Complete the corporate picture

Nick Chown deputy chairman, AIRMIC, and risk manager, Royal Mail, chaired the discussion

Dr Keith Blacker consultant and a director of the Henley Centre for Value Improvement

Lindsay Cox managing director, Risk Governance Ltd

John Davies principal, risk consulting practice, Marsh

Professor Ragnar Löfstedt director, Kings Centre for Risk Management, Kings College London

Peter Morris partner, Burges Salmon

Richard Nelson president, Institute of Internal Auditors

Embedding risk management
Nick Chown: The topic today is embedding risk management in business as usual. The issues which are felt to form a part of that topic by StrategicRISK are:
• enlisting buy-in and engagement of directors, local management and others
• assessing whether the corporate culture is conducive to embedding risk management – I personally think that that is a particularly important one and we ought to concentrate on that if we can
• identifying and actively managing risks
• increasing risk awareness
• ensuring ownership of risk
• communicating risk management policies and the benefits of effective risk management
• making risk management an integral part of the business planning process
• assessing performance
I have some questions which you might like to consider. First, what are the respective roles of the risk manager and the internal auditor in embedding risk management? I suppose the next question is a subset of the former – where you have both in an organisation, how should the two work together? And, is it possible to effectively merge a risk management and internal audit function into one?

Also, we have already said that one of the issues to be discussed is – Is the culture in your organisation conducive to embedding risk management? If the answer is no, what can you do about it?

You can carve up the risk cake in many ways. For the sake of argument, let us say that we carve it up into three areas: strategic risk management, change risk management and then control risks (the control environment). What would embedding mean in these three areas?

Lastly, there is potentially a distinction between the corporate governance focus to risk management and the commercial focus to risk management. By this I mean that, if you are looking at risk management commercially, presumably you are looking for something which is risk aware rather than risk averse. You are looking for something which is essentially a set of decision-making tools for your organisation so that you can make better decisions and be more successful. But it is possible that, if you take a corporate governance perspective, you may end up concentrating too much on the process for the sake of process. How can you reconcile those two imperatives - the commercial imperative and the corporate governance imperative?

Lindsay Cox: I would like to ask a question myself. How do people define embedding risk management? If the senior executives of a company and the senior management are risk aware and have a responsibility for reporting on risks, does that mean it is embedded? Or does embedding risk management really mean involving everyone within the organisation and embedding a systematic management of risks throughout the organisation?

Richard Nelson: I would have thought it meant the latter. It is inherent in a whole series of processes that the organisation carries out, whether it is strategic planning, business planning, quarterly performance reviews or whatever. In all those instances there is an element of identifying what the risks are and identifying how the organisation proposes to manage them.

Lindsay Cox: That is certainly my view. It is not just to be embraced by senior executives and managers, but must involve all owners of material risks throughout the company, and there must be a systematic management of them.

Keith Blacker: It has to be embedded throughout the organisation, because, at the end of the day, everybody must have a responsibility for managing risks, whether at the strategic level or the operational level. One thing that concerns me is when people say that risk is now top of their agenda. To my mind, it should never be top of the agenda, it should be a value within the organisation – something that people think about every day doing their day to day work.

Nick Chown: How would you set about making sure that risk is on everybody's agenda? And to what extent would you want it to be on people's agendas at various levels of the organisation?

Keith Blacker: You have to start at the top of an organisation by making sure that the board of directors is committed to having risk management as a value within the organisation. Moving it further down the operation involves a number of things – training, developments in risk awareness, having risk management software, which is the engine of the whole risk management process, to actually help install the culture and risk reporting and this type of thing. On top of that, it is a question of just generally making sure that people are risk aware in everything that they do in their day to day operations.

Peter Morris: The danger that I see in the process is that things are negative. It is very important to try to put across positives for risk management, because otherwise it is a complete turn-off. We have to be very clear about what the benefits are. I have been reading an old paper which said that risk management should create shareholder value, and I thought the chief executive would groan if he saw that as a justification. I think it is meaningless. We know what the author is trying to get at, but you need to be much more specific about how risk management processes will help to achieve it.

John Davies: I think that risk management on its own probably will not create shareholder value, but it will protect and enhance it. There is a subtlety there. We see many presentations where people say risk management creates value. We will often deliberately argue that it is a value destroyer. Risk management is a cost. How do you measure the benefits – the risk that did not happen or was significantly reduced because of the risk management system? It is very difficult to measure the return on the investment.

Another point is that, whether we like it or not, when the risk management cavalry come charging over the horizon from head office, people go on holiday. The key challenge for us is to make risk management useful. It is pretty straightforward. For the board, the benefits are probably quite clear. Governance is required. For example, directors might get arrested if they do not make sure that their US operations are compliant with the Sarbanes-Oxley Act's requirements. For the strategic business unit leader it is about understanding the risk that is stopping him from getting his bonus. I think that we do that by linking it to performance indicators.

