Details

<p>List of Figures xxvii</p> <p>Preface to the Second Edition xxxi</p> <p>Acknowledgements xxxv</p> <p>About the Author xxxvii</p> <p><b>Part I Enterprise Risk Management In Context 1</b></p> <p><b>1 Introduction 3</b></p> <p>1.1 Risk Diversity 4</p> <p>1.2 Approach to Risk Management 5</p> <p>1.3 Business Growth Through Risk Taking 5</p> <p>1.4 Risk and Opportunity 6</p> <p>1.5 The Role of the Board 7</p> <p>1.6 Primary Business Objective (or Goal) 8</p> <p>1.7 What is Enterprise Risk Management? 9</p> <p>1.8 Benefits of Enterprise Risk Management 10</p> <p>1.9 Structure 12</p> <p>1.9.1 Corporate Governance 12</p> <p>1.9.2 Internal Control 13</p> <p>1.9.3 Implementation 14</p> <p>1.9.4 Risk Management Framework 14</p> <p>1.9.5 Risk Management Policy 15</p> <p>1.9.6 Risk Management Process 15</p> <p>1.9.7 Sources of Risk 16</p> <p>1.10 Summary 16</p> <p>1.11 References 16</p> <p><b>2 Developments in Corporate Governance in the UK 19</b></p> <p>2.1 Investor Unrest 19</p> <p>2.2 The Problem of Agency 20</p> <p>2.3 The Cadbury Committee 21</p> <p>2.4 The Greenbury Report 23</p> <p>2.5 The Hampel Committee and the Combined Code of 1998 23</p> <p>2.6 Smith Guidance on Audit Committees 23</p> <p>2.7 Higgs 24</p> <p>2.8 Tyson 24</p> <p>2.9 Combined Code on Corporate Governance 2003 25</p> <p>2.10 Companies Act 2006 26</p> <p>2.11 Combined Code on Corporate Governance 2008 26</p> <p>2.12 Sir David Walker’s Review of Corporate Governance, July 2009 (Consultation Paper) 27</p> <p>2.13 Sir David Walker’s Review of Corporate Governance, November 2009 (Final Recommendation) 29</p> <p>2.14 House of Commons Treasury Committee 2009 30</p> <p>2.15 UK Corporate Governance Code, June 2010 32</p> <p>2.16 The “Comply or Explain” Regime 34</p> <p>2.17 Definition of Corporate Governance 34</p> <p>2.18 Formation of Companies 35</p> <p>2.19 The Financial Services Authority and Markets Act 2000 36</p> <p>2.20 The London Stock Exchange 36</p> <p>2.21 Summary 37</p> <p>2.22 References 38</p> <p><b>3 Developments in Corporate Governance in the US 41</b></p> <p>3.1 Corporate Governance 41</p> <p>3.2 The Securities and Exchange Commission 42</p> <p>3.2.1 Creation of the SEC 42</p> <p>3.2.2 Organisation of the SEC 43</p> <p>3.3 The Laws That Govern the Securities Industry 44</p> <p>3.3.1 Securities Act 1933 44</p> <p>3.3.2 Securities Exchange Act 1934 44</p> <p>3.3.3 Trust Indenture Act 1939 45</p> <p>3.3.4 Investment Company Act 1940 45</p> <p>3.3.5 Investment Advisers Act 1940 45</p> <p>3.4 Catalysts for the Sarbanes-Oxley Act 2002 45</p> <p>3.4.1 Enron 46</p> <p>3.4.2 WorldCom 47</p> <p>3.4.3 Tyco International 47</p> <p>3.4.4 Provisions of the Act 50</p> <p>3.4.5 Implementation 52</p> <p>3.4.6 Sarbanes-Oxley Section 404 52</p> <p>3.4.7 The Positive Effects of Post-Enron Reforms 52</p> <p>3.4.8 Criticism of Section 404 Before the Global Financial Crisis 54</p> <p>3.4.9 Criticism of Section 404 After the Global Financial Crisis 54</p> <p>3.5 National Association of Corporate Directors 2008 55</p> <p>3.6 Summary 56</p> <p>3.7 References 57</p> <p><b>4 The Global Financial Crisis of 2007–2009: A US Perspective 59</b></p> <p>4.1 The Financial Crisis in Summary 59</p> <p>4.2 How the Financial Crisis Unfolded 60</p> <p>4.3 The United States Mortgage Finance Industry 61</p> <p>4.4 Subprime Model of Mortgage Lending 61</p> <p>4.4.1 Contributing Events to the Credit Crisis 61</p> <p>4.4.2 Foreclosures 63</p> <p>4.4.3 Negative Equity 65</p> <p>4.4.4 Housing Surplus 67</p> <p>4.4.5 Vicious Circles 68</p> <p>4.5 Why this Crisis Warrants Close Scrutiny 68</p> <p>4.6 Behaviours 70</p> <p>4.6.1 Investor Behaviour in the Search for Yield 70</p> <p>4.6.2 Mortgage Lending Behaviour 71</p> <p>4.6.3 Bank Behaviour and Risk Transfer through Securitised Credit 71</p> <p>4.6.4 “Group Think” and Herd Behaviour 72</p> <p>4.6.5 Banks’ Behaviour and Risk Appetite 74</p> <p>4.6.6 Behaviour of Regulators and the Division of “Narrow Banking” from Investment Banking 75</p> <p>4.6.7 Banks’ Behaviour and Misplaced Reliance of Sophisticated Mathematics and Statistics 75</p> <p>4.7 Worldwide Deficiencies in Risk Management 76</p> <p>4.8 Federal Reform 76</p> <p>4.9 Systemic Risk 79</p> <p>4.10 The Future of Risk Management 81</p> <p>4.11 Summary 82</p> <p>4.12 References 82</p> <p><b>5 Developments in Corporate Governance in Australia and Canada 85</b></p> <p>5.1 Australian Corporate Governance 85</p> <p>5.1.1 Regulation Arising from Corporate Failures 85</p> <p>5.1.2 