PAUL HOWARD: How much of risk management is actually cost effective?
Maybe a quantum has yet to be determined. And, at board level, is risk seen as a cost or as generating benefits? What are your thoughts on that?
PETER MORRIS: You have to differentiate between the high probability low impact type of risks and the low probability high impact risks. With the former you are going to have a history, so you're going to be able to evaluate what they have cost the business over a long period of time.
You will then be able to demonstrate the impact of risk management quite easily. With the other types of risk, the question is how lucky do the board feel? If they are feeling lucky they will not perceive something to be a risk at all. If they are feeling unlucky then they can see that there is a huge measurable loss to be mitigated or avoided altogether if they take steps to manage it.
RICHARD MOOR: I agree. If you take the attritional losses you can probably demonstrate the value of the loss control initiatives that you can use to reduce them. At the strategic level it is much more difficult. One of the areas you need to clarify with the board is their financial risk tolerance. What is important to risk managers in terms of strategic risk is probably going to be dictated to a certain degree at board level. How comfortable does the board feel about having to report a certain level of loss? It fluctuates with the financial health of the company and there is also a cultural element. It is very difficult to prove a financial gain in some areas but if you have risk management within the thinking and decision making of the business, it becomes almost implicit in what you do, and it isn't a separate entity. I think that is the goal that most of us have. It is maybe a little idealistic but I think that is where we are trying to get to.
STUART MARTIN: One of the problems you come across in trying to measure the payback is in actually measuring the losses. What are you including in the cost of risk? How many of those costs are not recorded and not considered to be a cost to the business? When you are just seeing incident numbers it is difficult to put a cash value on them if nobody has actually managed or measured the costs of those incidents. If you are looking at project management or contractual risks, you can look at previous projects or contracts, whether you have hit targets or not and the difference in costs where good risk management processes were in place. You need to understand the base lines of what you have been measuring initially before you can compare what you are proving as your cost savings.
MARGARET CLUBLEY: Risk managers have to produce evidence to their boards that this is what they are doing and this is how they are saving money.
There are a lot of unforeseen costs. As a third party administrator, with a number of our clients we don't just handle their claims. We actually look at and record all their incidents, so that they can see just how those incidents are occurring and what trends are emerging. Going one step further, this shows the incidents that are actually costing the company money. For example, if someone is away from work for three weeks, that is a cost to the business. The risk manager is focusing on these incidents initially to show to his board what they cost, so that they can then charge those costs back to individual business units. Tackling the incidents, establishing what they are really costing the business and getting good risk management in place ultimately help stop the claims. From my perspective, one of the things that the risk manager is looking for is good data on these incidents and claims, to identify trends and see where claims are happening..
JOHN WOODCOCK: I acknowledge what you are saying so far, particularly in relation to the obvious risk management linkage with direct cost reduction, but of course the so called intangible risks are more difficult. But I think even they are starting to become measurable. The two issues that we find regularly exercise boards are maintaining the continuity of the business and reducing potential volatilities. In particular the latter gives us the greatest opportunity - and gives risk managers generally the greatest opportunities - because it is where you start to affect the shareholders and other stakeholders. When we get involved with clients across the board, the simple question is not just how lucky the board feels, but what success looks like. In other words, if risk management is going to make a difference, how is the board going to see that difference?
To my mind that is always an interesting question to ask. You can make your own personal case as to what you think might be interesting, but time and time again, we find that boards have actually got a different interest level from what you perceive it to be.
They obviously know things that you do not, and so we avoid the approach of coming in with 'this risk management is going to do this and this risk management is going to do that'. We ask instead what the board wants it to do and then work backwards from there and ask how they are going to measure it, and how they will build that measurement into the board's own measurement parameters. Creating another measurement technique over and above what companies are already measuring tends not to work. They do not want to measure new things. What they want to know is how risks impact on the things they do measure. Data is beginning to come through on the linkage between risk management and quality of financial performance.
Oxford Metrica carried out a recent study that shows if you have good risk quality you will have longer term financial value. It is difficult, but not impossible, to produce qualitative and quantitative measurements of intangible areas of risk.
DOUG PENNYCUICK: You could argue that in any commercial enterprise everything the company does is risk management, because managing a business is about managing a risk/reward equation. So here we are talking about measuring what we would call the management of gratuitous risk or insurable risk.
