I want to redo the table in this paper. I would like to change them based on my teacher's comment. This is my teacher's comment: In reviewing your paper, the FIRM Risk Scorecard you included are all elements provided in the text. What you need to do is revise each element of the scorecard as it pertains to the hospital you described. So, delete all the current entries and revise with those (in your own words) that correspond to your example. You can resubmit your revision in the Assignment folder. (Develop a risk scorecard using the FIRM template provided on pages 164 and 165 for the specific organization you describe. Do not just take the words from the sample in the text.) Create your own based on the organization. Let me know if you have questions.
FIRM Risk Scorecard
Description of the Selected Organization
Three Rivers Hospital (TRH) is a not-for-profit healthcare facility within Washington
state, near the US-Canada border. The facility serves about 15,000 people who live within an
expansive area of over 6,000 km². For a long time, TRH has struggled with below-optimal staff
numbers. The facility has survived nearly seven decades by economizing. When COVID-19
struck the country, TRH was among the hard-hit facilities. The government imposed restrictions
on elective surgeries, which was a major revenue-generating activity. This affected the hospital’s
financial situation gravely. Social distancing guidelines also reduced the number of people
visiting the facility for non-COVID-19 reasons. Many other units, including the primary care and
emergency units, closed down.
Early in the year, the facility contemplated shutting down. The state government provided
a lifeline to keep the hospital open, granting the hospital $200,000. The federal government also
lent a hand by giving TRH three months of Medicare payments in advance. However, this
amount was a drop in the bucket, because the hospital needed over $1 million to run for a month.
The hospital did not have an ICU, and it only had two operational ventilators. It continues to
struggle to remain open, since its closure would leave hundreds of patients who depend on the
facility helpless. Hopkin (2018) describes a FIRM risk scorecard that can help paint a bleak
picture of TRH’s risk exposure.
FIRM Risk Scorecard
Financial Component of the FIRM Risk Scorecard
Lack of availability (or unacceptable cost) of adequate funds to fulfil the strategic plans
Insufficiently robust procedures for correct allocation of funds for
Inadequate internal financial control environment to prevent fraud and control credit risks
Inadequate funds to meet historical liabilities (including pensions) and meet future anticipated liabilities
TOTAL for the component: 16
Infrastructure Component of the FIRM Risk Scorecard
Inadequate senior management structure to support organization and embed ‘risk-aware culture’
Insufficient people resources, skills and availability, including concerns about intellectual property
Inadequate physical assets to support the operational and strategic aims of the organization
Information technology (IT) infrastructure has insufficient resilience and/or data protection
Business continuity plans are not sufficiently robust to ensure continuation of organization after major loss
Product delivery, transport arrangements and/or communications
TOTAL for the component: 19
Reputational Component of the FIRM Risk Scorecard
Poor public perception of the industry sector and/or potential for damage to the brands of the organization
Insufficient attention to ethics/corporate social responsibility/social, environmental and ethical standards
Poor governance standards and/or sector is highly regulated with high compliance expectations
Concerns over quality of products or services and/or after-sales
TOTAL for the component: 9
Marketplace Component of the FIRM Risk Scorecard
Insufficient revenue generation in the marketplace or inadequate return on investment achieved
Highly competitive marketplace with aggressive competitors and high customer expectations
Lack of economic stability, including exposure to interest rate fluctuations and foreign exchange rates
Marketplace requires constant innovation and/or product technology is rapidly developing
Supply chain is complex and lacks competition and/or raw materials costs are volatile
Organization is exposed to potential for international disruption because of political risks, war, terrorism, crime or pandemic
TOTAL for the component: 20
How to Mitigate the Marketplace Component
One of the fastest ways of reducing marketplace risks is to open more revenue-generating
units. TRH depends on very few revenue streams. The facility had relied almost solely on
elective surgery, which is now impossible due to the ongoing pandemic. Organizations such as
this should come up with multiple revenue-generating units, so that others can still bring in
money to maintain an optimal level of operations when one is down. According to Leyes (2020),
having several income-generating units helps an organization reduce the risk of failure. TRH
could start offering other services, such as serving as a COVID-19 isolation center.
