

To demonstrate this wider definition of business risk we quantify other loss
experiences of companies, many of whom were unprepared and did not view
them as risks as they were outside their traditional view of what was business
and business risk. In this book we use research supplied by the SERM Rating
Agency Ltd who have analysed a wide range of companies’ loss episodes,
which can be quantified as having had an economic impact, including:
Non-compliance fines and enforcement notices;
Reputation and brand damage;
Work stoppages, labour disputes and strikes; and
Product recalls and loss of stakeholder confidence.

Part A – Overview of Risk Management

Through this research it is possible to develop an overview of the organisation
and their past losses in relation to their market value and to predict the future
probabilities of reoccurrences, or of new risk impacts occurring based upon
their sector of activities averages. The quality of management on SERM-related
risk issues is then considered to see to what extent these risks are mitigated and
if actions have been taken to prevent the repetition of previous occurrences.
These risks quite often impact most upon intangible assets, brand value and
reputation, and it can be difficult to insure against losses that arise from them.
The new risk environment is more intangible and further away from a traditional
tangible asset-based view of the organisation. The process is diagrammatically
presented below, with more detailed explanation in Appendices
C and D.

The methodology has been tested and refined over 10 years, originally
developed in partnership with: the insurance industry, the United Nations
Environment Programme (UNEP), the Association of Chartered Certified
Accountants (ACCA), the Association of British Insurers (ABI) and the Centre
for the Study of Financial Innovation (CSFI), among many others. It can be used
to assess any size of organisation.
A key element of a SERM system is the concept of ‘sustainability’ or sustainable
development as it is also known; sustainable development is one of the
guiding philosophies behind our investigating the potential of a Sustainable
ERM (SERM) system. The term is generally traced back to the World
Commission on Environment and Development (the Brundtland Commission)
report which coined the following definition: ‘Sustainable Development is
development that meets the needs of the present without compromising the
ability of future generations to meet their own needs’.
Sustainable development reporting can help companies to mitigate risk, protect their
corporate brands, and gain competitive advantage. (World Business Council for Sustainable

Chapter 2 – A Sustainable Enterprise Risk Management (SERM) system 21

A more current corporate version offered by Lord John Browne, Group Chief
Executive of BP in a speech on sustainability, notes:
Our purpose is to supply the goods and services which people want to buy at a cost they
can afford. If a business can’t meet the needs of its customers it will cease to trade … The
business of business is business and sustainability is about achieving enduring commercial
success. (6th Annual Peter M. Wege Lecture, University of Michigan, Flint, USA, 14
November 2006)

The need to find new frameworks like a Sustainable Enterprise Risk
Management system has been emphasised by Richard Evans, President and
Chief Executive Officer of Alcan Inc.:
Sustainability requires new approaches, innovative solutions and stronger partnerships.
All of those, when executed and managed well, build value … Sustainability is not a
challenge. It is a path – I would argue the only path – to a successful future. (The 2006
Banff Forum, in Mont-Tremblant, Canada, 6 October 2006)

The risk management system also sits well with corporate social responsibility
(CSR) frameworks (also known as corporate responsibility (CR), corporate
accountability (CA) and corporate citizenship (CS)),
which follow a sustainable development style framework, as this quote on the
definition of CSR demonstrates:
A company’s commitment to operating in an economically, socially and environmentally
sustainable manner, while recognising the interests of its stakeholders, including
investors, customers, employees, business partners, local communities, the environment
and society at large. (Canadian Business for Social Responsibility)

Ensuring business legitimacy and licence to operate are the overarching aims
of the wider business community. To ensure this, there are concepts of:
non-financial performance measurement; corporate social responsibility (CSR) also
known as corporate responsibility and corporate accountability; sustainability;
and business durability. Some prominent business organisations are also
promoting these concepts. The Confederation of British Industry (CBI) has
It is a prime responsibility of managements to ensure that companies are good corporate
citizens, caring not just for those with a direct stake in business – shareholders,
employees, customers, suppliers – but for the general public and the environment, in the
broadest sense of the term. Social responsibility encompasses many different aspects of
business life. It means putting customers first, and providing them with good, safe and
reliable products and services. It means being a first class employer, providing fair pay,
good conditions and decent pensions for employees. It involves genuine concern for
health and safety, and a commitment to good employee involvement and
communications. (Quoted in A Practical Approach to Corporate Governance, Dr Saleem Sheikh,
Lexis Nexis Tolley, 2003, p. 297)

The linking of risk management to business strategies plays a vital role in
developing an appropriate performance-focused approach to risk management
at board and executive management level. This has been outlined in the ICC
Business Charter for Sustainable Development: http://www.icc.se/policy/

Sustainable risk management
Sustainability without a real business case is mere philanthropy; without
measurement, mere whimsy; without meaningful reporting to shareholders,
mere public relations. Today’s best-run companies – and smartest
investors – are seeing sustainability for what it truly is: a strategic business
driver that will separate the winners from the losers in the next decade.
Companies seeking to establish strong, successful sustainability programmes
will need the active participation of their CFOs.
(A. Savitz, author of The Triple Bottom Line – How Today’s Best-Run
Companies are Achieving Economic, Social and Environmental Success
and How You Can Too)

A Sustainable ERM strategy
A Sustainable ERM system includes the more traditional elements of risk
embedded within your organisation: financial, operational, infrastructure and
IT risks, as well as regulatory and compliance issues but within the structure of
the three pillars of sustainable development.
Yet it has a wider inclusion of external risk factors, and more emphasis on
reviewing the risks that pose a threat to intangible assets such as reputation. In
the risk reward analyses and strategic risks analysis there is a wider scope and
time length than more ‘traditional’ systems.
These newer elements may still impact either directly or indirectly upon your
business activities and we seek to demonstrate the risk levels by the use of a
non-financial risk rating system, the SERM risk rating system, as a template of average
loss experiences. The SERM model will offer a quantitative measure of impacts
upon companies with relevance to their bottom line, or rather, their market value.
While most organisations have a core of risk management capability to
conform to legal requirements, it is beneficial for performance to invest in risk
management processes if they are in line with business objectives and strategy.
Generally speaking, a SERM strategy should contain the following key areas.