If we narrow it down to that, from a provider's point of view my perception is that the management of risk is a bigger issue at board level than it has ever been before. It is not just the cost, but also the availability of insurance. Directors' and officers' liability, for example, has never had a higher profile in the board room. So I would have thought that the understanding of risk and dealing with risk would be more important than just coming up with a view that says we are going to have a return on the investment. If you look at corporate governance, companies and board members have never been under more pressure to be seen to be managing risk effectively. The argument has moved away from asking whether we are going to get a return from managing risk to 'we have no choice but to do this and are we avoiding surprises and are we satisfying our customers and shareholders?' That is the priority. From an insurer's point of view, the challenge is to be in a position where we, as providers of risk capital, can differentiate between those companies that manage risk well and those companies that do not. It is not always that easy. Everyone talks a good game but who is actually doing it.? That is the challenge from our perspective.
PAUL HOWARD: It is the hindsight risk.
DOUG PENNYCUICK: When we are asked to assess risk and to appraise something, the question is what is the client's quality of risk management? It is a difficult question to answer.
PAUL HOWARD: In the discussion so far, people have raised issues such as, are the board feeling lucky? what is the risk preference of the board?
is that related to how well the organisation is doing at the particular moment in time? We also asked how we put forward what the cost of the risk management programme should be and also maybe the visibility of some of the costs. How can you say how much impact something is potentially going to have on your organisation and how much it could affect the success of the organisation? One of the things that struck a chord with me is how we assess whether risk management is a key integral part of the business.
We have heard a lot about enterprise risk management: if it is embedded, it should not really be a bolt on. Is it something the board should be considering as the key part of any project, in which case payback should be what the project costs. Any views on that?
PETER MORRIS: What the board's view is going to be depends on the nature of the business, doesn't it? I think we are assuming the board views risk management as a necessary evil, rather than positively. I was talking to a colleague of mine about the rail industry and they are using risk management as a tool to reduce risk aversion at a high level. I took a quote from a slide, which I thought was very interesting. It said a more risk-based approach coupled with right risk management processes and competence seems the way forward for reducing risk aversion. I thought that was a very different perspective from the one that I think most of us come from and that really is going back to the point about is it a bolt-on or is it part of the culture? There, it is very much part of the culture and is seen as a positive driver for change.
PAUL HOWARD: Do we need to invent something different or is it just part of good decision-making? Is it just part of what the overall business planning process should be?
JOHN WOODCOCK: I think it is inherent in the question of risk aversion that those organisations that have a more entrepreneurial style probably have a different view of risk. They have a higher appetite for failure and therefore the way to manage it. Richard Branson is regarded as a great entrepreneur taking huge risks, and in his autobiography he actually said that the way to make those sorts of decisions is to know that you can manage the downside risk. He obviously put risk management into his culture without having any formal statement or anything else. It is about being embedded, and we certainly find that the more embedded risk management is into the management, the more successful it will be. If it is a bolt on, it tends to be forgotten - a necessary evil.
RICHARD MOOR: Picking up on the point that John raised about the board's focus on reduction of volatility and continuity planning, you always have to know what the important issues are for the board, because if you don't, you are going to struggle. Many businesses have moved from just complying, to buying into the concept in quite a short period of time. I don't think you always have to come up with a financial rationale, as Doug said. Linking into the right issues for the board in the right way is a challenge many of us have to face. First, we look to shape their thinking, and second, make sure that we actually hit what is topical and current in our own business. The issues vary in every business.
If you go back a year in your own company you will probably find that some things that were at the top of the list then have now moved down, and new risks have come to the forefront. It is a dynamic process.
The other thing is that if you are looking at attritional risk - the bottom corner of the traditional risk map - the recurring events are predictable in their nature; they are financed either through revenue, insurance or whatever. The surprises that are going to come in that area are relatively low. The shocks come from the top right hand corner - low frequency, high value - and you may not even know what these risks are. That is the challenge - putting those on the map and keeping your risk map dynamic.
JOHN WOODCOCK: We did some research several years ago looking at what the causes of major impacts on shareholder value were and exactly what happened. The insurable risks didn't even appear on the radar. The things that really hit companies were all the unmanageable things like big supply chain failure or major acquisition problems, risks like that.
RICHARD MOOR: All of our top five risks are uninsurable in a conventional sense.
JOHN WOODCOCK: Which of course is an interesting challenge, because the way to deal with them is not to compartmentalise them into the traditional areas of risk management, but to look at hybrids of solutions that achieve some particular end results.
DOUG PENNYCUICK: I wonder if there is any evidence that some of the techniques that have been developed in managing traditional risks are actually being adopted by companies in managing business risks.
