Risk Management: why re-invent the wheel?


September 17, 2002

By Simon Ledgard and Errol Taylor of BSI Management Systems

Is your organization next to hit the headlines?

Recent news stories have focused the minds of business leaders on the importance of looking after all their stakeholders. It is no longer acceptable to drive businesses exclusively through financial controls. Although profit is fundamental to business success, other factors must be considered to ensure that business remains successful in the medium term. Customers, employees, legislation, litigation, local and wider community opinion can all have a significant impact on the health and prosperity of any organization.

Governments in North America, Europe and Asia are all increasing their focus on Corporate Governance and Internal Controls. The result will be increased requirements for organizations to demonstrate that they have structured management systems in place to review and prioritise the needs of all their stakeholders, as well as manage the business risks they face.

This twin focus on stakeholders and business risk is seen by many as a pair of new business initiatives that must be adopted as additional functions of the business. How can organizations juggle conflicting requirements such as high financial returns, good salaries & working conditions, low prices, excellent service and minimal impact on the environment?

Other organizations however, have applied Management Systems Standards for some time and have evolved with them. These organizations realise that the Standards are already helping them manage conflicting priorities in a structured way. They recognise that the new challenge is for them to understand what is not being done and where development is required to build upon systems that are already in place.

Organizations are increasingly taking the principle of a process-based approach (encouraged by the Quality Management Standard ISO 9001:2000) and are applying this to join up their business activities. The process approach becomes an essential tool helping the organization and its individual departments or business units understand the needs and expectations of both internal and external customers. Quality Management is no longer the exclusive domain of manufacturing operations: the process approach is proving invaluable to service organizations operating within local government, healthcare, finance and transport. An additional benefit of working with ISO9001:2000 is the fact that the Standard requires a virtuous circle of continuous improvement to be built into everything the organization does.

Meanwhile, the concept of a risk-based approach to Management Systems standards has been introduced by the Environmental Standard ISO 14001 and the Occupational Health & Safety System OHSAS 18001. Organizations are encouraged to identify and evaluate each of the risks they face. Infrequent risks with minor consequences can be controlled. Significant ones with severe consequences must be managed, either by eliminating them or by working to reduce their frequency or severity.

As a result of adopting these process and risk-based approaches, organizations improve their focus on the requirements and expectations of their customers. They are also in a better position to manage the way in which they interact with their physical environment, as well as looking after the health and safety of people at work.

Thanks to the use of performance measures, organizations can measure progress against objectives. This in turn can be used to help drive continual improvement, competitiveness and therefore success in an increasingly demanding environment.

Stakeholder Engagement

Current management system standards and their integration are therefore proving increasingly useful to the whole spectrum of organizations from government departments, charities & financial institutions through to petrochemicals giants, electronics companies and the whole engineering industry.

A new standard, ISO 9004:2000 “Guidelines for Performance Improvement”, could help achieve effective review and prioritisation of the needs of stakeholders. This Standard helps organizations go beyond the requirements of the global benchmark Quality Management Standard ISO 9001:2000. It encourages interaction with all stakeholders to understand their needs & expectations, using the methodology of the “eight management principles”:
* Interested Parties
* Leadership
* Involvement of People
* Process Approach
* System Approach to Management
* Continual Improvement
* Factual Approach to Decision Making
* Mutually Beneficial Supplier Relationships

By applying ISO9004, organizations get the opportunity to further understand the wider environment in which they operate. All organizations are affected by a large number of stakeholders. In many cases these are highly visible and a detailed review is unnecessary. However, in most established organizations, the needs and expectations of stakeholders are taken for granted and this leads to inappropriate use of the organization's resources.

Stakeholders can include owners/shareholders, suppliers, competitors, society, employees and customers. Their needs, both now and in the future, need to be considered in developing both short and long-term strategic objectives. Of course, not all stakeholder needs can or should be met. Some stakeholder needs may be in direct conflict with others. All organizations inevitably have limitations on the resources they can deploy. The business strategy must be developed carefully in order to balance stakeholder expectations whilst remaining in business. Therefore, although stakeholder engagement must be maintained, prioritisation must take place in order to allocate resources to the most appropriate stakeholder needs. Knowledge of stakeholder needs and their prioritisation provides the context and balance for sound strategic and operational decisions and can be used as an input into the risk management process.

The concept, structure and principles of ISO 9004 are similar to those used in ISO 9001:2000. Organizations already familiar with ISO 9001:2000 will therefore find it relatively straightforward to apply ISO 9004. However, the results, in terms of having a very clear view of stakeholder needs, expectations and their relative priorities, could have a dramatic impact on the way in which the organization's resources are deployed.

Identifying Risks

Risk can be seen positively as a business opportunity, such as investing in the development of an innovative new product, moving into new geographical markets or merging with another organization. Organizations that can manage these risks effectively are more likely to protect and enhance their stock market valuation and succeed in growing their business.

In the more traditional, negative sense, risk is usually seen as a potential for loss. Loss can be categorised as lost revenue, litigation, claims, harm to people, harm to property, harm to process or harm to the environment.

In fiercely competitive manufacturing industries using “just in time” techniques, late delivery from a supplier means production downtime and unhappy customers. Claims for lost revenue and damage to reputation are quickly fed down the supply chain and can destroy the financial viability of otherwise successful businesses.

Harm in the form of injuring people or the environment can be extremely high profile, resulting in damaging press coverage which in turn destroys shareholder confidence and the value of the business.

Less tangible assets, such as the organization's brands, can also be an area where risk needs to be carefully evaluated. Brands take many years and huge financial investment to build but seconds to destroy. In an industry renowned for its excellent safety record, the pilots of some of the UK's highly successful low-cost airlines have recently been mentioned by air traffic controllers as putting efficiency above other criteria. Would you fly with an airline with a poor safety record?