Lindsay Cox: A declared clear, tangible and visible embedded risk management process will enhance shareholder value. The underlying point about embedding risk management is of course culture change. Companies have got to be prepared to do that. There are different drivers, depending on whether you are in the public or private sector, as to what the value is. A lot of it is about perception. Look at what happened to GE's share price after Enron. It was massively reduced, because there was a question mark over the capability of the executives. There was a question mark against every business. Perception is a huge driver for companies in the private sector. In the public sector it is about transparency, service delivery, accountability and reputation.

Richard Nelson: One of the key issues as far as risk management process is concerned is that the organisation has identified a real business need for it, as opposed to doing it for corporate governance purposes. They have to identify tangible business reasons that managers can associate and align themselves with. It varies between one organisation and another as to what that might be.

Peter Morris: The question of why we are doing this applies all the way down. If people understand why they are doing it and the benefits they can get from it, then they are going to buy into it, but if they are just told to do it because it is something they have to do, it is not going to gain acceptance.

Richard Nelson: Further down the organisation, and, to be honest, that is where much of the work is done, risk management may not actually be doing anything. Managers just manage risk anyway; that is what they have always done; there is no change there. I think the difference with a process is that it makes the major strategic and operational risks visible throughout the organisation. This allows different groups to make an input into how they should be managed.

John Davies: A good example of risk management being visible is a story told by one of our clients. At the company's AGM, some smart investors asked the chairman to tell them what the key threats to the business were and what he was doing about them. He was able to say that he could answer the question, because the company had got a process and it identified risk, and it was embedded throughout the corporation. How much is that worth? You cannot measure it, but the increased confidence that that statement gave to the investor community at the AGM must have been massive.

Peter Morris: I can give an example of where you have problems getting across the message. A colleague was running a risk management course the other day. The chief executive introduced him and the other presenter and said that this was terribly important to the business and that everyone had to buy into it and treat it very seriously. He then thanked the presenters and left the meeting himself!

John Davies: Leadership sets the tone. Without buy-in, whether it is real or perceived, by a chief executive, it is going to fail.

Lindsay Cox: One of the key questions that Nick asked was about culture and how to embed culture. If we do believe that embedding risk culture is about taking it to the whole of the organisation, then we have to try to consider how we take risk management out of the hands of the few and into the minds of the many. Peter, you were saying that people have to see a positive aspect to it. I agree. They have to understand why it is important for them to get involved in the process. And therefore I think it is important that people see and understand why it is a positive for them. They must see a value in it for them. What is the head of a business unit or a department going to get out of participating in the process? I have got some ideas of what I think they would get out of it. It would be interesting if anyone else has got any views.

Nick Chown: Perhaps we should throw that open to the table. What do we see as the key benefits of risk management at each of the key levels of the organisation?

John Davies: I think that the key reason is to enable people to take more risk. It is not about stripping risk out of the business. If there is no risk, clearly there is no reward. There are negative aspects to embedding risk management systems. It looks like bureaucracy, it looks like cost, and it looks like just another thing that people have to do. But the fact is that it enables business unit managers to understand what will stop them doing the things they are employed to do. If they understand that, then it becomes a useful management tool. Embedding comes after the framework has been put in place. After we have bought the software or whatever, how do we get people to use it?

We should think about the reasons why people do not want to embrace risk management at the business unit level. It is probably because it is a separate activity. If we can align it – probably with strategic planning, probably as part of the annual budget cycle – then it becomes useful. The risk map or the risk profile is just another input into the annual SWOT exercise – just another piece of information we gather. Competitor analysis, market analysis, key risks: they should all go into the pot when companies are considering their strategic plans for next year and for three years' time.

Richard Nelson: It should be built into all the normal processes that a company is using, so that it does not become a stand-alone extra exercise, but part of normal everyday business. For example, a project assessment should seek to identify what the risks are, how those risks can be measured, what level of risk to take, etc. There are also the annual budget process and quarterly performance reviews of business units. They can be asking what people think are the major threats to achieving their targets for the period ahead and what they are going to do about them.

Lindsay Cox: It is interesting that the risk management standard published by AIRMIC, ALARM and the IRM starts with key risk objectives. That is a fundamental point. Business planning starts with objectives too. So there is a natural fit there. Embedding a risk management process into the planning process is the natural way to get the efficiency. Risk must be linked to objectives.