STUART MARTIN: In some of the companies that I have worked for, their approach to insurable risk was the same as to uninsurable risks, the same matrix and the same processes and controls were applied.
DOUG PENNYCUICK: Is the risk manager setting the standard within the company or is he responding to what the company is doing? Who is setting the pace?
STUART MARTIN: It also depends on the culture of the company. Some of the older, set-in-their-ways companies take the attitude that they will do what they must to comply with the current standard of corporate governance.
The younger, fresher companies understand that risk is always moving.
They are more inclined to make sure it is part of the business processes and management systems.
RICHARD MOOR: You can help facilitate things, but ultimately the lead has to come from the board as they are setting the strategy and objectives.
STUART MARTIN: I regard my role more as auditing the processes and controls than actually trying to embed them and teach people what they should be doing. At the end of the day these people know the business and the risks better than I would. They are looking at it from every aspect. In some respects I just go in to give them more confidence that the processes and controls they have in place are actually working.
JOHN WOODCOCK: With the Turnbull committee putting greater emphasis on the role of internal audit, I saw a different role emerging, where the risk manager would become the board adviser. The strategic executive authority for risk obviously sits with the board, but the risk manager would take a different, perhaps more elevated, role of being more of a holistic adviser to the board, with internal audit taking on more of the checks and balances function.
STUART MARTIN: There are limits to what internal audit can do, because of their background. With Turnbull and the enhanced combined code they are trying to expand their role and get into other areas to develop it.
The major accounting firms have recruited additional specialities within their risk functions to try and accommodate that point of view, but it still requires a certain amount of check and balance and comfort within the board that the specialist risk manager is actually checking that the company is doing it right.
JOHN WOODCOCK: We did some work a couple of years ago where the board management group of a financial institution said that they had a very heavy internal audit function because of the nature of the business, and felt it was right for internal audit to look at some of the key risks we determined, so that they could train internal auditors to use the sort of audit techniques they were used to, but create easy ways of auditing the day to day functions. That worked quite successfully, because there was some skills development of the internal audit function. This released the risk manager to concentrate more on some of the really gritty risks.
PETER MORRIS: There is a great difference in role. The risk manager really ought to be proactive, whereas an auditor, by definition, is looking at what has happened in the past. I would have thought there were limits as to what one can expect from one's internal audit team.
STUART MARTIN: We have to make sure the risk managers and the internal auditors are actually linking the process together.
RICHARD MOOR: There is an important question of ownership. The ownership of risk should be at the board level of the entity you are dealing with, because these are the people who know the business and should integrally be involved with the identification of risks and controls. Who reports risk and monitors controls is another matter, but unless the risks have been affirmed at board level, your perception of risk is going to be distorted, because it is coming from the wrong level of the company.
JOHN WOODCOCK: I was thinking here about using internal audit for what I would call the operational issues: things like the health and safety, compliance with standards, things which are quite easily auditable. As you rightly say, the strategic area is difficult.
RICHARD MOOR: That's because of what drives it. You are back to the bottom left hand corner and the top right hand corner of your risk map.
You are in danger of concentrating on the wrong parts of your profile if you rely too much on internal audit.
STUART MARTIN: They are seen as having a policing role rather than being a function that can help to develop the business.
PAUL HOWARD: A lot of the audit-type systems now do produce some monetary gain or some potential monetary loss; a lot of the risk maps have moved on from high, medium and low to reflect whatever the risk preferences are in various organisations. Whether it be a risk-based focus or an audit-based focus, are there ways to measure some sort of payback from risk?
JOHN WOODCOCK: I think there are. We have developed a few techniques, one of which uses a similar methodology to that used with insurable risk.
There is the concept that impact and probability are the two components of all risk. You can estimate the probability and impact now, and then estimate the probability and impact with the risk improved, and then factor in the cost of making that improvement. You need to have some sort of indexing system that will identify whether something is a high, medium or low priority. One of the things we talked about is the board's perception of risk. That is where there may be a problem. All of us have a perception of risk which may not be related to its real quantum. In the past, a lot of time and money has been put into managing risks which have turned out to have low real impact on the business, but they salve the egos of the people who have a particularly emotional concern about these risks.