Corporate Governance Reforms Following the Accounting Scandals of the Early 2000s 86</p> <p>5.1.3 Horwath 2002 Corporate Governance Report 88</p> <p>5.1.4 The ASX Corporate Governance Council 89</p> <p>5.1.5 Financial Statements 90</p> <p>5.2 Canada 90</p> <p>5.2.1 Dey Report 90</p> <p>5.2.2 Dey Revisited 91</p> <p>5.2.3 Kirby Report 91</p> <p>5.2.4 Saucier Committee 92</p> <p>5.2.5 National Policy and Instrument (April 2005) 92</p> <p>5.2.6 TSE Corporate Governance: Guide to Good Disclosure 2006 93</p> <p>5.3 Summary 94</p> <p>5.4 References 94</p> <p><b>6 Internal Control and Risk Management 97</b></p> <p>6.1 The Composition of Internal Control 97</p> <p>6.2 Risk as a Subset of Internal Control 98</p> <p>6.2.1 The Application of Risk Management 98</p> <p>6.3 Allocation of Responsibility 102</p> <p>6.3.1 Cadbury Committee 102</p> <p>6.3.2 Hampel Committee 102</p> <p>6.3.3 Turnbull 103</p> <p>6.3.4 Higgs Review 104</p> <p>6.3.5 Smith Review 104</p> <p>6.3.6 OECD 105</p> <p>6.4 The Context of Internal Control and Risk Management 106</p> <p>6.5 Internal Control and Risk Management 107</p> <p>6.6 Embedding Internal Control and Risk Management 107</p> <p>6.7 Summary 107</p> <p>6.8 References 108</p> <p><b>7 Developments in Risk Management in the UK Public Sector 109</b></p> <p>7.1 Responsibility for Risk Management in Government 109</p> <p>7.1.1 Cabinet Office 110</p> <p>7.1.2 Treasury 111</p> <p>7.1.3 Office of Government Commerce 111</p> <p>7.1.4 National Audit Office 112</p> <p>7.2 Risk Management Publications 112</p> <p>7.3 Successful IT 113</p> <p>7.4 Supporting Innovation 115</p> <p>7.4.1 Part 1: Why Risk Management is Important 115</p> <p>7.4.2 Part 2: Comprehension of Risk Management 115</p> <p>7.4.3 Part 3: What More Needs to be Done to Improve Risk Management 115</p> <p>7.5 The Orange Book 116</p> <p>7.5.1 Identify the Risks and Define a Framework 116</p> <p>7.5.2 Assign Ownership 116</p> <p>7.5.3 Evaluate 117</p> <p>7.5.4 Assess Risk Appetite 117</p> <p>7.5.5 Response to Risk 117</p> <p>7.5.6 Gain Assurance 118</p> <p>7.5.7 Embed and Review 118</p> <p>7.6 Audit Commission 118</p> <p>7.7 CIPFA/SOLACE Corporate Governance 120</p> <p>7.8 M_o_R 2002 121</p> <p>7.9 DEFRA 123</p> <p>7.9.1 Risk Management Strategy 123</p> <p>7.10 Strategy Unit Report 124</p> <p>7.11 Risk and Value Management 125</p> <p>7.12 The Green Book 126</p> <p>7.12.1 Optimism Bias 126</p> <p>7.12.2 Annex 4 127</p> <p>7.13 CIPFA Guidance on Internal Control 127</p> <p>7.14 Managing Risks to Improve Public Services 129</p> <p>7.15 The Orange Book (Revised) 131</p> <p>7.16 M_o_R 2007 132</p> <p>7.17 Managing Risks in Government 132</p> <p>7.18 Summary 134</p> <p>7.19 References 136</p> <p><b>Part II The Risk Management Process 137</b></p> <p>References 139</p> <p><b>8 Establishing the Context: Stage 1 141</b></p> <p>8.1 Process 141</p> <p>8.2 Process Goal and Subgoals 142</p> <p>8.3 Process Definition 143</p> <p>8.4 Process Inputs 143</p> <p>8.5 Process Outputs 145</p> <p>8.6 Process Controls (Constraints) 145</p> <p>8.7 Process Mechanisms (Enablers) 146</p> <p>8.7.1 Ratios 146</p> <p>8.7.2 Risk Management Process Diagnostic 147</p> <p>8.7.3 SWOT Analysis 148</p> <p>8.7.4 PEST Analysis 148</p> <p>8.8 Process Activities 149</p> <p>8.8.1 Business Objectives 149</p> <p>8.8.2 Business Plan 150</p> <p>8.8.3 Examining the Industry 151</p> <p>8.8.4 Establishing the Processes 151</p> <p>8.8.5 Projected Financial Statements 153</p> <p>8.8.6 Resources 155</p> <p>8.8.7 Change Management 155</p> <p>8.8.8 Marketing Plan 155</p> <p>8.8.9 Compliance Systems 156</p> <p>8.9 Summary 156</p> <p>8.10 References 156</p> <p><b>9 Risk Identification: Stage 2 159</b></p> <p>9.1 Process 159</p> <p>9.2 Process Goal and Subgoals 159</p> <p>9.3 Process Definition 160</p> <p>9.4 Process Inputs 161</p> <p>9.5 Process Outputs 162</p> <p>9.6 Process Controls (Constraints) 162</p> <p>9.7 Process Mechanisms (Enablers) 163</p> <p>9.7.1 Risk Checklist 163</p> <p>9.7.2 Risk Prompt List 163</p> <p>9.7.3 Gap Analysis 163</p> <p>9.7.4 Risk Taxonomy 164</p> <p>9.7.5 PEST Prompt 165</p> <p>9.7.6 SWOT Prompt 168</p> <p>9.7.7 Database 168</p> <p>9.7.8 Business Risk Breakdown Structure 169</p> <p>9.7.9 Risk Questionnaire 169</p> <p>9.7.10 Risk Register Content/Structure 170</p> <p>9.8 Process Activities 171</p> <p>9.8.1 Clarifying the Business Objectives 171</p> <p>9.8.2 Reviewing the Business Analysis 171</p> <p>9.8.3 Need for Risk and Opportunity Identification 171</p> <p>9.8.4 