John Davies: Strategic risk was mentioned earlier. What we have found is that companies are not asking us to tell them that their strategic direction is wrong. When we talk about strategic risks in a corporation, it tends to be about identifying the risks associated with executing their strategy. Is strategic risk about risks that threaten the execution of a strategy that has been set by the board? As an employee of a large corporation can I really dictate the strategy? Probably not. But I can assist with implementing that strategy, achieving the objectives, doing things in the right way and making sure that no errors are made.

Keith Blacker: That is certainly the way that we look upon it – the bullets that could impact on your strategy that you have or have not identified. Those bullets are going to be coming both internally and externally. They could be environmental, political, or whatever. They are all risks that you need to assess in the context of your strategic objectives.

Nick Chown: On the issue of SWOT analysis, if you are looking at the strategic planning process, to what extent should the risk people in the organisation get involved in considering strengths, weaknesses, opportunities and threats rather than the risks or maybe the control weaknesses? Also, Lindsay mentioned the risk management standard. This standard specifically espouses an approach which looks at opportunities as well as the downside. What are your views on that?

Keith Blacker: Risk has two sides to it. It comes back to the question you asked earlier. There is corporate governance and there is corporate entrepreneurship. There is taking risks to grow the business and there is managing risk to protect the business. It is embedding that within the framework that is important. Quite clearly, at the strategic level, it is important to do that. Interestingly, I have been working with a financial services organisation, where, for the first time in my experience, the person responsible for risk management is also responsible for strategic planning, with the title of strategic planning and risk director.

John Davies: We are seeing that increasingly across continental Europe – people are wearing two hats.

Richard Nelson: Is that a change in roles or a change in title?

John Davies: I think it is a change in roles. Companies have tried to force the strategic planning risk element through a former insurance or traditional risk management function. It probably does not work there, but it does work at the strategic planning or maybe investment appraisal level. That is probably a more senior position on the board.

Peter Morris: Does it work in the same sort of way, or are the people concerned approaching risk management from a slightly different perspective? If you are a strategic planner, you might look at things rather differently.

John Davies: From experience they are looking at the upside of risk. Traditionally, companies say 'Give us some tools, and support us with the things that could go wrong'. We always like to say that risk is also opportunity, but the reality is that probably most of the work that many of us around the table are doing is thinking about the downside of risk. For example, what are the things that are going to go wrong? What is going to stop me from hitting my unit's expectations, or seeing a drop in my stock price? So the value is in what can go wrong, and what can stop me from implementing the strategy, rather than what the opportunity is. But I think that the strategic planners do bring that opportunistic side more into the mix.

Keith Blacker: Can I just throw something else in on the definition of strategic risk? From the debates that we have been having at Henley Centre for Value Improvement, I wonder whether strategic risk also includes those risks, which, if they manifest themselves, could have a major strategic impact on the business. For example, the foreign exchange trading disaster at Allied Irish Banks was a significant hit. You could argue that that was a strategic risk to the business, albeit that the cause of it was mainly due to operational failures.

Peter Morris: My own firm has been having a debate on this as well. In some ways, if you have got medium impact, high probability or medium probability risks (and the aggregate of those can be pretty serious), you may well deal with them in a different way. You ought to be looking at those just as much as a catastrophic event with low probability.

John Davies: It is the distinction between a strategic failure and an execution failure. One of the points Nick raised was about risk management and internal audit. From experience we are seeing that an internal audit-driven risk management system tends to look backwards. Often it involves checking – are we performing in line with the system that is in place? A board-driven or a risk management-driven approach will be more about strategic anticipation – help me understand what is going to go wrong in the future; let us learn from the past, but let us look at our competitors and at the marketplace. Again, it comes back to the SWOT analysis. Let us try and second guess events that are going to come and cause us problems. Internal audit has the role of policing the system, but should it drive a risk management system?

Richard Nelson: We tend to find that there is a spectrum of approaches from companies. In some, internal audit reviews the process of risk management and provides assurance at the end of the day that the system is in place and working effectively. At the other end of the spectrum, there are internal audit departments which run the risk management process for companies. Obviously in those cases they cannot also review the process and have to have an external audit. There does not seem to be any pattern where these different systems apply, except in industries where there are particular requirements, such as financial services, where the functions have to be separate. In other places it just seems to vary according to the chairman or chief executive.

Keith Blacker: My doctoral research was focused on the respective roles of the risk management function and the internal audit function in the context of operational risk. There is no black and white. There are instances where you have an internal audit department with responsibility for risk assurance as well. And, quite clearly, they cannot audit or review their own work independently. In larger organisations, where you have a good risk-based audit approach, I think it can be very much forward looking, and so it should be. Although the perception and image are that internal audit tends to be backward looking, it does not necessarily have to be. Where you do have separate departments, the internal audit department should clearly review the work of the risk management department. If the risk management department is not doing its job well, then the company is exposed and you are not taking opportunities on the positive side. My view is that risk management and internal audit departments should operate as a partnership, relying on each other's work. The internal audit partner can use the profile developed by risk management as a way of focusing effort on the high risk areas in the business.