RICHARD MOOR: You could almost categorise the big ticket risks into two areas. Perhaps the easy ones to identify with are those that the board has already bought into. They are important to them, important to the business, and therefore important to you. So you need to think how you can contribute and provide a solution. The other area where you probably need the risk matrix is where you think there is a value-threatening risk that has not been recognised. There is a danger in becoming almost too obsessed with proving the payback, rather than concentrating on the important things for the people running the business.
JOHN WOODCOCK: Going back to the point that Paul was making earlier on, that we have moved forward in risk registers from high, medium and low, the first impetus for a board to decide what its priorities for risks are, is to know what the risks are. That is where risk management techniques come in, because until you have got some form of measurement the board are prepared to accept, they won't necessarily buy into it - unless, as I said, it is a perception thing. External stakeholders are taking a much stronger view of this. They take corporate governance very seriously indeed.
They will use their investment power to ask the board just how robust their techniques are for establishing risk, and assess whether those techniques are based purely on what the board happens to be feeling today.
They want to see truly objective assessment, so you do need to have some form of measurement system. We know that it is very difficult to quantify what has not happened, but you have to start somewhere. For example, you can do a kind of scenario development, saying what the current scenario is, what it would be if you made the improvement, and then making some kind of assessment and ranking risks in order of importance.
PETER MORRIS: If you are trying to sell risk management, you do not have to sell the things that are already on the radar screen. So you do not have to worry about measuring it too much, because they want to do it anyway. It is the other things which you need to think harder about and try to measure it in some sort of way.
PAUL HOWARD: So how do we extend that to new activities that the company might be undertaking, or to diversification? If you cannot look to the past to be a key to the future, how could you expand your risk measurement to look at those other scenarios?
STUART MARTIN: You would have to weigh each aspect differently. You would use different measurement techniques for an acquisition than you would use for a diversification or a disposal. For example, if you are looking at a disposal, you are looking at a history that might come back and bite you rather than how it is going to develop in future.
DOUG PENNYCUICK: A major acquisition is one of the biggest risks facing a company. If it goes badly wrong, it can actually destroy the business.
How many risk managers today are involved in the due diligence process?
Or are they only asked to get involved once the acquisition is complete?
A few years ago I would have expected few risk managers to be involved in the due diligence prior to an acquisition. Has that changed at all?
RICHARD MOOR: It depends on the size of the acquisition.
DOUG PENNYCUICK: With a major acquisition which was subject to confidentiality because of investor issues, would we expect risk managers to be involved in the process?
STUART MARTIN: Again, it goes back again to company culture. Some companies have the kind of M&A team who do not talk to anyone until they are at signing point. In the companies that I have worked for, the risk management team has always been involved from the initial thought process right up to closure of the deal.
PAUL HOWARD: So if we are looking at measuring the payback, maybe that is a non-quantitative aspect.
DOUG PENNYCUICK: A successful acquisition which adds shareholder value over time is a very good long term measure of payback.
JOHN WOODCOCK: You certainly need to run a number of 'what if' scenarios when you make acquisitions. As we've said, it is very difficult to measure something that has not happened, but it is reasonable to be able to identify what the deal is and therefore what the worst that could happen is as far as the business is concerned. You might be 100% out, but at least you have got the starting point of saying whether there's a £25m problem or a £500m problem if things go wrong. That sort of work is needed, particularly to look at some of the entrepreneurial risks; the new things that have not yet happened, just to get some quantum.
STUART MARTIN: You should be able to draw on the experiences of your competitors and look at how they are doing. You can look at the balance sheet to see how much it is costing them. A lot of UK companies are doing that already. For example, a UK-based plc looking to expand in the US can look at one or two of its major competitors and see how they have done there.
PETER MORRIS: In that situation it is very difficult to strip out what is being measured for risk management purposes and what is being done at the commercial strategic business level. The whole thing is a mesh in the takeover situation, so I would be very hesitant about saying that the risk management input there could be measured in terms of the potential risks the company is facing in going ahead with that takeover.
JOHN WOODCOCK: But it is still better than doing nothing. I think you have got to accept the principle.
RICHARD MOOR: There is generally some sort of structured risk analysis as part of any investment decision. Most businesses are much better at that than they used to be.
DOUG PENNYCUICK: Taking the discussion back to insurables, I would have thought that within the last few years risk managers have had some very difficult conversations with their finance directors, explaining that although they have budgeted a set amount for the cost of insurance, it is going to actually be a lot more than that. In terms of seeking payback, or measuring whether risk management works, the price and the availability of insurance risk transfer must be an opportunity. A risk manager can say, 'Here is the payback with what we are doing, because here is evidence that the insurance market is responding to what we are telling them about our risk'.