Planning and people
A review of the regulatory and risk environment, including extensive coverage
of stakeholder influences and risks as well as the probabilities of external
risk occurring. The risk environment means the risks evident in the environment
in which the organisation operates. When preparing the business objectives
and strategy of an organisation it is important that this risk environment,
after it has been agreed and communicated across the organisation, is taken
into consideration;
A valuation of the risks – which outlines the risks to the organisation and the
benefits of managing the risk environment in line with business objectives.
Herein lie the difficulties of allocating resources, the opportunity cost of the
resources spent on risk management being better spent on more profitable
activities. Again, ideal risk management minimises spending while maximising
the reduction of the negative effects of risks;
An analysis of the risk appetite of the organisation and its willingness to accept
risk. Risk appetite relates to the amount an organisation is willing to ‘bet’ in
pursuit of its objectives. Defining the amount and type of risk that is acceptable
allows an organisation to design a strategy that is appropriate to it. A company
which has a low appetite for risk but follows a high risk strategy can expect a
hazardous time. In practice, the risk appetite will be different for different
parts of the organisation. Thus different operations or individual business
units will have different appetites with a central function taking a portfolio
view and monitoring the risk/return ratio. For example, a pharmaceuticals company
will have a low risk appetite when addressing its quality assurance activity,
understanding that this activity has to be well controlled, but may have a
different appetite for risk in its research and development area;
Formulation of a risk strategy. It is clear that a well-defined risk appetite, and
risk environment, will influence the setting of the overall business strategy.
All strategy documents that go to the board for approval should include a
commentary on the key risks associated with the organisation’s objectives
and strategy and their acceptability in line with the agreed risk appetite,
based on the organisation’s understanding of the risk environment;
A properly designed and formalised business strategy should describe how
an organisation will prioritise, focus and allocate its resources to exploit
identified opportunities. To help an organisation achieve its business strategy
a number of supporting strategies, such as HR and IT, will be developed
for the allocation of resources and investment. The allocation of risk management
resources and investment is no different in this respect; and
A risk management statement based on organisational objectives and business
strategy.

An analysis of the organisational risk culture of the organisation. Failing to
communicate organisational risks and risk appetite across the organisation
can lead to inconsistent decisions and a diminishment in the board’s ability
to challenge management’s recommendations. Neither outcome is particularly
healthy to the fortunes of an organisation, whether viewed from a conformance
or performance perspective; and
A review of the ownership of responsibilities for the risk management strategy
at all levels, the people and teams involved and the training required to
equip these staff with the relevant capabilities.

A risk identification process seeking out the potential source of problems, or
with the problem itself, based on a source analysis (risk sources may be internal
or external to the system that is the target of risk management), problem
analysis (risks are related to identified threats), or event basis. Common risk
identification methods are: common-risk checking (previous or sector occurring
risks); objectives-based, scenario-based analysis; taxonomy-based risk
identification (a breakdown of possible risk sources);
A risk assessment. Once risks have been identified, they must then be
assessed as to the probability of occurrence multiplied by the potential severity
of loss; this crudely equals the risk level. These values can be either simple
to measure or near to impossible to know. Therefore it is critical to make
the best informed assessment to assist the next stage of the risk management
plan, prioritisation. A crucial point is that research has shown that the financial
benefits of risk management are more dependent on the frequency of the
risk assessment than on any formula used;
A risk prioritisation process should follow, with the greatest loss and the
greatest probability of occurrence being handled first, and risks with lower
probability of occurrence and lower loss handled later. In practice the balancing
between risks with a high probability of occurrence but lower loss versus a risk
with high loss but lower probability of occurrence can prove difficult; and
A risk management framework or system employed to deliver the above
requirements and develop the organisational risk management culture.
While risk environment, risk appetite and the risk management strategy are
key elements to organisations achieving their business strategies, these need
to be supported by a unifying risk management framework.

A definition of the performance criteria employed for reviewing the effectiveness
of the Sustainable Enterprise Risk Management framework. An
organisation’s plan for actively targeting its risk management resources, so as
to manage risk both effectively and appropriately to deliver performance,
should be reviewed and revised regularly in line with its overall business

As the diagram below suggests, organisational sustainability is dependent upon
sufficiently compliant performance in the economic, social and environmental
categories, which are in turn dependent upon the people, plans and processes
in place, including your risk management elements. Progress in the three pillars
of sustainable organisational development should ensure a strong enough
foundation to weather the matrix of future risks and opportunities.
Indeed many Sustainable ERM suggestions are just good management practice
and the integration of them into the organisation’s objectives is quite often
a constitutional requirement of the management, whether related to profit generation
or loss minimisation, i.e. they represent legal compliance issues.

[Figure: A Sustainable Enterprise Risk Management System (SERM) and Improved Competitive Performance]