Whether you can merge them into one was another question that Nick asked. It very much depends, particularly on the CEO and how he wants to manage risk and internal audit within the business. Typically, in smaller organisations, they do get merged into one.

John Davies: From a shareholder perspective, would you be happy with self-regulation of the risks that could completely destroy any value you have in a corporation? I think the functions should be separate, although complementary. In the light of the Higgs report and the comments about non-executive directors, perhaps there is more of a role for non-executive directors nowadays from an audit perspective of risk management. If a company is not going to employ an internal audit department, perhaps it should put some obligation on its non-executive directors.

Lindsay Cox: The audit committee obviously has to have very clear visibility of everything that is going on in the business from a risk perspective to be able to feel comfortable and do the checks.

Peter Morris: Looking at the question of whether or not the internal auditors should drive rather than police, my perception is that the personality of internal auditors is not geared to the driving side. Their background is more the policing side.

Richard Nelson: I think in many cases that is true. As Keith was saying, the issue is what you want in your organisation as an effective process for identifying risks and deciding how they are going to be managed. What you want from the internal audit department is assurance that that process is in place and working effectively. If everyone is happy with that process at the end of the day, internal audit should use what have been identified as the key risks to see that they are being effectively managed.

Lindsay Cox: Good risk management processes and procedures should drive an internal audit department's work plan to concentrate on the key risks to the business.

Richard Nelson: Exactly. Certainly, in the organisations that I have worked for where we have done that, it has led into looking at all the softer things, because they are where many concerns tend to be at the end of the day.

Nick Chown: Is it true to say that if you have an effective well run internal audit department working in a risk-based manner, acting strategically, getting involved in the key areas of the business, then that function might have a better understanding of the key risks than maybe a relatively small risk management function, particularly if it is a traditional risk management function?

Richard Nelson: Both sides are different pieces of the jigsaw. It is important to put it all together. The internal audit goes out and looks around the organisation to see what is going on. They need to feed that information back to the risk management department, if there is one.

Keith Blacker: The internal audit partner can, if they work properly and professionally, help to embed the risk management culture. As they go round the organisation, they can explain what risk management is all about and can help to identify risks through the work that they do on risk-based auditing. They can bring a very positive contribution to it.

Richard Nelson: I have the impression that in many organisations, risk management arose as an issue which was driven by internal audit. Now, most organisations are moving to having separate risk management and internal audit functions. Where is the trend going currently?

John Davies: I predict that we will see a much bigger increase in risk management activity at a strategic planning level. That is where it adds the most value, and it does not look like a separate thing that people have to do and do not like doing. It becomes part of the process, just another way of gathering information.

Peter Morris: On a separate point, we have tended to find that businesses are pretty good at their own risk management of their core business. It is the bits around the edge where they tend to be flaky. It is trying to get the whole of the business thinking in terms of its wider risk which is a bit of a challenge.

John Davies: We are seeing this a lot. We all know the phrase 'top down bottom up'. The problem is that often there is no middle. A company may have good operationally-driven risk management at the business and operating levels, and some good strategic thinking and risks identified at the board level, but they just do not join up. We are being asked to help people use their risk information in a more useful way.

Lindsay Cox: That is a very good point. It is important that people understand how the risks in their part of the business can be clearly linked right up to group objectives at the top. It is very important that that line of accountability and responsibility can be clearly demonstrated. It is difficult to do, because you have got the two elements, but how do you get them to meet?

Richard Nelson: They are linked by the targets and objectives at every stage.

Lindsay Cox: Yes, but how do you make sure that that is getting done? How can you visibly show that it is done? How can you embed a systematic approach to doing that? That is the challenge.

John Davies: Our recommended way is to benchmark risk, or measure risk against a key performance indicator. Let us say it is return on capital. There is going to be an indicator for the corporation, there is going to be some sort of ROC indicator at country level, business unit level and all the way down. There are always one or two performance indicators which go all the way down. If we are all measuring risk against the same indicator, we can start to aggregate results. That seems to work. But then again, it is monitoring, collecting information, aggregation, reporting upwards.

Richard Nelson: People can identify risk, but I do not think they are good at identifying which are the major risks. In my experience, risks have been identified, but their impact has been grossly underestimated. Often the impact is actually much greater than had been expected. It is only in very few instances that things occur that people did not think of at all.

Keith Blacker: As a result, they tend to ignore the risk, because they do not perceive it as having a high impact or a high probability.