Innovation might also help the organization to maintain a favorable marketplace position.
Through innovation, organizations can create a new market niche for themselves. For instance,
TRH could introduce new treatment machines and set itself apart as a leader in treating a specific
disease common to the region. An organization should also consider supply-side factors that
affect its marketplace position. In a highly competitive environment, contracting multiple
suppliers may help make the supply chain competitive.
Hopkin, P. (2018). Fundamentals of risk management: understanding, evaluating and
implementing effective risk management. Kogan Page Publishers.
Leyes, K. (2020, February 25). Five Benefits Of Having Multiple Sources Of Income As An
Entrepreneur. Forbes. https://www.forbes.com/sites/theyec/2020/02/25/five-benefits-of-having-multiple-sources-of-income-as-an-entrepreneur/?sh=2448e7d743bb
Risk likelihood indicates how often a risk is expected to materialize. It can also be
described as risk frequency. However, using the phrase risk frequency assumes that the
risk occurs on a regular basis. The more general term risk likelihood is used throughout
this book. Risk likelihood can be determined on an inherent basis for any particular
risk, or can be determined at the current level of risk, paying regard to the control
measures that are in place.
For hazard risks, previous history may be a good indication of how likely the risk
is to occur. For a fleet of motor vehicles, there is certain to be a history of vehicle
accidents and breakdowns. Controls will be in place to reduce the likelihood of these
events. A road haulage company should assess the likelihood of vehicle breakdowns
on an inherent basis and also on the basis of current controls. There are, however,
difficulties in assessing the inherent likelihood of vehicle accidents, because certain
assumptions would have to be taken about what effect the removal of controls
would have on the likelihood of accidents.
Even if an assessment of the breakdown likelihood at the inherent level cannot be
undertaken, the company will still need to determine the importance of the vehicle
maintenance programme in preventing vehicle breakdowns and whether the maintenance activities provide value for money. In relation to vehicle accidents, the
company may have driver-training procedures in place and, again, the effectiveness
of these procedures can be determined by evaluating inherent and current levels of
risk. Whether levels of risk are evaluated at inherent or at current level, there is no
doubt that benchmarking the performance of the fleet against the average performance of the industry will be a useful exercise.
An example of a control measure that has an effect on the magnitude of the risk
but may have no effect on its likelihood is the use of seat belts in cars. In simple
terms, the driver wears a seat belt to reduce the impact of an accident, because the
seat belt has no effect on the likelihood of an accident occurring. The driver wears
the seat belt as a control measure for when the accident happens.
A sports club will wish to reduce the chances of a key player being absent. The
absence may be caused by inappropriate behaviour by a player, resulting in the need
for sanctions against that person. Accordingly, the club may decide to introduce
a ‘code of behaviour’ for senior players, and this would include a commitment by
each player to follow an appropriate, healthy lifestyle. Failure to comply with the
code of behaviour would result in financial and other punishments.
The club may also decide that additional controls are required to reduce player
absence, including fitness monitoring and social support for overseas players who
have recently moved to the country to join the team. It may also be agreed that an
attempt should be made to place contractual limits on the ability of national teams
to call on its overseas players. These actions will be taken in addition to other loss
control activities, such as excellent medical facilities to provide immediate medical
care and reduce the damage when an injury occurs. Also, the company may purchase
insurance to protect itself against the financial losses associated with the absence of
Reducing the magnitude of a hazard risk is very important. For hazard risks, magnitude
is often referred to as the inherent severity of the risk should it materialize. Reduction
in overall hazard risk severity will be achieved by reducing both the impact and consequences when the adverse event occurs. The seat belt in a car can reduce the impact
of an accident, but has no effect on the likelihood of having an accident.
