Risk and Managing Risk Guide

The guide on risk and managing risk outlines the importance of effective risk management in organizations, emphasizing the need for leaders to determine how to approach risks to achieve strategic objectives. It covers various aspects of risk management, including definitions, principles, governance, communication, and assessment techniques, while referencing international standards like ISO 31000:2018 and COSO ERM. The document serves as a resource for individuals new to risk management, providing practical examples and insights into integrating risk management into organizational culture and processes.
RISK AND MANAGING RISK EXPLAINED GUIDE

Risk and managing risk EXPLAINED Guide

In association with:
2 | RISK AND RISK MANAGING RISK

CONTENTS

1. Introduction ... 2
2. What is risk? ... 3
3. Understanding risk management principles ... 7
4. Governance ... 10
5. Leadership commitment and culture, roles and responsibilities ... 14
6. Articulating risk in the organisation ... 16
7. Risk communication, monitoring and reporting ... 20
8. Risk process overview ... 22
9. Business continuity, resilience and insurance ... 23
10. […] intangible risks ... 25
11. […] emerging risks ... 28
12. Risk management assessment and analysis techniques, methods and tools ... 31
13. […] improvement ... 35
14. Where to look for further information ... 38



1. INTRODUCTION
Risk-taking is fundamental to the success of any organisation. The leaders of an organisation must
decide the extent to which risk needs to be sought, accepted, addressed or avoided, and their approach
to this will determine how risks are managed across their organisation.

The concept of risk management has been of increasing relevance and importance in recent years, triggered in part by the greater maturity of corporate governance frameworks and recognition of risk management as an enabler and protector of value and achievement of strategic objectives.

Societal trends such as business accountability, disclosure of information, the velocity of change, the connectivity of risks, the impact of emerging technologies and high impact, low probability risk have all added emphasis and importance to the need for effective risk management.

According to the 2024 World Economic Forum Global Risks Report, the disruptive capabilities of manipulated information are rapidly accelerating, as open access to increasingly sophisticated technologies including artificial intelligence (AI) proliferates and trust in information and institutions deteriorates. It is anticipated that the boom in synthetic content will amplify societal divisions, with rises in ideological violence and political repression.

The rapid proliferation of AI brings with it a potential shift in how society and business interact with the digital world. New opportunities and challenges are emerging at an unprecedented speed, but we need to identify risks and opportunities, decide how we embrace and manage these, and determine how we protect ourselves from the unforeseen consequences that could flow from unregulated AI development and adoption.

The 2024 Edelman Trust Barometer highlighted the risks which are exacerbating trust issues, bringing with them the threat of further societal instability and political polarisation.

Coupled with the rise in global regulations and laws, risk management has never been higher on the board agenda nor required more of today’s risk manager.

A wealth of knowledge, guides, standards and publications exists to help with the detailed development of risk management strategies and implementation of risk management programmes.

However, the focus now is to address increased complexity and connectivity, and ensure that risk management enhances business models by operating as an integral part of established and future processes. This approach requires a shared view of the impact of risk on business objectives and effective communication between business leaders, functional teams and business operations.

This guide summarises current approaches to risk management to promote a shared understanding. It will be particularly useful for those new to risk management.

It looks initially at the definition of risk and how risk management helps organisations address uncertainty. It then summarises the key principles underpinning the design and operation of a risk management programme with reference to the international risk management standard ISO 31000:2018. It moves on to consider how risk governance fits within the developing corporate governance codes and frameworks and their associated guidance.

Human and cultural factors have a fundamental impact on the success of the risk management programme. These factors and the importance of leadership are considered in section 5.

Section 6 focuses on articulating risk within the organisation and will help the reader understand how risks are identified and assessed in the internal and external context of the business. The approach to accepting and managing risks in order to create and protect value varies substantially across businesses, and this section highlights the way risks are evaluated in conjunction with the risk criteria developed by the business.

The guide incorporates practical examples where appropriate. It also introduces the subject of organisational resilience and outlines the importance of appropriate resilience within the wider risk management approach. The international standard ISO 22301:2019, which specifies the requirements for a management system to protect against, reduce the likelihood of and ensure a business recovers from disruptive incidents, and the British standard BS 65000:2014, which provides guidance on organisational resilience, are both referenced alongside cases from the Airmic Roads to Ruin and Roads to Resilience publications.

The guide outlines why internal and external communication and monitoring are a key part of any successful risk management programme. The impact of the Financial Reporting Council (FRC) guidance is considered as part of the external communication strategy of a listed company.

This guide is intended to be used by Airmic members starting out in their career in the profession, and by those who may be new to this subject, or to be shared with their business colleagues in areas such as procurement, finance, human resources, IT and internal audit.

2. WHAT IS RISK?
Risk is a natural part of life, both in business and leisure. In Against the Gods, Peter Bernstein, the American
financial historian, portrays the mastery of risk as the key revolutionary idea defining the boundary
between the past and modern times. He demonstrates how the understanding and management of risk
has been and continues to be the driver for economic prosperity.

Risk is linked to uncertainty, as many ventures face challenges and obstacles on the path to success.

2.1 Understanding the definition of risk

Whilst there are many definitions of risk, this guide adopts the definition contained in the international standard ISO 31000:2018, which states:

“Risk is the effect of uncertainty on objectives.”

The following are of particular importance in considering this:

• This definition allows for either a positive or negative deviation from the planned outcome. This is an important distinction and helps view risk as something to be embraced and not just controlled or avoided.

• Risk is often characterised by reference to potential events and consequences. For example, low-lying premises near a river might be at risk of flooding, which could cause damage to property and disruption to a business, a community or people.

• Risk can be expressed in terms of a combination of the consequences of an event and the associated likelihood of an occurrence. This can be helpful to allow comparison of disparate risks with very different impacts on an organisation or its people and other stakeholders, including investors, suppliers and customers.

• Uncertainty is inherent in risk. Uncertainty can arise from a number of different sources, including a deficiency of information, understanding or knowledge of an event, or a lack of awareness of its possible impact and likelihood.

• Objectives can have many different dimensions, including finance, safety, quality, regulatory or reputation, and can apply at different levels of an organisation.

• An appreciation of these factors helps determine risk characteristics such as causes and consequences, as well as helping design risk indicators to monitor risk status.

2.2 What is risk management?

Risk management is the identification, assessment and prioritisation of risks, followed by coordinated and economic application of resources to maximise the realisation of opportunity or address the impact and/or likelihood of adverse events.

Risk management should have an objective to ensure that managing risk creates and protects value. Risk management must be an integral part of the management system and be embedded within the culture of the organisation, encompassing the entire workforce.

2.3 Recognising sources of risk

No organisation or individual can exist in isolation, and consideration of risk must take account of factors that are both internal and external to an organisation. The internal and external environment in which the organisation seeks to achieve its objectives is referred to as ‘context’ in the ISO guide.

There should be an understanding of the interconnectivity between internal and external risk events and coordination of risk management activities through supply chain partnerships, where possible. Figure 1 illustrates internal and external sources of risk.

2.4 Analysing and evaluating risks

There are many ways in which an organisation might choose to evaluate risks arising from the internal and external contexts, and there are many different response strategies depending upon the objectives of the organisation.

FIGURE 1
Some examples of internal and external sources of risk

(The figure places internal sources of risk inside a ring of external sources; the grouping below follows that layout.)

EXTERNAL: Water crises; Fiscal crises; Oil price shock; Political instability; Environmental catastrophe; Severe weather; Pandemic disease; Organised crime; Terrorist attack; Major transport accident; Cyber infrastructure attack

INTERNAL: Cashflow/Liquidity; New product development; Loss of suppliers; Pension fund deficit; M&A activities; Regulatory compliance; Historic liabilities; Product quality; People safety; Damage to assets; Actions of agents & partners; Patent infringement

However, it is important to recognise that a successful risk management approach will add value by integrating with and supporting existing business systems to enable improved decision-making, to enhance controls and to realise opportunities.

Once the organisation has understood and evaluated the risk in the context of the business, attention turns to risk treatment to address the risk.

2.5 Treating risks

Options for risk treatment include removing the source of the risk, changing the nature of the risk, sharing the risk with another party, seeking an opportunity to create or enhance the risk, or avoiding the activity. Risk management tools are used to determine the possible impact of the risk and its likelihood. These help organisations to understand their risk exposure and the relative importance of the risks, to assist them in establishing priorities for action. For example, an organisation has a number of options to address the risk of disruption relating to a single-source supplier, including appointing a dual supplier, creating capacity in-house, accepting the risk and periodically monitoring it to ensure it remains acceptable, and potentially transferring the financial implications of supplier failure to an insurance solution.

In practice, it is necessary to have regard to organisational objectives, and management and operational processes, and to consider these in the internal and external context in order for risk decision-making to be effective.

Risk management assists the organisation by specifically addressing uncertainty. It establishes a structured process, operating within existing systems and procedures, to clarify the nature of the uncertainty and how the uncertainty might be addressed.

When a risk treatment concerns an opportunity, this might include exploit (increasing the likelihood), experiment (testing new solutions or gathering and analysing additional data), enhance (taking more of the risk or relaxing controls) or accept (adding no additional controls).

2.6 Introducing Enterprise Risk Management

Enterprise risk management (ERM) is the term used to describe risk management applied across the entire organisation. ERM should be integral to planning and performance across the entire enterprise.

Risk maturity is about having a sustainable, repeatable and mature ERM programme. Risk maturity models measure maturity from the equivalent of ‘ad hoc’ to ‘fully embedded’ levels. Risk maturity models or tools can be used to assess maturity and to facilitate benchmarking of a programme against a number of criteria, which typically include the planning and governance of the programme, the execution of risk assessments, and the aggregation, analysis and communication of risk information. These criteria form a matrix with competency drivers which are scored.

Research from the analysis of organisations using risk maturity models indicates that mature risk management can be correlated with enhanced business performance. However, the highest score from a maturity model is not always necessary or desirable. What matters is the systematic assessment against the risk management objectives of the organisation, and this should drive maturity model targets. The cost of risk controls should be proportionate to the improvement in managing risk.

The term ‘risk progress’ is also used as an alternative to ‘risk maturity’, which for some risk professionals better expresses the risk journey being travelled towards a target or risk maturity goal.

2.7 The COSO risk management framework

Whilst this guide focuses on the risk management standard ISO 31000:2018, it is important to be aware of other risk management standards and frameworks. The most commonly used in addition to ISO 31000:2018 is the COSO Enterprise Risk Management (ERM) framework. In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued the Enterprise Risk Management – Integrated Framework to help businesses and other entities evaluate and improve their enterprise risk management. The framework has been incorporated into policy, rule and regulation, and it has been used by thousands of enterprises to better control their activities in moving toward achievement of their established objectives. COSO ERM requires considering risks from a portfolio or ‘enterprise’ perspective, which was not contemplated in COSO’s Internal Control – Integrated Framework, a complementary but distinct publication first released by COSO in 1992.

FIGURE 2
The COSO Framework is a set of principles organised into five interrelated components

(The figure shows the business cycle Mission, Vision and Core Values; Strategy Development; Business Objective Formulation; Implementation and Performance; Enhanced Value, with the twenty principles grouped under the five components as follows.)

GOVERNANCE & CULTURE: 1. Exercises Board Risk Oversight; 2. Establishes Operating Structures; 3. Defines Desired Culture; 4. Demonstrates Commitment to Core Values; 5. Attracts, Develops, and Retains Capable Individuals

STRATEGY & OBJECTIVE-SETTING: 6. Analyzes Business Context; 7. Defines Risk Appetite; 8. Evaluates Alternative Strategies; 9. Formulates Business Objectives

PERFORMANCE: 10. Identifies Risk; 11. Assesses Severity of Risk; 12. Prioritizes Risks; 13. Implements Risk Responses; 14. Develops Portfolio View

REVIEW & REVISION: 15. Assesses Substantial Change; 16. Reviews Risk and Performance; 17. Pursues Improvement in Enterprise Risk Management

INFORMATION, COMMUNICATION & REPORTING: 18. Leverages Information and Technology; 19. Communicates Risk Information; 20. Reports on Risk, Culture, and Performance

The COSO ERM framework was revised and reissued in 2017 under the title Enterprise Risk Management – Integrating with Strategy and Performance. As with ISO 31000, it emphasises the connectivity between performance, strategy and ERM. The COSO ERM framework contains 20 principles that can be used to inform the design and continuous improvement of a risk management framework.

The principles are grouped under the following headings:

• Risk governance and culture
• Risk strategy and objective setting
• Risk in execution
• Risk information, communication and reporting
• Monitoring enterprise risk management performance

The COSO approach is scalable and suited to all organisations. The structure of the COSO ERM is illustrated in Figure 2 above.

3. UNDERSTANDING RISK MANAGEMENT PRINCIPLES

FIGURE 3
The risk management principles – ISO 31000:2018

(The figure shows the eight principles arranged in a ring around the central purpose “Value creation and protection”: 1 Integrated; 2 Structured and comprehensive; 3 Customised; 4 Inclusive; 5 Dynamic; 6 Best available information; 7 Human and cultural factors; 8 Continual improvement.)

Effective risk management enables better decision-making, leading to enhanced stakeholder value creation and protection.

ISO 31000:2018 contains eight principles which help guide organisations in the design, implementation and evaluation of their risk management framework, to ensure it contributes to the demonstrable achievement of objectives and improvement of performance.

These principles are shown in Figure 3. A more detailed explanation of each principle follows:

1. Integrated: To be truly effective, risk management must be an integral part of the management system and be embedded within the culture of the organisation, encompassing the entire workforce.

Risk management should not exist as a stand-alone activity.

It must be structured within and form part of all organisational processes, including strategic planning, operational, financial, legal and IT processes, as well as project and change management processes. The approach will enable the organisation to grasp new opportunities whilst reducing the risk of business threats to it in a controlled manner. Board risk blindness can be avoided by encouraging the sharing of information and bringing uncomfortable truths to senior management, so that board decisions are well informed. The risk framework must be designed to reflect the reality of internal and external influences.

However, risk management should not be a bureaucratic process but one which is intuitive, connected and dynamic. Management systems are important to enable integration, but arguably more critical are employee participation and shared ownership, regardless of functional or business unit reporting lines.

Risk management is an integral part of decision-making. It should assist the organisation in making decisions about activities that may represent either upside or downside risks. Risk-taking must be recognised as an important part of decision-making. Such decisions will be informed by the organisation’s appetite for risk (see section 6 of this guide). For example, an organisation will generally have a higher risk appetite for commercial risk than for regulatory risk. Effective risk management, properly embedded within the decision-making process, will help an organisation survive and thrive.

2. Structured and comprehensive: Risk management is systematic, structured and timely.

Risk should be dealt with in a consistent way across different disciplines, allowing for decisions to be taken with confidence and avoiding duplication of effort, through efficient use of resources and management tools.

The risk management framework should comprehensively cover all areas of risk, both internal and external, that are of relevance to the organisation.

Whilst the framework would be expected to incorporate a risk procedure providing clear guidance to members of staff with risk roles and responsibilities, it should not be overly bureaucratic, as this will hinder implementation.

3. Customised: The risk management framework is tailored to the organisational need and context. The approach to risk management should be proportionate and scaled to the needs of the organisation and the business environment in which it operates.

Organisations operate in different contexts, so risk management needs to be tailored to the specific organisation’s requirements. For example, organisations working in highly technical environments such as the nuclear industry will have a much more complex risk management approach compared with a small retailer.

Business ownership and growth trajectory are also important considerations. For example, a privately held business seeking an Initial Public Offering (IPO) will have a considerably different framework to a partner-owned organisation.

4. Inclusive: Risk management is transparent and inclusive.

Key stakeholders within the organisation have formalised accountabilities and responsibilities for risk management. However, all members of staff have a part to play, for example in communicating risks and incidents and embedding the control framework. Senior management should ensure that all internal and external stakeholders are identified, and that effective two-way communication is maintained. This will help in the identification and assessment of risk, and inform and drive the organisational response.

5. Dynamic: Risk management is agile, iterative and responsive to change.

Organisations need to be able to respond effectively to internal and external change in a timely manner. The risk management framework should be able to continually identify and respond to significant change, recognising that some factors are subject to frequent change whereas others can remain constant over long periods.

Risk management assists the organisation in clarifying the nature of the uncertainty and how the uncertainty might be addressed.

6. Best available information: Risk management decisions should be based on reliable sources of data.

Sources of risk data will include subjective opinion, empirical data and forecast information. Data should be accurate, timely and verifiable, with quality assurance in place.

Risk perception and attitudes will vary widely across the organisation, and the risk manager should be aware of biases which may distort risk information and lead to the wrong decisions being made.

Risk owners should be prepared to question assumptions and opinions, and be aware of how risk can change over time.

7. Human and cultural factors: Risk management takes human and cultural factors into account.

Risk culture is a term that describes the values, beliefs, knowledge and understanding about risk shared by a group of people with a common objective. An effective risk culture enables and rewards individuals and groups for taking the right risks in an informed manner. Risk culture is considered in more detail in section 5 of this guide.

8. Continual improvement: Risk management facilitates organisational learning.

Over time, the organisational objectives will change to reflect the new environment. There should be a regular review of the way in which these risk management principles are applied, taking account of learning from relevant events, technological change and stakeholder expectations, to ensure that the risk management approach continues to support and drive these new objectives.

“Directors face discharging their responsibilities for risk management in an increasingly complex and fast moving world. They should not however be expected to know all the answers about every risk, or combination of risks, but they should be expected to ask informed questions posed to relevant experts employed or contracted by the company. The Airmic series of guidance published with Airmic Partners McGill and Partners, “Perfecting Governance”, is designed to provide a context with twelve questions, each designed to help directors explore a series of important risk subjects at the boardroom level.”
Julia Graham, CEO, Airmic

4. GOVERNANCE

4.1 Governance explained

Governance, Corporate Governance and Risk Governance

“Governance is a system that provides a framework for managing organisations. It identifies who can make decisions, who has the authority to act on behalf of the organisation and who is accountable for how an organisation and its people behave and perform. Governance enables the management team and the board to run organisations legally, ethically, sustainably, and successfully, for the benefit of stakeholders, including shareholders, employees, customers, and for the good of wider society.” (Chartered Governance Institute UK and Ireland 2024: [Link])

Corporate Governance is a code of behaviour expressing how management teams in organisations should act and be governed, to create and protect value on behalf of their stakeholders.

The purpose of Corporate Governance is to create and maintain a flexible, efficient, and effective framework for good management that delivers on the stated objectives of an organisation over the longer term. Risk governance applies the values of Corporate Governance to the ways in which an organisation manages its risks. Good risk governance is associated with having clearly defined roles and responsibilities across the organisation, where management collectively recognises its ongoing responsibility to manage risks.

Successful risk governance starts with an understanding of the objectives. The risk management framework will be developed to reflect the corporate objectives and the risk objectives. Different organisations will have very different objectives and therefore very different views of the risks they are prepared to take, and the opportunities they are prepared to pursue, to achieve these. The governance and framework will reflect this.

Successful risk governance also relies on assurance over identified risk exposures, as well as confidence in the assessment of the impact and likelihood of those exposures. There should be assurance around the organisation’s risk control environment and effective allocation of resources in response to risk.

“Organisations must build a more inclusive pipeline of talent for senior management roles. There are proportionately still more men than women holding positions as head of risk management and/or heads of insurance, and this impacts the gender pay gap”.
Investing in the right future: Artificial intelligence and the Future of the Profession - Airmic annual survey 2023

FIGURE 4
Risk management Framework ISO 31000:2018

(The figure shows Leadership and commitment at the centre of a cycle of five components: Integration; Design; Implementation; Evaluation; Improvement.)

4.2 Introducing the risk framework

The framework encompasses the organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management. It provides a structure for using the risk management process as a basis for decision-making and accountability at all levels of the organisation. The relationship between the components of the framework is shown in Figure 4.

Leadership and commitment lie at the heart of the framework and drive the process.

This can be further illustrated by considering how in practice the framework will operate in an organisation. In a typical large company, the board will set the company policy and this will flow down for action to operational executives at a divisional level and then to local site management for implementation. Risk oversight will often be the responsibility of the Risk or Audit Committee, reporting to the board, with decisions flowing down through the Risk function, through Risk Champions at a divisional level and then to local specialists. Alongside this, there will be documentation and toolkits to inform people at every level of the organisation.

The risk framework should be developed as an integral element of the other organisational procedures and processes to bring maximum efficiency and effectiveness.

4.3 The three lines (of defence) model

Organisations differ in their distribution of responsibilities.

In a version of the model published by the Institute of Internal Auditors (IIA) (see Figure 5), the following six Principles were introduced:
12 | RISK AND RISK MANAGING RISK

FIGURE 5
The IIA version of the three lines (of defence) model - IIA 2020
(Governing body: accountability to stakeholders for organizational oversight; governing body roles: integrity, leadership and transparency. Management: actions, including managing risk, to achieve organizational objectives; first line roles: provision of products/services to clients, managing risk; second line roles: expertise, support, monitoring and challenge on risk-related matters. Internal audit: independent assurance; third line roles: independent and objective assurance and advice on all matters related to the achievement of objectives. External assurance providers. Key: accountability, reporting; delegation, direction, resources, oversight; alignment, communication, coordination, collaboration.)
[Link]/resources/audit-committees/governance-of-risk-three-lines-model/

Principle 1: Governance
Principle 2: Governing body roles
Principle 3: Management and first and second line roles
Principle 4: Third line roles
Principle 5: Third line independence
Principle 6: Creating and protecting value

The following high-level roles serve to amplify the Principles:

The governing body accepts accountability to stakeholders for oversight of the organisation. It engages with stakeholders to monitor their interests and communicate transparently on the achievement of objectives. The body should ensure a culture promoting ethical behaviour and accountability. It should establish structures and processes for governance, including subcommittees, where considered appropriate for Risk and Audit committees. The body delegates responsibility and provides resources to management for achieving the objectives of the organisation. It should determine the appetite for risk, and establish and oversee independent risk management and internal control functions, whilst overseeing compliance with legal, regulatory and ethical expectations.

1. The first line leads and directs actions, including managing risk and application of resources to achieve the objectives of the organisation. It maintains a continuous dialogue with the governing body, and reports on planned, actual and expected outcomes linked to the objectives of the organisation. This line establishes and maintains appropriate structures and processes for the management of risk and internal control, and ensures compliance with legal, regulatory and ethical expectations.

2. The second line provides expertise, support, monitoring and challenge related to the management of risk, including the development, implementation and continuous improvement of the risk management framework and processes, reporting on the achievement of risk management objectives, such as compliance with laws, regulations and acceptable ethical behaviour, internal control, information and technology security, sustainability and quality assurance. It provides information, analysis and reports on the adequacy and effectiveness of risk management and internal control.

3. The third line communicates independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management, including internal control, to support the achievement of organisational objectives and to promote and facilitate continuous improvement. It reports impairments to independence and objectivity to the governing body and implements safeguards as required.

External assurance providers provide assurance of legislative and regulatory compliance, satisfy requests by management and the governing body to complement internal sources of assurance, and provide specialist support to the Second line and Governing Body through an independent assessment of the framework, assistance in designing and implementing the framework, or specialist analysis.

4.4 What the Financial Reporting Council requires
The Financial Reporting Council (FRC) regulates auditors, accountants, and actuaries, and sets the UK’s Corporate Governance Code. Their work is aimed at investors and others who rely on company reports and quality risk management. The FRC requires a board to establish an audit committee of independent directors. The committee should have recent financial experience and competence relevant to the sector in which it operates. In addition to finance-related roles and responsibilities, the board is charged with reviewing company internal financial controls and internal control and risk management systems, unless as regards risk, this is expressly addressed by a separate board risk committee composed of independent non-executive directors, or by the board itself.

The FRC’s 2024 revision of the Code is intended to provide a stronger basis for companies to evidence the effectiveness of their internal controls, thereby enhancing transparency and investor confidence. The board is required to take a stronger role in overseeing risk management and internal controls and to review the effectiveness of both at least annually. The 2024 Code will apply to financial years beginning on or after 1 January 2025. The 2018 Code remains in place until this time. The Code is supported by Guidance which provides further useful information but this does not form part of the Code.

Underpinning the 2024 Code is the responsibility of boards to establish a company culture based on integrity, openness, and diversity, and which is responsive to the views of investors and wider stakeholders.

5. LEADERSHIP COMMITMENT AND CULTURE, ROLES AND RESPONSIBILITIES
It is widely accepted that the commitment demonstrated by those in control of an organisation can make a significant difference in the level of organisational achievement.

This applies equally to risk management: strong leadership and a positive culture are vital to the successful achievement of risk management objectives. To be successful, risk management must be embedded within the culture of an organisation and this requires that all those working within and on behalf of an organisation understand how their own roles and responsibilities help the organisation survive and thrive.

5.1 Risk culture explained
Risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose. This applies whether the organisations are private companies, public bodies or not-for-profits, and wherever they are in the world.

An effective risk culture is one that enables and rewards individuals and groups for taking the right risks in an informed manner. To achieve success, the risk culture would include:

1. A distinct and consistent tone from the top from the board and senior management in respect of risk-taking and risk avoidance

2. A commitment to ethical principles and the consideration of wider stakeholder positions in decision-making. Examples of poor behaviour include bullying or inappropriate sales incentives

3. A common acceptance across the organisation of risk management, including clear accountability for and ownership of specific risks and risk areas

4. Transparent and timely risk information flowing up and down the organisation, with adverse news rapidly communicated without fear of blame

5. Actively seeking to learn from mistakes and near misses by encouragement of risk event reporting and whistle-blowing

6. Ensuring that no process or activity is too large, complex or obscure for the risk not to be readily understood

7. Appropriate risk-taking behaviours rewarded and encouraged, and inappropriate risk-taking behaviours challenged and sanctioned

8. Risk management skills and knowledge valued, encouraged and developed

9. Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously challenged

10. Appropriate employee engagement to ensure focus on both business and personal needs.

5.2 Illustrating the impact of poor culture
Risk culture is organisational culture viewed through a risk lens, and acts as a vital bridge between the risk appetite of the organisation and the overall culture and management systems. The prevailing risk culture will orient employees towards organisational risk and their own risk responsibilities, and in particular their decisions on risk-taking. Risk managers therefore must integrate cultural

management into the overall risk management framework. Problems with business and risk culture are frequently at the heart of organisational scandals and collapses. The following demonstrate real-life examples of poor business culture leading to corporate disaster:

VW and car emissions 2015: VW has admitted lying to markets and government officials about vehicle mileage and emissions. Both investors and customers have suffered. Reports indicate that the leadership of VW had such aggressive goals that technical teams could not achieve them. Rather than have the courage to speak up, employees chose the ‘easier’ route of dishonesty.

5.3 Communicating roles and responsibilities
Top management in an organisation is accountable for achievement of the strategic objectives and business performance. Their obligation to shareholders and other stakeholders requires it also to be responsible for the risk management policy in the organisation. Therefore, the board (or equivalent) should demonstrate its commitment to risk management by:

• Recognising that it is ultimately accountable
• Defining roles, responsibilities and accountability for managing and reporting on risk throughout the organisation
• Setting risk management objectives to support and achieve the organisation’s risk appetite
• Setting risk management objectives to recognise risk in decision-making
• Providing achievable risk management goals
• Communicating the commitment across the organisation
• Providing the infrastructure to support the successful risk culture elements identified above.

Everyone across the organisation has an active role to play in risk management. Senior management, line managers, supervisors and individuals need to understand their role and how important it is to the success of the organisation.

The following should be regarded as minimum responsibilities for everyone in the organisation:

• Be aware of the risks that relate to their roles and activities
• Continuously improve their management of risk
• Provide information to inform the risk management process, such as information that helps identify ... risks, and [supports] the effectiveness of controls
• Implement controls as part of day-to-day duties
• Report ineffective and/or inefficient controls.

Everyone in the organisation should be aware of their role in the risk management strategy of the organisation, and personal objectives should be included within their own job roles to reflect this.

6. ARTICULATING RISK IN THE ORGANISATION
As outlined in section 4 of this guide, there is an increased emphasis on the role of the board in determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives.

6.1 Defining risk criteria for consequence
In order to consider different types of risks, an organisation should first define the risk criteria used when evaluating the risks. Risk criteria are the reference points which allow different risks to be evaluated in a manner that enables them to be compared and prioritised.

The matrix overleaf shows an example of risk criteria for consequence for a large business. The matrix illustrates five different types of consequence (organisational objectives, people, financial loss, reputation and environmental damage) and five risk categories (insignificant, minor, significant, major and catastrophic). The five risk categories are also ranked in increasing severity from 1 (lowest) to 5 (highest). In this way, it is possible for the organisation to undertake an assessment across diverse risks and be able to express them in a manner that allows comparison. Financial loss is often best considered as a percentage of turnover or profit as this is then easier to apply to a range of organisations of different sizes.

The key is to define the risk criteria in a way that is appropriate to the business.

TABLE 1
Examples of risk assessment criteria for consequence

Score: 1 | 2 | 3 | 4 | 5
Consequence Type: Insignificant | Minor | Significant | Major | Catastrophic
Organisational Objectives: Internal information failure | Project failures in one division | Divisional objectives not met | Failure to meet one key group objective | Failure to meet key group objectives
People: Minimal harm | Short-term disability | Permanent disability | Single fatality | Multiple fatalities
Financial Loss: Less than £10k loss | £10k - £100k loss | £100k - £1m loss | £1m - £10m loss | > £10m loss
Reputation Damage: Adverse mention in local press | Significant attention from government agencies/regulators | Headlines in national press and television | Headlines in international media, prosecution | Regulator action, prosecution, punitive fines
Environment Damage: Will recover fully in the short term | Will recover fully within 2 years | Short-term change to eco system; good recovery potential | Change in eco system for up to 2 years; reasonable potential for recovery | Long-term damage to eco system; poor potential for recovery

6.2 Defining risk criteria for likelihood
Similarly, it is usual to develop risk assessment criteria for likelihood. This can often present more of a challenge as it is often difficult to obtain accurate information on probability of occurrence.

Table 2 is an example of a matrix for likelihood with criteria expressed as a percentage probability and also in more commonplace language. As in Table 1, the criteria are also expressed as a risk score to facilitate ranking and comparison across different risks.

“Risk criteria are the terms of reference against which the significance of a risk is evaluated.”
Definition from ISO Guide 73

TABLE 2
Examples of risk assessment criteria for likelihood

Score | Probability of occurrence in next 24 months % | Likelihood expressed in day-to-day language
1 | 0-10 | Very unlikely: Only in exceptional circumstances. “Never heard of it”
2 | 10-40 | Low: Once in 10 years. “Heard it has happened”
3 | 40-60 | Possible: Once in 5 years. “Know it’s happened”
4 | 60-90 | Likely: Once in a year. “Seen it happen”
5 | 90-100 | Almost Certain: More than once a year. “Happens all the time”

6.3 Using heat maps to display different risks
Comparing the risk criteria makes it possible to assess and compare different risks across the business and provides a common format for articulating risk across the business. In many organisations, it is common to use risk maps to display risks on a grid which combines the risk scores for consequences and likelihood onto one chart. A typical format is shown in Figure 6.

This form of display is often referred to as a heat map or Probability Impact Diagram (PID). In such a map the colours represent the following:

• The green zone includes risks with low consequence and/or likelihood
• The red zone contains high risks which may be catastrophic to the organisation
• The amber zone shows risks falling between the two extremes.

The heat map is perhaps the most common visual tool employed to demonstrate different risks across a business. Different organisations will use a range of different criteria and detail; however, the underlying basis of presentation is often similar.

6.4 Risk appetite
Understanding the comparative effect of different risks and formalising risk appetite is an important exercise for any organisation. Although there are a number of definitions of risk appetite in existence, most view risk appetite as the amount and type of risk exposure, or potential consequence from an event, that an organisation is willing to pursue or retain.

Risk appetite is about understanding the risks associated with the organisation and relating these to possible outcomes. Some organisations actively seek to take risks that others might regard as completely unacceptable. Some organisations might view the primary objective as vital and will accept other risks with adverse outcomes.

The expression ‘risk tolerance’ is also sometimes used.

FIGURE 6
A typical risk map or heat map
(Grid titled RISK MAP. Vertical axis, Consequence: Insignificant, Minor, Significant, Major, Catastrophe. Horizontal axis, Likelihood: Very Unlikely, Low, Possible, Likely, Almost Certain.)
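A worked example, added here and not part of the Airmic guide, that scores a small constructed risk register against the Financial Loss row of Table 1 and the likelihood bands of Table 2, ranks the risks, and places each in a heat map zone as in Figure 6. The green/amber/red thresholds, the register entries and all function names are assumptions; the guide only describes the zones qualitatively.

```python
"""Scoring a constructed risk register with the criteria of Tables 1 and 2
and placing each risk on the Figure 6 heat map (added example, not from the
guide). Assumed: the zone thresholds, the sample register and all names."""
from dataclasses import dataclass

# Table 1, Financial Loss row: (exclusive upper bound in GBP, score).
# Anything at or above £10m is Catastrophic (score 5).
FINANCIAL_LOSS_BANDS = [
    (10_000, 1),       # Less than £10k: Insignificant
    (100_000, 2),      # £10k - £100k: Minor
    (1_000_000, 3),    # £100k - £1m: Significant
    (10_000_000, 4),   # £1m - £10m: Major
]
CONSEQUENCE_LABELS = {1: "Insignificant", 2: "Minor", 3: "Significant",
                      4: "Major", 5: "Catastrophic"}

# Table 2: (inclusive upper bound of probability in next 24 months, %,
# score, day-to-day label). A boundary value such as 10% takes the lower
# score; the guide leaves that choice open, so it is an assumption here.
LIKELIHOOD_BANDS = [
    (10, 1, "Very unlikely"),
    (40, 2, "Low"),
    (60, 3, "Possible"),
    (90, 4, "Likely"),
    (100, 5, "Almost Certain"),
]


def consequence_score_from_loss(loss_gbp: float) -> int:
    """Map an estimated financial loss to the Table 1 score (1-5)."""
    if loss_gbp < 0:
        raise ValueError("loss must be non-negative")
    for upper, score in FINANCIAL_LOSS_BANDS:
        if loss_gbp < upper:
            return score
    return 5


def likelihood_score(probability_pct: float) -> int:
    """Map a 24-month probability (0-100 %) to the Table 2 score (1-5)."""
    if not 0 <= probability_pct <= 100:
        raise ValueError("probability must be a percentage in [0, 100]")
    for upper, score, _ in LIKELIHOOD_BANDS:
        if probability_pct <= upper:
            return score
    return 5  # not reachable after the range check; kept for safety


def heat_map_zone(consequence: int, likelihood: int) -> str:
    """Assumed zone boundaries for the Figure 6 heat map: a score of 1 on
    either axis (low consequence and/or likelihood) is green, as the guide
    describes; the red/amber split is a product threshold chosen here."""
    for score in (consequence, likelihood):
        if score not in CONSEQUENCE_LABELS:
            raise ValueError("scores must be integers from 1 to 5")
    rating = consequence * likelihood
    if rating >= 12:
        return "red"
    if rating >= 6:
        return "amber"
    return "green"


@dataclass(frozen=True)
class Risk:
    name: str
    consequence: int  # Table 1 score
    likelihood: int   # Table 2 score

    @property
    def rating(self) -> int:
        return self.consequence * self.likelihood


def build_register(entries):
    """entries: (name, estimated loss in GBP, probability %) -> list of Risk."""
    return [Risk(name, consequence_score_from_loss(loss), likelihood_score(p))
            for name, loss, p in entries]


def rank_register(risks):
    """Highest rating first; ties broken by consequence, then name, so a
    rare-but-severe risk sorts above a frequent-but-minor one of equal rating."""
    return sorted(risks, key=lambda r: (-r.rating, -r.consequence, r.name))


# Constructed sample register; values are illustrative, not from the guide.
SAMPLE_ENTRIES = [
    ("Ransomware outage of order system", 2_500_000, 35),
    ("Minor website defacement", 15_000, 70),
    ("Loss of primary data centre", 25_000_000, 5),
    ("Payment fraud via supplier invoice", 250_000, 55),
]


def summarise(entries=SAMPLE_ENTRIES):
    """Return (name, consequence label, likelihood label, zone), ranked."""
    return [(r.name, CONSEQUENCE_LABELS[r.consequence],
             LIKELIHOOD_BANDS[r.likelihood - 1][2],
             heat_map_zone(r.consequence, r.likelihood))
            for r in rank_register(build_register(entries))]


if __name__ == "__main__":
    # The data-centre loss (Catastrophic but Very unlikely) lands in green
    # under the assumed thresholds: the kind of outcome an organisation
    # should check when it defines criteria and zones for its own business.
    for name, cons, like, zone in summarise():
        print(f"{zone:5} {cons:13} / {like:13} {name}")
```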

“The amount of risk an organisation is willing to accept in pursuit of its strategic, operational, and financial objectives. It reflects the risk management philosophy that a board or equivalent governance body wants the organisation to adopt and, in turn, influences its risk culture, operating style and decision-making”.

“The risk the organisation is not prepared to take, or the range of variation from Risk Appetite which it is prepared to take”.

TABLE 3
Risk appetite for outcome

Outcome | Appetite for Outcome: Win at all costs | Appetite for Outcome: Ethical play
Cause personal injury to opposition players | Accept | Avoid
Break rules if necessary | Accept | Avoid
Incite supporters to intimidate opposition | Accept | Avoid
Intimidate referee | Accept | Avoid
Play to win | Accept | Accept

As an example, consider a typical football match where both sides are striving to win. Whilst they have the same ultimate objective, some teams might be prepared to go to any lengths to achieve victory, whereas others might only wish to play to win within the spirit and the rules of the game. Table 3 outlines how the appetite for the outcome will be different for each team.

Whilst both teams have the same overall objective, their team philosophy and culture will influence the extent to which their actions are acceptable or not.

6.5 Illustrating risk appetite in business
This simple approach to risk appetite can be developed and applied in complex situations to enable the board or top management of an organisation to establish the guiding principles that allow the organisation to assess and take risk in the appropriate way. Organisations can establish both qualitative and quantitative measures for their risk appetite statements.

Qualitative statements might include the following:

• We have a low appetite for risk
• We have a high appetite for development in emerging markets
• We have no appetite for fraud/ financial crime risk
• We have a zero tolerance for regulatory breaches
• We wish always to avoid negative press coverage
• We will seek to introduce new innovative products in growth markets
• We are committed to protecting the environment.

Such statements demonstrate an organisation’s attitude or philosophy towards upside and downside risks, which are difficult to quantify numerically.

Quantitative statements might include the following:

• We will maintain a credit rating of AA
• We will maintain our market share of 40% irrespective of profit margin
• We will maintain a dividend cover of 4x earnings
• We will reduce energy consumption per unit produced by x% in 10 years.

Organisations can utilise other financial performance indicators such as Operating Income, Earnings Per Share, Profit Before Tax and Cashflow within their risk appetite statements.

TABLE 4
Risk appetite for team ‘Win at all costs’
Outcome | Low | Medium | High
Cause personal injury
Break rules if necessary
Incite supporters to intimidate
Intimidate referee
Play to win

TABLE 5
Risk appetite for team ‘Ethical Play’
Outcome | Low | Medium | High
Cause personal injury
Break rules if necessary
Incite supporters to intimidate
Intimidate referee
Play to win

(In Tables 4 and 5 the Low/Medium/High rating for each outcome is marked graphically in the original.)

7. RISK COMMUNICATION, REPORTING AND MONITORING

7.1 Communicating your risk management programme
Effective communications are an essential element of a successful risk management programme. There is a wide range of internal and external stakeholders, each with different needs and expectations. The communication plan will reflect the nature of the organisation and is likely to include the following elements:

• A succinct policy statement outlining the tone from the board and establishing the risk appetite and supporting the ERM risk processes, in the language of the organisation
• Provision of practical skills, training and knowledge transfer to facilitate successful implementation of the ERM processes across the whole organisation
• Risk owners, appointed to be responsible for identified key risks, should provide regular updates on the actions required and implemented to address those risks
• Provision of regular reports and case studies detailing risk and related issues to enable everyone to understand and learn from internal and external events, including near misses
• New and emerging risks to be subject to monitoring and review.

The Corruption Perceptions Index published by Transparency International ranks countries by their perceived level of corruption.

7.2 Formalising monitoring
The monitoring of risk actions and updating of all elements of the risk process should be undertaken in accordance with the relevant requirements. It should be noted that the ISO standard requires that risk management activities should be traceable, so it is important that this is reflected in the ERM processes and is capable of being audited and validated, if appropriate.

The Dow Jones Sustainability World Index tracks the stock performance of the world’s leading companies in terms of economic, environmental and social criteria.

7.3 External reporting
External communication is important for commercial, regulatory and learning purposes. In addition to the FRC reporting requirements referenced earlier in this guide, investors increasingly are seeking reassurance that organisations are adhering to risk practices that reflect their investment criteria. Relevant areas for attention include climate change, sustainability, corruption and safety. The indexes issued by Dow Jones on sustainability and by Transparency International on corruption illustrate the importance attached to these issues.

An introduction to the risk management strategy and expectations should be included in staff inductions and

articulated to third-party partners as appropriate. Also learning should be driven not just through the organisation and the supply chain, but more broadly across different organisations so that the experience gained from events can be transferred as far as possible. Some of the most tragic events have occurred through failure to communicate such information both internally and externally.

At the highest level, risks and their management will be reported to shareholders within the organisation’s annual report.

“Companies have faced several years of economic and geopolitical turbulence following the pandemic and Russia’s invasion of Ukraine. Interest rate rises in response to persistent inflation, the related impact on consumer behaviour, and limited growth remain immediate concerns in many economies. There are also considerable uncertainties surrounding companies’ exposures to climate change and their plans for the transition to a low carbon economy.

“This presents a challenging environment for financial reporting as companies need to consider, and communicate to investors, how these issues affect their business, as well as the assumptions underpinning the values of assets and liabilities in their financial statements”.

“The development and consolidation of the sustainability reporting ecosystem continues at pace, with the phased introduction of climate-related disclosures in the UK and a major milestone, the publication of the first International Sustainability Standards Board (ISSB) standards, this year, reflecting the demand for investor-focused information in this area”.

FRC, Annual Review of Corporate Reporting 2022/23

8. RISK PROCESS OVERVIEW

The overall risk process takes account of all the different aspects referred to in this guide and is summarised below.

This process, as illustrated in Figure 7, supports business leaders by using a structured methodology to identify, define and assess risks to their business strategy, financial performance and operational effectiveness. In enabling clear understanding of the most critical risks, it provides a basis for the most cost and time effective allocation of resources to the protection and creation of business value.

FIGURE 7
The risk management process – ISO 31000:2018
(Risk management process: Scope, context, criteria; Risk assessment comprising Risk identification, Risk analysis and Risk evaluation; Risk treatment; Recording and reporting; with Communication and consultation and Monitoring and review alongside every stage.)

9. BUSINESS CONTINUITY, RESILIENCE AND INSURANCE
A wide range of specialists can be utilised to control risks across different parts of an organisation. These include Legal, Financial, Audit, Security, IT, Quality and Safety to name just a few.

However, now there is increasing focus on bringing these different specialists together within a unified risk strategy for the organisation. This section outlines how business continuity management, organisational resilience and insurance operate as an integral part of an enterprise risk management strategy.

9.1 Business continuity management explained
Business continuity management (BCM) is about identifying those parts of your organisation that you cannot afford to lose and planning how to maintain these should an adverse event occur. International standard ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise. The requirements specified in this document are generic and intended to be applicable to all organisations, regardless of type, size and nature of the organisation. The extent of application of these requirements depends on the organisation’s operating environment and complexity.

An effective BCM plan should address the following core elements:

• Emergency response
• Crisis management
• Technology disaster recovery
• Business recovery.

Emergency response – Describes a process at a specific location to safeguard life and to allow initial control of an emergency situation.

Crisis management – Considers the strategic response to issues, including crisis communications (both internal and external), and initial coordination of the business recovery efforts.

IT disaster recovery – Addresses how to recover IT and infrastructure services.

Business recovery – Addresses the phased recovery of business-critical processes.

The BCM plan should be developed in conjunction with appropriate internal and external stakeholders to ensure that roles, responsibilities and communication lines are understood and agreed.

9.2 Introducing organisational resilience
International standard ISO 22316: Security and resilience - Organizational resilience - Principles and attributes helps to shape what resilience is and what it means to businesses. James Crask, Global Head of Resilience Advisory, Marsh, and Convenor of the ISO working group of experts that developed the standard, says “the standard takes a wide view of the things that can drive resilience in an organisation. The standard emphasises that many of these are behavioural and have historically been overlooked. This is why one of the key principles of the standard is to help them develop a culture that supports resilience.”

FIGURE 8
The resilience and transformation model – Roads to Revolution, Airmic, 2018
(Circular diagram linking the principles of resilience, business enablers and resilience outcomes; the eight capabilities it shows are listed below.)

Organisational resilience addresses the effective management of a negative outcome resulting from any risk or potential risk. Resilience encompasses the entire organisation, enabling it to respond quickly and effectively to adverse events. Resilience also encompasses the long-term viability of the business in the context of organisational change.

The intangible nature of resilience means that there is no single correct approach; rather, it depends on the intricacies of each organisation.

There are, however, characteristics of a resilient organisation and, by understanding these, it is possible to determine where organisations are in terms of resilience maturity.

The following capabilities are critical when considering an organisation’s level of resilience.

Figure 8 is reproduced from Roads to Revolution and illustrates the link between the principles of resilience, business enablers and resilience outcomes.

1. Risk radars focused on emerging risks and developments in technology

2. Resources and assets flexible and diverse to take full advantage of developments in technology

3. Relationships and networks constantly developed and extended

4. Rapid response capability supported by excellent communications

5. Review and adapt mechanisms: an ability to change events to protect and enhance reputation

6. Redesigned processes to embrace new technologies and encourage and exploit innovation

7. Retention of stakeholders to discuss and share opinions with all interested parties and develop options for digital delivery of benefits identified

8. Continuous reinvention of purpose achieved through commitment, capabilities, awareness and the willingness and courage to convert opportunities

9.3 Transferring risk by insurance
All businesses buy insurance. The type and amount of insurance cover purchased will vary according to the risk profile and the risk appetite of the business. In the insurance contract, an insurer promises to pay the insured if one of a series of specified events occurs in the future. Businesses buy insurance to protect their assets and income streams; to protect the assets of directors and officers of the company; to pay compensation to third parties in the event of a claim against the company; and, in certain circumstances, because it is a legal obligation.

Many insurance companies also offer additional services to help reduce the risk of loss and to assist in the response to an adverse event should it occur.

Insurance is an important risk treatment option for an organisation as it allows specified risks to be transferred to another party, the insurance company. The decisions on insurance purchase and the design of the insurance programme, therefore, should be directly linked to the risk management framework and specifically take account of the organisation’s risk profile and risk appetite. Moreover, the process for dealing with insurance claims should be directly linked with the BCM and resilience strategies for the organisation to ensure the wider objectives are achieved.

Further to the risk communication, monitoring and reporting principles discussed in section 7, the Insurance Act 2015 places a duty on the insured to make a “fair presentation of the risk” to the insurer. This therefore requires the disclosure of all material circumstances and information to the insurer in a timely manner, based upon the risk management framework.
10. MANAGING INTANGIBLE RISKS


10.1 The increasing value of intangible assets

Managing the risks to intangible assets is a common theme for risk and insurance professionals. Increasingly, risk registers are dominated by external threats to the organisation and focused on protecting assets that are difficult to define and harder to value.

The importance of intangible assets has grown over the last few decades from around 17% of S&P asset value in 1975, to 32% in 1985, to 68% another decade later in 1995, to ultimately today exceeding 85%. This has been closely linked to the changes in the economic landscape, with technology-driven service companies becoming increasingly prominent, while industries famous for their holdings of property, machinery and other tangible assets have slowly lost position. American tech companies flew high before the coronavirus pandemic. The upheaval of the pandemic has lifted them to new heights, putting the industry in a position to dominate business in a way unseen since the days of railroads. The stocks of Apple, Amazon, Alphabet, Microsoft and Facebook, the five largest publicly traded companies in the US, now constitute 20% of the stock market's total worth, a level not seen from a single industry in at least 70 years.
The focus of risk professionals has consequently shifted towards protecting intangible assets, reflecting the transformation within their organisations.

As the post-coronavirus world drives anxiety levels to new highs, businesses are also more prone to making reputational mistakes that can leave a lasting impact on the way their customers, employees, distribution partners and other stakeholders perceive the character of their business. This is particularly important as various activist events keep pushing the corporate environment from traditional shareholder capitalism to stakeholder capitalism. The recent 'Black Lives Matter' protests have demonstrated the power of social activism and the need for businesses to embrace changing social norms.

"We could well see activist movements growing in the next few years to address some of the well-known global challenges, ranging from climate change to income inequality. Risk owners in businesses across all industries will have to be alive to these changes to make sure they have the right tools to keep enhancing their corporate value. They will have to rethink the optimal ways of using risk management practices to build internal resilience and become proficient at safeguarding their existing and new intangible assets."

Protecting Intangible assets: preparing for a new reality – Lloyd's and KPMG 2020

FIGURE 9
Protecting Intangible assets: preparing for a new reality – Lloyd's and KPMG 2020

8 KEY INTANGIBLE ASSETS (the further down the list, the less likely the asset is to be valued on the balance sheet)

Intellectual property
Structural capital:
  Proprietary processes and procedures
  Written processes and procedures
  Organisational culture, rules, norms
Reputation and brand
Relational capital:
  Relationship with customers
  Relationship with distributors, partners
Human capital

10.2 A framework for intangible risks

"In order to remain resilient and competitive, organisations across all industries must be proactive in finding new ways to enhance their business practices to protect these assets, and this will require a new way of thinking and acting."

Paul Merrey
Partner, KPMG

Just as we manage the impact of physical risks (e.g. fire and flood) on tangible assets (e.g. buildings and machinery), organisations also need to develop similar risk frameworks to manage the risks associated with intangible assets.

Steps to take:

• Assess the total intangible value of the organisation, including 'hidden' intangible assets that are valuable but not visible on the balance sheet (see FIGURE 9)
• Collaborate with finance and corporate communications teams to assess whether other assets should be included and to help validate the assessment
• Form interdepartmental working groups to assess the relative value of different types of intangible assets in the organisation
• With the same working groups, decide which types of intangible assets are most important to the organisation and critical to the achievement of organisational strategy and objectives
• Perform 'war-gaming' exercises and 'horizon scanning' with the working groups and top management to test organisational resilience to risks that may impact intangible assets
• Assess which risks are potential areas of material weakness and opportunity
• Design triggers to create a dashboard that provides warnings when threats start to emerge, and monitor these through clearly assigned risk owners
• Determine whether there are risks the organisation cannot manage within the organisation and evaluate what financial or other solutions may be available.

TAKEAWAYS

1. The types of intangible assets organisations have to protect and the risks impacting these assets are very diverse – each risk will require unique preventative and responsive measures.

2. Consider the connection between physical and intangible risks – the cumulative and cascading financial vulnerabilities caused by an inherent weakness in the inter-connected architecture of today's business-to-business relationships can allow a single negative event to spread disruption, paralysis and economic damage exponentially within and between organisations.

3. Include near misses in risk databases – organisations suffer far more near misses than actual risk events, and these can provide a wealth of information to inform risk management.

4. Organisations must think beyond the financial implications of risks to achieve long-term success – many intangible risks can be hidden from financial view.

5. Intangible risk frameworks can be supported by external sources of information, often accessible without charge – check what sources of information are used by the insurance companies, insurance brokers and other external advisors that the organisation deals with, and by other functions in the organisation.

6. Intangible risks can be less predictable than physical risks, so consider how often intangible risk assessments should be conducted – this will vary by risk and connected risks according to the internal and external context of the organisation.

7. Traditional risk management tools and techniques may be less effective when dealing with intangible risks – tools and techniques are addressed in section 12.

8. Record which assets and risks are currently financially transferable or insurable – this can help focus the attention of top management on risks that need greater attention in terms of non-financial risk controls.

9. Remain agile and adaptive to change – intangible risks can typically change profile and direction at high velocity.

11. MANAGING EMERGING RISKS

11.1 Emerging risks – the context

Boards confirm that one of their biggest needs for managing their risk responsibilities is timely and accurate information. Risk professionals cannot and should not try to predict the future, but the tools and techniques used for managing traditional risks may not be effective for managing risks that are emerging and evolving. These risks typically emit low signals on the risk radar, and data about them can be sparse and unreliable; therefore, these risks are often hard to detect and their trajectories hard to assess. New tools and techniques must be developed if risk professionals are to rise to the emerging risks challenge.

"Intelligence is the ability to adapt to change."

Stephen Hawking

11.2 Emerging risks defined

In simple terms, emerging risks are risks that are new or changing in significance. Their possible trajectories exhibit high levels of uncertainty. Similarly, they often lead to multiple knock-on consequences. New means that the risk did not previously exist. New risks often arise from scientific developments and transformational technologies, societal and attitudinal shifts, or the introduction of unfamiliar or revised processes. Changing means that the profile or shape of a 'known' risk is being aggravated by changing external conditions (such as higher taxes on sugar in food and drink products, tightening environmental regulation or a trade war) or has become more consequential due to internal factors (more aggressive strategic ambitions, lower institutional resilience due to cost-cutting measures or challenges in embedding new values and behaviours to reflect repurposing initiatives).

However, there is no single definition of an emerging risk, so organisations need to clearly define what they mean, ensure this is understood as part of their risk language, and communicate this internally and externally.

11.3 Assessing emerging risk

In practice, although a robust discussion of principal risks would also likely capture emerging risks, few organisations currently have a formal process for identifying emerging risks or can specify how they apply this in practice. While the approach for emerging risks should be analytical, it should also be creative and pragmatic, reflecting the complexity of uncertainties to secure buy-in and actionable results. Often there are no 'right' answers.

Emerging risk assessment should focus on plausibility and impact. Probability is notoriously challenging to assess for emerging risks and creating angst over this can act as a distraction. Formal assessments and heat maps should be exchanged for structured, creative discussions across business units and functions that bring different perspectives to bear on the topic and seek to strip away unhelpful biases. This will help organisations to better appreciate potential risk trajectories, where the organisation might be touched and the knock-on consequences.

The key is to ensure that high impact, low probability risks are not overlooked when profiling top risks and issues.

Covid-19

For over fifteen years before the Covid-19 pandemic, the World Economic Forum's Global Risks Report had been warning the world about the dangers of pandemics. In 2020, we saw the effects of ignoring preparation and ignoring high impact, low probability risks.

FIGURE 10
Response options for emerging risks – Emerging Risks, Airmic 2019

STRATEGY
• Rethink strategic purpose
• Align products and processes with purpose
• Align culture and talent with purpose
• Change investment allocation
• Make divestitures or acquisitions
• Develop joint ventures and alliances
• Build know-how and capability
• Embed flexibility and agility
• Adopt the Airmic Resilience and Transformation Model

OPERATIONS
• Tighten business controls and limits
• Undertake public affairs and public relations campaigns
• Respond to a shift in the supply chain curve
• Strengthen Environmental, Social and Governance capabilities
• Adopt new technologies to achieve digital transformation

FINANCE
• Flex risk appetite
• Reinforce financial buffers
• Increase risk transfer
• Boost hedging
• Reduce cost

11.4 The value of scenarios

Airmic members report that risk conversations often take place in silos and that the integration of output and actions could be improved. Scenarios are a good way of making emerging risks tangible, with a view to delineating or calculating the immediate and longer-term impacts on strategic, tactical and operational targets. They can, moreover, capture attention, initiating discussion about mitigation measures. Facilitators should be unafraid to have the assumptions of the business challenged, creating space to 'think the unthinkable' and 'speak the unspeakable'. This can help surface and resolve conflicts between commercial ambitions and corporate risk appetite.

11.5 The importance of connected risks

It is crucial to understand the interconnections between risks that can be influenced by the same external and internal factors, and that can also influence one another. Based on discussions with Airmic members, there is a tendency for organisations to manage risk in business silos and for senior leaders to play down emerging risks until they are on the risk register. Most resource assigned to managing risk continues to be focused on near-term, downside risks, rather than risks further out on the horizon, which may present opportunities for future value creation. Coupled with the absence of useful data sets from which to draw conclusions, this often means that the consideration of emerging risks is relegated to the back seat.

As the complexity of the world increases and the pace of change heats up, managing emerging risk cannot be a strategic afterthought. A time lag can open up when the external and internal context of an organisation moves faster than the organisation, creating a gap between the reality and the perception of risk. An assessment of these risks should be part of the strategic planning process and contribute to the strategy context-setting process. The frequency of risk assessment and analysis should be a function of how fast risks are emerging and the level of their materiality, rather than being determined by traditional institutional administrative cycles.

TAKEAWAYS

1. Is there a clear definition of emerging risks in your organisation and is this well understood and communicated?

2. Is the assessment of emerging risks part of the overall risk management system for your organisation?

3. Is consideration of emerging risks built into strategic planning and major investment decisions sufficiently early and sufficiently well?

4. Are you comfortable with the oversight arrangements for emerging risks?

5. Is there a consistent risk reporting methodology across your organisation using key metrics that can be aggregated?

6. Is there an arrangement for risk communication and reporting to ensure that your board is sufficiently engaged on emerging risk issues?

7. Is your organisation's decision-making capacity adequate should there be a significant change in the risk context, internally or externally?

8. Is challenge and debate encouraged with respect to risk-weighted decision-making for strategy, tactics and operations?

9. Is there a process for recording, analysing and discussing incidents and near-miss events to encourage a culture of continuous learning?

10. Is there a preparedness by senior post-holders and business partners to admit mistakes, biases and gaps in their knowledge?

11. Is the use of risk-based objectives part of the personal evaluation, development and structured learning of all the workforce?

12. Has the crisis management programme been calibrated to reflect the emerging risk universe and the different characteristics of emerging risks response?

12. RISK MANAGEMENT ASSESSMENT AND ANALYSIS, TECHNIQUES, METHODS AND TOOLS

This section provides an overview of the subject and signposts for further learning – it is not intended to provide a comprehensive study of all techniques, methods and tools.

12.1 Techniques and methods

Some distinguish between techniques and methods, but for the purpose of this guide they are interchangeable expressions.

Business studies, surveys and benchmarking reports: There is a significant choice of reports available, generally at no charge. Define the criteria required, for example, by geography, sector or subject and then search online. The Airmic Library is a great place to start. Search other functions within the organisation, including internal audit, corporate communications and human resources, as well as 'affiliated' risk functions such as insurance, health and safety, security, information security and business continuity.

Staff surveys: Surveys of an organisation's own people can be a simple and useful way of gathering information from across an organisation. These surveys can also concurrently be used to embed risk management communications.

Brainstorming: Brainstorming is a group creativity technique. It involves a group of people meeting to generate new ideas and solutions about a specific issue or challenge. People are able to think more freely in an informal gathering and they are more likely to suggest ideas spontaneously. All the ideas are noted down without criticism and after the brainstorming session, the ideas are evaluated.

Bow ties: The bow tie is a risk assessment method that can be used to demonstrate causal relationships and provide a visual summary of risk scenarios. The bow tie can be overlaid with control measures and integrated with semi-quantitative analysis techniques such as Layers of Protection Analysis, which is typically used in process industries where risk controls are developed as layers of defence that are related to, but operate independently from, one another. First developed five decades ago in the oil industry, bow ties are now used in many other sectors, including aviation, mining, maritime, chemical and health care.

[Bow tie diagram: several threats on the left each pass through preventative controls to the central hazard; from the hazard, responsive controls sit between it and each consequence on the right.]

Root cause analysis: Often root cause analysis is used after a problem has already come up. It seeks to address causes rather than symptoms. But it can be applied to assessing risk

by going through the goals of any analysis, asking: What happened? How did it happen? Why did it happen? Once those questions are addressed, develop a plan of action to prevent it from happening again.

SWOT: SWOT, or strengths, weaknesses, opportunities, threats, is another tool to help with identifying risks. To apply this tool, go through the acronym. Begin with strengths and determine what those are in relation to the project (though this can work at an organisation level, too). Next, list the weaknesses or things that could be improved or are missing from the project. This is where the likelihood of negative risk will raise its head, while positive risk comes from the identification of strengths. Opportunities are another way of referring to positive risks and threats are negative risks. When collecting SWOT, illustrate your findings in a four-square grid. The top of the square has strengths to the left and weaknesses to the right. The bottom of the square has opportunities to the left and threats to the right. The contents of the left-hand side are helpful to achieving the objective of the project and those on the right-hand side are harmful to achieving the objective of the project. This allows for analysis and cross-reference.

FIGURE 11
Applications of scenario analysis
• Rehearsal of crisis management and business continuity plans
• Testing of claims scenarios to ensure insurance coverage is adequate and would behave as expected
• Horizon scanning and principal risk assessment to test sustainability of the business model

Futures, Foresight and Horizon Scanning: Futures is a structured approach to exploring what is possible in the future and what is preferable. It typically involves identifying areas of uncertainty, underlying drivers, opportunities and challenges. Foresight refers to the process of conducting Futures work and what you get from it. Horizon Scanning is a specific systematic technique for looking ahead. Its focus is the future rather than the present and its purpose is to identify the strategic issues that will be important. Mostly, these will be different from the issues that are important today.

The 'Three Horizon Model' is a mature and respected technique. Horizon 1 issues are strategically important now. They are visible and well understood, and are generally the issues organisations are already responding

to. Horizon 2 issues may not be apparent yet, but many of the key trends and factors, the change drivers, that will define them are already in play. Horizon 3 challenges will emerge, but the change drivers are difficult to see in the present. It is not clear how these factors will develop, how they will interact or whether they will create opportunities or threats in the future. The objective is to identify and track the drivers that will shape the future, as doing so allows organisations to develop foresight about the strategic challenges and choices they might face in the long term and what kind of interventions might be required to sustain success. The main focus of this process is therefore the mid to long term. The UK Government's Futures Toolkit is widely respected and provides further information: The Futures Toolkit*.

Scenario analysis: Scenarios are not risks. Scenario analysis is the exercise of considering unexpected events (sometimes called 'alternative worlds'), occurrences and change by asking the questions 'what might happen?' and 'what could we do?' It is an important part of an organisation's risk management system, and involves understanding extreme but plausible events, and tests the efficiency of the controls already in place by highlighting unexpected risks and opportunities. It can be used to test the operational, tactical and strategic plans and activities within the organisation and how they fit together. It does not try to show an exact picture of the future but, instead, presents several alternative future developments and helps in the creation of a scope of possible future outcomes and the development of paths leading to these outcomes.

Scenario analysis is not based on extrapolation of the past or the extension of past trends; it does not rely on historical data and does not expect past observations to remain valid in the future. To avoid confusion, organisations should create separate but linked scenario and risk registers.

Organisations will have their own definitions of scenarios, which can range from simple single-factor events, e.g. a retailer asking itself what would happen if there were a major fire at a warehouse, to more complex multi-factor future events involving an extensive chain of events, e.g. an oil company asking itself how technology will improve energy efficiency and subsequently change oil demand. Single-factor scenarios are more useful for risk management, where understanding impact and probability is key. The more complicated scenarios are more typically used to develop strategy by considering the business environment in the future and informing long-term decisions affecting research and development, marketing, etc.

Risk gamification: The idea behind gamification is to influence how people behave and what they do by tapping into their innate desire to play games. It's about making things fun – but more than that, it's about understanding what really motivates people and then using a variety of techniques to inspire them to perform desired behaviours. As a bonus, the desired behaviours that users perform are recordable and when there is data, that creates an opportunity to act on it.

Headline news and fake news scenario games: Headlines generated by newspapers, television or online, including social media posts, can change stock prices – even if the headline story is incorrect or misleading. It's interesting to note that the risks connected to the headlines feared the most often don't feature in many risk registers. Thinking about headlines can create a simple exercise for top management to ensure its focus is on the issues and risks that really matter the most and to challenge the status quo and 'comfort' of risks listed neatly in a risk register, which can create a false impression of compliance and control.

War gaming, simulation and modelling: War gaming can help organisations to consider crisis scenarios, and to experience and manage the reality of these. War gaming is a rigorous analytic process that enhances risk-informed decision-making through immersive experiential learning. Plausible, interactive scenarios bring diverse stakeholders together to challenge biases and assumptions, identify critical gaps and vulnerabilities, and provide insights into emerging threats and opportunities. Players are encouraged to ask 'so what?' or 'what if?' and allowed to experience failure in pursuit of these insights, all without facing real-world reputational, organisational and financial risk. Risk modelling and simulation leverage quantitative and

qualitative models to identify, assess and prioritise risks to populations, missions, programmes and operations. Modelling approaches include system dynamics modelling, agent-based modelling, discrete event process modelling, event-based scenario analysis, and machine learning for analysis of unstructured data.

Examples used as the basis of war gaming exercises include:

Cyber-attack: where country, sector and organisation stakeholders need to understand the potential impacts of an attack, and the pre- and post-event practices to mitigate associated risks.

Physical infrastructure construction: using an immersive scenario that includes a dynamic and free-thinking adversary, with capabilities greater than prevailing biases and assumptions allow, organisations can be forced to confront undesirable and unintended consequences, yielding insights that enable better preparation for and anticipation of future crises and risks.

Pandemic: an effective tool for assessing immediate crisis response capabilities. As organisations have experienced throughout the current Covid-19 environment, it is a response with clear leadership and agility that has been the winning formula in maintaining focus in the face of deteriorating conditions and has demonstrated an organisation's resilience. It is imperative to test and stress an organisation's response and continuity plans during a war game.

12.2 Tools

Risk assessment templates: Templates can provide useful checklists to support the process of assessing risks. These can be especially useful when assessing risks that have legal or regulatory requirements such as health and safety in the workplace, information security and compliance with certified standards of performance. Some suppliers and customers may impose risk management requirements and these can be converted into a checklist to ensure compliance. Care must be taken to use risk assessment templates to support, and not replace, an effective and efficient enterprise-wide risk assessment process.

Risk registers: A risk register is a repository for risk information to meet organisational, legal, regulatory and stakeholder needs. A register will include the risks identified, with information about each entry, e.g. the nature of the risk, reference and owner, and mitigation measures. Some organisations also use risk registers to record near-miss risk events and examples of where risks are connected or aggregated. Risk information may be recorded before and after the effect of risk mitigation measures to provide gross and net reports of risk.

Risk management information systems (RMIS): A risk management information system (RMIS) or governance, risk management and compliance (GRC) system is an information system that assists in consolidating risk values, insured and non-insured losses, exposure information and details of insurance covers to provide tracking to support risk management reporting capabilities and the monitoring and control of the overall cost of risk. Top benefits reported by users of these systems include:

1. Spend less time consolidating data, more time analysing it
2. Facilitate sharing of information
3. Harmonise practices and reporting
4. Facilitate cross-departmental analysis and avoid silos
5. Optimise the sharing of risk management best practices
6. Visualise real-time data
7. Data reliability
8. Secure sensitive information
9. Be compliant with laws and regulations
10. Optimise transfer to insurance
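The bow tie of section 12.1 (threat, preventative controls, hazard, responsive controls, consequence), the gross and net recording described under risk registers above, the connected risks of takeaway 2 in section 10 and the dashboard triggers of section 10.2 can all be carried in one small data model. The Python below is an added example for readers of this guide; it is not code from Airmic, from the Lloyd's and KPMG report or from any RMIS product named here. It assumes a 1 to 5 likelihood and impact scale with score = likelihood x impact, assumes preventative controls reduce likelihood and responsive controls reduce impact multiplicatively, and the sample risks, owners, scores, KRI readings and thresholds are constructed for illustration only.

```python
"""Bow-tie style risk register with gross/net scoring and dashboard triggers (added example)."""
from dataclasses import dataclass, field

# Assumed scoring convention: likelihood and impact on a 1-5 scale,
# risk score = likelihood x impact. The guide does not prescribe a scale.

@dataclass
class Control:
    name: str
    kind: str             # "preventative" (left of the hazard) or "responsive" (right)
    effectiveness: float  # fraction of likelihood (preventative) or impact (responsive) removed
    in_place: bool = True

@dataclass
class Risk:
    ref: str
    owner: str
    threat: str
    hazard: str
    consequence: str
    likelihood: float
    impact: float
    controls: list[Control] = field(default_factory=list)
    near_misses: int = 0
    connected: list[str] = field(default_factory=list)  # refs this risk can cascade into
    kri_value: float = 0.0                # latest key risk indicator reading
    kri_trigger: float = float("inf")     # dashboard warning threshold

def gross_score(r: Risk) -> float:
    """Risk before any control is taken into account."""
    return r.likelihood * r.impact

def net_score(r: Risk) -> float:
    """Risk after the controls actually in place: preventative controls act on
    likelihood, responsive on impact; same-side controls compose multiplicatively (assumption)."""
    likelihood, impact = r.likelihood, r.impact
    for c in r.controls:
        if not c.in_place:
            continue
        if c.kind == "preventative":
            likelihood *= 1.0 - c.effectiveness
        elif c.kind == "responsive":
            impact *= 1.0 - c.effectiveness
        else:
            raise ValueError(f"unknown control kind {c.kind!r} on {r.ref}")
    return round(likelihood * impact, 2)

def connected_exposure(register: dict[str, Risk], ref: str) -> float:
    """Net score of a risk plus every risk it can cascade into, followed transitively."""
    seen, stack, total = set(), [ref], 0.0
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        total += net_score(register[cur])
        stack.extend(register[cur].connected)
    return round(total, 2)

def dashboard_warnings(register: dict[str, Risk], near_miss_threshold: int = 3) -> list[tuple[str, str]]:
    """Triggers for the risk owner: a KRI at or past its trigger, a run of near
    misses, or a control the net score relies on that is not actually in place."""
    out = []
    for r in register.values():
        if r.kri_value >= r.kri_trigger:
            out.append((r.ref, f"KRI {r.kri_value} at or above trigger {r.kri_trigger}"))
        if r.near_misses >= near_miss_threshold:
            out.append((r.ref, f"{r.near_misses} near misses recorded"))
        for c in r.controls:
            if not c.in_place:
                out.append((r.ref, f"control '{c.name}' not in place"))
    return out

def gross_net_report(register: dict[str, Risk]) -> list[tuple[str, str, float, float]]:
    """(ref, owner, gross, net) rows, highest net score first."""
    rows = [(r.ref, r.owner, gross_score(r), net_score(r)) for r in register.values()]
    return sorted(rows, key=lambda row: row[3], reverse=True)

def sample_register() -> dict[str, Risk]:
    """Constructed sample data; refs, owners, scores and effectiveness figures are illustrative."""
    risks = [
        Risk("CYB-01", "CISO", "Phishing of staff", "Attacker holds valid credentials",
             "Customer data breach", likelihood=4, impact=5,
             controls=[Control("MFA on remote access", "preventative", 0.5),
                       Control("Tested incident response playbook", "responsive", 0.4)],
             near_misses=3, connected=["REP-03"], kri_value=7, kri_trigger=5),
        Risk("SUP-02", "COO", "Sole supplier fails", "Loss of critical component supply",
             "Production stops", likelihood=3, impact=4,
             controls=[Control("Dual sourcing", "preventative", 0.5, in_place=False),
                       Control("Business continuity plan", "responsive", 0.25)],
             connected=["REP-03"]),
        Risk("REP-03", "CMO", "Adverse headline", "Loss of stakeholder trust",
             "Brand damage", likelihood=2, impact=5),
    ]
    return {r.ref: r for r in risks}

if __name__ == "__main__":
    reg = sample_register()
    for ref, owner, gross, net in gross_net_report(reg):
        print(f"{ref:7} {owner:5} gross={gross:5.1f} net={net:5.1f}")
    for ref, why in dashboard_warnings(reg):
        print("WARN", ref, why)
    print("CYB-01 exposure including connected risks:", connected_exposure(reg, "CYB-01"))
```

Running it prints the gross and net report, the triggered warnings and the cascaded exposure of CYB-01. The design point worth noting is that a net score silently assumes every listed control is in place, so the dashboard surfaces controls marked as not in place alongside KRI breaches and near-miss runs; that is precisely the gap between the perception and the reality of risk that section 11.5 warns about.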

The most common RMIS modules that are requested when selecting a software solution for risk management are:

1. Certificates of insurance
2. Claims administration
3. Claims management
4. Cost allocations
5. Exposure management
6. Incident management
7. Policy management
8. Root cause analysis

Source: Risk Panorama annual report 2019 – AMRAE, the French risk management association

Risk maturity models: In evaluating the effectiveness of risk management frameworks, risk management maturity models rate the level of risk maturity across agreed risk areas, such as risk context, risk culture, risk identification, risk assessment, risk treatment, and communication and reporting, on a scale running through to five or seven levels, based on benchmark information from the database created from user data. However, it is important that when using these tools the organisation, as a first step, considers its desired level of risk maturity in line with its risk appetite, and then uses the tool to assess its performance against this.

13. CONTINUOUS IMPROVEMENT

The enterprise risk management process must not become dormant and should be updated and improved to help the organisation achieve its changing objectives.

Having an agile risk management framework that can be relatively easily adapted is therefore beneficial. Change is inevitable and it is important that the risk framework reflects the structure of the organisation and is intuitive to use, to ensure effectiveness across the organisation. The framework will be reviewed in conjunction with other critical business processes on a regular, perhaps annual, basis.

In order to receive accurate and timely information, it is important that members of staff feel free to make their opinions known without fear of blame or recrimination. Executives and managers are responsible for ensuring that an appropriate culture exists within the organisation.

The following are useful methods to help engender a culture of continuous improvement:

• Review of risk management information to determine the accuracy and effectiveness of data, for instance, did the estimation of risk impact accurately reflect the consequences of an event that occurred?
• Review of issues (events that occurred) and insurance claims to ensure that the root causes are understood and actions are in place to control future events
• A process of lessons learned should be in place to systematically review good and bad practices, and identify measures to either disseminate good practices or mitigate bad ones. Figure 12 depicts a typical lessons learned process. Undertaking periodic lessons learned and implementing changes will help to ensure a culture of continuous improvement
• Compare your organisation against others within the same sector as well as best practice organisations from other industries. A list of relevant industry bodies and links to useful knowledge forums is provided in the appendix.

FIGURE 12
Lessons learned process

1. Establish the context regarding the lesson/issue that occurred, e.g. What? Why? Who? When?
2. Establish individual perspectives (via a brief questionnaire) from representative stakeholders (questions around What? and Why?, e.g. What went well? Why did it go well?, etc.)
3. Analyse questionnaire findings and prepare material for a workshop (NB: overlay with stakeholder mapping)
4. Facilitate a workshop with representative stakeholders to discuss learning and application elsewhere
5. Clearly articulate findings in an easily searchable database
6. Communicate learning to other parts of the organisation

14. WHERE TO LOOK FOR FURTHER


INFORMATION
• Against the Gods – the remarkable story of risk, by Peter L. Bernstein
• Airmic: Roads to Ruin – A study of major risk events: their origins, impact and implications. A report by Cass Business School on behalf of Airmic – 2011
[Link]
• Airmic: Roads to Resilience – Building dynamic approaches to risk to achieve future success. A report by Cranfield School of Management on behalf of Airmic – 2014
[Link]
• Airmic: Roads to Revolution – Reshaping risk and resilience for the future – 2018
[Link]
• Airmic: The importance of managing corporate culture – 2017
[Link]
• Airmic: Scenario Analysis: A Practical Guide: Helping to develop insight and manage uncertainty – 2023
[Link]
• Airmic: Investing in the right future: AI and Future of the Profession – 2023
[Link]
• Airmic: Competency Framework – 2020
[Link]
• Airmic: Reputational Risk Framework – 2020
[Link]
• Airmic: Navigating geopolitical risk: Building resilience demands collaboration in a challenging world – 2023
• Airmic: Complex supply chains in a complex world – 2019
[Link]
• Airmic: Emerging risks – 2019
[Link]
• COSO: Committee of Sponsoring Organisations of the Treadway Commission (COSO) Enterprise Risk Management – Integrated Framework
[Link]
• FRC: UK Corporate Governance Code 2024
[Link]corporate-governance/uk-corporate-governance-code/
• FRC: Corporate Governance Code Guidance 2024
[Link]corporate-governance/corporate-governance-code-guidance/
• FRC: Guidance on Board Effectiveness – 2018
[Link]
• FRC: The Financial Reporting Lab – where investors and companies can come together to develop pragmatic solutions to today’s reporting needs
[Link]
• IIA: The IIA Three Lines Model – 2020
[Link]
• ISO: ISO 22316, Guidance for Organisational Resilience
[Link]
• ISO: ISO 22301 Societal security – Business continuity management systems – Requirements
[Link]
• ISO: ISO 31000:2018, Risk Management – Principles and guidelines
[Link]
• Marsh: The Global Risks Report – 2024
[Link]
• The Marsh McLennan Cyber Handbook – 2022
[Link]
• Risk Coalition: Raising the bar – Principles-based guidance for board risk committees – 2019
[Link]
• Riskonnect: Risk Management Information Systems (RMIS): The Buyer’s Guide
[Link]

About Airmic

The leading UK association for everyone who has a responsibility for risk management and insurance in their
organisation, Airmic has over 450 corporate members and more than 1,900 individual members. Individual
members are from all sectors and include company secretaries, finance directors, and internal auditors, as well as
risk and insurance professionals. Airmic supports members through learning and research; a diverse programme of
events; developing and encouraging good practice; and lobbying on subjects that directly affect our members and
their professions. Above all, we provide a platform for professionals to stay in touch, to communicate with each
other, and to share ideas and information.

[Link]

About Marsh

Marsh is the world’s leading insurance broker and risk advisor. With more than 45,000 colleagues advising clients
in over 130 countries, Marsh serves commercial and individual clients with data-driven risk solutions and advisory
services. Marsh is a business of Marsh McLennan (NYSE: MMC), the world’s leading professional services firm in
the areas of risk, strategy and people. With annual revenue of $23 billion, Marsh McLennan helps clients navigate
an increasingly dynamic and complex environment through four market-leading businesses: Marsh, Guy Carpenter,
Mercer and Oliver Wyman. For more information, visit [Link], follow us on LinkedIn and X.

Marsh Ltd is authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and
Credit Broking (Firm Reference No. 307511).

Tower Place, London, EC3R 5BU
+44 20 7357 1000

[Link]

Fiona Davidge

Fiona Davidge, currently Head of Corporate Risk at the House of Commons, acted as Executive Editor for the
original version of this guide.

Airmic
Marlow House
1a Lloyd’s Avenue
London
EC3N 3AA

Tel: +44 207 680 3088
Fax: +44 207 702 3752
Email: enquiries@[Link]
Web: [Link]