Lindsay Cox: If it is true that the impact is wrongly assessed, at least you will know that, once an event occurs. If you can capture the detail of the loss, with the benefit of hindsight you can start to get much more sophisticated.

Richard Nelson: If something does go wrong, you look at why it went wrong – not to blame people, but to work out how to improve the process. I have a fairly jaundiced view of those detailed mathematical systems which calculate risk, because, as far as I can see, in every industry where they are used, companies still make bad decisions. Assessing impact is almost a gut feeling. You have to recognise that and go on that basis.

Lindsay Cox: This is the basis of what Nigel Turnbull was saying – let us get risks identified and it does not matter so much how accurately you score them. But if you identify that a risk exists, someone is responsible for it, someone is accountable for it, there is a regime for reporting against it, and there are probably controls to mitigate it. How you have scored it may be irrelevant. Identifying the risk will drive the importance of it for the internal audit department.

John Davies: That is very important. People do get hung up on impact. We have got anecdotal evidence of a major plc that had a risk register of 22,000 risks. They were obviously very proud of this wheelbarrow of risk information but how do you prioritise it?

Richard Nelson: No matter how good your processes are, it is all down to the people at the end of the day. Take the example of Enron, which had everything in place. Their risk management system was supposed to be their competitive advantage.

Nick Chown: That brings us back to cultural issues. If you have identified that there is going to be significant resistance to risk management in your organisation, what would you do as risk manager? Let us assume that there is buy-in from the top, but there is resistance from the shop floor, or from people at lower levels of the organisation. There is a natural inertia to change of any sort, such as the introduction of a more structured approach to risk management.

Lindsay Cox: People have to see it as positive. As we said earlier, they have to see it as something which is not an onerous extra task. Making sure people see benefits or value for themselves is a fundamental element of embedding risk management. It is making sure people see it as something positive that is going to affect their job, or their reputation, or their ability to get ahead in the business. There are all sorts of reasons why the individual could see it as a benefit. If you have got personal objectives and you have got risks associated with them, you have got risk management as part of your job. The process that people have to get involved in must be very simple and not onerous. They need to be involved in a regular process that can be daily, weekly, monthly or quarterly, and see a benefit in it.

Richard Nelson: Some organisations include how people manage their risk management process in their performance appraisals of individuals.

Lindsay Cox: I agree with that. Participation must form part of people's job description and appraisals.

John Davies: We have to be able to answer two questions that people ask. One is, 'Why are head office making me go through the process?' The second is, 'What is in it for me?' We touched on these points earlier. Why is it another process? Well it should not be; it should be embedded in the strategic planning or whatever. What's in it for me? That is about aligning the risks that the individual identifies with his personal objectives or the objectives of his team. It means linking it to performance.

Richard Nelson: One of the issues is for the risk manager and his team to get together and identify the major threats to their objectives and how they manage them. Invariably when you get together with people who do not want to do this and feel they have much more important things to do, once they have gone through the process, they will say that it was really good. That sells it, and then they pick it up themselves and go forward with it. That is how you convince people, by helping them initially to do it themselves and then leaving them to get on with it.

John Davies: If we can work out a way of persuading people of the feel good factor beforehand, our job would be a lot easier.

Lindsay Cox: It is also important that everybody has a common understanding of terminology and definitions. That means that you have got to have some simple common communications medium by which people can share information – easy access to common documents, definitions, policies, procedures, etc – so that they can be helped in their job. Then people can take advantage of collective wisdom. If someone has been wrestling with a risk issue in some part of an organisation on one side of the world, someone on the other side of the world should be able to gain some benefit from the work that has been done or the experience that people have had and not have to re-invent the wheel. It is important that people should be able to share information.

Keith Blacker: Part of the risk management process is the recording of risk events and sharing those around in an organisation. I have been working with one particular financial services organisation who believe that they have a no blame culture. In other words, people are very much encouraged to report when they make mistakes, because we are all human at the end of the day, and so on and so forth. If that works, it is another way of embedding the risk management culture.

John Davies: What about solutions? People may not buy into the risk management process because they do not see any fix for the risks. Maybe a lot of the time we do not focus enough on fixing, or helping people to fix, the list of problems that we have just given them.

Richard Nelson: I do not think we should be giving them the problems. They identify the problems themselves and they are also the people who have the solutions. I do not think you can set up a group anywhere who are going to come along and identify your problems and identify all the solutions.

John Davies: What about sharing best practice? We have seen instances where, for example, the people in Asia see risk number three as priority number one and the people in Europe see it as priority number 52. This is because the people in Europe have got a really good handle on how to manage the risk. The solution there is for them to share this information. That is a hugely powerful benefit for the process. Matching the solutions is absolutely critical.