It is possible for a serious fire to occur that results in a considerable amount of
property damage and is considered to be very severe and expensive. However, in
reducing the severity of a serious fire, the requirement is to reduce the impact of
the fire on the finances, infrastructure, reputation and marketplace (FIRM) of the
organization. Actions to reduce impact will concentrate on damage limitation at the
time of the fire and cost containment after the event. The consequences relate to the
effect on the strategy, tactics, operations and compliance (STOC) of the organization. Loss control is concerned with mitigation of the magnitude, impact and
consequences of an adverse event.
Damage limitation is also an important feature of reputational risk management.
When a serious incident occurs that attracts public attention, an organization will
need to be able to protect its reputation by reassuring stakeholders that the organization responded appropriately to the event. It is almost invariably the case that
the CEO or chairman of the company will arrive at the scene when there has been
a serious train or plane crash.
There have been examples where a serious incident has occurred and the management of the media by the organization has been very poor. In these cases, it is likely
that inadequate attention was paid to pre-incident planning, so that the damage to
the reputation of the organization was not effectively minimized at the time the
Organizations will also need to be concerned with cost containment. Cost containment following an event is usually based on the business continuity plan (BCP)
or disaster recovery plan (DRP) that the organization put in place before the incident
occurred. The development of effective BCP and DRP will put the organization in
the best position to ensure that the overall cost of the incident is kept as low as possible.
Control of fires in hotels
Given the long emphasis on fire peril, perhaps it’s not surprising that improvements in
sprinkler systems have been a hallmark of the past 40 years. The single most impressive
innovation as it relates to fire has been the advent of the suppression mode sprinkler.
Standard sprinklers were control mode sprinklers, which controlled the fire until someone
arrived to put it out. The fire could grow and produce a lot of smoke.
As hotel fittings became more susceptible to smoke and water damage, the desire was
to suppress the fire, not just control it. The new sprinklers resulted in smaller areas being
affected by fire with less smoke and less damage.
Sprinkler technology has evolved significantly. Where we had a single standard spray
sprinkler head, we now have extra-large orifice heads and early-suppression, fast-response
sprinkler heads. The use of sprinkler systems has also spread from more traditional
manufacturing facilities into light-hazard exposures such as offices and nursing homes.
Corporations became more deeply involved in loss control efforts. For example, hotels
carried out two initiatives in the early 1980s using controlled fires to prove the efficacy of
plastic piping in hotel room sprinkler systems. Before the successful tests, sprinklers relied
on iron piping, which was more difficult to install than plastic and which took rooms out of
service for days during a re-fit.
The range of hazard risks where reducing the magnitude of the adverse event is
important will include fraud, health and safety, property protection and efficient
operation of IT systems, as well as incidents with the potential to cause damage to
reputation. Table 13.1 provides a list of the key dependencies that could give rise to
hazard risks, using the structure of the FIRM risk scorecard. When hazard risks
materialize, actions need to be taken to reduce the magnitude of the event, as well as
mitigate the impact and consequences.
Although the main focus of managing hazard risks will be on loss prevention,
successful management of hazard risks must also include consideration of damage
limitation and cost containment. There is a developing trend in the insurance market
towards settling claims in a more efficient and cost-effective manner. This trend is
partly based on encouraging organizations to get back to normal operation as soon
as possible. Indeed, some insurance companies refer to initiatives of this type as ‘cost
As mentioned previously, reducing the severity of an incident should be seen as
part of an overall attempt to implement loss control in an organization. An integrated
approach to loss control is important because it will enable the organization to
control both the likelihood and impact when a hazard risk materializes. In fact, loss
control should be considered to be loss prevention plus damage limitation plus cost
TABLE 13.1 Generic key dependencies
FIRM risk scorecard
Availability of funds/finance
Correct allocation of funds/finance
Internal control (fraud)
Liabilities under control (bad debts and pensions)
People skills and experience
Premises/plant and equipment
IT hardware and software
Communication and transport
Brand and brand expansion
Public opinion of sector
Regulators’ enforcement action
Corporate social responsibility
Health of world or national economy
Product development (technology)
Although the most important component of loss control is loss prevention, hazard risks
can materialize despite the best efforts of organizations. Adequate assessment of
hazard risks is vital, so that appropriate pre-planning of during-the-loss and post-loss
actions can be undertaken. Plans should be in place to ensure that the damage caused
by the incident is kept to a minimum and the cost consequences of the event are also
tightly controlled and contained.
