Risk and reward
11 Sep 2009
Topics: BS 31100, Risk management
Why are many UK businesses, large and small, still reluctant to spend time identifying and reducing the risks that threaten them? Are they missing out on potential opportunities?
When it comes to business, risk is not the exception: it's the rule. As businesses look for ways to ride out the recession, risk management should be even higher up the boardroom agenda. Yet for many, it's not even considered - why?
"A number of companies are not paying sufficient attention to risk management," says Richard Taylor, BSI group product manager of risk. "Many say, 'That's not going to happen to me; I'm not going to do anything about that'. Smaller businesses in particular are in need of help and guidance."
The lack of enthusiasm among UK businesses for a systematic review of potential risk factors may be down to a perception of risk management as a compliance issue. As Allan Gifford, divisional director for Enterprise Risk Management at HSBC Insurance points out, some risks have always been there, but the landscape has changed in recent years.
Increasing regulation, such as Sarbanes-Oxley in the US, which put responsibility for compliance onto individual executives, has focused corporate minds on risk as a defensive game aimed at meeting the requirements of regulators. As a consequence, business leaders are inclined to guard against losses rather than look for opportunities to increase profitability.
The right response
Risk management need not involve complex modelling or probability theory. Identifying risks can be as straightforward as a combination of brainstorming, web-based research and conducting a survey.
Based on work done by BSI in recent years, there are several ways organizations can respond to risks once identified. The first is to accept the risk, acknowledge it and work around it - also known as "retaining risk". The second option is to mitigate a risk by putting procedures in place that will limit the damage it might cause.
Often a more attractive solution is to transfer risk to someone else. An insurance policy shifts the financial burden to the insurer if a factory burns down. An IT outsourcing contract with associated service level agreements could make the supplier responsible for keeping mission-critical systems running. Transfer moves the liability, not the consequence: if the outsourced system goes down, it is still the business's own customers who are left waiting, so a contract only transfers risk to the extent that its remedies actually cover the loss.
The fourth option is simply to exit a risky scenario. For example, if a product line is competing against a demonstrably superior rival, it may be sensible to drop the line rather than risk further losses.
Apart from these, there is one other undeniable option: from time to time, an organization must actively seek risk. A good example is product development: a critical element in competing effectively, but one that carries a degree of risk. Some organizations, such as venture capitalists, constantly take risks and lose money with the expectation that when they fund a successful venture, it will more than make up for earlier losses.
Managing the message
"You can't worry about everything," says Julian Thrussell, product manager for risk at BSI UK. "You should aim to identify and prioritize risks that might be a problem and mitigate them with early action.
"For example, a local view of risks may be very different from a corporate one. A risk that really worries one department of a business may, compared with other risks, be a low priority. Good risk management should ensure that decisions and resources are proportional and based on the best information available. Sometimes we see a high-profile department, or one that makes a loud fuss, getting money and resources that would be better spent elsewhere. Just as common are less interesting risks remaining unmanaged. Risks that no one wants to deal with can become serious over time. No organization has the bandwidth or the resources to immediately address every risk, which is why understanding, and then managing, those risks is so important.
"So often we see the bigger picture not reaching senior management. As a consequence, resources and money don't go to the right places."
Thrussell gives the example of a small part of a large parcel business in which the IT staff were struggling to be heard. They were acutely worried their existing IT infrastructure would not support a planned group parcel tracking service. "This isn't just a local IT issue," he explains. "It is a business risk that involves many other departments, including marketing and sales. Risks such as these should be seen as crossing traditional departmental boundaries and their potential impact tracked as a single issue."
Lack of communication and office politics can obstruct effective risk avoidance. Individuals might not flag up problems because they could reflect badly on them, or they might not be thinking about the impact on the rest of the business. Thrussell points out that it's a question of joining up risks in the organization in order to eliminate silos of information: "It may be that a department is staying quiet because it is embarrassed: for example, it might have a problem that it just doesn't know how to fix."
Thrussell points to the Lehman Brothers crash: according to reports, many parts of the business knew extreme risks were being taken but senior management was not informed, so the full impact of the bank's position was not appreciated in time.
"Some key staff in Lehman knew what exposure the company faced with some products but kept quiet," maintains Thrussell.
BSI's Taylor adds that events like the Lehman Brothers crash can unfold at a greater speed than before. And their nature is changing: not only are risks more global, but also more likely to affect an organization's reputation.
"With raised media interest, people are much more aware of what's happening, making the risk to reputation a real possibility," he explains. In many instances, risk mitigation is as much about dealing with the aftermath as about preventing the event in the first place.
The same page
Formalizing processes is an important part of risk management, says Thrussell: "We should not expect people to make instant decisions but to gather information that can be shared with others. For example, if one customer says they don't like a product or service, is that isolated or a serious problem? Is the customer important - what is the overall risk to the business? We need to wait for a complete picture to build up, reflecting more customers, further information and potential costs and losses. Once the information is analysed, the business can make appropriate, weighted and informed decisions.
"Ideally, everyone responsible for identifying risk should look at it in the same way," says Thrussell. As part of this effort, BSI has launched a new standard - BS 31100 - which emphasizes the positive contribution that risk management can make to business performance. Unlike similar guidelines, BS 31100 is not just about cutting losses; it aims to make risk management a tool for increasing profits through responsible risk-taking.
"The standard is about the flow of information: how it is gathered, who is responsible, the timescales involved and how risks can be put into some sort of logical format," says Thrussell.
A fair bit of corporate interest in risk management these days is being driven by the financial services sector, says Thrussell. Banks in particular are taking a much closer interest in the risks faced by enterprises in which they have invested: "We all have different appetites for risk. Some businesses thrive on risks, but a lot of businesses want a nice steady ride. Banks are taking more interest in this area and in doing so are forcing people to take more account of risk."
Gifford of HSBC Insurance spends his working life helping organizations pinpoint risks and then do something about them. He is quick to point out that businesses can usually insure only around 10-15 per cent of the risks they face. For the rest, cover is either prohibitively expensive or simply not offered by the insurance industry.
"Organizations face very many different kinds of risk including their own decision making, outside regulation, their operational supply chain, their information technology, their financial liquidity and the wider economy," says Gifford.
"Not enough people are approaching risk in a systematic way. That's what's nice about BS 31100: it gives people a route map, a framework. Heads of departments tend to manage different risks. People treat their risks as though they were in a separate silo and were not going to affect other risks. The result is that some risks are over-managed and others don't have enough attention paid to them." Gifford stresses the interdependent nature of risk-reducing activities. Planning for business continuity, for example, is intimately connected with decisions about insurance.
"The person who looks after property and the person who looks after business continuity are looking after the same risk," he says.
Equally, risks can have a positive and negative element. Climate change, for example, may impact the business, but the business can also affect climate change. Taking measures to reduce the amount of pollution caused by a company's activities may help in raising finance because it reduces the risk of lawsuits and increases a company's standing among stakeholders.
"Considerations such as these often don't happen on an enterprise-wide management level," concludes Gifford. "But get six people around a table talking about risk and it can be a real eye opener."
CASE STUDY: BS 31100 - a new standard in risk management
BS 31100 offers a way for organizations to assess risk, including how likely each risk is to happen and the impact it would have if it did. Rating likelihood and impact on simple one-to-six scales lets risk managers plot each risk on a grid and make an informed assessment of which need attention first.
The 40-strong committee that oversaw the production of the standard was determined that it should use everyday language and avoid recommendations that were overly bureaucratic. The intention is that a £20m-turnover company can use BS 31100 as easily as one turning over £20bn.
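As an added illustration of the scoring the case study describes, the register below is example code written for this page, not BSI's or the standard's. It scores likelihood on the one-to-six scale the page mentions and, as an assumption, impact on the same scale; the product rule, the band thresholds, the response labels (taken from the article's five options) and the sample risks are all constructed for the example. It also shows the departmental-versus-corporate ranking gap Thrussell describes: a risk that tops its own department's list can sit near the bottom of the corporate ladder.

```python
"""Added example (not from the article or BSI): a small risk register
scored with 1-6 likelihood and 1-6 impact. Multiplying the two, the band
thresholds, the response labels and the sample risks are assumptions made
for illustration; nothing here is quoted from BS 31100."""
from dataclasses import dataclass
from typing import List

SCALE = range(1, 7)  # the page's "one to six" scores
RESPONSES = {"retain", "mitigate", "transfer", "exit", "seek"}  # the article's five options


@dataclass
class Risk:
    name: str
    department: str
    likelihood: int   # 1 = rare .. 6 = almost certain (assumed labels)
    impact: int       # 1 = negligible .. 6 = severe (assumed labels)
    response: str     # one of RESPONSES

    def __post_init__(self) -> None:
        # Reject out-of-range scores and unknown responses at entry time.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1-6")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.name}: unknown response {self.response!r}")

    @property
    def score(self) -> int:
        # Assumed combination rule: product, giving 1..36.
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Assumed thresholds on the 36-point product scale."""
    if score >= 20:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


def rank(register: List[Risk]) -> List[Risk]:
    """Corporate view: one ladder for the whole organization, highest first.
    Ties break on impact, then name, so the order is deterministic."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.name))


def local_rank(register: List[Risk], department: str) -> List[Risk]:
    """Departmental view: the same scoring, restricted to one department."""
    return rank([r for r in register if r.department == department])


def corporate_position(register: List[Risk], name: str) -> int:
    """1-based position of a named risk on the corporate ladder."""
    return [r.name for r in rank(register)].index(name) + 1


def heat_map(register: List[Risk]) -> List[List[int]]:
    """6x6 count grid: rows = likelihood 1..6, columns = impact 1..6."""
    grid = [[0] * 6 for _ in range(6)]
    for r in register:
        grid[r.likelihood - 1][r.impact - 1] += 1
    return grid


def render_heat_map(grid: List[List[int]]) -> str:
    """Text plot with the highest likelihood at the top, so the top-right
    corner holds the risks that need attention first."""
    lines = ["L\\I " + " ".join(f"{i:>2}" for i in SCALE)]
    for likelihood in reversed(SCALE):
        row = grid[likelihood - 1]
        lines.append(f"{likelihood:>3} " + " ".join(f"{n:>2}" if n else " ." for n in row))
    return "\n".join(lines)


# Constructed sample register. The parcel-tracking entry follows the
# article's anecdote; its scores and the other entries are invented.
SAMPLE: List[Risk] = [
    Risk("IT infrastructure cannot carry group parcel tracking", "IT", 5, 6, "mitigate"),
    Risk("Factory fire", "Operations", 1, 6, "transfer"),
    Risk("Product line losing to a superior rival", "Sales", 5, 4, "exit"),
    Risk("Brochure reprint delayed", "Marketing", 6, 1, "retain"),
    Risk("New product development fails to ship", "R&D", 3, 3, "seek"),
    Risk("One customer dislikes the new service", "Sales", 2, 2, "retain"),
]

if __name__ == "__main__":
    print(render_heat_map(heat_map(SAMPLE)))
    for r in rank(SAMPLE):
        print(f"{r.score:>2} {band(r.score):<6} {r.department:<10} {r.response:<9} {r.name}")
    # Marketing's top local risk sits well down the corporate ladder.
    top_local = local_rank(SAMPLE, "Marketing")[0]
    print(f"{top_local.name!r} is #1 for Marketing but "
          f"#{corporate_position(SAMPLE, top_local.name)} corporately")
```

Running it prints the 6x6 heat map, the ranked register with its band and chosen response, and the marketing example: a risk scored almost certain but negligible tops its department's list while ranking fifth of six corporately, which is the mis-allocation the article warns about. The grid only informs the decision; choosing and owning each response is the part that scoring does not automate.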
For more information on risk management, visit: www.bsigroup.com/aug09risk
Business Standards © 2009. Editorial produced by Caspian Publishing in association with the British Standards Institution. Editorial opinions expressed are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.