Richard Nelson: I agree. There is not much point in just coming up with a list of problems or challenges. You need to decide how you are going to manage them and what level of risk you want to run.

Lindsay Cox: The solution can span a number of risks. Of course, you might want to do some analysis of that to be clearer on how you manage the controls themselves.

John Davies: A lot of this conversation has alluded to a qualitative assessment of risk. When do we bring in the data? When do we start building the big complex risk models? Should it be for a portfolio of 50, 60 or 100 risks? Or do we wait until we prioritise with our gut feeling and then pick off a few that we want to look at in some more detail? Is that the right thing to do or should we build value at risk models for our top 30 or 40 risks?

Keith Blacker: Some risks, particularly the strategic ones, must be extremely difficult to quantify. There is a limit as to how much you can do. I think you can quantify the unexpected but maybe not the extreme. Therefore, it is a question of judgment. In the financial services sector, there is still a great deal of work to do to satisfy the Basle regulators in terms of quantifying operational risk experience. There have been various solutions, but at the sharp end I do not think that ordinary business operational management is overly concerned with the quantification to the nearest penny. Although, if it is a large organisation and it is going to quantify risks and start allocating risk capital to business units, then calculating risk on return at business unit level could have an impact. There is still a lot of research and work to be done in this area.

John Davies: It is so important because it is about tying up unnecessary capital in business. A few billion dollars of capital in the wrong place for a global financial institution is a serious issue.

Keith Blacker: The other thing about Basle II is that it says that strategic risk is outside the scope of quantification. But it does not define strategic risk.

Nick Chown: Is it true that if you have difficulty in quantifying a risk, you might have difficulty in reporting on it to the board?

John Davies: You should be able to find a quantifiable measure for every risk that you find. It is a cop-out to say it is too difficult. You have to try to find something that tracks that performance. For example, one of our clients uses Six Sigma to measure the performance of risks because it is a performance measure.

Richard Nelson: If you can find measures it must be the right thing to do.

Keith Blacker: Whatever measure you use, it is still going to be a subjective measure and the key decision maker needs to realise this.

Peter Morris: I wonder if it really matters how much value that you put on a particular risk. It is more important that you put it into a band according to impact.

Keith Blacker: When you see an iceberg in front of you, your first question is not how big it is. You worry about how big it is later.

Richard Nelson: One of the things that I think is important is that, once a major risk is identified, the responsibility for managing that risk should also be clearly identified. For example, some organisations take their top risks and allocate overall responsibility among the board of directors.

John Davies: As we see more and more global corporations structured in a matrix way, there is a huge opportunity for risk just to be left alone. People think that it is someone else's responsibility.

Lindsay Cox: It is back to embedding risk management. You have got to make sure there is a sense of ownership, which means people have got to have responsibility, accountability and authority.

Peter Morris: Without the latter, you are in real difficulty.

Lindsay Cox: So many people do not have authority. They identify a risk, they are responsible for managing it, and there are some kind of controls in place to mitigate against the risk. But they have to have the authority to make sure that those controls are working. That comes back to the function of internal audit.

Richard Nelson: If you have a central risk management function, they should be there to provide tools, techniques and advice, to manage astride the organisation. Actually managing the risk should be done by the people on the ground who have the responsibility for it.

Peter Morris: But if you leave it up to the individual business unit to identify and manage its own risks, you are going to get some business units which are more receptive and more astute than others. The risk manager has to ensure a uniformity of approach.

Richard Nelson: I agree. The central risk management department would set out the policies to be applied, but it may leave it to the business units to apply those policies. The central group would provide them with the tools and techniques to use to provide the required information. And internal audit would review their application of the processes. But it does vary by the type of organisation. An organisation with lots of business units around the world may not want to apply exactly the same techniques everywhere, but it does want a consistency of approach so that it can make some comparisons between the information that comes back.

Nick Chown: Do we generally agree that the role of a central risk management function would be to set a series of minimum standards, to provide the tools and techniques to enable line management to deploy them? You could describe that as a risk management framework. What would you expect to see in this framework?

Keith Blacker: The typical risk management framework follows the risk management process, which is identification, assessment of the impact probability, and mitigation within the context of the business unit or the business unit's objectives. Around it of course you have got risk event reporting. You could argue too that risk management education is part of the framework, setting risk management policy and so on.

Nick Chown: Risk identification is the beginning of the risk management process, and we all know that there are some emerging risks out there which could leap out and bite us. How do we identify emerging risks and pick out the ones which are most important and how do we report on those important ones to the board?

John Davies: Every reporting framework should have an exception reporting component linked to the strategic business unit – what are the new threats? It has got to be at least quarterly.