Risk and Opportunity Identification 172</p> <p>9.8.5 Facilitation 172</p> <p>9.8.6 Gaining a Consensus on the Risks, the Opportunities and</p> <p>their Interdependencies 182</p> <p>9.8.7 Risk Register 182</p> <p>9.9 Summary 182</p> <p>9.10 References 182</p> <p><b>10 Risk Analysis: Stage 3 185</b></p> <p>10.1 Process 185</p> <p>10.2 Process Goal and Subgoals 186</p> <p>10.3 Process Definition 186</p> <p>10.4 Process Inputs 186</p> <p>10.5 Process Outputs 188</p> <p>10.6 Process Controls (Constraints) 188</p> <p>10.7 Process Mechanisms (Enablers) 188</p> <p>10.7.1 Probability 188</p> <p>10.8 Process Activities 189</p> <p>10.8.1 Causal Analysis 190</p> <p>10.8.2 Decision Analysis and Influence Diagrams 190</p> <p>10.8.3 Pareto Analysis 193</p> <p>10.8.4 CAPM Analysis 194</p> <p>10.8.5 Define Risk Evaluation Categories and Values 195</p> <p>10.9 Summary 195</p> <p>10.10 References 196</p> <p><b>11 Risk Evaluation: Stage 4 197</b></p> <p>11.1 Process 197</p> <p>11.2 Process Goal and Subgoals 197</p> <p>11.3 Process Definition 198</p> <p>11.4 Process Inputs 198</p> <p>11.5 Process Outputs 198</p> <p>11.6 Process Controls (Constraints) 199</p> <p>11.7 Process Mechanisms (Enablers) 200</p> <p>11.7.1 Probability Trees 200</p> <p>11.7.2 Expected Monetary Value 201</p> <p>11.7.3 Utility Theory and Functions 203</p> <p>11.7.4 Decision Trees 204</p> <p>11.7.5 Markov Chain 208</p> <p>11.7.6 Investment Appraisal 210</p> <p>11.8 Process Activities 215</p> <p>11.8.1 Basic Concepts of Probability 215</p> <p>11.8.2 Sensitivity Analysis 216</p> <p>11.8.3 Scenario Analysis 217</p> <p>11.8.4 Simulation 217</p> <p>11.8.5 Monte Carlo Simulation 218</p> <p>11.8.6 Latin Hypercube 220</p> <p>11.8.7 Probability Distributions Defined from Expert Opinion 220</p> <p>11.9 Summary 221</p> <p>11.10 References 222</p> <p><b>12 Risk Treatment: Stage 5 223</b></p> <p>12.1 Process 223</p> <p>12.2 Process Goal and Subgoals 223</p> <p>12.3 Process Definition 224</p> <p>12.4 Process Inputs 224</p> <p>12.5 Process Outputs 224</p> <p>12.6 Process Controls (Constraints) 225</p> <p>12.7 Process Mechanisms 225</p> <p>12.8 Process Activities 226</p> <p>12.9 Risk Appetite 226</p> <p>12.10 Risk Response Strategies 228</p> <p>12.10.1 Risk Reduction 228</p> <p>12.10.2 Risk Removal 228</p> <p>12.10.3 Risk Reassignment or Transfer 229</p> <p>12.10.4 Risk Retention 230</p> <p>12.11 Summary 230</p> <p>12.12 References 231</p> <p><b>13 Monitoring and Review: Stage 6 233</b></p> <p>13.1 Process 233</p> <p>13.2 Process Goal and Subgoals 234</p> <p>13.3 Process Definition 234</p> <p>13.4 Process Inputs 235</p> <p>13.5 Process Outputs 235</p> <p>13.6 Process Controls (Constraints) 235</p> <p>13.7 Process Mechanisms 236</p> <p>13.8 Process Activities 236</p> <p>13.8.1 Executing 236</p> <p>13.8.2 Monitoring 236</p> <p>13.8.3 Controlling 237</p> <p>13.9 Summary 239</p> <p>13.10 Reference 240</p> <p><b>14 Communication and Consultation: Stage 7 241</b></p> <p>14.1 Process 241</p> <p>14.2 Process Goal and Subgoals 242</p> <p>14.3 Process Definition 242</p> <p>14.4 Process Inputs 243</p> <p>14.5 Process Outputs 243</p> <p>14.6 Process Controls (Constraints) 244</p> <p>14.7 Process Mechanisms 244</p> <p>14.8 Process Activities 244</p> <p>14.9 Internal Communication 245</p> <p>14.10 External Communication 245</p> <p>14.11 Summary 245</p> <p>14.12 Reference 246</p> <p><b>Part III Internal Influences – Micro Factors 247</b></p> <p><b>15 Financial Risk Management 249</b></p> <p>15.1 Definition of Financial Risk 249</p> <p>15.2 Scope of Financial Risk 250</p> <p>15.3 Benefits of Financial Risk Management 250</p> <p>15.4 Implementation of Financial Risk Management 251</p> <p>15.5 Liquidity Risk 251</p> <p>15.5.1 Current and Quick Ratios 251</p> <p>15.5.2 Mitigation of Liquidity Risk 253</p> <p>15.6 Credit Risk 253</p> <p>15.6.1 Default Risk 253</p> <p>15.6.2 Exposure Risk 254</p> <p>15.6.3 Recovery Risk 254</p> <p>15.6.4 Credit Insurance 255</p> <p>15.6.5 Counterparty Risk 256</p> <p>15.6.6 Due Diligence 256</p> <p>15.7 Borrowing 259</p> <p>15.8 Currency Risk 259</p> <p>15.9 Funding Risk 260</p> <p>15.10 Foreign Investment Risk 262</p> <p>15.10.1 Country Risk 262</p> <p>15.10.2 Environment Risk 263</p> <p>15.11 Derivatives 263</p> <p>15.11.1 Exchange Traded Derivatives 263</p> <p>15.11.2 Over-the-Counter Derivatives 264</p> <p>15.12 Summary 264</p> <p>15.13 References 265</p> <p><b>16 Operational Risk Management 267</b></p> <p>16.1 Definition of Operational Risk 268</p> <p>16.2 Scope