RICHARD MOOR: That presupposes a stable market.
DOUG PENNYCUICK: We have seen a big increase in the cost of insurance.
RICHARD MOOR: Yes but now we are seeing a big reduction.
DOUG PENNYCUICK: Are insurers differentiating between well-managed companies and poorly-managed companies, or does everybody get treated the same?
STUART MARTIN: There is some differentiation, but at the end of the day I am still paying for the badly managed companies' insurance claims.
JOHN WOODCOCK: Our experience is that there is a lot of talk about differentiating between good and bad risks, but when it actually comes down to how much benefit this company is going to get from having this much risk management, then the reality is very different. I think there ought to be differentiation.
I have always believed that risk quality is key.
STUART MARTIN: It all comes back to how insurers actually audit and measure the risk management processes and controls within a company.
DOUG PENNYCUICK: Traditionally, insurers have been very poor at this.
As far as what is happening in the marketplace is concerned, there was a huge increase in the cost of insurance; there was a huge knee-jerk reaction to certain events. What is happening at the moment is a correction, and I actually think there is a new dynamic in the correction. Of course there is always supply and demand; of course there is a cycle, but there is a bit of correction going on and capacity is seeking out well managed risks. In my own company, we are working very hard at developing techniques to differentiate. We are looking at loss control engineering. We are encouraging direct relationships between ourselves and the client more. Insurers, like providers of other types of capital, want to get to know the management of an organisation, and we want to make judgements on its quality, because there is a correlation between the quality of management and the management of risk. The insurance industry is not perfect at this, but we are a lot better than we were, for the simple reason that we are under more constraints from the people who provide us with capital. We are having to prove to our capital providers that we are managing it better than before. Therefore we are making more demands of our customers. That is a healthy dynamic.
JOHN WOODCOCK: There is an appetite for differential. I think the questions are how much differential and how is it going to be compared; what represents good and bad risk management and so on. We have certainly seen, with the market softening in certain areas, that some of the risk management requirements in terms of submissions and risk quality information are not tailing off.
DOUG PENNYCUICK: Over the last 10 years, the information flow between clients and insurers has been a very inefficient process. Now we are trying to make the gathering and assessment of real risk information more efficient.
We are having to do new things to achieve this. A tripartite relationship between insurers, brokers and clients is one way, and there are other initiatives in the market place as well. If a company is well managed and can convince its providers of contingent capital of this, there must be a real payback at the end of the day.
RICHARD MOOR: We are taking this down an insurance route, but insurable risk is not on the top of most people's agenda, is it?
STUART MARTIN: It is still a big budget item. If you improve the risk management processes and controls you are going to see reductions in some costs, so you have certain aspects from an insurable point of view that can put into a matrix to measure the payback for risk management.
RICHARD MOOR: But ultimately what is the board interested in? Generally, it isn't interested in insurable risks, it is interested in anything that isn't covered and hits the bottom line.
PAUL HOWARD: That goes back to our earlier conversation. As far as insurable risk is concerned, the board's view is that they have done something about it. What they are more interested in are the risks that they have done nothing about. I think there was maybe some differentiation when the premiums went up. Whether it was enough, who knows? To a certain extent the increases were easily explained. Everyone knew the market was changing so it was quite difficult to measure payback there.
MARGARET CLUBLEY: Over the last 18 months my own organisation has introduced a risk committee, and when you look at our list of risk items they are all non-insurable ones. For example, a common thread for our loss adjusting arm is the need for compliance with the FSA. Our loss adjusters have to be qualified and to show competency. We have to have that recorded and we have to have an audit process. When we first started looking at it, we realised that the loss that could have occurred from that risk was quite enormous. For example, it could have meant we lost a major contract from one of our bigger insurance clients. Over the last few years, in order to comply with the FSA we have had to put a lot of risk management practices in place - data bases, education, training, audit trails. When we first started out we worked out what the cost of non-compliance would be, and over the last three years we have seen this cost come down.
RICHARD MOOR: It comes back to putting risk management into the culture of the business. It is not risk management, just common sense management.
It's the classic pattern that people have one vision when they start and it changes as they progress. Facilitating them and encouraging that process is an important part of embedding risk management in the business.
MARGARET CLUBLEY: That's right, because, in an average company, a lot of departments might not even know they had a risk and would not realise it until you get more and more people within the organisation involved and start talking to them about what has been happening in their departments.