Essentially the first step along the risk management process, after all the necessary business information is available, is to perform a risk assessment. Risk assessment may seem to be more of an operational issue but in fact requires an organization wide approach. Risk can be inherent in an opportunity to acquire another organization as much as it can be the potential for loss should an incident occur.

Organizations that have successfully applied ISO 14001, the environmental management system standard, have been through an environmental review of which an integral part is to consider significant environmental aspects relating to emissions to air, releases to water, waste management, contamination of land, use of raw materials and natural resources and other local environmental and community issues. The mindset in such an organization is re-positioned to manage what is often a key stakeholder expectation: managing risk and preventing loss with respect to the environment.

Organizations that have successfully applied OHSAS 18001, the occupational health and safety management system standard, have first proactively identified hazards and performed a risk assessment within the organization relating to routine and non-routine activities, activities of all personnel having access to the workplace (including subcontractors and visitors) and facilities at the workplace, whether provided by the workplace or others. Organizations working in this way address another key stakeholder, the people within the organization, helping to establish a culture of risk management.

The challenge for business is to integrate this good practice and apply it to wider business aspects. Essentially the same risk assessment process is used, except that at the same time as understanding the risks related to waste management or heavy machinery, the risks relating to less tangible assets such as brand management should also be evaluated. Again, the environment in which the organization works, i.e. the stakeholders that have an influence on the organization and how it operates, is a key prerequisite and should not be forgotten.

Managing Risk through an Integrated System

Once risk has been exposed, the next step along the risk management process involves either tolerating, terminating, transferring or treating these risks. Treating the risk may often be the most difficult, as it requires control and measurement. Again, control and measurement are the basis of effective management systems. The difficulty arises when the business recognises that a risk falls outside the usual scope or focus of the management system, i.e. outside the areas where the system has been formally implemented. For example, a risk may have been identified in relation to information security and how information is collected, stored, maintained, accessed and communicated around the business and to other stakeholders. Through a more formal approach, and using requirements agreed by industry, the application of management system requirements such as those identified within BS 7799-2 (the Information Security Standard) should help an organization improve upon what is currently in place and mitigate significant risks.

Another aspect to managing risks through treatment is the balance between competency and procedure. Organizations having implemented ISO 9001:2000 will be aware that it is often more appropriate to manage a process through the competency of the personnel rather than the requirement for these same people to follow meticulous step by step instructions. This equally applies to the management of risk, as by its very nature, risk cannot always be controlled through checklists. A checklist cannot help with an unplanned or unexpected event!

A powerful way of managing risk is to use the skills of trained and highly competent staff. Effective training and inherent knowledge gained through experience allow staff to identify the inherent risks in a particular situation. They should then be able to quickly work out the most appropriate course of action. This implies a completely different culture from the one in which staff are expected to work methodically through detailed procedures before filling in the required documentation.

In managing risk it may therefore be appropriate to build in checkpoints along a process. Measures can be taken at these checkpoints to monitor the process and identify potential risks. Staff competency can be matched to the risks at each stage in the process, allowing them to manage the risk safely. Competency can be tested periodically, and this can help drive training programmes as well as succession planning.

All management system standards require that the organization take measurements that indicate performance against objectives. For those organizations that have successfully implemented management system standards, these measures can of course be used for risk management. Also, since processes are in place to measure and analyse information, any additional information required with respect to risk management can be built in. For example, the organization may have identified that storage of a particular by-product of the manufacturing process beyond a certain level may be an unacceptable risk. To monitor and continuously evaluate this risk, measures can be taken from the sales process, namely an indication of the level of orders anticipated and therefore the corresponding levels of by-product expected once production against demand is completed. Further controls can then be put in place to ensure that when by-product is expected to exceed a certain level, arrangements are made in advance for safe disposal or recycling.

A business with an integrated approach that includes risk gives top management the objective evidence it needs to protect business viability, and makes improvement through management review more efficient and effective. The application of management system standards helps to ensure a structured approach to making factually based decisions on how the organization can move forward.

A single Business Management System?

Is risk management an independent issue, something to be managed separately? The indications are that most organizations are actually managing risk already through the application of management system standards.

Building upon what is already in place may seem to be the most appropriate way forward. Perhaps today's real challenge for organizations is not in understanding how risk can be identified and managed, but how the culture of the organization must be changed in order to focus on a single business management system. The single business management system can then become the basis for applying best practice.

Internationally recognised standards are now available to help organizations take account of the needs and expectations of all their stakeholders. The results from internal and external audits to these standards can be used to drive organizational risk management. The whole system needs to have a continual improvement focus, in line with strategic objectives, thereby safeguarding the future prosperity of the organization. The complete system could be described as a “Total Business Management System”.

BPIR (Business Performance Improvement Review)

BPIR is a unique assessment service developed by BSI and based on the principles of ISO 9004. It is an assessment framework and methodology for the identification of improvement opportunities for an organization in relation to how:
* The organization prioritizes the needs of stakeholders through organizational policy, strategy and objectives.
* The organization builds upon and develops its existing management system to incorporate wider business aspects through the application of management principles.

CAPTM (Common Audit Protocol)

BSI's CAPTM assessment service involves the detection of system failures through the measurement of control and performance of the business management system. The CAPTM product provides an operational risk rating of a management system. As a by-product of the assessment, certification can be achieved to ISO 9001:2000, ISO 14001 and OHSAS 18001, the quality, environmental, and health and safety management system standards respectively.

Wilma Tulloch on +44 (0)20 8996 6330 OR
Marc Edney on +44 (0)20 8996 6330