of Operational Risk 269</p> <p>16.3 Benefits of Operational Risk 270</p> <p>16.4 Implementation of Operational Risk 270</p> <p>16.5 Strategy 270</p> <p>16.5.1 Definition of Strategy Risk 270</p> <p>16.5.2 Objectives 271</p> <p>16.5.3 Business Plan 272</p> <p>16.5.4 New Business Development 272</p> <p>16.5.5 Resources 273</p> <p>16.5.6 Stakeholder Interests 273</p> <p>16.5.7 Corporate Experience 274</p> <p>16.5.8 Reputation 274</p> <p>16.6 People 275</p> <p>16.6.1 Definition of People Risk 275</p> <p>16.6.2 Types of People Risk 276</p> <p>16.6.3 Human Resource Management Practices 276</p> <p>16.6.4 Ability to Pay Salaries 277</p> <p>16.6.5 Regulatory and Statutory Requirements 277</p> <p>16.6.6 Staff Constraints 280</p> <p>16.6.7 Staff Dishonesty 287</p> <p>16.6.8 Risk Management 287</p> <p>16.6.9 Health and Safety 292</p> <p>16.7 Processes and Systems 292</p> <p>16.7.1 Definition of Processes and Systems Risk 293</p> <p>16.7.2 Controls 293</p> <p>16.7.3 Regulatory and Statutory Requirements 294</p> <p>16.7.4 Continuity 294</p> <p>16.7.5 Indicators of Loss 295</p> <p>16.7.6 Transactions 295</p> <p>16.7.7 Computer/IT Systems 297</p> <p>16.7.8 Knowledge Management 301</p> <p>16.7.9 Project Management 302</p> <p>16.8 External Events 303</p> <p>16.8.1 Change Management 303</p> <p>16.8.2 Business Continuity 304</p> <p>16.9 Outsourcing 305</p> <p>16.10 Measurement 307</p> <p>16.11 Mitigation 307</p> <p>16.12 Summary 307</p> <p>16.13 References 308</p> <p><b>17 Technological Risk Management 309</b></p> <p>17.1 Definition of Technology Risk 310</p> <p>17.2 Scope of Technology Risk 310</p> <p>17.3 Benefits of Technology Risk Management 311</p> <p>17.4 Implementation of Technology Risk Management 311</p> <p>17.5 Primary Technology Types 312</p> <p>17.5.1 Information Technology 312</p> <p>17.5.2 Communications Technology 315</p> <p>17.5.3 Control Technology 319</p> <p>17.6 Responding to Technology Risk 324</p> <p>17.6.1 IT Governance 324</p> <p>17.6.2 Investment 326</p> <p>17.6.3 Projects 329</p> <p>17.7 Summary 330</p> <p>17.8 References 331</p> <p><b>18 Project Risk Management 333</b></p> <p>18.1 Definition of Project Risk 334</p> <p>18.2 Definition of Project Risk Management 334</p> <p>18.3 Sources of Project Risk 335</p> <p>18.4 Benefits of Project Risk Management 335</p> <p>18.5 Embedding Project Risk Management 336</p> <p>18.5.1 Common Challenges in Implementing Project Risk Management 336</p> <p>18.5.2 Lack of Clearly Defined and Disseminated Risk Management Objectives 337</p> <p>18.5.3 Lack of Senior Executive and Project Director Commitment and Support 337</p> <p>18.5.4 Lack of a Risk Maturity Model 337</p> <p>18.5.5 Lack of a Change Process to Implement the Discipline 338</p> <p>18.5.6 No Common Risk Language (Terms and Definitions) 338</p> <p>18.5.7 Lack of Articulation of the Project Sponsor’s Risk Appetite 338</p> <p>18.5.8 No Definition of Roles and Responsibilities 339</p> <p>18.5.9 Lack of Risk Management Awareness Training to Build Core Competencies 339</p> <p>18.5.10 Lack of Integration of Risk Management with Other Project Disciplines 340</p> <p>18.5.11 Reticence of Project Personnel to Spend Time on Risk Management 340</p> <p>18.5.12 Risk Owners not Automatically Taking Responsibility for Assigned Risks 341</p> <p>18.5.13 No Clear Demonstration of How Risk Management Adds Value and Contributes to Project Performance 341</p> <p>18.5.14 Overcomplicated Implementation from an Unclear Risk Policy, Strategy, Framework, Plan and Procedure 341</p> <p>18.5.15 Lack of Alignment between the Business Strategy, Business Model and the Risk Management Objectives 341</p> <p>18.5.16 Lack of the Integration of Risk Management Activities into the Day-to-Day Activities of Project Managers 342</p> <p>18.6 Project Risk Management Process 342</p> <p>18.6.1 Establish the Context 342</p> <p>18.6.2 Risk Identification 344</p> <p>18.6.3 Risk Analysis 344</p> <p>18.6.4 Risk Evaluation 345</p> <p>18.6.5 Risk Treatment 345</p> <p>18.6.6 Risk Monitoring and Review 345</p> <p>18.6.7 Communication and Consultation 346</p> <p>18.7 Responsibility for Project Risk Management 346</p> <p>18.8 Project Director’s Role 347</p> <p>18.9 Project Team 347</p> <p>18.9.1 Lack of Team Structure 347</p> <p>18.9.2 Lack of Definition of Roles 348</p> <p>18.9.3 Lack of Responsibility Assignment Matrix 348</p> <p>18.9.4 Poor Leadership 348</p> <p>18.9.5 Poor Team Communication 348</p> <p>18.10 Optimism Bias 349</p> <p>18.10.1 The Investment Decision 