Keith Blacker: How do you go about identifying these risks? I think that one technique is to look at what risk events have been happening to other organisations. I was staggered, after the Allied Irish Bank case, that many financial services organisations have not even bothered to look through the Ludwig report on why that particular incident happened. It identified a whole series of key risks, and provides a virtual checklist for organisations to consider how they manage them. Many organisations just tend to use workshops, control risk self assessment type techniques, to identify risks and leave it at that. There are lots of other things you can do, like looking at external events, networking with other people, and, if it's a big organisation, networking internally.

Richard Nelson: That does happen at board level but perhaps not further down in an organisation. A board member might ask whether something that has happened elsewhere could occur in this organisation. People further down, who are more focused on operational day to day activities, do not ask the question so often.

John Davies: Investors are punishing corporations if they are impacted by a risk that has already happened to a competitor. If it has happened to two or three competitors, they should have been aware of it.

Ragnar Löfstedt: How companies view their risks also depends on other outside forces. In the areas of reputation risk and environmental risk, for example, in which I have been involved, regulation plays a strong part. For instance, there is much discussion of the forthcoming chemical regulations in Europe, where we are basically going to have reversed burden of proof - a company will have to prove that a product is safe before putting it on the market. The European Commission is putting forward a very strong precautionary strategy with precautionary regulations. The US is not, but is going forward with scientifically-based risk analysis, and moving away from regulating by emotions. In the chemical industry some companies are very concerned about the extent of the regulations in Europe, so much so that they are reconsidering their research and development strategies here and considering putting these activities back into the US.

What makes people think about risk? In the companies that I have worked for, it is a series of factors. Firstly, they have been hit before. Secondly, companies that are trusted are much more willing to be risk takers than companies which are not. There is a correlation – risk aversion is equivalent to low trust, risk taking is high trust. In addition, most risk research has been done in the US – much of it to please the courts. In such a culture, understanding the risk is far more often on the agenda, because people realise that they could be sued.

Peter Morris: So it is driven by litigation?

Ragnar Löfstedt: Chiefly by litigation in the US.

John Davies: It is interesting that you say the US does not regulate by emotion. What about Sarbanes-Oxley?

Ragnar Löfstedt: Yes, I take your point, that was rather an emotional response. But the large chemical companies, for example, want to have regulations based on science. They are prepared to remove a product if it is scientifically proved to be bad for us. But they do not want to remove a product just because of some hunch that is not based on scientific evidence. Hunches are unscientific and are not going to help anybody.

Keith Blacker: Strategic risk obviously involves taking risks as well. You mentioned that companies that are trusted are seen as good risk takers. What do you mean by companies that are trusted?

Ragnar Löfstedt: The companies that I see as trusted are those like General Electric – well run and liked by their shareholders. A company like that will act fundamentally differently in Europe with regard to trying to cope with the changing nature of regulatory risk, as opposed to other companies that have been widely criticised and are frightened of activists. They are basically companies that are willing to go forward and put forward more intelligent, more thoughtful, partially risk taking strategies, than companies that have been hit very hard.

Richard Nelson: Are you saying that in the EU the regulatory framework is such that risks outweigh the rewards?

Ragnar Löfstedt: In certain sectors. Increasingly, regulations in the member states are driven by directives put forward by the European Commission. These regulations have been very much of a precautionary nature. The initial step in this was better safe than sorry. We can all live with that; it makes sense. What has happened over time, however, is that the Commission is slowly adopting a Swedish-style precautionary approach which involves reversed burden of proof. Secondly, they are using hazard assessment rather than risk assessment. With hazard assessment, if there are some minute traces of chemicals in a brand of bottled water, for example, the approach is to ban that brand, even though the risk is tiny and would have zero impact.

Peter Morris: So the counterbalance in the US to organisations not having to prove that their products are safe is that, if they do not and the products prove not to be safe, they get sued out of existence.

Ragnar Löfstedt: Absolutely right. In the UK we have adopted a much more precautionary approach to mobile telephones for example. We are encouraging children not to use them; we are being very careful where we put masts, by avoiding siting them near schools. These types of regulations are only now slowly coming into the US. The other side of the coin is that American lawyers have tried to sue manufacturers of mobile telephones, and to date they have been thrown out of court.

Peter Morris: So we could do away with some of the regulations if we had more litigation and higher damages in this country?

Lindsay Cox: The FSA acquired new powers in 2001. Part of that was that individual directors of companies can be held individually responsible for events, if they cannot show that they have taken reasonable steps to identify that they might exist and put a process in place to prevent them. They would be prosecuted if something happened and it could be shown that they ignored the opportunity to do something about it.