PAUL HOWARD: They might not know they have a risk, but they will probably know how to manage their department and manage it particularly well.
JOHN WOODCOCK: That is probably a good example of risk management being fully embedded. It is no longer a separate entity, it is simply part of the way we do things round here.
RICHARD MOOR: The better companies are including risk management within their planning process. It should not operate in parallel. Risk management should be implicit in planning what you do in business whether it is short, medium or long term strategy. It is not a separate entity which is owned by the risk managers. It should be owned by the managers and directors of the business.
PAUL HOWARD: Just developing Margaret's example, there was a potential reputational aspect associated with non-compliance with FSA regulation.
How quantifiable would that be?
MARGARET CLUBLEY: I think there is a positive spin-off. For example, the better our training is then the better our brand is going to be. We will be doing quality work; we are going to have consistency and add to our reputation so that is going to enhance the business and bring in more business.
RICHARD MOOR: Ultimately the linkage between the risk manager and their value to the business is in direct proportion as to how you are relating what you do with the objectives of the business. A logical process is that you should have clear goals in your organisation and you assess your risks against the upside and downside of those objectives. That is a very simple way to get some buy-in from senior people. They are seeing that what they are trying to do and what you are trying to do is related and you can give them some analysis of that. It is a good way to demonstrate value.
JOHN WOODCOCK: I believe that compliance tends to be a very short-term driver. Take the Health and Safety at Work Act and all the legislation that has come in. Compliance becomes a very blunt instrument and a separate function in running the business. It should fall out of good risk management.
You have to do things, not just because they are needed to meet compliance, but because they are good for the business, and expect to automatically get your compliance sign-off because you run your business well.
RICHARD MOOR: I think that the same applies with business continuity which you mentioned earlier. Companies do not just manage it because it is corporate governance-driven. You present a business case for it, because if a certain plant goes down it will affect your bottom line by £xm pounds over so many months. And you need to monitor it because a contingency option that you thought you had may disappear because a factory has closed or the spot market has changed. It has to be related to both the real world and your business objectives.
PAUL HOWARD: But if you can build a factory pretty basically for £2m, or build it super-secure for £3m, and if your organisation has never actually lost a factory, that could produce quite a difficult discussion.
RICHARD MOOR: You are not trying to sell a risk that does not exist, so you have to bring it to the table, debate it, agree that what you are doing is reasonable and do it on a regular basis.
JOHN WOODCOCK: This goes back to my point about perception and behaving in a grown up way. Take the scenario of being able to build a basic factory for £2m and a fully risk-managed one for £3m. If your business continuity plan shows that losing the factory would not have a major impact, you should probably go with the £2m operation. You need to say that your business continuity plan is going to guide the way in which you operate and that means the correct value has been given to risk management.
PAUL HOWARD: You might also need to be aware that potentially it might not be capable of being insured.
JOHN WOODCOCK: That is all part of the issue.
RICHARD MOOR: You should never lose sight of the fact that the business does have a financial risk tolerance, and that there are earnings to be delivered and promises to be kept. You need to present your 'basket' of risks, explain the costs and get the board to decide how comfortable it is with retaining risk. But you must not forget that when they say they will take £xm of risk in one year they are thinking of one or two events.
You need to explain that there could be several consecutive events. Risk ranking and other similar sorts of tools are quite useful in these areas.
DOUG PENNYCUICK: How many organisations make the link between good risk management, and employee relations and customer relations as benefits of good risk management?
MARGARET CLUBLEY: I have been increasingly involved in what I call road shows for clients, where everybody in the whole chain comes together.
Each time I go to one of these events, I learn something new. Within the companies concerned the participants learn more about their jobs, and about how they can help the risk process, and so the claim process. For instance we frequently work hand in hand with customer services now.
PAUL HOWARD: So is that potentially another payback, qualitative rather than quantitative - better quality decisions and better communications?
RICHARD MOOR: There is a bit of that. We haven't really touched on payback as regards reputational risk, another non-financial measure, to which people are very sensitive these days.
PETER MORRIS: You cannot put a price on it. A reputational disaster can wipe a company out.
RICHARD MOOR: People are more aware of it. We have seen the rise of corporate social responsibility programmes and such areas as business ethics coming to the fore. All those are good areas to relate to when you are looking to put a case for supporting a particular risk management initiative.
JOHN WOODCOCK: We have seen evidence that people are (a) more interested and (b) more willing to take on measurement of risk against some of these difficult parameters and indeed to look at multiple parameters. In one organisation, there were actually five different drivers for assessing risk and they were the five drivers that drove the board on the key issues.