Figure 13.1 shows how a bow-tie can be used to illustrate the three components of
loss control. Before the event occurs, the organization will have controls in place to
seek to achieve loss prevention. As the event is developing, steps should be in place
to limit the damage that the event is causing. After the event, cost containment
controls by way of business continuity and arrangements to reduce the cost of repair
should be activated. Disaster recovery plans will be relevant during both the damage
limitation and the cost containment stages. The relationship between the three components of loss control and the type of control that will be selected is considered in
more detail in Chapter 16. The types of hazard controls are described in Chapter 16
as preventive, corrective, directive and detective.
FIGURE 13.1 Loss control and the bow-tie
Another way of looking at loss control activities is that loss prevention is about
reducing the likelihood of an adverse event occurring, although it will also be concerned
with reducing the magnitude of an event that does occur. Damage limitation is
concerned with reducing the magnitude of the event when it does materialize. The
contribution of damage limitation will be greatest if actions are planned that can be
implemented as the event is actually taking place. Cost containment is concerned
with reducing the impact and consequences of the event. Cost containment will be
concerned with ensuring the lowest cost of repairs, as well as business continuity
plans to ensure that the organization can continue operations following damage to
the asset that has been affected.
Techniques for loss prevention will vary according to the type of hazard risk that is
being considered. For health and safety risks, loss prevention is related to eliminating
the activity completely or ensuring that, for example, hazardous chemicals are no
For risks to buildings, loss prevention techniques involve such controls as the
elimination of sources of ignition and the control, containment and segregation of
flammable or combustible materials. Loss prevention techniques will also include
restrictions on smoking and other actions taken to reduce hazardous behaviours by
persons using the buildings.
For fraud and theft risks, loss prevention techniques will include separation of
responsibilities and security tagging of expensive items. Fraud prevention techniques
may also involve pre-employment screening. A more detailed consideration of health
and safety risks and fraud prevention is set out in Chapters 16 and 23.
Damage limitation in relation to fire hazards is well established. Although sprinkler
systems are often considered to be a loss prevention measure, they are in fact the
major control measure for ensuring that only limited damage occurs when a fire breaks
out. Other damage limitation factors related to fire include the use of fire segregation
within buildings, the use of fire shutters and well-rehearsed arrangements in place to
remove, segregate or otherwise protect valuable items. After the fire at Windsor Castle
in 1992, arrangements were quickly put in place for valuable artwork to be removed
from areas of the castle that had not (up to that time) been affected by the fire.
Accidents at work still occur, despite the considerable attention paid to health and
safety standards and other loss prevention activities. Provision of adequate first aid
arrangements is an obvious damage limitation activity and suitable first aid facilities
are provided by most organizations. For some high-risk factory occupancies, emergency treatment arrangements and even medical facilities are provided on site.
In some cases, these medical facilities will include specialist treatment facilities
related to the particular hazards on site. An example is the provision of cyanide
antidotes in factories where chromium-plating activities take place using cyanide-plating solutions. A simpler example is the provision of emergency eye-wash bottles
in locations where hazardous chemicals are handled.
The Deepwater Horizon oil spill in the Gulf of Mexico in 2010 provides many risk
management lessons. One of the key issues was that the oil spill took some weeks to
stop. Loss prevention measures were in place to prevent the oil spill starting and cost
containment steps were taken to manage the cost of clean-up, recovery and business
continuity. It is, perhaps, the case that the damage limitation measures were not as
robust as may have been required. Because the oil leak lasted some weeks, there was
opportunity for damage limitation measures to be introduced. However, it does not
appear that these measures had been sufficiently planned in advance.