Keith Blacker: Having identified a risk, the responsible position is to do something about it, unless you assess objectively that the impact is lower than the probability.

Peter Morris: It depends on the nature of the risk. A good example of that is the Enterprise Bill and competition risk. Individuals are going to be held responsible if they act in a way that is anti-competitive.

Nick Chown: We were talking earlier about regulation. I think we were skating around what has been termed the risk society. This seems to suggest that, as a community, we are becoming too risk averse.

Ragnar Löfstedt: The term risk society was coined by Professor Ulrich Beck. Beck argues that risks are becoming increasingly uninsurable and unmanageable. Examples that he has used in the past are nuclear power and also BSE. The growth of the risk society, according to Beck and other people, is because people are increasingly becoming very risk averse. As a result we have got to put forward new mechanisms to deal with it. I am rather critical of the risk society view. I think it is a simplistic way of dealing with things. I agree that people have become risk averse. For example, Professor Aaron Wildavsky (University of California, Berkeley) said that because people now have more time, and are in safer jobs and so on, they are expecting greater safety. I think that is true. The crucial issue here is trust. If we trust a regulator, if we trust a policymaker, if we trust an industry, we are much more willing to accept risk. If we do not trust them we become increasingly risk averse. If we want to ensure that society as a whole becomes more risk taking, we need to build or rebuild trust.

Peter Morris: Is there a correlation between trust and openness?

Ragnar Löfstedt: The New Labourites of the world would argue that transparency is the key to increasing trust. That is part of the equation. Trust is composed in the main of three components – competence, fairness and efficiency. If you do not have those three components, you are in trouble. The focus in this country is far too much on the fairness aspect. The approach is that we have got to have greater transparency, more public and stakeholder involvement in the policymaking process. But we have to remind ourselves that we still need to have competent and efficient policymakers. In my view, we need to recruit the best civil servants we can buy, pay them salaries that are comparable to those they would receive in the City of London, and ensure that the policymaking they carry out is efficient. This would help to restore trust.

Richard Nelson: Is there an issue about what people's understanding of the risks are? People are best able to understand risks which they take personally and have personal knowledge of, for example crossing the road. With something like BSE, although the risk of contracting it was extremely small the concern was extremely great. Is it trust or is it experience?

Ragnar Löfstedt: How much information you give is certainly important. But I think that one of the problems with the attitude of the present UK government is that we do not really want to get involved. The majority elected the Government to set policy for us. By having them say that we should be involved, they are shifting responsibility back to us.

Sue Copeman: As we are getting towards the end of the session, can I just ask what do you think would be the key traits for an organisation which has embedded risk management successfully? What would you expect to see?

Lindsay Cox: You would expect to see a clear definition of objectives, clear visibility of policies associated with achieving those objectives, and clear definition and monitoring of people's roles and responsibilities. There would also be a framework in place for being able to report on risks and act on them. There must be continuous assessment. And risk management would be a board agenda item.

Peter Morris: One of the first things that I look at if I'm asked to go and help somebody with their legal risk management is their annual report to see what they say about risk management and what framework the board has set.

Lindsay Cox: I was recently talking to a marketing organisation which produces annual reports for major companies. In their view, most people pay lip service to the combined code, and this is of course fairly loose. Their view was that if a company could demonstrate how it is embracing corporate governance through an illustration of procedures, processes and responsibilities, that would have a huge effect on the analysts' views of that company.

Nick Chown: Do we think that a chief risk officer has a role in embedding risk management in the organisation?

Lindsay Cox: Absolutely. The reason is that it has to have the most senior sponsorship to help drive it through and therefore someone has to have teeth – the authority to make it happen.

Keith Blacker: As long as management do not think that because they have got a chief risk officer he is responsible for managing all the risk. That is the danger. The CRO is very much the facilitator.

Ragnar Löfstedt: It must be more than just a grand title. There has to be some serious substance to it.

John Davies: We are seeing an increasing number of companies appointing CROs. They tend to be coming from a treasury function rather than an operational or hazard function.

Keith Blacker: Hand in hand with the growth in CROs has also been the development of risk committees.

Nick Chown: Do you think that treating risk management in a separate committee is consistent with the aim of embedding risk management?

Richard Nelson: Some organisations form risk management committees so that they can focus on the risk management process and in some cases review particular risks. Others feel that all the board needs to understand what the risks are and therefore discussions should be held at the board meetings rather than by a sub committee. But you can argue that about any committee. The important question is what is the reporting like back to the main board? Does the board get a full understanding of the issues that are being raised? It depends on things like how much time the board has, and how much effort you want to put into this particular aspect, and how the company is organised as well. If it has a number of separate business units, it may have risk committees in each of these.