349</p> <p>18.10.2 Optimism Bias 350</p> <p>18.10.3 Monitoring 350</p> <p>18.10.4 Using Numerical Indicators in Project Decision Making 350</p> <p>18.10.5 Causes of Optimism Bias 351</p> <p>18.10.6 The Distinction between Risk Events and Optimism Bias 351</p> <p>18.11 Software Tools Used to Support Project Risk Management 351</p> <p>18.12 Techniques Used to Support Project Risk Management 352</p> <p>18.13 Summary 352</p> <p>18.14 References 354</p> <p><b>19 Business Ethics Management 355</b></p> <p>19.1 Definition of Business Ethics Risk 355</p> <p>19.2 Scope of Business Ethics Risk 356</p> <p>19.3 Benefits of Ethics Risk Management 357</p> <p>19.4 How Unethical Behaviour can Arise 357</p> <p>19.5 Recognition of the Need for Business Ethics 358</p> <p>19.5.1 US Department of Commerce 358</p> <p>19.5.2 The G8 Summit in Italy Pushes for a Return to “Ethics” 359</p> <p>19.5.3 OECD and Its Approach to Business Ethics 359</p> <p>19.5.4 UK Financial Services Authority 360</p> <p>19.5.5 US Department of Justice 360</p> <p>19.6 Factors that Affect Business Ethics 361</p> <p>19.7 Risk Events 361</p> <p>19.8 Implementation of Ethical Risk Management 365</p> <p>19.8.1 Areas of Focus 365</p> <p>19.8.2 Levels of Application 366</p> <p>19.8.3 The System 368</p> <p>19.9 Summary 374</p> <p>19.10 References 374</p> <p><b>20 Health and Safety Management 375</b></p> <p>20.1 Definition of Health and Safety Risk 375</p> <p>20.2 Scope of Health and Safety Risk 376</p> <p>20.3 Benefits of Health and Safety Risk Management 376</p> <p>20.3.1 Business Benefits 377</p> <p>20.3.2 The Enterprise Context: AstraZeneca 378</p> <p>20.4 The UK Health and Safety Executive 378</p> <p>20.4.1 The UK Perspective: Health and Safety Record 379</p> <p>20.5 The European Agency for Safety and Health at Work 379</p> <p>20.5.1 Main Challenges Concerning Health and Safety at Work 380</p> <p>20.6 Implementation of Health and Safety Risk Management 380</p> <p>20.6.1 Management Arrangements 381</p> <p>20.6.2 Risk Controls 381</p> <p>20.6.3 Workplace Precautions 381</p> <p>20.6.4 System Implementation 382</p> <p>20.7 Workplace Precautions 382</p> <p>20.8 Contribution of Human Error to Major Disasters 382</p> <p>20.8.1 Tenerife, 27 March 1977 382</p> <p>20.8.2 Chernobyl, 26 April 1986 384</p> <p>20.8.3 Kegworth, 8 January 1989 385</p> <p>20.8.4 <i>Herald of Free Enterprise</i>, 6 March 1987 386</p> <p>20.8.5 <i>Piper Alpha</i>, 6 July 1988 387</p> <p>20.8.6 Ladbroke Grove, 5 October 1999 387</p> <p>20.9 Improving Human Reliability in the Workplace 388</p> <p>20.10 Risk Management Best Practice 389</p> <p>20.10.1 Crisis Management Plan 389</p> <p>20.11 Summary 390</p> <p>20.12 References 390</p> <p><b>Part Iv External Influences – Macro Factors 391</b></p> <p><b>21 Economic Risk 393</b></p> <p>21.1 Definition of Economic Risk 393</p> <p>21.2 Scope of Economic Risk 393</p> <p>21.3 Benefits of Economic Risk Management 394</p> <p>21.4 Implementation of Economic Risk Management 394</p> <p>21.5 Microeconomics and Macroeconomics 394</p> <p>21.6 Macroeconomics 395</p> <p>21.6.1 Gross Domestic Product 395</p> <p>21.7 Government Policy 397</p> <p>21.7.1 Fiscal Policy 397</p> <p>21.7.2 Monetary Policy 397</p> <p>21.7.3 Competing Theories 398</p> <p>21.8 Aggregate Demand 398</p> <p>21.8.1 Using Aggregate Demand Curves 399</p> <p>21.8.2 Determinants of Consumer Spending 399</p> <p>21.8.3 Determinants of Investment Expenditure 400</p> <p>21.8.4 Determinants of Government Spending 400</p> <p>21.8.5 Determinants of Net Expenditure on Exports and Imports 401</p> <p>21.9 Aggregate Supply 401</p> <p>21.10 Employment Levels 403</p> <p>21.11 Inflation 403</p> <p>21.12 Interest Rate Risk 404</p> <p>21.13 House Prices 405</p> <p>21.14 International Trade and Protection 405</p> <p>21.14.1 Trade 405</p> <p>21.14.2 Methods of Protectionism 406</p> <p>21.14.3 Trade Policy 406</p> <p>21.14.4 Balance of Trade 406</p> <p>21.15 Currency Risk 407</p> <p>21.15.1 Risk Mitigation by Hedging 407</p> <p>21.16 Summary 412</p> <p>21.17 References 412</p> <p><b>22 Environmental Risk 413</b></p> <p>22.1 Definition of Environmental Risk 413</p> <p>22.2 Scope of Environmental Risk 415</p> <p>22.3 Benefits of Environmental Risk Management 415</p> <p>22.4 Implementation of Environmental</p> <p>Risk Management 415</p> <p>22.5 Energy Sources 416</p> <p>22.5.1 Renewable Energy 417</p> <p>22.6 Use of Resources 419</p> <p>22.7 Pollution 420</p> <p>22.8 Global Warming 420</p> <p>22.9 Response to Global Warming 