When a hazard risk materializes despite the efforts put into loss prevention and the
efforts that have been put into damage limitation, there may well still be a need to
contain the cost of the event. For example, among the activities for minimizing costs
associated with serious fires are detailed arrangements for salvage and arrangements
for decontamination of specialist items that have suffered water or smoke damage.
Cost containment in relation to a fire will also include arrangements for specialist
recovery services. The actions that will be taken to ensure that post-incident costs
are minimized should all be set out in business continuity, disaster recovery and crisis
management plans, as appropriate. The topics of business continuity planning and
disaster recovery planning are considered in more detail in Chapter 18.
A further consideration relevant to cost containment after an incident is what
insurance companies refer to as ‘increased cost of operation’. Most material damage/
business interruption insurance policies will allow for payment of increased cost of
operation. This may arise when an organization has to sub-contract certain production activities, or has to undertake manufacturing work at another one of its factories,
which may be located some distance away.
If a manufacturer discovers that faulty goods have been released into the marketplace, a number of actions become necessary. The organization should have developed
plans in advance of the event for notifying customers of the fact that faulty goods are
in the marketplace and how to identify them. The box below considers the importance
of product recall in these circumstances.
Product recall risk management
products could be financially impacted by the direct or indirect costs of a product recall.
costs include communications and this could entail purchasing air time on radio and
television and notices in newspapers or industry publications.
Indirect costs can include lost production time for staff who must focus on the recall
process, as well as the hiring of temporary employees to ensure continued production.
share. A product recall should be designed to:
protect the customer from bodily injury or property damage;
remove the product from the market and from production;
comply with specific regulatory requirements;
protect the assets of the company.
Upside of risk
Defining the upside of risk is one of the greatest challenges for risk management.
The overall contribution of risk management is to help deliver mandatory obligations,
assurance, enhanced decision making, as well as effective and efficient core processes
(MADE2). However, there is a desire amongst risk management practitioners to
identify a more dynamic range of benefits that can be delivered by successful risk
management. Often, these are the unexpected or greater than expected benefits of
A range of interpretations of the phrase ‘upside of risk’ is possible, and some of
these are offered in Table 14.1. There is a belief amongst risk management practitioners that risk management makes a significant contribution to the operation of
the organization, and this contribution is often described as the upside of risk. In
simple terms, the upside of risk is achieved when the benefits obtained from taking
the risk are greater than any benefit that would have resulted from not taking it. In
other words, the organization has received an overall benefit from undertaking the
activities that resulted in exposure to the risk or set of risks involved.
For example, a manufacturing company that produces waste by-products that
create a disposal problem may achieve the upside of risk by selling the unwanted by-product or by identifying a means of adding value to the waste product and selling
it as another product stream. This is an example of identifying a difficulty for the
business and, in solving that difficulty, acquiring additional benefits that had not
been foreseen and were not otherwise available.
In simple terms, the upside of risk may just be the reward for taking the risk in the
first place. Climbing a challenging mountain may be a significant risk, but the upside
of taking that risk is when the climber has safely reached the summit and gains that
reward. Another approach is to say that risk management is concerned with achieving the best possible outcomes and reducing uncertainty or volatility. If this is accepted
as a definition of risk management, the upside of risk is simply achieving what the
organization set out to achieve, by taking the risks that were embedded in the strategy,
tactics and/or operations that were involved.
Defining the upside of risk
TABLE 14.1 Defining the upside of risk
Fewer disruptions to normal operations and greater operational efficiency resulting
in less downside of risk
Specifically identifying positive events during the risk assessment and deciding how
to encourage those events
Opportunity management, by completing a detailed review of a business opportunity
before deciding to embrace it
Achieving a positive outcome in difficult circumstances as an unintended and/or
automatic result of good risk management
Another interpretation of the upside of risk is that the risk assessment workshop
should also focus on identifying risks that have an upside outcome. The risk assessment workshop would therefore address questions like: ‘What events would create
a better outcome than expected?’ A register of positive outcome risks can then be
identified and actions can be taken to make those upside risks more likely to occur
and/or have more beneficial impact and consequences when they do materialize.