One was reputation, another was customer confidence and so on. The risks were ranked against these with definitions of five grades or levels of severity. It was not a measurement in pounds, yen or euro. You cannot measure reputation quite as easily as that, but you can define different levels of reputation damage, from something arising and handled locally, up to a full-scale adverse media event. The board found this useful, because they could relate to those different levels. And it was quite easy to assess the vast number of risks they had and to slot them in where they belonged on the severity and likelihood scales.
We are seeing more and more of these methodologies, and they don't involve complex maths. It is about looking at components and about having the ability to define different levels of impact so that there is a necessary threshold between each one for the purposes of definition. It does work; you get some good answers and some good risk ranking, based on real stuff that boards are interested in.
PAUL HOWARD: Can we expand at this stage to look at some of the issues that have been adopted in the public sector, for example best value approaches?
We seem to be struggling a little regarding the quantitative measure of payback. Are there other ways that we can demonstrate adding value?
MARGARET CLUBLEY: From my experience of the public sector, and admittedly that is some years ago, there were those organisations that had excellent risk management and those that had none. There were two schools of thought.
Is it better to know about it and put a lot of procedures in place or is it just cheaper to forget about it and simply pay the claims when they arrive?
PAUL HOWARD: On the best value side, a lot of public sector organisations have tried to look at their overall relationship with the communities they serve and build a risk-based element into how they serve them. Whereas in the private sector, we are probably looking at things like, how do we add shareholder value in some way. I accept that we don't want to get too hung up on bureaucracy and measuring things, but there does seem to be a useful series of indices coming out in the public sector which for private sector risk managers would look great in their annual risk management report to the board. They give a bit of a benchmark for improvement and it would be interesting if they could be adopted into the private sector
PETER MORRIS: I think that what governmental organisations do at a very high level is relevant here. Essentially it is a risk management exercise.
They are now required to carry out regulatory impact assessments (RIAs) whenever they want to introduce some sort of legislation, either primary or secondary. The purpose of the RIAs is to tease out the risks of not regulating and the cost of risk of actually introducing legislation. I think this was introduced by the current government and it has become pretty endemic across everything they do.
PAUL HOWARD: It sounds like a potential impact analysis.
PETER MORRIS: Yes, it measures the potential impact of the proposal on all the potential stakeholders, and of course that means that part of it will involve a consultation process. They produce a preliminary RIA which sets out what their initial thinking is, then go out to consultation, after which they work it up to a final RIA, which will then inform the final decision-making process. That is something we may already do in different ways, but I think the private sector could probably adopt and adapt this process quite usefully.
PAUL HOWARD: On the private sector side, is that similar to what happens on a macro basis, for example with large project risk decision-making where you look at the pluses and minuses of any decision?
STUART MARTIN: It is similar to business impact analysis that you apply to any aspect of your business. I don't think that the Government is as well educated on risk management approaches and measurements as the private sector, so you have to be careful looking at the Government's approach to risk impact analysis and how that correlates with private industry's views, opinions and aspects of measurements of risk.
JOHN WOODCOCK: While I think that we intuitively know the capability for risk management to help organisations achieve growth and their targets, I'm not sure that the case is overtly put forward. We are still stuck to some extent in the area of preventing downside risk. We can intellectualise about the idea of risk management for growth, but the truth is that it is very difficult to identify a positive impact from taking risk management.
I can think of a theoretical example. If you were a supplier and had complete confidence in your business continuity approach, you could gain a competitive edge by reducing your minimum supply contract period, because you could guarantee that all your suppliers would meet your standards regardless.
So if it typically took a month to deliver something in your particular industry, you could offer a two week delivery period. I have not come across any organisation doing that yet, but those are the sorts of things we actually have to do.
PAUL HOWARD: We have touched on some of the issues involving the UK public and private sectors. Has anyone any views on the differences between Continental Europe and the UK, particularly now we are looking at an enlarged European Union?
DOUG PENNYCUICK: Some of the large continental buyers tend to be very traditional in the way that they buy insurance. Their appetite for self insurance is less.
