Additionally, organizations can encourage employees to use public transport or reduce unnecessary travel to lower their environmental footprint. For industrial operations, strict rules and regulations govern environmental impacts, and enforcement agencies have the authority to ensure compliance. Regulators also consider public opinion and assess:

  • What environmental impacts might occur
  • How harmful those impacts are
  • The likelihood of the impacts happening
  • How often and where they might happen

Overall, organizations are increasingly expected to minimize their environmental impact and comply with both legal and social expectations for sustainability.

Example of Control of marketplace risks

1) Technology developments: One of the biggest challenges for organizations is keeping up with customer expectations, especially as technology keeps evolving. Companies that make tech-based consumer goods face constant challenges, but these also bring opportunities. Recent changes in home and mobile entertainment highlight this challenge. Not long ago, entertainment relied on CDs, but MP3 technology changed everything. Companies had to decide whether to switch to the new technology, which required significant investment and involved major risks. Those that made the right choices and influenced the market saw huge rewards. In fast-changing markets, having the right technology can be a big advantage, but predicting which technology will succeed is always difficult and expensive. Consumers choose new technology based on convenience, quality, price, and trends. Since these technologies are developed globally, only a few companies have the resources to fund the research, design, manufacturing, and supply of these products. To adopt new technologies, many organizations partner with others through joint ventures to share expertise and costs. Choosing the right partners is crucial. In some cases, competitors work together to agree on a common technology for global use. This strategy helps share research costs and avoids competition over technology. However, it also limits the chance for any one company to gain a major competitive advantage in the future.

2) Regulatory risks: Regulatory risk is one of the most challenging issues for many organizations. While compliance may seem straightforward, it can become complicated due to changes in regulations, differences in laws across regions, and shifting public attitudes. Different industries face varying levels of scrutiny and regulation depending on the location. For example, the sex industry and gambling are regulated very differently across the world, reflecting local public attitudes and legal frameworks. This makes it difficult for organizations to ensure compliance and maintain good relationships with regulators, especially when public opinion or laws are changing. Global insurance programs highlight some of these challenges. Two major issues in such programs are:

  • Paying insurance premium taxes in different countries.
  • Using “non-admitted insurance,” where an insurer operates in a country without being officially licensed there.

For instance, a global insurance policy might be issued by a company based in one country but cover operations in multiple countries. Each country has its own rules about paying insurance premium taxes and whether non-admitted insurance is allowed. Many countries require local insurers to handle policies, which increases costs. Organizations have limited options for managing regulatory risks. Compliance is essential for all business activities and often requires collaboration with third parties and advice from local experts. For insurance programs, this might involve working with local insurers in regions that don’t allow non-admitted policies or hiring fiscal representatives to handle tax payments. These steps ensure compliance but can add complexity and expense to operations.

Nature of Internal Control

Internal control in Enterprise Risk Management (ERM) refers to the processes, policies, and procedures established by an organization to ensure that risks are identified, assessed, and managed effectively. It helps the organization achieve its objectives by minimizing the likelihood of errors, fraud, or non-compliance while improving operational efficiency and safeguarding assets. Internal control can be defined as a system of policies, procedures, and practices implemented within an organization to provide reasonable assurance that the organization’s objectives related to operations, reporting, and compliance are achieved. Internal auditors refer to it as the “control environment”, ISO 31000 as the “risk management context” and COSO as the “internal environment”. CoCo (Criteria of Control) defines it as follows: “Internal control is all the elements of an organization that, taken together, support people in the achievement of the organization’s objectives. The elements include resources, systems, processes, culture, structure and tasks.” The IIA (Institute of Internal Auditors) defines it as “A set of processes, functions, activities, subsystems, and people who are grouped together or consciously segregated to ensure the effective achievement of objectives and goals.” COSO defines it as “A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • effectiveness and efficiency of operations;
  • reliability of financial reporting;
  • compliance with applicable laws and regulations.”

Internal control is a key part of managing an organization’s risks successfully. It includes the methods, procedures, and checks that help ensure the organization meets its goals. Internal controls are the steps management takes to plan, organize, and guide activities, providing reasonable confidence that objectives will be achieved. Internal control also reflects how well-developed an organization’s processes are for managing risks. According to ISO Guide 73, a control is any measure that changes risk. This could be a policy, procedure, tool, practice, or action used to reduce or manage risk. However, Guide 73 also highlights that controls may not always work as intended or have the expected impact on risk. Internal control includes the organization’s structure, planning, and setting of goals. It focuses on evaluating controls that help the organization meet its goals, execute its strategy, and seize business opportunities. To design effective internal controls, the organization should ensure systems and processes support:

  • Reliable operations,
  • Timely and accurate information,
  • Protection of assets,
  • Efficient use of resources,
  • Prevention and detection of fraud and errors.

Financial controls are a key part of internal control. These involve keeping accurate accounting records to reduce financial risks and ensure financial information is reliable for both internal use and public reporting. The main goal of internal control activities is to help the organization achieve its goals. They typically aim to:

  • Protect the organization’s assets,
  • Keep accurate records,
  • Improve efficiency and effectiveness,
  • Follow policies, procedures, and control measures,
  • Ensure reliable reporting inside and outside the organization,
  • Comply with laws and regulations,
  • Protect the interests of shareholders and stakeholders.

The internal control system includes both the control activities and the structure and responsibilities that support them. This system helps leaders confidently guide the organization, whether times are good or challenging. Another purpose is to protect resources and maintain proper records and accountability systems. The purpose of the control environment is to ensure consistent and effective responses to risks and crises. A strong control environment helps implement preplanned actions efficiently during a crisis. Various methods can evaluate the control environment, including models like LILAC, CoCo, and risk maturity frameworks such as FOIL and the 4Ns. Using a maturity model helps assess the current state of the control environment and guides improvements to increase risk awareness across the organization. Frameworks like LILAC or CoCo can be chosen to drive and measure these improvements. The success of these efforts is reflected in the organization’s risk maturity level, as evaluated by models like FOIL and the 4Ns. Achieving higher risk maturity allows for more advanced and effective risk management. These models also help benchmark an organization’s risk management practices, setting targets to further enhance risk maturity over time.

1. LILAC Model: The LILAC model stands for:

  • Leadership: The tone set by leadership, ensuring ethical values and risk awareness.
  • Integrity: Upholding honesty, transparency, and consistency in operations.
  • Learning: Adopting a culture of continuous improvement and learning from past events.
  • Accountability: Clear responsibilities and ownership for decisions and actions.
  • Communication: Transparent and effective information sharing throughout the organization.

The LILAC model focuses on building a strong control environment by fostering ethical leadership, clear accountability, and robust communication.

2. CoCo Model: The CoCo (Criteria of Control) model, developed by the Canadian Institute of Chartered Accountants, provides a broad framework for evaluating internal controls. It has four key components:

  • Purpose: Ensuring objectives are defined and aligned with the organization’s vision.
  • Commitment: Promoting ethical values, competence, and employee engagement.
  • Capability: Ensuring resources, skills, and processes are in place to achieve objectives.
  • Monitoring and Learning: Continuously reviewing and improving processes and controls.

The CoCo model emphasizes not only achieving goals but also sustaining a culture of improvement and learning.

3. FOIL Model: The FOIL (Four Levels of Risk Maturity) model is a maturity framework to assess the progress of an organization’s risk management. The levels include:

  • Fragmented: Basic and inconsistent risk management practices.
  • Organized: Some systematic risk processes, but not fully integrated.
  • Integrated: Risk management embedded into core decision-making.
  • Leading: Proactive and innovative risk management practices that influence strategy and culture.

This model helps organizations measure their risk management maturity and set goals for improvement.

4. 4Ns Model: The 4Ns model of risk maturity evaluates an organization’s control environment and risk awareness:

  • Naïve: No formal risk management; reactive and unstructured responses to risks.
  • Novice: Initial awareness of risks with some basic controls in place.
  • Normal: Risk management practices are standardized and integrated across the organization.
  • Natural: Risk management is embedded in the culture and instinctively part of decision-making.

This model provides a simple way to identify and enhance an organization’s maturity in managing risks.

Control Environment

The Criteria of Control (CoCo) framework, developed by the Canadian Institute of Chartered Accountants (CICA), provides a structured approach to evaluating the quality of an organization’s control environment. It emphasizes that a strong control environment is essential for effective risk management and internal control processes. The framework consists of four interconnected components that form a continuous cycle: having clear goals and objectives, a strong understanding of the organization’s purpose and values, the necessary skills and abilities to meet objectives, and the ability to adapt and improve over time. Together, these elements help ensure the organization operates efficiently and maintains effective controls.

The control environment, called the “internal environment” in the COSO ERM framework, reflects the organization’s risk culture. Many organizations use the CoCo framework to assess their compliance with the internal control part of the COSO ERM framework. This approach combines the CoCo framework with the other seven components of the COSO ERM framework.

Components of the CoCo framework

Purpose

  • Objectives should be established and communicated.
  • Significant internal and external risks should be identified and assessed.
  • Policies should be established, communicated and practised.
  • Plans should be established and communicated.
  • Plans should include measurable performance targets and indicators.

Commitment

  • Shared ethical values should be established, communicated and practised.
  • HR policies should be consistent with ethical values.
  • Authority, responsibility and accountability should be clearly defined.
  • Mutual trust should be fostered to support the flow of information.

Capability

  • People should have the necessary knowledge, skills and tools.
  • Communication processes should support the values of the organization.
  • Sufficient and relevant information should be identified and communicated.
  • Decisions and actions within the organization should be co-ordinated.
  • Control activities should be designed as an integral part of the organization.

Monitoring and learning

  • Environment should be monitored to re-evaluate controls.
  • Performance should be monitored against the targets.
  • Assumptions behind objectives should be periodically challenged.
  • Information needs and related information systems should be reassessed.
  • Procedures should be established to ensure appropriate actions occur.
  • Management should periodically assess the effectiveness of control.

The CoCo framework explains its approach by emphasizing that tasks are completed effectively when individuals understand the purpose, have the necessary skills, feel committed to doing the task well, and monitor their performance and surroundings to improve and adapt as needed. This principle applies to any organization, where control relies on these components. CoCo shares similarities with the LILAC approach to measuring risk culture, which highlights leadership, involvement, learning, accountability, and communication as essential for embedding risk management. Organizations can choose how to assess their control environment or risk-aware culture, but it is clear that a strong risk culture is essential for successful risk management. Although CoCo is an internal control framework, it is relevant to risk management because of its strong connection to internal control activities. It also provides a useful way to evaluate an organization’s risk culture. CoCo identifies three main objectives for controls: ensuring operations are effective and efficient, maintaining reliable internal and external reporting, and ensuring compliance with laws, regulations, and internal policies.

The COSO and CoCo frameworks differ significantly, though they share some key similarities. CoCo takes a broader view of the control environment than COSO. For instance, CoCo emphasizes the need for controls in areas such as setting objectives, strategic planning, and corrective actions. It also highlights the importance of the control environment in decision-making processes. When evaluating the control environment using CoCo, a company might score well on purpose, commitment, and capability but perform poorly in monitoring and learning. This insight can guide the company to focus more on challenging objectives and questioning underlying assumptions. To address these gaps, the company might implement better auditing processes and introduce structured reviews of risk management and internal controls by senior management.

CoCo differs from COSO in explicitly addressing certain issues, including exploiting opportunities, addressing weaknesses in business resilience, the role of individual trust in shaping the control environment, and periodically questioning assumptions. In the COSO framework, the control environment is the first component and emphasizes key factors such as the organization’s commitment to integrity and ethical values, board oversight of internal controls, management’s role in setting structures and responsibilities, attracting and retaining competent individuals, and holding people accountable for their control responsibilities.

  • Components of a good risk culture: A strong risk culture promotes consistent awareness, behavior, and decision-making about risks within a solid risk governance framework. It supports effective risk management, encourages appropriate risk-taking, and ensures that new or excessive risks are identified, evaluated, escalated, and addressed. A good risk culture focuses on: 1) achieving a balance between risk and reward that aligns with the organization’s risk appetite, 2) having an effective system of controls suitable for the organization’s size and complexity, 3) ensuring risk models, accurate data, and tools are reliable and open to scrutiny, and 4) investigating any policy violations, limit breaches, or operational issues, with appropriate corrective actions taken when needed.

CoCo framework of internal control

The CoCo framework has four key components that focus on effective internal control. The first component emphasizes setting clear objectives, identifying internal and external risks, and establishing policies to support the organization’s goals. It also highlights the importance of having measurable targets and performance indicators to track progress. CoCo stresses that organizations must analyze risks and opportunities in detail, assess resilience, and understand the sources of risk. The second component, commitment, focuses on shared ethical values like integrity, clear communication, and fostering trust. It also includes defining authority, responsibility, and accountability, as well as creating supportive human resource practices. The third component, capabilities, ensures that people have the skills and knowledge needed to achieve organizational goals. It emphasizes effective communication of relevant information, coordination of activities, and integration of these processes into the organization. The final component, monitoring and learning, involves keeping track of both internal and external environments to gather valuable insights. It recommends regularly evaluating performance against targets and questioning the assumptions behind objectives. When objectives change, the organization should reassess its information needs and adapt systems accordingly. Additionally, management should periodically evaluate the effectiveness of controls and share the findings with stakeholders.

Risk Response

https://preteshbiswas.com/wp-content/uploads/2024/11/Understanding-Risk-Response-Appetite-and-Capacity.wav

Once the risks have been analyzed, it will be necessary to decide how to respond to them. Risk evaluation is the point in risk assessment at which a decision is taken on whether or not to respond to a risk. A risk must cross a threshold before the organization responds to it, and this threshold is known as risk appetite. Risk appetite is the amount and type of risk that an organization is willing to take on to achieve its goals and objectives. It represents the organization’s tolerance for risk in pursuit of its mission, whether in terms of financial risks, operational challenges, reputational risks, or other types. Risk appetite is typically defined by senior leadership and is influenced by factors like organizational culture, stakeholder expectations, regulatory requirements, and the nature of the organization’s industry.

Risk response is the process of developing strategies and actions to manage identified risks effectively. It involves deciding how to handle each risk based on its potential impact and likelihood. The goal of a risk response is to minimize the negative effects of risks or maximize the benefits of opportunities. There are typically four main risk response strategies, often called the “4 Ts” for threats and the “4 Es” for opportunities:

4 T:

  1. Transfer: Shifting the risk to another party. This might include buying insurance, outsourcing certain activities, or entering into contracts that assign responsibility to others.
  2. Treat (Mitigate): Reducing the likelihood or impact of the risk. This involves taking action to lessen the risk, such as improving controls, implementing safety measures, or enhancing employee training.
  3. Terminate (Avoid): Eliminating the risk by not engaging in the activity that introduces it. If a risk is too great, an organization might choose to avoid it altogether by changing its strategy, choosing a different approach, or abandoning certain projects.
  4. Tolerate (Accept): Accepting the risk without taking further action. This is often chosen when the risk is low or when the cost of other responses outweighs the potential impact of the risk.
Figure 1

This figure suggests that in each of the four quadrants of the risk matrix, one of the 4Ts will be dominant, as follows:

  • Tolerance will be the dominant response for low-likelihood/low-impact risks.
  • Treat will be the dominant response for high-likelihood/low-impact risks.
  • Transfer will be the dominant response for high-impact/low-likelihood risks.
  • Terminate will be the dominant response for high-impact/high-likelihood risks.

It’s important to understand that the responses shown in each area of the risk matrix are just the main or most likely approach, but sometimes a different or additional response might be needed. For example, if there are high-impact and high-likelihood risks involved in essential activities, the organization might not be able to avoid these risks. In such cases, it may not be possible to “terminate” the risk. One challenge with a simple risk matrix that shows the 4Ts (tolerate, transfer, treat, terminate) is that a slight change in a risk’s impact or likelihood could move it from one response category to another, like from “terminate” to “tolerate.” Some organizations might be forced to keep a risk that goes beyond their risk tolerance or even their capacity, as with firefighters who face critical risks that can only be tolerated, even after applying all possible safety measures. When an organization has no choice but to tolerate high-level risks, they typically increase monitoring to quickly introduce better controls as soon as they are available.

4 E

  1. Explore: Seek out and investigate potential opportunities that align with the organization’s goals. This involves scanning the environment, researching emerging trends, and identifying areas with growth potential.
  2. Expand: Once an opportunity is identified, consider ways to broaden or enhance it, possibly by developing complementary services, targeting new customer segments, or adding resources to grow the opportunity.
  3. Exploit: Fully utilize the opportunity to capture as much benefit as possible. This means implementing actions that will maximize the opportunity’s positive impact, such as increasing investment, scaling production, or accelerating market entry.
  4. Exit: Evaluate when an opportunity is no longer viable or advantageous, and plan for a structured exit. This can help limit costs or risks associated with diminishing returns and refocus efforts on more promising opportunities.
Figure 2

The 4T of hazard response

The organization should aim to implement efficient controls to minimize compliance risks, with the benchmark for significance set to reflect a meaningful impact level. After identifying priority significant risks, the organization should review current controls and decide if further actions are needed. For hazard risks, the range of responses is often referred to as the 4Ts (Tolerate, Transfer, Treat, and Terminate). There are various terms for risk response options. British Standard BS 31100 and ISO 31000, for instance, use the term “risk treatment” as a broad description. The British Standard defines it as the “process of developing, selecting and implementing controls,” while ISO 31000 describes it as the “development and implementation of measures to modify risk.” This text uses the Orange Book terminology for the risk response phase, identifying the options as the 4Ts. Each of the 4Ts is the primary response for one region of the risk matrix. For risks that are low likelihood and low impact, the main response is to tolerate them. For risks with a high likelihood but low impact, the response is usually to treat them. For risks that have a low likelihood but high impact, the typical response is to transfer them. And for risks with both high likelihood and high impact, the primary response is to terminate them.

  • Tolerate (Accept/retain): The exposure may be tolerable without any further action being taken. Even if it is not tolerable, the ability to do anything about some risks may be limited, or the cost of taking any action may be disproportionate to the potential benefit gained.
  • Treat (Control/reduce): By far the greater number of risks will be addressed in this way. The purpose of treatment is that, whilst continuing within the organization with the activity giving rise to the risk, action (control) is taken to constrain the risk to an acceptable level.
  • Transfer (Insurance/contract): For some risks the best response may be to transfer them. This might be done by conventional insurance, or it might be done by paying a third party to take the risk in another way. This option is particularly good for mitigating financial risks or risks to assets.
  • Terminate (Avoid/eliminate): Some risks will only be treatable, or containable to acceptable levels, by terminating the activity.

Examples of key dependencies and the significant risks attached to them, for the Financial, Infrastructure, Reputational and Marketplace components of the FIRM risk scorecard:

1. Financial

  • Availability of funds: Insufficient funds available from the parent company
  • Correct allocation of funds: Inadequate profit because of incorrect capital expenditure decisions
  • Internal control: Fraud occurs because of inadequate internal controls
  • Liabilities under control: Higher than expected liabilities arise in the pension fund

2. Infrastructure

  • People: Failure to achieve/maintain health and safety standards
  • Premises: Damage to key location caused by insured peril
  • Processes: IT control systems not available because of virus or hacker activity
  • Products: Disruption because of failure of the supplier

3. Reputational

  • Brand: Product recall causes damage to product image and brand
  • Public opinion: Lost sales or revenue because of change in public tastes
  • Regulators: Regulator enforcement action causes loss of public confidence
  • CSR: Allegations of unethical product sourcing cause loss of sales

4. Marketplace

  • Regulatory environment: Change in tax regime results in unbudgeted tax demands
  • Economic health: Decline in world or national economy reduces consumer spending
  • Product development: Changes in technology reduce product appeal and sales
  • Competitor behavior: Competitor substantially reduces prices to win market share

The table above shows examples of key risks linked to the FIRM risk scorecard. By assessing each risk, the organization can map it on a risk matrix, and its position on the matrix suggests the best response for managing it. If the risk assessment is based on the current level of risk, the effect of existing controls has already been taken into account in the assessment. Here are examples of each of the 4Ts (Tolerate, Treat, Transfer, Terminate) as responses to the risk of production loss in an oil and gas company. Each approach helps manage the potential production loss in ways aligned with the company’s risk tolerance and objectives.

  • Tolerate: The company may decide to tolerate minor production losses due to regular equipment maintenance. Since these losses are expected, low impact, and cannot be entirely avoided, the company accepts them as part of routine operations.
  • Treat: To minimize production loss, the company could improve maintenance protocols, upgrade equipment, or introduce predictive maintenance technology to identify potential issues early. This treatment reduces the risk of unexpected breakdowns causing significant production downtime.
  • Transfer: The company might transfer some of the financial impact of production loss by purchasing business interruption insurance. This way, if production is interrupted due to an unforeseen event (e.g., equipment failure), the insurance will cover a portion of the financial loss.
  • Terminate: For a high-impact risk, such as a production stoppage caused by a location vulnerable to severe weather events, the company might decide to terminate this risk by relocating production to a safer, more stable area. This eliminates the risk of production loss due to extreme weather in that location.

Tolerate risk

Tolerating risk means deciding to accept a risk without taking any further action to reduce it. This approach is usually chosen when:

  1. The risk level is low, and any potential negative impact is minor.
  2. The cost or effort required to reduce the risk outweighs the benefits of doing so.
  3. There are already sufficient controls in place, and the organization believes the risk is manageable.

In cases of tolerating a risk, the organization might monitor the risk closely to ensure it remains acceptable, but it won’t actively work to eliminate or reduce it. This approach allows resources to be focused on more significant risks that need attention. Risk tolerance is how much risk an organization or its stakeholders are willing to accept after managing risks, to reach their goals. This tolerance can be affected by legal or regulatory demands, meaning that sometimes organizations must accept certain risks due to these rules, even if they’d rather not. Tolerance applies to specific risks, while “risk appetite” is the broader level of risk an organization is generally willing to take. The terms “tolerating risk” and “risk tolerance” can sometimes be confusing. To “tolerate” a risk means being willing to keep a risk, even if it’s higher than what the organization would ideally accept. On the other hand, “risk tolerance” is often used to describe the acceptable range of risk. An organization may need to tolerate risks that are above its comfort level or even beyond its capacity, but this is usually temporary, as it makes the organization more vulnerable. When a risk fits within the organization’s appetite, it becomes more tolerable. Generally, organizations will accept low-probability risks with low impact, or even higher risks if they are tied to profitable activities or core processes. Usually, hazard risks aren’t accepted until all reasonable controls are in place, which makes the risk tolerable at its current level. Controls aim to lower the risk’s likelihood and impact. Sometimes, organizations balance one risk with another, such as through risk hedging or partnerships. For example, an electricity company operating in the northern U.S. might partner with a company in the south. This partnership would balance the risk of seasonal demand changes, allowing each company to benefit from steady sales across different climates and seasons.

Treat Risk

Treating risk means taking steps to manage or reduce it to an acceptable level. This can include actions like implementing safety measures, creating contingency plans, improving processes, or using insurance. The goal of risk treatment is to minimize the likelihood or impact of potential risks, so they are less harmful to the organization. Risk treatment is part of the larger risk management process, and it usually involves deciding whether to avoid, reduce, transfer, or accept the risk based on the organization’s risk tolerance and objectives. When the likelihood of a risk happening is high, but the potential damage is low, the organization will want to manage or treat the risk. Risk treatment usually happens with the current risk level in mind, so that once the treatment is applied, the new risk level may become acceptable. Risk management actions are always being reviewed. For example, wearing a seatbelt while driving or installing a security alarm in a home are ways of reducing risk. In terms of physical risks, improvements like adding sprinklers to buildings, upgrading security, or vetting employees are examples of actions to better manage risks. When choosing the right way to treat a risk, the organization must consider how the treatment affects the likelihood of the risk happening and what the impact would be if it does happen. Cost-effective solutions should be chosen, and their effect can be shown on a risk matrix. The term “treat risk” can be understood in different ways. ISO 31000 sees “treating risk” as the main category, with several options, such as:

  • Avoiding the risk by not starting or continuing the activity
  • Taking on more risk to pursue an opportunity
  • Removing the risk source
  • Changing the likelihood or impact of the risk
  • Sharing the risk with others
  • Accepting the risk by making an informed decision

Other risk management standards use the term “risk response” instead of “treat risk,” and this chapter follows that approach, which includes options like tolerating, treating, transferring, or terminating the risk. The organization should define its own risk-related terms, making sure they are consistent with its internal and external context. In some cases, external rules may dictate the terminology, such as for banks and financial institutions. If an organization already has its own terminology, it’s usually better to stick with that, rather than introducing new terms that might not match existing practices.

Transfer Risk

Transferring risk involves shifting the potential impact of a risk to a third party, so the organization is less affected if the risk occurs. Common ways to transfer risk include purchasing insurance, outsourcing certain activities, or creating contracts that pass responsibility to another entity. For example, an organization might buy insurance to cover potential financial losses from property damage, or it might outsource certain operations to another company that specializes in managing specific risks. Transferring risk doesn’t eliminate it, but it reduces the burden on the organization by sharing or moving the risk elsewhere. When the likelihood of a risk happening is low but the potential damage is high, the organization may want to transfer the risk. A common way to do this is through insurance, which helps cover the financial loss caused by risks. In some cases, transferring the risk is closely tied to the goal of completely eliminating or ending the risk. However, some risks can’t be transferred to insurance because the premiums are too expensive or the risks aren’t insurable. Risk transfer can also be done through contracts or by finding a partner to share the risk, like in a joint venture. Risk hedging or neutralizing can also be considered as ways to transfer risk, as well as treat it. The cost of transferring risk is part of risk financing, which involves setting aside funds to cover the financial impact if the risk happens. This is usually done through insurance. Risk financing covers the cost of making financial arrangements in case a risk occurs. The cost includes funds needed for treating the risk. ISO 31000 suggests that risk sharing should be preferred over risk transfer because no risk can be fully transferred, no matter the intention.

Terminate Risk

Terminal risk refers to a risk so severe or critical that, if it materializes, it could result in the failure or collapse of an organization, project, or system. It represents the type of risk that poses an existential threat, leaving no room for recovery or continuity.

Examples of terminal risks include:

  • Bankruptcy due to unsustainable financial losses.
  • Reputational damage so significant that it leads to the loss of all stakeholder trust.
  • Regulatory violations that result in the closure of operations.
  • Catastrophic system failures in critical industries like healthcare or transportation.

Organizations typically aim to eliminate terminal risks through preventive actions, contingency planning, or by avoiding the risky activity altogether. If the risk cannot be eliminated, significant control measures are implemented to minimize its impact as much as possible. When a risk is both very likely to happen and could cause serious harm, the organization will aim to eliminate it. For example, risks from trading in certain regions or using harmful chemicals might be considered unacceptable by the organization or its stakeholders. In such cases, the organization might stop the risky activity, find a safer alternative, or outsource it to reduce the risk.

However, there are times when the activity causing the risk is essential for the organization’s operations. In these situations, it might not be possible to completely eliminate the risk. Instead, the organization will need to put in place other measures to manage it. This challenge is common in public services, where certain activities must continue because they are legally required. Even if the risks are high, public service organizations may not have the option to stop the activity. Instead, they must find cost-effective ways to control the risks. These controls often involve a mix of risk treatment and risk transfer. As the controls are applied, the risk level can be reduced to a point where it becomes manageable. However, not all risks can be reduced to within the organization’s comfort zone. In some cases, the organization may need to accept risks that exceed its usual limits to keep essential activities running.

Strategic risk response

Strategic risk response is the process of managing risks that could significantly impact an organization’s long-term goals, competitive position, or overall strategy. It involves making deliberate decisions on how to handle risks in a way that aligns with the organization’s objectives, risk appetite, and resources. Strategic risk responses aim to address risks at a high level, often focusing on opportunities and threats that arise from market changes, regulatory shifts, technological advancements, or other external factors. Types of Strategic Risk Responses:

  • Avoid the Risk: Stop or avoid activities that expose the organization to unacceptable risks. Example: Exiting a market with unstable political conditions.
  • Accept the Risk: Decide to proceed with an activity despite the risk, often because the potential rewards outweigh the risk. Example: Expanding into a new market despite uncertainty.
  • Mitigate the Risk: Take actions to reduce the likelihood or impact of the risk. Example: Diversifying suppliers to reduce dependency on a single source.
  • Transfer the Risk: Shift the financial or operational burden of the risk to another party, such as through insurance or partnerships. Example: Using insurance to cover potential losses.
  • Exploit Opportunities: Treat some risks as opportunities, leveraging them to gain a competitive advantage. Example: Investing in innovative technology that competitors hesitate to adopt.

Strategic risk response is critical for ensuring that risks are managed proactively, enabling the organization to remain resilient and adaptable while pursuing its goals. Managing control and opportunity risks is similar to managing hazard risks, but there are some key differences in the options available. These differences are important enough to be explained separately. It’s also helpful to remember that projects are usually the actions taken to implement a broader strategy. The “4Ts” framework (Tolerate, Treat, Transfer, Terminate) is commonly used for managing hazard risks, with specific controls linked to each approach. On the other hand, the “4Es” framework (Exist, Explore, Exploit, Exit) outlines responses for managing opportunity risks. To develop and execute an effective strategy, an organization must assess both the risks and the potential rewards of each option. The 4Es relate closely to the organization’s stage of development:

  1. Exist: The organization establishes itself in the market.
  2. Explore: Entrepreneurial opportunities are pursued, but risks and rewards remain high.
  3. Exploit: During growth, the organization achieves higher rewards while reducing risk, aiming to maximize gains until competition increases.
  4. Exit: If growth slows or risks remain too high, the organization may choose to leave certain operations.

In the mature phase, the organization continues to exploit opportunities, balancing lower risks with steady but reduced rewards. Over time, mature operations may decline, but some organizations choose to remain in these markets because both risks and rewards are low.

Figure 3.

The use of the 4Es (Exist, Explore, Exploit, Exit) to manage strategic, opportunity, or speculative risks aligns with the relationship between risk and reward shown in Figure 3. For many organizations, focusing on opportunity risks and setting strategic goals are top priorities. However, the input of risk management into strategic decisions is often less structured and thorough compared to its role in operations and projects. In Figure 2, the main responses and controls for each quadrant are similar to how the 4Ts are used in hazard risk management. For example:

  • Operating in a mature or declining market (Exist) is like accepting uncertainty and tolerating hazard risks.
  • Exploring new opportunities (Explore) is similar to finding ways to treat hazard risks.

The key differences emerge when managing opportunities during the Exploit and Exit stages, compared to managing hazards and uncertainties. Figure 4 refines Figure 2 by analyzing the high-risk, high-reward zone in more detail, considering the associated risks more carefully.

Figure 4

Exiting an opportunity might be the right choice if the organization lacks the appetite, capacity, or resources to pursue it and can’t or won’t find a partner to share or buy into it. Still, most organizations with a promising opportunity aim to benefit from it in some way. Selling the opportunity can provide a profitable way out, but partnering in a joint venture might be a better long-term option. A joint venture reduces the organization’s risk but also means sharing the rewards. The decision depends on the organization’s strategy, risk appetite, capacity, and the availability of suitable partners. Beyond joint ventures, organizations can share risks through outsourcing, distributing some risk to others in the supply chain. Figure 4 outlines a flow from exploring opportunities (start-up), to expanding (growth), to exploiting opportunities (maturity), and eventually existing in a declining phase. While similar to Figure 3, Figure 4 adds an option to exit during the growth phase if pursuing the opportunity exceeds the organization’s risk appetite or capacity. This approach adjusts the 4Es framework to a “5Es” model, reflecting this added flexibility. An example of this extended approach is shown, although it uses slightly different terminology, as is common in risk management.

Opportunity evaluation and response: The goal of evaluation and response is to determine which opportunities need action and decide on the best way to respond. Here are the main strategies to consider, which can be used individually or together:

  • Enhance: Similar to mitigating a risk, this involves increasing the likelihood or impact of an opportunity to make it more beneficial.
  • Exploit: Like avoiding a risk, this approach ensures the opportunity is fully realized.
  • Ignore: Similar to accepting a risk, this means taking no specific action and letting the opportunity play out naturally, reacting only if needed.
  • Share: This involves partnering with someone who can better manage or maximize the opportunity, increasing the chance of success.

Risk appetite

Risk appetite refers to the amount and type of risk an organization is willing to accept or take on in pursuit of its goals and objectives. It reflects the organization’s tolerance for uncertainty and potential negative outcomes, balanced against the potential rewards of its actions or decisions. ISO Guide 73 defines risk appetite as “the amount and type of risk that an organization is willing to pursue or retain”. The Orange Book defines it as “the amount of risk that an organization is prepared to accept, tolerate or be exposed to at any point in time”. The CIIA defines it as “the level of risk that is acceptable to the board or management. This may be set in relation to the organization as a whole, for different groups of risks or at an individual risk level”. The IIR describes risk appetite as the amount of risk that an organization is willing to seek or accept in the pursuit of long-term objectives. Key Characteristics of Risk Appetite:

  • Strategic Alignment: It is tied to the organization’s mission, vision, and strategic goals, ensuring that the level of risk taken aligns with its overall priorities.
  • Varies by Risk Type: Different areas of the organization may have different levels of risk appetite. For example, a company may have a high risk appetite for innovation but a low risk appetite for regulatory compliance breaches.
  • Dynamic: Risk appetite can change over time due to internal factors (e.g., financial health, leadership changes) or external factors (e.g., market conditions, regulatory shifts).
  • Stakeholder Consideration: It often incorporates the expectations and perspectives of stakeholders, including investors, customers, employees, and regulators.

Here are examples of high, moderate, modest, and low risk appetites, specifically for an oil and gas company:

  1. High Risk Appetite
    • Deepwater Exploration in Unstable Regions: Investing in drilling projects in politically unstable or environmentally sensitive regions, despite high costs and potential regulatory backlash, due to the possibility of significant oil and gas reserves.
    • Adopting Unproven Extraction Technology: Experimenting with cutting-edge techniques such as enhanced oil recovery (EOR) methods to maximize production, despite uncertain success rates.
  2. Moderate Risk Appetite
    • Expanding into Emerging Markets: Entering developing countries with growing energy demands and moderate geopolitical risks to establish a market presence.
    • Developing Renewable Energy Projects: Investing in solar, wind, or hydrogen energy projects to diversify energy portfolios, balancing risks with long-term sustainability goals.
  3. Modest Risk Appetite
    • Incremental Upgrades to Facilities: Modernizing existing refineries or pipelines to improve efficiency and safety while avoiding major new capital expenditures.
    • Partnerships with Local Operators: Collaborating with regional oil companies to reduce risk exposure in exploration and production projects.
  4. Low Risk Appetite
    • Focusing on Core Operations: Prioritizing stable, mature oil fields with established production rates rather than exploring new, high-risk sites.
    • Compliance and Safety First: Investing heavily in regulatory compliance, environmental safety measures, and worker safety protocols to avoid legal and reputational risks.
    • Hedging Against Market Volatility: Using financial instruments to protect against fluctuations in oil and gas prices, ensuring stable revenue streams.

Risk appetite is a key idea in risk management but can be hard to define and apply. It is often linked to the risk criteria an organization sets, which are used during the process of ranking risks based on how likely they are to happen and their potential impact. Risk appetite refers to how much risk an organization is willing to take in the short term to carry out an activity. In contrast, risk attitude and risk criteria reflect the organization’s longer-term perspective on risk. A challenge with risk appetite is that organizations typically focus on their willingness to continue operations, start a project, or pursue a strategy, rather than having a direct appetite for risk itself. In other words, risk appetite and exposure result from business decisions rather than driving them. Risk appetite decisions are made alongside other business considerations, not in isolation. Risk management standards recommend that risks be evaluated in the context of the organization’s strategy, operations, and compliance activities. Questions about risk appetite can only be answered when these broader contexts are considered. Some businesses may achieve profits but take on too much risk or fail to use their risk-taking capacity wisely. Risk capacity is the organization’s ability to handle risk, while risk exposure is the total value of everything at risk. Risk appetite, on the other hand, is the amount of resources the organization’s leadership is willing to put at risk. Many organizations haven’t clearly defined their risk appetite, calculated their actual risk exposure, or assessed their capacity to handle risk. This gap can lead to inefficient or excessive risk-taking.
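As an added worked example (not part of the original page, and not any standard's own tooling), the following Python script ties together two passages above: the mapping of each quadrant of the risk matrix to a dominant 4T response, including the cliff-edge problem where a small change in likelihood or impact flips the category, and the distinction between risk exposure, risk appetite and risk capacity. The 1-to-5 scales, the "above 3 is high" threshold, the expected-loss formula, the monetary figures and the sample register entries are all constructed assumptions for illustration; the sample risks loosely follow the FIRM examples given earlier.

```python
"""Added worked example (not from the original page): a small risk-register
evaluator that maps each risk's current (residual) position on a
likelihood/impact matrix to the dominant 4T response, shows how a one-step
change can flip the response category, and compares total exposure with
risk appetite and risk capacity. Scales, thresholds, the exposure formula
and all sample risks are constructed assumptions for illustration."""
from dataclasses import dataclass

SCALE_MAX = 5        # assumed 1..5 scoring scale for likelihood and impact
HIGH_THRESHOLD = 3   # assumed: a score above 3 counts as "high"


def clamp(score):
    """Keep a score on the assumed 1..SCALE_MAX scale."""
    return max(1, min(SCALE_MAX, score))


@dataclass
class Risk:
    name: str
    likelihood: int                # inherent likelihood, 1..5
    impact: int                    # inherent impact, 1..5
    value_at_risk: float           # constructed monetary figure for exposure
    likelihood_reduction: int = 0  # effect of existing controls on likelihood
    impact_reduction: int = 0      # effect of existing controls on impact

    def residual(self):
        """Current level of risk: existing controls already taken into account."""
        return (clamp(self.likelihood - self.likelihood_reduction),
                clamp(self.impact - self.impact_reduction))


def dominant_4t(likelihood, impact):
    """Dominant response for each quadrant of the risk matrix (the 4Ts)."""
    high_l = likelihood > HIGH_THRESHOLD
    high_i = impact > HIGH_THRESHOLD
    if high_l and high_i:
        return "Terminate"
    if high_l:
        return "Treat"
    if high_i:
        return "Transfer"
    return "Tolerate"


def exposure(risk):
    """Constructed expected-loss model: value at risk scaled by residual scores."""
    l, i = risk.residual()
    return risk.value_at_risk * l * i / (SCALE_MAX * SCALE_MAX)


def boundary_sensitivity(risk):
    """Which one-step changes in likelihood or impact would change the response?
    Illustrates the cliff-edge problem of a simple 4T matrix."""
    l, i = risk.residual()
    base = dominant_4t(l, i)
    flips = {}
    for dl, di in ((1, 0), (-1, 0), (0, 1), (0, -1)):
        moved = dominant_4t(clamp(l + dl), clamp(i + di))
        if moved != base:
            flips[(dl, di)] = moved
    return base, flips


def assess_register(risks, appetite, capacity):
    """Per-risk responses plus a total-exposure check against appetite and capacity."""
    total = sum(exposure(r) for r in risks)
    return {
        "responses": {r.name: dominant_4t(*r.residual()) for r in risks},
        "total_exposure": total,
        "exceeds_appetite": total > appetite,  # leadership unwilling to carry this much
        "exceeds_capacity": total > capacity,  # organization unable to carry this much
    }


# Constructed sample register, loosely following the FIRM examples above.
SAMPLE_RISKS = [
    Risk("IT systems unavailable (malware)", 4, 2, 200_000),
    Risk("Key site damaged by insured peril", 1, 5, 2_000_000),
    Risk("Minor production loss (routine maintenance)", 3, 1, 50_000),
    # Fraud: inherently high/high, but existing internal controls cut likelihood
    Risk("Fraud via inadequate internal controls", 4, 4, 500_000, likelihood_reduction=2),
]
SAMPLE_APPETITE = 500_000    # constructed figure
SAMPLE_CAPACITY = 1_000_000  # constructed figure

if __name__ == "__main__":
    result = assess_register(SAMPLE_RISKS, SAMPLE_APPETITE, SAMPLE_CAPACITY)
    for name, response in result["responses"].items():
        print(f"{response:10s} {name}")
    print("total exposure:", result["total_exposure"],
          "| exceeds appetite:", result["exceeds_appetite"],
          "| exceeds capacity:", result["exceeds_capacity"])
    print("boundary check:", boundary_sensitivity(SAMPLE_RISKS[2]))
```

Two points worth noticing when running it: the fraud entry is scored as Terminate on its inherent values but as Transfer once existing controls are counted, which is what assessing at the "current level of risk" means in practice; and the routine-maintenance entry sits one likelihood step away from flipping from Tolerate to Treat, so a register built on such a matrix needs a review trigger for risks near a quadrant boundary rather than a one-off classification.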

Risk appetite and Risk attitude

Risk appetite and risk attitude are related concepts in risk management, but they have distinct meanings and applications:

  1. Definition: Risk Appetite refers to the amount and type of risk an organization is willing to accept in pursuit of its objectives. It is typically a formal, organizational-level statement that guides decision-making and strategy. Risk Attitude refers to how individuals or organizations perceive and respond to risks, influenced by their values, culture, experience, and context. It reflects their behavior and mindset towards risk. An example of a risk appetite statement is “We are willing to accept a moderate level of financial risk to pursue growth in emerging markets”. An example of risk attitude is that a conservative manager might avoid risky investments, while an aggressive manager might embrace them.
  2. Scope: Risk Appetite focuses on the collective, strategic approach of the organization as a whole. Risk Attitude can vary between individuals, teams, or departments within the organization.
  3. Consistency: Risk Appetite is usually well-defined, documented, and stable over time, though it may evolve based on strategic changes or external conditions. Risk Attitude can differ widely within the same organization and can change more frequently depending on personal or situational factors.
  4. Application: Risk Appetite guides high-level decisions, such as setting policies, entering new markets, or allocating resources. Risk Attitude influences day-to-day decisions and actions, such as how a project manager handles uncertainty or how a team responds to unexpected challenges.
  5. Examples in Context: Risk Appetite: An organization with a high-risk appetite may pursue aggressive growth strategies, such as expanding into volatile markets or adopting disruptive technologies. Risk Attitude: Within the same organization, some managers may be risk-seeking (favoring bold moves), while others may be risk-averse (prioritizing caution).

Risk Appetite, Risk Exposure, and Risk Capacity

  1. Risk appetite – the acceptable level for the risk, where no further action is required other than monitoring and reviewing for changes in the context, risk and controls
  2. Risk tolerance – the level of risk that you can accept for a short period of time, and which you will be actively managing to bring to an acceptable level
  3. Risk capacity – the level of risk that is unacceptable. This is the tipping point that the organization cannot or does not wish to go over

These three concepts are fundamental to understanding an organization’s approach to risk management, as they define its willingness, actual risk levels, and ability to handle risks. Risk Appetite refers to the amount and type of risk an organization is willing to take on to achieve its goals. It is set by the leadership and aligns with the organization’s strategy and objectives. Risk appetite acts as a guide for decision-making, ensuring risks are taken in a controlled and deliberate manner. An oil and gas company might have a high-risk appetite for investing in emerging markets because of the potential for high returns but a low-risk appetite for safety risks in operations. Risk Exposure represents the total level of risk the organization is currently facing. It is the cumulative value of all risks (likelihood and impact) across the organization’s operations, projects, or strategies. Risk exposure is dynamic and can change based on internal decisions or external events. The same oil and gas company might have a high-risk exposure if it is operating in multiple volatile regions with political instability, even if its risk appetite is moderate. Risk Capacity refers to the organization’s ability to handle risks, considering its resources, financial strength, and resilience. It defines the maximum level of risk the organization can bear without compromising its survival or long-term goals. Risk capacity sets a ceiling for risk-taking, regardless of the organization’s appetite for risk.

This graph visually represents the relationships among Risk Appetite, Risk Exposure, and Risk Capacity:

  1. Risk Appetite (Blue Line):
    • Represents the level of risk the organization is willing to take on.
    • Shown as a flat line, indicating a consistent willingness to accept a certain risk level.
  2. Risk Exposure (Orange Line):
    • Shows the actual level of risk currently faced by the organization.
    • Oscillates due to dynamic factors affecting risk levels.
  3. Risk Capacity (Green Line):
    • Represents the maximum level of risk the organization can tolerate or handle.
    • Shown as a higher flat line, emphasizing a limit above which the organization could face significant challenges.

Key Areas:

  • Overexposure Area (Red Shading): When risk exposure exceeds risk appetite, the organization is taking on more risk than it prefers.
  • Controlled Risk Area (Yellow Shading): When risk exposure is within or below the risk appetite, the organization is operating within a tolerable and manageable risk level.

This visualization helps organizations assess if their current risk exposure aligns with their risk appetite and capacity, ensuring balanced decision-making.

This figure explains the concepts of risk appetite, risk exposure, and risk capacity for a risk-averse organization, using a risk matrix to illustrate their relationships. Risk appetite is represented by shaded areas on the matrix, showing the level of risk the organization is willing to take. The curved line on the matrix represents the actual risk exposure, which is the level of risk the organization is currently facing. Risk capacity, on the other hand, is higher than both appetite and exposure, indicating the maximum level of risk the organization can handle. This ensures that the organization remains within acceptable risk limits while avoiding risks that could exceed its capacity. The matrix uses color zones to categorize risks. Green indicates risks that the organization is comfortable taking. Blue and yellow zones highlight risks that require careful judgment and decision-making before being accepted. Red represents critical risks that are only taken on when absolutely necessary. This structured approach helps maintain a balance between taking risks for growth and safeguarding the organization’s stability.

In the past, organizations calculated the total cost of risk (TCoR) to manage hazard risks. This calculation included insurance premiums, the cost of loss-control actions, and claims not covered by insurance. These calculations helped organizations benchmark their performance against others and often supported the creation of in-house insurance solutions. However, these calculations relied heavily on historical data, which may not accurately predict future risks. While this approach aimed to minimize costs, it sometimes left organizations vulnerable to major incidents. For example, prioritizing low costs could mean taking on higher overall risks, while excessive insurance purchases might reduce risk but at a significant financial cost.

Modern risk management practices have evolved. Organizations now use risk appetite as a basis to determine acceptable levels of risk. This approach compares the board’s defined risk appetite with the actual risk exposure faced by the organization. Unlike earlier methods, this updated approach considers all types of risks, not just those insurable. As market conditions become more volatile, organizations may need to take on higher risk exposure. This shift often involves strategic discussions among leadership to adjust risk levels or find ways to mitigate exposure. Risk management becomes especially important during periods of rapid change, such as in mergers or acquisitions. Organizations must carefully analyze the opportunities involved in such decisions, considering key aspects to ensure that the risks taken align with their strategy and capacity. By balancing risk appetite, exposure, and capacity, organizations can better navigate uncertainty and make informed decisions.

A risk-averse organization is one that seeks to minimize uncertainty and avoid significant risks. These organizations prioritize stability, predictability, and the protection of existing assets over pursuing high-reward opportunities that come with substantial risks. They carefully evaluate potential downsides before making decisions and tend to focus on low-risk, steady-growth strategies. Their approach is often conservative, emphasizing long-term security and avoiding volatile or uncertain ventures.

In contrast, a risk-aggressive organization actively seeks opportunities with high potential rewards, even if they involve considerable risks. These organizations are more comfortable with uncertainty and are willing to accept potential losses in exchange for the possibility of significant gains. They often invest in innovative or speculative projects and operate in volatile markets or emerging industries. Their strategy prioritizes rapid growth or market disruption, with a focus on achieving high returns, even if it means facing short-term instability or increased exposure to failure.

The primary difference between these two types of organizations lies in how they approach uncertainty and manage risks. Risk-averse organizations focus on minimizing potential losses, favoring steady and secure growth. On the other hand, risk-aggressive organizations embrace uncertainty as an opportunity, taking calculated risks to achieve competitive advantage and substantial rewards. While risk-averse organizations value consistency and caution, risk-aggressive organizations are driven by a willingness to take bold actions in pursuit of significant outcomes.

  • Focus: Risk-averse organizations focus on minimizing downside risks and tend to avoid decisions that could lead to significant losses. Risk-aggressive organizations focus on maximizing upside potential, often taking calculated risks to achieve higher rewards.
  • Growth: Risk-averse organizations aim for steady, incremental growth, prioritizing long-term security. Risk-aggressive organizations aim for rapid growth or market disruption, prioritizing high returns even if it involves short-term instability.
  • Resource allocation: Risk-averse organizations allocate resources conservatively, often favoring proven methods or markets. Risk-aggressive organizations allocate resources more boldly, often investing in untested innovations or emerging opportunities.

In essence, the difference lies in how each type of organization views and manages uncertainty. Risk-averse organizations prioritize safety and consistency, while risk-aggressive organizations embrace uncertainty as an opportunity to achieve competitive advantage and higher rewards.

This 2D line graph compares a risk-averse organization with a risk-aggressive organization:

  • The blue dashed line represents the risk-averse organization. As the risk level increases, their response sharply declines, reflecting a preference for minimizing exposure to higher risks.
  • The red solid line represents the risk-aggressive organization. Their response grows steadily with the risk level, showing a willingness to take on more risk for potential rewards.
  • The dotted black line indicates a neutral risk level for reference.

This contrast highlights the differing approaches to risk management between the two types of organizations.

This figure illustrates a risk-aggressive organization that is more willing to accept risk compared to a risk-averse one. Its comfort zone for taking risks is much larger, while the cautious, concerned, and critical zones take up smaller parts of the risk matrix. In this context, the organization’s “universe of risk,” represented by the darkest squares, includes only the most significant risks that the board considers worth addressing. Because the organization has a greater appetite for risk, it views fewer risks as critical, and risks must have a very high likelihood and impact to draw the board’s attention. The organization’s ultimate risk-bearing capacity lies within the lighter-shaded zones, but its actual risk exposure is shown to be well within the darkest area. This means the organization is taking on risks that exceed its ability to handle them, making it more vulnerable. This mismatch between risk exposure and capacity creates a potential weakness. Determining an organization’s risk appetite involves judgment at various levels. At the board level, risk appetite is a strategic driver that shapes overall decisions. At the line-manager level, it serves as an operational guideline, ensuring day-to-day activities align with the board’s policies. For individual staff members, risk appetite acts as a behavioral boundary, requiring them to operate within the framework set by the board and enforced by managers.

Understanding and applying the concept of risk appetite is a significant challenge for risk management professionals. Many risk management standards, both current and those being developed, emphasize the importance of identifying an organization’s risk appetite early on. However, organizations, like individuals, do not naturally seek out risk for its own sake. This raises a contradiction in risk management, which emphasizes that risks should always be evaluated within their specific context. Similarly, determining risk appetite without considering the organization’s broader context—its strategy, operations, and compliance processes—is illogical and impractical. As the concept of risk appetite gains more attention, practitioners will need to develop a clearer understanding of what it means and how to apply it effectively. For individuals, being labeled a “risk taker” often refers to enjoying high-risk activities, not seeking risk itself. For example, someone with a high-risk hobby doesn’t necessarily take unnecessary risks in other aspects of their life, such as crossing a busy street without caution. Risk-taking, therefore, must always be viewed in the context of the activity and its rewards. Organizations are similar in that they are drawn to strategies, projects, or operations based on their business goals, not the inherent risks. A company may pursue a high-risk strategy or approve a risky project, but this is driven by business needs and objectives, not a desire for risk itself. Often, the level of risk is a byproduct of the chosen strategy, rather than the strategy being shaped by the organization’s risk appetite. This highlights the importance of understanding risk appetite within the broader framework of the organization’s goals and activities.

Risk and uncertainty

In risk management, addressing both risk and uncertainty is crucial. Risk is managed by identifying, assessing, and mitigating measurable threats or opportunities. Uncertainty, on the other hand, is addressed by improving knowledge, developing flexible strategies, and preparing for multiple potential scenarios. Uncertainty and risk are closely related but distinct concepts, each addressing different aspects of decision-making in the face of the unknown. Uncertainty refers to the lack of complete knowledge about future events or outcomes. It means we do not know what will happen or how likely various outcomes are. Uncertainty can make it difficult to predict results because information is incomplete or ambiguous. For example, a new product launch might be surrounded by uncertainty about customer preferences, competitor actions, or market conditions. Uncertainty exists when probabilities of outcomes are unknown or cannot be reliably estimated. Risk is the measurable potential for loss or gain when making decisions under uncertainty. It involves situations where the likelihood and impact of different outcomes can be estimated, even if they are not guaranteed. For example, in the same product launch, risk might include the estimated financial loss if sales fall short of projections. Risk is quantifiable; it is the known probability of specific outcomes occurring.

Difference Between Uncertainty and Risk

  • Information Availability: Risk assumes enough information is available to estimate probabilities, while uncertainty arises when information is incomplete or outcomes are unpredictable.
  • Decision Approach: Risk can often be managed with strategies like mitigation, insurance, or diversification, while uncertainty requires adaptive strategies, scenario planning, or hedging to cope with unknowns.

This figure shows the range of possible outcomes for different types of risk. When investing in opportunities, outcomes can vary widely—from a complete loss of resources to significant gains. In some cases, losses can exceed the initial investment if the associated risks are not fully understood. The figure highlights the relationship between risk and uncertainty, showcasing typical outcomes for hazard risks, control risks, and opportunity risks. By combining these risk types in one illustration, it becomes clear that they are interconnected and form a continuum. The organization’s total risk appetite is the sum of its exposure to hazards, acceptance of control risks, and investments in opportunities. The curved lines in the figure represent the range of possible outcomes for each risk type, with 95% certainty (leaving a 1 in 20 chance of outcomes outside this range). For example, if the organization tolerates a hazard risk represented by point A, it understands that outcomes may fall within the range defined by the 95% certainty lines. Similarly, for an opportunity represented by point B, the organization expects a positive return but also acknowledges the risk of potential loss within that range.

Organizations face hazard risks that can disrupt operations. These risks include both the cost of incidents and the expense of managing them, such as loss prevention, damage control, and insurance. For each hazard risk, there’s a range of possible negative outcomes. The organization must assess and decide how much of this risk it is willing to accept, which forms part of its overall risk appetite. However, actual hazard exposure may exceed what was anticipated, particularly for regulated risks where compliance is mandatory. Most organizations maintain a zero-risk appetite for non-compliance with laws.

Uncertainty also arises from control risks, which relate to unpredictable events with uncertain outcomes. For example, removing fraud controls could save money but might lead to fraud, with uncertain losses. Control risks are embedded in the projects an organization undertakes, and the cost of these controls should be included in project budgets. Failing to account for such controls could lead to significant financial and operational consequences. The cost of controls within the budget reflects the organization’s acceptance of control risks.

Risk appetite statements

A Risk Appetite Statement (RAS) is a formal declaration that outlines the level and type of risk an organization is willing to accept to achieve its objectives. It serves as a guideline for decision-making across strategic, operational, and compliance areas. The RAS helps ensure that all parts of the organization align with its overall attitude toward risk, enabling consistent and informed decision-making.

Risk appetite usually covers a range of possible outcomes. This means there is a zone around the risk appetite where the level of risk is still acceptable. This zone is often called the risk tolerance range for that specific risk. Risk tolerance can be defined as “The acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective. In setting risk tolerance, management considers the relative importance of the related objective and aligns risk tolerances with risk appetite. Operating within risk tolerances helps ensure that the entity remains within its risk appetite and, in turn, that the entity will achieve its objectives.”

Risk appetite involves different considerations depending on the nature and goals of an organization. For some organizations, particularly banks and financial institutions, risk appetite directly drives their strategy. For example, a bank’s decision to lend money to specific groups reflects its willingness to take on certain risks, which forms the core of its operations. In such cases, embracing risk is essential for gaining benefits and achieving business objectives.

In other organizations, risk appetite does not drive the business but serves as a tool for planning. It helps determine whether to proceed with certain tactics, projects, or changes by assessing the associated risks. Here, risk appetite helps the organization operate within acceptable limits while managing uncertainty. It guides decision-making and ensures that risk-taking aligns with broader organizational goals.

For some, risk appetite also acts as a set of operational constraints. For instance, it may define spending limits, authorization levels, or other boundaries within the organization. These constraints reflect the level of risk the organization is willing to accept, based on its size, complexity, and operations. By setting these limits, the organization minimizes risk exposure and its potential consequences. Ultimately, risk appetite is about identifying the optimal level of risk to achieve favorable outcomes while reducing uncertainty. It reflects the organization’s risk attitude, criteria, and willingness to accept specific risks. Risk appetite can be a strategy driver, a planning tool, or a set of operational constraints—or a combination of all three. Many organizations draft risk appetite statements without fully addressing whether they are focusing on strategy, planning, or constraints. A comprehensive approach that considers all three perspectives will create a more effective and nuanced statement. The stages that would be involved in developing this risk appetite statement are as follows:

  • Identify stakeholders and their expectations, making reference to the possible range of stakeholders, as defined by CSFSRS.
  • Define the company-wide risk exposure through an analysis of strategy, tactics, operations and compliance, as set out in the risk register.
  • Establish the desired level of risk exposure that will lead to a risk appetite statement, that provides a set of qualitative and quantitative statements.
  • Define the range of acceptable volatility or uncertainty around each of the types of risks leading to a statement of acceptable risk tolerances.
  • Reconcile the risk appetite, risk tolerances with the current level of risk exposure and plan actions to bring exposure in line with risk appetite.
  • Formalize and ratify a risk appetite statement, communicate the statement with stakeholders and implement accordingly.

Risk appetite statements should match the way risks are classified in the organization. These statements can be organized based on the sources of risk, the parts of the organization that could be affected, or the types of impacts or consequences. Examples include using the FIRM risk scorecard or focusing on the organization’s strategy, tactics, operations, and compliance (STOC). Here are risk appetite statements for an oil and gas company across high, moderate, modest, and low risk appetites:

  1. High Risk Appetite
    “We are prepared to invest in high-risk, high-reward projects, such as deepwater exploration and operations in geopolitically volatile regions, to secure access to significant untapped reserves. We accept the possibility of operational and regulatory challenges, provided the potential returns align with our strategic growth objectives.”
  2. Moderate Risk Appetite
    “We are open to pursuing opportunities in emerging markets and adopting advanced technologies that balance risk and reward. While we will actively explore new ventures, we prioritize projects with manageable geopolitical, operational, and financial risks that align with our sustainability goals and long-term profitability.”
  3. Modest Risk Appetite
    “We will focus on optimizing and modernizing existing operations, ensuring efficiency and safety while exploring low-risk partnerships. Investments will be made in stable markets and proven technologies to secure steady, predictable returns and minimize exposure to high-risk ventures.”
  4. Low Risk Appetite
    “Our priority is maintaining operational stability and compliance with all regulatory and safety requirements. We will avoid high-risk ventures and focus on established markets and mature assets to ensure steady cash flow and protect shareholder value, while continuing to meet environmental and safety standards.”

Here are examples of risk appetite statements for a manufacturing organization based on different business components:

  1. Target Credit Rating
    The organization has a low risk appetite for actions that may harm its credit rating. It aims to maintain a minimum credit rating of “A” to ensure financial stability and access to favorable funding terms.
  2. Target Capital Ratio
    The organization maintains a moderate risk appetite for capital allocation, ensuring a capital ratio of at least 25% to balance growth investments and financial resilience.
  3. Financial Strength
    The organization has a low risk appetite for financial risks that could jeopardize its liquidity or solvency. It strives to maintain cash reserves sufficient to cover six months of operational costs and uphold a strong balance sheet.
  4. Customer Dependence
    The organization has a moderate risk appetite for customer concentration. No single customer should contribute more than 20% of annual revenue to reduce dependency risk while allowing for strategic partnerships.
  5. Regulatory Compliance
    The organization has a very low risk appetite for non-compliance with regulatory requirements. It prioritizes strict adherence to all laws, environmental standards, and industry guidelines to avoid legal or reputational risks.
  6. Social Responsibility
    The organization has a high risk appetite for engaging in sustainable practices and social initiatives. It actively invests in eco-friendly technologies and community projects, even if they require upfront costs, as part of its commitment to long-term societal impact.

There is a connection between personal risk appetite and lifestyle choices. People make decisions about long-term health issues based on factors like family history and personal habits. Medium-term health decisions may focus on things like medical treatments, dieting, and managing weight. In the short term, decisions could involve exercise, alcohol consumption, or addressing recent illnesses or injuries. Individuals must consider their risk attitude, appetite, exposure, and capacity when making lifestyle choices. For example, a person might decide how much exercise they’re willing to do to stay within a healthy weight range. While people may have a certain appetite for health-related risks, their actual exposure to these risks might exceed their comfort level. For instance, someone may want to live a healthier lifestyle but still choose to smoke cigarettes, demonstrating that their risk exposure can surpass their risk appetite. People often prefer actions with immediate, positive, and certain outcomes. A smoker might enjoy a cigarette because the nicotine effect is instant and pleasurable. On the other hand, quitting smoking offers long-term health benefits, but these are delayed and uncertain, and the process of quitting involves discomfort. Risk attitudes vary greatly depending on the type of risk. For instance, a person might be cautious while driving but take significant health risks. Defining risk appetite, whether for individuals or organizations, is challenging, but having a clear risk attitude can help establish an acceptable range of risks. The willingness to take risks also depends on the nature of the risk and the ability to control it. The overall approach to managing risks—whether personal or organizational—should include embracing strategic opportunities, managing tactical uncertainties, mitigating operational hazards, and minimizing compliance risks.

Downside and Upside of Risk

https://preteshbiswas.com/wp-content/uploads/2024/11/Downside-and-Upside-of-Risk.wav

In risk management, downside risk refers to potential negative outcomes, losses, or adverse impacts of a particular action, decision, or scenario. It’s the part of risk that could result in harm, such as financial loss, reputational damage, or operational failure. Managing downside risk focuses on controlling and mitigating these potential losses. On the other hand, upside risk is the potential for positive outcomes or gains from taking on certain risks. Upside risk is often less emphasized in traditional risk management, but it’s key in strategic planning and decision-making. It includes opportunities for growth, profit, innovation, or competitive advantage that may come from calculated risks. Strategies to maximize upside and control downside include:

  • Risk Identification and Analysis: Thoroughly identify all potential risks and analyze them in terms of both downside and upside potential. By understanding both, organizations can make informed decisions about which risks to take on and which to avoid.
  • Risk Appetite and Tolerance: Define your organization’s risk appetite (the level of risk you are willing to pursue) and risk tolerance (the acceptable level of risk exposure). This helps balance between seizing opportunities (upside) and protecting against losses (downside).
  • Enhanced Risk Monitoring: Use a proactive approach to monitor both downside and upside risks. This includes setting up key risk indicators (KRIs) for downside risks and key performance indicators (KPIs) for upside potential, ensuring a holistic view of risk across the organization.
  • Adaptive Risk Response Strategies: For downside risk, use response strategies like avoidance, mitigation, or transferring risk (e.g., insurance). To maximize upside risk, adopt strategies like investing in innovative projects, strategic partnerships, or business process improvements that could lead to competitive advantage.
  • Building a Risk-Aware Culture: Encourage a culture that views risk as an opportunity for growth rather than solely a threat. Empower employees to think creatively about how they can manage and leverage risks effectively.
  • Regular Review and Scenario Analysis: Use scenario planning to understand the potential outcomes of both upside and downside risks under different situations. By preparing for various scenarios, you can better manage adverse effects and capitalize on favorable conditions.

By actively managing downside risks while remaining open to upside potential, an organization can enhance resilience and agility, positioning itself to achieve sustained growth and competitive advantage.

Risk Likelihood

Risk likelihood refers to how often a risk is expected to happen. It’s sometimes called risk frequency, but this term implies the risk occurs regularly, so “risk likelihood” is used more broadly here. Risk likelihood can be measured either as an inherent risk (its natural likelihood) or based on current conditions and controls in place. For risks with a historical record, like vehicle accidents in a fleet, past incidents can help predict how often they might happen. A transport company, for example, could estimate the likelihood of vehicle breakdowns both with and without existing controls, like maintenance programs. However, assessing the inherent likelihood of accidents is trickier, as it would require imagining the outcome without any safety controls. Even if it’s hard to measure inherent risk for breakdowns, the company should still assess the effectiveness of its vehicle maintenance and whether it’s cost-effective. The same applies to driver training programs aimed at reducing accident risk. Whether risks are measured inherently or under current conditions, comparing fleet performance with industry averages is useful. Some controls don’t affect the likelihood of a risk but rather its impact. For instance, wearing seat belts doesn’t lower the chance of a car accident but does reduce injury if one happens. Similarly, a sports club may want to prevent key players from being unavailable. For instance, a player’s absence might result from inappropriate behavior, so the club could establish a “code of conduct” for players, including guidelines for a healthy lifestyle, with penalties for violations. Additional controls might include fitness monitoring and support for international players adapting to the country. Other measures, such as high-quality medical facilities and insurance, could further help manage the risks associated with player absence.

Risk Magnitude

Risk magnitude refers to the overall size or scale of a risk. It combines both likelihood (how often the risk might happen) and impact (the severity of the consequences if the risk does happen). Risk magnitude gives a complete picture of a risk’s importance by taking into account both how likely and how damaging it could be. For example, a risk with a high likelihood but low impact may have a similar magnitude to a risk with a low likelihood but high impact. Risk impact focuses solely on the severity of the consequences if a risk materializes, regardless of how likely it is to happen. It describes how much harm or disruption a risk could cause. For instance, an impact might be measured in terms of financial loss, damage to reputation, health and safety effects, or operational disruptions. The difference between risk magnitude and risk impact lies in scope:

  • Risk impact measures only the severity of the outcome if the risk occurs.
  • Risk magnitude combines both impact and likelihood, providing a more comprehensive assessment of the risk’s overall threat level.

In risk management, considering risk magnitude helps prioritize risks since it evaluates both how likely and how harmful each risk could be. Reducing the scale of hazard risks is essential. In hazard risks, magnitude often means the inherent severity of the risk if it happens. Lowering overall hazard risk severity involves reducing both the impact and consequences when an incident occurs. For instance, wearing a seatbelt can reduce injury severity in a car accident but doesn’t affect the chance of having an accident. A major fire, for example, could cause extensive property damage and high costs. To lessen the severity of such a fire, the focus should be on reducing its impact on the organization’s finances, infrastructure, reputation, and market position (FIRM). Actions to manage impact would focus on limiting damage during the fire and containing costs afterward. The consequences affect the organization’s strategy, tactics, operations, and compliance (STOC). Loss control focuses on lowering the scale, impact, and outcomes of a negative event. Damage control is also important for protecting a company’s reputation. If a serious event occurs that draws public attention, the organization must reassure stakeholders by showing it responded appropriately. Typically, in cases like a severe train or plane accident, the company’s CEO or chairperson will be present at the scene to demonstrate concern and leadership. Poor handling of media can worsen reputational damage if the organization fails to plan effectively before incidents happen. In these cases, lack of preparation can lead to more harm to the organization’s image. Finally, controlling costs after an incident is critical. Cost management is typically supported by a business continuity plan (BCP) or disaster recovery plan (DRP) prepared in advance. These plans help the organization keep costs as low as possible following an incident.

Hazard risks

Reducing the severity of hazard risks is important for various areas, including fraud prevention, health and safety, property protection, IT system reliability, and reputation management. When these risks occur, steps should be taken to lessen the event’s severity and reduce its impact and consequences. While the main goal in managing hazard risks is to prevent losses, successful management also requires focusing on limiting damage and controlling costs. The insurance industry is increasingly aiming to settle claims efficiently and cost-effectively, encouraging organizations to resume normal operations quickly. Some insurers refer to these efforts as “cost containment.” Reducing the severity of incidents should be part of a broader approach to loss control. This integrated approach helps organizations manage both the likelihood and the impact when a hazard risk occurs. In general, loss control is the combination of loss prevention, damage limitation, and cost containment. Though loss prevention is the most critical part, all three aspects are essential for effective hazard risk management.

Before an event happens, the organization should have controls in place to prevent losses. As the event unfolds, actions should be taken to limit the damage it causes. After the event, cost-saving measures, such as activating business continuity plans and setting up arrangements to reduce repair costs, should come into play. Disaster recovery plans are important for both limiting damage and controlling costs. Despite best efforts, risks can still occur, so it’s essential to assess hazard risks thoroughly and prepare plans for handling the incident during and after it happens. These plans should aim to minimize the damage and tightly control the costs associated with the event.

Loss prevention, Damage Limitation and Cost Containment

One way to think about loss control is to break it down into three activities: loss prevention, damage limitation, and cost containment. These are strategies used in risk management to handle potential losses from adverse events, but each focuses on a different phase and approach to managing the risk:

  1. Loss Prevention: This focuses on reducing the chances of an adverse event happening in the first place, though it can also help lessen the size of the event if it does happen. Different types of risks call for different loss prevention methods. For health and safety, loss prevention might mean avoiding risky activities or stopping the use of hazardous chemicals. For building safety, it could involve removing fire hazards and storing flammable materials safely. For fraud and theft risks, it may include separating responsibilities, tagging valuable items, and doing background checks on new hires.
    • Definition: Loss prevention aims to prevent a harmful event from occurring in the first place, or to reduce the chance that it will happen.
    • Focus: This strategy is proactive and focuses on lowering the likelihood of a risk materializing.
    • Examples: In an oil and gas company, loss prevention might include regular inspections and maintenance to prevent leaks, safety training for employees, and enforcing strict protocols to avoid accidents.
  2. Damage Limitation: This focuses on reducing the severity of the event if it does occur. Damage limitation is most effective when plans are in place to act while the event is still happening.
    • Definition: Damage limitation is about reducing the severity or magnitude of an event while it is happening.
    • Focus: This strategy is reactive and works to control the extent of damage during the event.
    • Examples: If a fire breaks out, using fire suppression systems to contain it quickly is a form of damage limitation. Similarly, emergency response actions like deploying containment booms for an oil spill help limit the spread of damage.
  3. Cost Containment: This involves reducing the financial impact and long-term effects of the event. Cost containment focuses on keeping repair costs low and using business continuity plans to keep the organization running after an asset has been damaged.
    • Definition: Cost containment focuses on minimizing the financial impact and consequences after the event has occurred.
    • Focus: This approach manages costs associated with repairs, recovery, and business continuity after an incident.
    • Examples: Cost containment might involve activating a disaster recovery plan, using insurance to cover repair costs, and implementing business continuity plans to resume operations quickly.
  4. Key Differences
    • Timing: Loss prevention is proactive (before the event), damage limitation is reactive (during the event), and cost containment is post-event (after the event).
    • Purpose: Loss prevention reduces the likelihood of occurrence, damage limitation reduces the extent of damage, and cost containment minimizes financial impact and operational disruption.

Each approach is essential for a comprehensive risk management strategy, and together they help protect an organization at the various stages of a potential loss. Damage limitation strategies for fire hazards are well established. Although sprinkler systems are often thought of as a prevention tool, they are actually the main control to limit damage when a fire starts. Other fire damage limitation measures include fireproof partitions in buildings, fire shutters, and well-prepared plans to protect or move valuable items; for example, once a fire has started, valuable artwork is quickly moved to safe areas. Even with strong health and safety measures, workplace accidents still happen. To limit damage, most organizations provide first aid facilities. In high-risk workplaces, some companies even have medical facilities on site, which may include specific treatments for the hazards present. For instance, cyanide antidotes may be available in chromium-plating factories, and emergency eye-wash bottles are often found in areas where hazardous chemicals are used. An oil spill, for example, can highlight important lessons for risk management. While measures were in place to prevent the spill and manage cleanup costs, damage limitation measures appeared less prepared. Since it took weeks to stop the leak, there was time to introduce damage control, but plans had not been sufficiently developed in advance. When hazard risks occur despite prevention and damage control, cost containment is often still needed. For example, after a severe fire, arrangements for salvage, cleaning, and decontamination of damaged items help reduce costs. Cost control steps after an incident, like these, should be outlined in business continuity, disaster recovery, and crisis management plans. Additionally, insurance policies often cover “increased cost of operation,” which can arise when a company has to subcontract production or use a distant factory to keep operating.
If a manufacturer finds that faulty goods are in the market, it should have a plan ready to notify customers and help them identify the products.

Product recall risk management: Any company involved in making, assembling, selling, or processing products could face financial losses from a product recall. Direct costs include paying staff to carry out the recall and paying for ads on radio, TV, newspapers, or industry magazines to inform the public. Indirect costs include lost production time, as regular staff focus on the recall, and hiring temporary workers to keep production going. The biggest indirect cost, however, is the potential loss of market share due to bad publicity. A product recall aims to protect customers from harm, remove the product from the market and production, follow regulatory rules, and safeguard the company’s assets.

Upside of Risk

The upside of risk can be defined as:

  • Fewer disruptions to normal operations and greater operational efficiency resulting in less downside of risk
  • Ability to seize an opportunity because competitors did not identify the cost-effective solution to a risky feature of a contract
  • Specifically identifying positive events during the risk assessment and deciding how to encourage those events
  • Opportunity management, by completing a detailed review of a business opportunity before deciding to embrace it
  • Achieving a positive outcome in difficult circumstances as an unintended and/or automatic result of good risk management

Defining the positive side of risk is a big challenge in risk management. Risk management aims to help organizations meet requirements, improve decision-making, and run core processes more effectively and efficiently (known as MADE2). But risk managers want to identify additional, unexpected benefits that come from managing risk well. These benefits, or the “upside of risk,” occur when the gains from taking a risk are greater than if the organization had avoided it altogether. For example, if a manufacturing company produces waste by-products that are hard to dispose of, they could turn this challenge into an advantage by selling the waste or creating a new product from it. Here, solving a problem results in extra, unforeseen benefits. Simply put, the upside of risk is the reward from taking the risk. Climbing a difficult mountain, for example, involves risk, but the upside is the reward of safely reaching the summit. Another view is that risk management is about aiming for the best outcomes and reducing uncertainty. From this angle, the upside of risk is reaching organizational goals by managing the risks involved in the chosen strategies and operations. Another way to look at the upside of risk is to consider it in risk assessment workshops, focusing on identifying risks that could lead to positive outcomes. This means asking questions like, “What events could make things turn out better than expected?” By creating a list of these positive risks, the organization can work on making them more likely to happen or increasing their benefits. One benefit of the upside of risk is that it allows the organization to take on opportunities it might otherwise avoid. In business, this can mean pursuing a chance that competitors might see as too risky, either because the organization is more efficient or has identified a smart way to develop that competitors missed. This way, the company targets only the profitable parts of a new opportunity. 
The upside of risk can also be seen as taking a chance on a venture that, while risky, turns out well. This requires being willing to pursue risky opportunities, with controls in place, when competitors might back away. Finally, the upside of risk can mean having a strong risk management process. Meeting mandatory obligations alone can be seen as an upside, though it may not be very persuasive to senior managers. More convincingly, the upside is the chance to go after a business opportunity competitors would avoid due to risk aversion. There is debate in the risk management field about how to define the upside of risk. Some standards suggest adding a “take the risk” option to the traditional 4Ts (tolerate, treat, transfer, terminate), making it the 5Ts, focusing on opportunity rather than just taking risks for their own sake. An example of this is when someone seizes an opportunity that others see as risky. It’s not about enjoying the risk itself but embracing the opportunity despite the risk.

Opportunity assessment

To successfully take advantage of business opportunities, organizations benefit from doing opportunity assessments. Many consulting firms conduct detailed evaluations of each new business opportunity, examining potential profits, extra income, and reputation boosts from working with certain clients. Opportunity assessments can be used for evaluating both new business ventures and new clients, with the goal of identifying additional possibilities that could come from gaining that client. These assessments also consider potential downsides of working with a new client. Sometimes, after evaluating, a company may even decide not to pursue a particular client. For example, if a theater notices a drop in attendance, it might assess ways to earn more from those who still attend, like improving food services, offering organic options, or selling themed merchandise. The theater could also explore sponsorship deals and discuss with local businesses what types of shows would attract support. This kind of assessment could help the theater choose productions with good sponsorship potential, allowing it to stage performances that might otherwise seem too risky. Many organizations already manage opportunities, though it might not be recognized as part of risk management. Ideally, opportunity management should be integrated into the development of strategies and tactics. Some organizations lack specific processes for assessing new business opportunities, mergers, or acquisitions. During risk assessment workshops, many organizations now consider both risks and opportunities, tailoring the risk matrix and the likelihood and impact ratings to fit their needs. When assessing both risks and opportunities, organizations typically need a diverse group of people involved, since risks are often linked to operations and compliance, while opportunities are related to strategy. 
After identifying and analyzing opportunities, organizations should evaluate them and determine actions or controls to increase the chances of achieving the expected benefits. The same opportunity assessment approach can be used to analyze and manage these identified opportunities on the risk matrix.

Example of Risk assessment checklist for Financial

  1. Lack of availability (or unacceptable cost) of adequate funds to fulfil the strategic plans
  2. Insufficiently robust procedures for correct allocation of funds for strategic investment
  3. Inadequate internal financial control environment to prevent fraud and control credit risks
  4. Inadequate funds to meet historical liabilities (including pensions) and meet future anticipated liabilities

Example of Risk assessment checklist for Infrastructure

  1. Inadequate senior management structure to support organization and embed ‘risk-aware culture’
  2. Insufficient people resources, skills and availability, including concerns about intellectual property
  3. Inadequate physical assets to support the operational and strategic aims of the organization
  4. Information technology (IT) infrastructure has insufficient resilience and/or data protection
  5. Business continuity plans are not sufficiently robust to ensure continuation of organization after major loss
  6. Product delivery, transport arrangements and/or communications infrastructure unreliable

Example of Risk assessment checklist for Reputational

  1. Poor public perception of the industry sector and/or potential for damage to the brands of the organization
  2. Insufficient attention to ethics/corporate social responsibility/social, environmental and ethical standards
  3. Poor governance standards and/or sector is highly regulated with high compliance expectations
  4. Concerns over quality of products or services and/or after-sales service standards

Example of Risk assessment checklist for Market place

  1. Insufficient revenue generation in the marketplace or inadequate return on investment achieved
  2. Highly competitive marketplace with aggressive competitors and high customer expectations
  3. Lack of economic stability, including exposure to interest rate fluctuations and foreign exchange rates
  4. Marketplace requires constant innovation and/or product technology is rapidly developing
  5. Supply chain is complex and lacks competition and/or raw materials costs are volatile
  6. Organization is exposed to potential for international disruption because of political risks, war, terrorism, crime or pandemic

Scoring for Different Levels of Risk

  • No Risk: 0
  • Little Risk: 1
  • Some Risk: 2
  • Medium Risk: 3
  • High Risk: 4
  • Extreme Risk: 5

To calculate an organization’s riskiness index, it’s necessary to identify the specific hazard risks the organization is actually facing. In other words, assessing the riskiness index helps reveal the organization’s true level of risk exposure. Once this risk level is known, the board can determine if this risk fits within the organization’s risk appetite, risk capacity, and aligns with the board’s overall approach to risk. Organizations should be careful not to assume that the risks they are currently taking are the same as the risks they are willing to take, just because they’ve identified those risks using something like the riskiness index.
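As an added illustration (not code from this article), the scoring scheme above applied to the four FIRM checklists in Python: each item is scored 0 to 5, subtotals are taken per category, and the total is compared with the board's appetite. The appetite thresholds, the sample scores and the abbreviated item wording are assumptions made for the example.

```python
"""Riskiness index across the FIRM checklists (added example, not the article's code).

Assumes the page's scoring (0 = No Risk up to 5 = Extreme Risk per item), summed per
category and overall; the appetite thresholds and sample scores are constructed.
"""

# Checklist items abbreviated from the page, grouped by FIRM category.
CHECKLIST = {
    "Financial": [
        "availability/cost of funds for strategic plans",
        "procedures for allocating strategic investment funds",
        "internal financial control (fraud, credit risk)",
        "funds for historical and anticipated liabilities",
    ],
    "Infrastructure": [
        "senior management structure / risk-aware culture",
        "people resources, skills, intellectual property",
        "physical assets for operational and strategic aims",
        "IT resilience and data protection",
        "business continuity plans after major loss",
        "delivery, transport and communications infrastructure",
    ],
    "Reputational": [
        "public perception of sector / brand damage",
        "ethics, CSR, social and environmental standards",
        "governance standards / highly regulated sector",
        "quality of products, services and after-sales service",
    ],
    "Marketplace": [
        "revenue generation / return on investment",
        "competitive market and customer expectations",
        "economic stability, interest rate and FX exposure",
        "constant innovation / rapidly developing technology",
        "complex supply chain / volatile raw material costs",
        "international disruption (political, war, terrorism, crime, pandemic)",
    ],
}

SCORE_LABELS = {0: "No Risk", 1: "Little Risk", 2: "Some Risk",
                3: "Medium Risk", 4: "High Risk", 5: "Extreme Risk"}

def validate_scores(category, scores):
    """Reject a sheet whose length or values do not match the checklist or scale."""
    expected = len(CHECKLIST[category])
    if len(scores) != expected:
        raise ValueError(f"{category}: expected {expected} scores, got {len(scores)}")
    for item, score in zip(CHECKLIST[category], scores):
        if not isinstance(score, int) or score not in SCORE_LABELS:
            raise ValueError(f"{category} / {item}: score {score!r} is not 0-5")

def riskiness_index(assessment):
    """Return per-category subtotals, the overall index and the maximum possible."""
    missing = set(CHECKLIST) - set(assessment)
    unknown = set(assessment) - set(CHECKLIST)
    if missing or unknown:
        raise ValueError(f"missing categories {sorted(missing)}, unknown {sorted(unknown)}")
    subtotals = {}
    for category, scores in assessment.items():
        validate_scores(category, scores)
        subtotals[category] = sum(scores)
    maximum = max(SCORE_LABELS) * sum(len(items) for items in CHECKLIST.values())
    return {"subtotals": subtotals, "total": sum(subtotals.values()), "max": maximum}

def hotspots(assessment, threshold=4):
    """Items scored High or Extreme: what actually drives the index."""
    return [(cat, item, SCORE_LABELS[score])
            for cat, scores in assessment.items()
            for item, score in zip(CHECKLIST[cat], scores) if score >= threshold]

def within_appetite(index, appetite_total, appetite_per_category):
    """Compare measured exposure with the board's appetite (assumed numbers).
    Returns (fits, breached categories); a total inside appetite can still hide
    one category far outside it, so both limits are checked."""
    breached = [c for c, s in index["subtotals"].items() if s > appetite_per_category]
    return index["total"] <= appetite_total and not breached, breached

# Constructed sample assessment; the scores are illustrative, not from the page.
SAMPLE = {
    "Financial": [1, 2, 3, 1],
    "Infrastructure": [2, 3, 1, 5, 4, 2],
    "Reputational": [2, 1, 3, 2],
    "Marketplace": [3, 4, 2, 3, 2, 1],
}
```

Running `riskiness_index(SAMPLE)` gives a total of 47 out of 100, and `within_appetite` with an assumed total limit of 45 and per-category limit of 15 reports that the exposure does not fit, with Infrastructure the breached category.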

Upside in Strategy, Projects, and Operations

Organizations typically have a mission statement, a set of objectives, and a clear understanding of what their stakeholders expect. The board must then create a strategy to meet these goals and expectations effectively. To make informed decisions, the board needs risk information about the planned strategy and any alternative options. This risk assessment helps improve the chances of making the right decisions. For opportunity risks, like acquiring a new client or launching a product, there may be limited data to predict outcomes. Accurately assessing the chances of both positive and negative events is crucial to deciding whether to proceed with the opportunity. For example, if a new product is launched, the goal might be to increase the likelihood of success by maximizing cost-effective media and advertising efforts. Strategic planning combines risk management with high-level planning. It’s a structured process to reach consensus on the key issues that will shape the organization’s future. Failing to implement or choosing the wrong strategy can be extremely harmful. Strategies are carried out through tactics, which are implemented via projects and day-to-day processes, forming the organization’s business model. Risk management ensures these processes work effectively and reduce uncertainty. Thus, the benefit of risk management in strategy is that it helps design and implement an efficient approach, improving the organization’s core operations over time.

Every organization needs to adopt the right core processes, which are the key activities that fulfill specific stakeholder expectations. In business process re-engineering (BPR), these activities are seen as essential. There’s a difference between a process being efficient and being effective. An efficient process runs smoothly and without extra costs, but it might not be the best way to meet the organization’s needs. When processes need improvement, a project is usually set up to make these changes. If multiple projects are needed, this is often called a program. Through these projects, organizations aim to improve the efficiency or effectiveness of core processes. By assessing risks before making changes, an organization can help ensure the project is completed successfully—on time, within budget, and meeting its goals. To gain the positive side of risk (the upside), projects need good management and the right selection. Organizations often do a post-project review, sometimes led by internal auditors, to confirm that the project achieved its intended benefits and was worth the resources invested. In tough financial times, organizations need to prioritize projects that offer the best use of limited resources. Risk management in projects is linked to implementing tactics to fulfill the organization’s strategy. Some organizations only approve projects that will reduce risk. For instance, if an activity is at risk due to weak IT systems, a project might aim to improve these systems, reducing risks and boosting efficiency. In summary, good risk management makes it more likely that projects finish on time, within budget, and meet quality standards. It helps manage outcomes, whether they match the plan or not.

Organizations need to run operations that are both efficient and effective. Efficient operations use the organization’s resources well and avoid unexpected disruptions. When operations use the least resources for the most output, they provide the greatest benefit. Effective operations mean choosing the best way to carry out these activities. For example, traveling across a busy city might be efficient by car or bus, but the most effective way in large cities is often by metro.

Risk management can help organizations ensure their operations are both effective and efficient. In a business setting, this can provide an advantage over competitors by allowing work to be done at a lower cost while remaining profitable. For public services, effective and efficient operations are also crucial, as these services often have challenging delivery targets. Risk management supports improvements in public services by making operations more flexible and resilient, which is part of gaining the upside of risk. In a competitive market, achieving the upside of risk can sometimes impact competitors, suppliers, or third parties. But seeking the benefits of risk-taking requires awareness of possible downsides. Avoiding certain actions because they seem too risky could sometimes actually increase risk. The first step in the risk management process is to set the context, and a “riskiness index” can help define both the external and internal context for the organization. When setting this context, it’s important to think about the upside of risk and how the organization can benefit from opportunities related to strategy, tactics, and operations. For compliance risks, there’s also a potential upside. If an organization needs a license from a regulator to operate, a good relationship with that regulator can help. By meeting and even influencing high standards, an organization may gain an advantage over competitors who might struggle with these standards.