A more satisfactory explanation of the upside of risk is that the organization will
be able to undertake activities that it would not otherwise have the appetite to
undertake. In a commercial sense, this is enabling an organization to seize a business opportunity that a competitor does not have the appetite to take, or considers
to be too risky. This may be because of the greater efficiency within the organization,
or because a cost-effective means of changing the organization by a development
project has been identified that the competitor failed to recognize. On a strategic
level, this upside of risk may arise from the organization identifying a means of
targeting the business opportunity, but only the profitable component of that business opportunity.
A further way of looking at the upside of risk is to reflect on a business venture
that turned out successfully in circumstances where failure could have been foreseen.
This is a somewhat retrospective approach based on the analysis: ‘that could have
gone wrong, but it did not and therefore we have enjoyed the upside of taking that
risk.’ This approach to the upside of risk depends on the organization being willing
to pursue a risky venture, albeit with adequate controls in place, that leads to a
positive outcome in circumstances where a competitor may not have been willing
to take the risk.
Finally, there is the analysis of the upside of risk that reflects on the benefits of
having a robust risk management process. Achieving the MADE2 benefits, especially
benefits related to mandatory obligations, may be considered to be a sufficient reason
for undertaking a risk management initiative. In these circumstances, certain organizations may consider that achieving compliance with mandatory obligations is an
upside of risk.
At its most simplistic, and specifically in relation to hazard risks, the upside of risk
is that there is less downside. However, that is not a very compelling reason for senior
managers to support a risk management initiative. Perhaps the most easy to explain
and the most compelling thought is that the upside of risk is the ability to pursue a
business opportunity that competitors would be unwilling to embrace. It would also
be part of the explanation to say that competitors would be too risk-averse to take
such a high-risk opportunity.
With so much talk about the upside of risk, it has become a problem for risk
management practitioners. The range of analyses from less downside to formalized
opportunity management is wide and lacks focus. The board of an organization is
not going to be persuaded by such a wide-ranging and ill-defined set of concepts and
approaches. Clearly, the discipline of risk management needs to get a better understanding of the upside of risk and sell the message to the board.
Perhaps there is also scope for the risk management standards to take a more
coherent approach to the upside of risk. An approach employed in some risk management standards is that the 4Ts should be extended to include the fifth T of ‘take the
risk’ and become the 5Ts. Very often, the established standards fail to recognize that the
organization will be taking the opportunity and the intended rewards, rather than
deliberately taking the risk for its own sake.
The story in the box below is an example of an individual who saw an opportunity and embraced that opportunity. He did not seek, embrace or take the risk,
except insofar as it was embedded in taking the opportunity. It is the case that individuals who are seen as risk takers are, in fact, individuals who are willing to pursue
opportunities that others may consider too risky. Their behaviour is about embracing
the opportunity, not necessarily enjoying taking the associated risks.
Honesty box and the upside of risk
Finally, he put a small basket on the side of his stand filled with dollar bills and coins,
at twice the pace because he didn’t have to make change. In addition, he found that his
able to double his revenues without adding any new cost.
Successfully embracing business opportunities is more likely to be achieved if the
organization undertakes opportunity assessments. Many consultancy firms undertake a detailed evaluation of each new business prospect. The organization will look
at the new prospect and evaluate the scope for a profitable partnership, opportunities to earn extra income and the reputational benefits that might arise from having
that potential client as a customer.