RICHARD MOOR: They have a different approach. If you do an analysis of, say, auto and employee losses and you move from US through UK to Europe, in the US you have got a fairly well measured comprehensive system which is actually like the old UK tariff approach. It is coded, which gives you good benchmarking and highly visible costs. In the UK you have a little of that but it is slightly haphazard and it is very difficult to get commonality of approach. Moving into Europe, your employee accidents are totally buried in the welfare system and your auto costs tend to be insured down to a very low level, so there is a very different perception of the attritional risk. And I think you are right, the appetite for risk transfer in the traditionally insured catastrophe risks is different as well. If you go into business risks, then it is similar and depends on the organisation.
JOHN WOODCOCK: There is quite a lot of fragmentation in Europe. There are different responsibilities, and in some countries certain risks are dealt with by state organisations. A lot of the Continental European areas still have quite traditional purchasing needs. Scandinavia is probably an exception. The Scandinavian countries are up with world trends in terms of looking at risk management and wanting to get guidance and advice.
But in some other areas, although the boards do still manage risk, they presumably do it in a completely different way from the UK and there is still quite a strong insurance focus.
RICHARD MOOR: That is particularly true for indigenous businesses.
MARGARET CLUBLEY: We deal with the worldwide claims for one of our large clients, and I got to know quite a bit about what was happening internationally because I set up about 50 different hubs round the world. The overall objective is to get things as consistent as possible in every country.
You can do this with things like claims forms, but one of the things that we have to take into account, not just in Europe but around the world, is the local customs and culture. Some countries are 10 or 20 years behind us, and that is not going to change overnight. The law is also very different in different countries. You have to recognise the differences and work around them.
JOHN WOODCOCK: Yes, if you take things like employee absence, which is a big issue here, in many parts of Europe it is not an issue because it is hidden in the welfare system. They don't measure the lost days because the state pays, so the company doesn't have any costs.
RICHARD MOOR: But you can still risk map it, although you have to find a common currency. If the business is the same in every territory, there must be a way of mapping the risk whether in terms of loss of time as opposed to a financial measure.
PAUL HOWARD: I also wonder whether there might be a potential future business risk to UK organisations who might find themselves up against heavy competition from sparsely-regulated competitors from regions such as the Baltic republics, where health and safety regulation, for example, is not quite so advanced.
RICHARD MOOR: It may not be a traditional consideration, but a lot of the legislation is there. Most of the Eastern European countries are shadowing EU legislation. Implementation is another matter.
STUART MARTIN: A lot of international companies have taken an ethical standpoint when considering entering marketplaces, because of the legislation and working practices there. They review the risk when they are considering entering those marketplaces, and will take the decision not to go into that territory.
RICHARD MOOR: It is easy to make a presumption on these new EU countries.
The reality is that if you meet a lot of the managers in their businesses, they are very well educated professional people. There is the danger of confusing the lack of past investment in plant with the quality of the people running the businesses. There is a very good generation of managers coming through in those countries.
MARGARET CLUBLEY: An interesting point regarding Eastern Europe is that there hasn't previously been a claim culture there at all. I think that is now starting to emerge and I wonder just how far it will go.
PAUL HOWARD: Is it possible to compare payback on risk management in different organisations in different sectors or is it perhaps too sector specific?
STUART MARTIN: Certain aspects of the risk will be sector specific, but if you are looking at reputational risks and some of the other high level hot topics then I don't see any reason why you can't measure.
JOHN WOODCOCK: The principles involved in the different risk mitigation techniques that one might put in place ought to have common features, so that by capturing that information collectively you have got ammunition to help you to assess how much effect a particular risk management initiative is going to have, even though the components of it will vary from organisation to organisation. There is a kind of library or repository of information on what has worked and how it has worked. But we are not very good at capturing information in the UK, so we tend to work at reinventing the wheel all the time which is a very depressing activity.
RICHARD MOOR: The amount of information that you can get varies from country to country. That weakens your case when you are trying to sell risk management initiatives, and you have to find another way to measure effectiveness, which can be difficult.
PAUL HOWARD: If we are looking at increased focus on the benefits of investment in risk management across organisations are we potentially looking at some comparability? At the moment everyone is reporting in different ways. Are we moving towards more of an external measurement focus that may indicate some of the value of risk management?
JOHN WOODCOCK: It is inevitable. The Stock Exchange and Standard & Poor's plan to introduce a corporate governance index. This is inevitably going to draw in risk management, so we will get more required measurements.
DOUG PENNYCUICK: You have got to find ways of saying what the benefits of investing in risk management are for customers, employees and shareholders, and how risk management is affecting the business drivers. I think that the biggest challenge for risk management is actually being able to have some sort of measurement system that says what the benefits to the business will be if we invest in it.