422</p> <p>22.9.1 Earth Summit 422</p> <p>22.9.2 The Kyoto Protocol 422</p> <p>22.9.3 Pollution Control Targets 422</p> <p>22.9.4 Sufficiency of Emission Cuts 423</p> <p>22.9.5 US Climate Pact 423</p> <p>22.9.6 The Copenhagen Accord 424</p> <p>22.9.7 European Union 425</p> <p>22.9.8 Cancún Agreements 425</p> <p>22.9.9 Domestic Government Response to Climate Change 426</p> <p>22.9.10 Levy 427</p> <p>22.9.11 Emissions Trading 428</p> <p>22.9.12 Impact on Business 428</p> <p>22.10 Stimulation to Environmental Considerations 429</p> <p>22.10.1 FTSE4Good Index 429</p> <p>22.10.2 Carbon Trust 429</p> <p>22.10.3 Public Pressure 430</p> <p>22.11 Environmental Sustainability 431</p> <p>22.12 Summary 432</p> <p>22.13 References 433</p> <p><b>23 Legal Risk 435</b></p> <p>23.1 Definition of Legal Risk 435</p> <p>23.2 Scope of Legal Risk 435</p> <p>23.3 Benefits of Legal Risk Management 436</p> <p>23.4 Implementation of Legal Risk Management 436</p> <p>23.5 Business Law 437</p> <p>23.6 Companies 438</p> <p>23.6.1 The Company Name 438</p> <p>23.6.2 The Memorandum of Association 438</p> <p>23.6.3 Articles of Association 439</p> <p>23.6.4 Financing the Company 439</p> <p>23.6.5 The Issue of Shares and Debentures 440</p> <p>23.6.6 The Official Listing of Securities 440</p> <p>23.6.7 The Remedy of Rescission 440</p> <p>23.6.8 Protection of Minority Interests 440</p> <p>23.6.9 Duties of Directors 441</p> <p>23.7 Intellectual Property 441</p> <p>23.7.1 Patents 441</p> <p>23.7.2 Copyright 445</p> <p>23.7.3 Designs 446</p> <p>23.8 Employment Law 447</p> <p>23.9 Contracts 447</p> <p>23.9.1 Essentials of a Valid Contract 447</p> <p>23.9.2 Types of Contract 447</p> <p>23.10 Criminal Liability in Business 448</p> <p>23.10.1 Misdescriptions of Goods and Services 448</p> <p>23.10.2 Misleading Price Indications 449</p> <p>23.10.3 Product Safety 450</p> <p>23.11 Computer Misuse 451</p> <p>23.11.1 Unauthorised Access to Computer Material 451</p> <p>23.11.2 Unauthorised Access with Intent to Commit or Facilitate</p> <p>Further Offences 451</p> <p>23.11.3 Unauthorised Modification of Computer Material 451</p> <p>23.12 Summary 452</p> <p><b>24 Political Risk 453</b></p> <p>24.1 Definition of Political Risk 454</p> <p>24.2 Scope of Political Risk 454</p> <p>24.2.1 Macropolitical Risks 454</p> <p>24.2.2 Micropolitical Risks 455</p> <p>24.3 Benefits of Political Risk Management 455</p> <p>24.4 Implementation of Political Risk Management 455</p> <p>24.5 Zonis and Wilkin Political Risk Framework 457</p> <p>24.6 Contracts 459</p> <p>24.7 Transition Economies of Europe 459</p> <p>24.8 UK Government Fiscal Policy 460</p> <p>24.9 Pressure Groups 461</p> <p>24.10 Terrorism and Blackmail 461</p> <p>24.11 Responding to Political Risk 462</p> <p>24.11.1 Assessing Political Risk Factors 463</p> <p>24.11.2 Prioritising Political Risk Factors 464</p> <p>24.11.3 Improving Relative Bargaining Power 464</p> <p>24.12 Summary 464</p> <p>24.13 References 465</p> <p><b>25 Market Risk 467</b></p> <p>25.1 Definition of Market Risk 467</p> <p>25.2 Scope of Market Risk 468</p> <p>25.2.1 Levels of Uncertainty in the Marketing Environment 469</p> <p>25.3 Benefits of Market Risk Management 470</p> <p>25.4 Implementation of Market Risk Management 470</p> <p>25.5 Market Structure 470</p> <p>25.5.1 The Number of Firms in an Industry 471</p> <p>25.5.2 Barriers to Entry 471</p> <p>25.5.3 Product Homogeneity, Product Diversity and Branding 473</p> <p>25.5.4 Knowledge 473</p> <p>25.5.5 Interrelationships within Markets 474</p> <p>25.6 Product Life Cycle Stage 475</p> <p>25.6.1 Sales Growth 476</p> <p>25.7 Alternative Strategic Directions 476</p> <p>25.7.1 Market Penetration 477</p> <p>25.7.2 Product Development 477</p> <p>25.7.3 Market Development 479</p> <p>25.7.4 Diversification 481</p> <p>25.8 Acquisition 482</p> <p>25.9 Competition 483</p> <p>25.9.1 Price Stability 483</p> <p>25.9.2 Non-Price Competition 484</p> <p>25.9.3 Branding 485</p> <p>25.9.4 Market Strategies 486</p> <p>25.10 Price Elasticity/Sensitivity 489</p> <p>25.10.1 Elasticity 489</p> <p>25.10.2 Price Elasticity 489</p> <p>25.11 Distribution Strength 490</p> <p>25.12 Market Risk Measurement: Value at Risk 490</p> <p>25.12.1 Definition of Value at Risk 490</p> <p>25.12.2 Value at Risk 490</p> <p>25.12.3 VaR Model Assumptions 491</p> <p>25.12.4 Use of VaR to Limit Risk 493</p> <p>25.12.5 Calculating Value at Risk 494</p> <p>25.13 Risk Response Planning 496</p> <p>25.14 Summary 496</p> <p>25.15 References 497</p> <p><b>26 Social Risk 499</b></p> <p>26.1 Definition of Social Risk 499</p> <p>26.2 Scope of Social Risk 500</p> <p>26.3 Benefits of Social Risk Management 500</p> <p>26.4 Implementation of Social Risk Management 501</p> <p>26.5 Education 501</p> <p>26.6 Population Movements: Demographic Changes 502</p> <p>26.6.1 The Changing Market 503</p> <p>26.7 Socio-Cultural Patterns and Trends 504</p> <p>26.8 Crime 504</p> <p>26.8.1 Key Facts 504</p> <p>26.9 Lifestyles and Social Attitudes 505</p> <p>26.9.1 More Home Improvements 505</p> <p>26.9.2 Motherhood, Marriage and Family Formation 505</p> <p>26.9.3 Health 506</p> <p>26.9.4 Less Healthy Diets 507</p> <p>26.9.5 Smoking and Drinking 508</p> <p>26.9.6 Long Working Hours 509</p> <p>26.9.7 Stress Levels 509</p> <p>26.9.8 Recreation and Tourism 510</p> <p>26.10 Summary 510</p> <p>26.11 References 511</p> <p><b>Part V The Appointment 513</b></p> <p><b>27 Introduction 515</b></p> <p>27.1 Change Process From the Client Perspective 515</p> <p>27.1.1 Planning 515</p> <p>27.1.2 Timely Information 516</p> <p>27.1.3 Risk Management Resources 516</p> <p>27.2 Selection of Consultants 517</p> <p>27.2.1 Objectives 517</p> <p>27.2.2 The Brief 517</p> <p>27.2.3 Describing Activity Interfaces 517</p> <p>27.2.4 Appointment Process Management 518</p> <p>27.2.5 The Long-Listing Process 518</p> <p>27.2.6 Short-List Selection Criteria 519</p> <p>27.2.7 Request for a Short-Listing Interview 519</p> <p>27.2.8 Compilation of Short List 519</p> <p>27.2.9 Prepare an Exclusion Notification 520</p> <p>27.2.10 Prepare Tender Documents 520</p> <p>27.2.11 Agreement to be Issued with the Tender Invitation 521</p> <p>27.2.12 Tender Process 521</p> <p>27.2.13 Award 521</p> <p>27.2.14 Notification to Unsuccessful Tenderers 522</p> <p>27.3 Summary 522</p> <p>27.4 Reference 522</p> <p><b>28 Interview with the Client 523</b></p> <p>28.1 First Impressions/Contact 523</p> <p>28.2 Client Focus 524</p> <p>28.3 Unique Selling Point 524</p> <p>28.4 Past Experiences 526</p> <p>28.5 Client Interview 527</p> <p>28.5.1 Scene/Overview 527</p> <p>28.5.2 Situation/Context 527</p> <p>28.5.3 Scheme/Plan of Action 527</p> <p>28.5.4 Solution Implementation 528</p> <p>28.5.5 Success, Measurement of 528</p> <p>28.5.6 Secure/Continue 528</p> <p>28.5.7 Stop/Close 528</p> <p>28.6 Assignment Methodology 528</p> <p>28.7 Change Management 529</p> <p>28.8 Sustainable Change 529</p> <p>28.9 Summary 530</p> <p>28.10 References 531</p> <p><b>29 Proposal 533</b></p> <p>29.1 Introduction 533</p> <p>29.2 Proposal Preparation 533</p> <p>29.2.1 Planning 533</p> <p>29.2.2 Preliminary Review 534</p> <p>29.3 Proposal Writing 534</p> <p>29.3.1 Task Management 534</p> <p>29.3.2 Copying Text 534</p> <p>29.3.3 Master Copy 534</p> <p>29.3.4 Peer Review 534</p> <p>29.4 Approach 535</p> <p>29.5 Proposal 535</p> <p>29.5.1 Identify the Parties – the Who 535</p> <p>29.5.2 Identify the Location – the Where 537</p> <p>29.5.3 Understand the Project Background – the What 537</p> <p>29.5.4 Define the Scope – the Which 537</p> <p>29.5.5 Clarify the Objectives – the Why 537</p> <p>29.5.6 Determine the Approach – the How 538</p> <p>29.5.7 Determine the Timing – the When 538</p> <p>29.6 Client Responsibilities 538</p> <p>29.7 Remuneration 539</p> <p>29.8 Summary 539</p> <p>29.9 References 539</p> <p><b>30 Implementation 541</b></p> <p>30.1 Written Statement of Project Implementation 541</p> <p>30.2 Management 541</p> <p>30.2.1 Objectives 541</p> <p>30.2.2 Planning the Project 542</p> <p>30.2.3 Consultant Team Composition 543</p> <p>30.2.4 Interface with Stakeholders 543</p> <p>30.2.5 Data Gathering 543</p> <p>30.2.6 Budget 544</p> <p>30.2.7 Assessment of Risk 544</p> <p>30.2.8 Deliverables 544</p> <p>30.2.9 Presentation of the Findings 545</p> <p>30.2.10 Key Factors for Successful Implementation 545</p> <p>30.3 Customer Delight 548</p> <p>30.4 Summary 548</p> <p>30.5 References 548</p> <p>Appendix 1: Successful IT: Modernising Government in Action 549</p> <p>Appendix 2: Sources of Risk 553</p> <p>Appendix 3: DEFRA Risk Management Strategy 557</p> <p>Appendix 4: Risk: Improving Government’s Capability to Handle Risk and Uncertainty 561</p> <p>Appendix 5: Financial Ratios 567</p> <p>Appendix 6: Risk Maturity Models 573</p> <p>Appendix 7: SWOT Analysis 579</p> <p>Appendix 8: PEST Analysis 583</p> <p>Appendix 9: VRIO Analysis 587</p> <p>Appendix 10: Value Chain Analysis 589</p> <p>Appendix 11: Resource Audit 591</p> <p>Appendix 12: Change Management 595</p> <p>Appendix 13: Industry Breakpoints 599</p> <p>Appendix 14: Probability 601</p> <p>Appendix 15: Value at Risk 611</p> <p>Appendix 16: Optimism Bias 613</p> <p>Index 621</p>

<p><b><i>About the author</i></b> <p><b>ROBERT J. CHAPMAN</b> is the Director of Risk Management in the Middle East for AECOM, a publicly traded company on the New York Stock Exchange, and listed on the <i>Fortune 500</i> as one of America's largest companies. Prior to this he held the position of Director of Risk Management at a number of European companies and has provided risk management consultancy services in Holland, Ireland, South Africa, Qatar, England and the UAE to companies within the pharmaceutical, aviation, marine, rail, broadcast, heritage, health, education, manufacturing, water, sport, oil and gas, property development, construction and media sectors. He was made a Fellow of both the Institute of Risk Management (UK) and the Association for Project Management (UK) for his contribution to the development of the discipline of risk management. He has provided guidance to the Chartered Institute of Accountants in England and Wales in the form of a risk management handbook and was a co-author of <i>Management of Risk: Guidance for Practitioners</i> published by the Office of Government Commerce and <i>Managing Business Risk</i> published by Kogan Page. He has had articles on the subject of risk management published in three languages and has a PhD in risk management.

<p><i>"Rob Chapman's book is modest in its title, yet is, at its heart, one of the best guides on how to 'do' Enterprise Risk Management, currently in print. Now completely revised to recognise the development of ISO31000 (the International Risk Management standard) and recent changes in governance and business ethics, this very accessible text is a must for anyone implementing ERM, irrespective of their business sector, country or background."</i><br/> <b>—Steve Fowler, Chief Executive, Institute of Risk Management, UK</b> <p><i>"This valuable text provides both the student and the practitioner with comprehensive coverage of the key elements which must be considered in respect of Risk Management."</i><br/> <b>—Dr Alistair Somerville Ford FTS, Chairman - Institute of Commercial Management, UK</b> <p><i>"The global financial crisis and in particular the demise of high profile companies has emphasised like never before the need for effective Enterprise Risk Management. This significantly expanded text will enable the reader, whether student, risk practitioner, auditor or board member to understand both the sources of risk and a process for implementing ERM. The clear and concise style of writing will provide a useful reference in navigating the ever expanding maze of business risk."</i><br/> <b>—Steve Wilmot, Risk Manager - Leighton Contractors PTY Limited, Australia</b> <p><i>"In today's highly volatile risk reality where ERM is the future of risk management, Chapman's book provides an in-depth insight into ERM. By combining theoretical and practical ERM knowledge from both a strategic and an operational angle, Chapman creates a valuable source of references for risk practitioners. While imminent risk issues are addressed, the book discusses how these risks can be managed most effectively across the entire organisation. The book aims to introduce risk professionals to key ERM aspects, and that's exactly what it does."</i><br/> <b>—Joanna Keith, Risk Management, JP Morgan, UK</b> <p><i>"Every student, practitioner, manager and director will find information in this book which will help them in their risk management efforts"</i><br/> <b>—Jonathan Allen, Program Risk Manager, Abu Dhabi Public Transport Network, UAE</b> <p><i>"Risk Management is such a broad subject and varies depending on the organization and the industry. Many standards and guidelines around the world try to encapsulate risk into one set of parameters but typically suffer as they are from one particular perspective. Robert Chapman however does not conform to this single minded approach and provides us with a mixture of current risk management issues, techniques and case studies to provide a broad and yet still comprehensive view on risk management that is relevant to any industry sector. As such, there is something here for everyone who is in the risk management field and should be a mandatory addition to any risk manager's bookshelf."</i><br/> <b>—Clayton Meteyard, Manager – Risk and Insurance, Etihad Rail</b>

GB