Opportunity assessment can be undertaken in relation to new business ventures, as
well as new clients. This opportunity evaluation is designed to identify the additional
business opportunities that could arise from winning that client business. The
evaluation will also look at the potential disadvantages of successfully acquiring the
client prospect. When undertaking such an opportunity assessment, there has to be
the possibility that the organization will advise the client prospect that they do not
wish to tender for the business.
Consider the options for a theatre that discovers that fewer people are coming to
performances and decides to look at the opportunities to take more money from
those who continue to attend. The options may include general improvement to the
catering facilities within the theatre and the provision of organic produce in the
theatre restaurant. Additionally, there is the possibility of selling merchandise themed
to the particular performance.
As well as looking at increased revenue during performances, the theatre may
also look at sponsorship arrangements and open dialogue with local businesses to
discover what type of production would be most likely to gain local support and
sponsorship. In future, part of the assessment of any proposed new production could
include an evaluation of the level of sponsorship that might be available. As well as
generating greater income, this approach could also enable the theatre to stage
productions that otherwise would have been considered too risky.
Many organizations already practise opportunity management, although it may
not be seen explicitly as a risk management approach. Ideally, opportunity management should be embedded into procedures for developing and implementing strategy
and tactics and/or taking advantage of business opportunities. Some organizations
do not have explicit opportunity management procedures for the evaluation of new
business prospects, or for the evaluation of merger/acquisition opportunities.
When seeking to identify opportunities, many organizations facilitate a risk
assessment workshop that seeks to identify and analyse hazards and opportunities at
the same time. Figure 14.1 provides an example of a risk matrix that can be used to
record the outcome of such a risk assessment workshop. The exact design of the risk
matrix and the descriptors of likelihood and consequence will vary between organizations. Figure 14.1 should be treated as one example or illustration of how to
record the output from the risk assessment workshop.
One of the challenges when undertaking a risk assessment workshop that covers
both opportunities and hazards is that a wide range of people will need to attend the
workshop. Hazards tend to be operational- and compliance-related, whereas
opportunities tend to be associated with strategy and tactics. As with hazard risks, the
identification and analysis of opportunities has to be followed by evaluation of the
opportunities and the identification of actions or controls that will need to be
Figure 14.1 Risk matrix for opportunities and hazards
in place to ensure that the anticipated benefits are more likely to be achieved. The
opportunity assessment methodology described earlier in this section will need to be
applied to the opportunities that have been identified, analysed and recorded on the
The risk profile of an organization can be represented in many ways. The most
common method used is to prepare a risk register that contains details of the
significant risks that it faces. However, a disadvantage of the risk register is that it
is usually a qualitative evaluation of individual risks. Organizations need to develop
a means of measuring, evaluating and quantifying the total risk exposure of the
One of the features of the enterprise risk management approach is to develop a
consolidated view of the risk exposure of the organization. The approach based on
calculating the total risk exposure of an organization is similar to the approach
taken to the measurement and quantification of risk in operational risk management.
This section introduces the idea of a ‘riskiness index’. The idea is to present a
semi-quantitative approach that takes a snapshot of the overall level of risk embedded
in the organization. The overall level of risk will take account of the strategy currently
being followed by the organization, the projects that are in progress, and the nature
of the routine operations being undertaken. This approach can offer an opportunity
to benchmark risk management performance and track changes over time.
Table 14.2 presents a set of questions that can be used to develop a riskiness index
for an organization. The table uses the structure of the FIRM risk scorecard as a means
of categorizing risks. By using the riskiness index, an organization should be able to
identify the level of risk faced by its finances, infrastructure, reputation and the level
of risk that it faces in the marketplace.
Having completed the riskiness index, the organization can then seek additional
controls to reduce the level of risk. The main focus of risk management is then simply
to reduce the level of riskiness within the organization without affecting its strategy,
tactics, operations or compliance (STOC). The upside of risk then becomes that the
organization can follow the desired STOC at the lowest level of risk that is reasonably and cost-effectively achievable.
The level of risk identified by the riskiness index represents the risk exposure of
the organization. The board can then compare this level of risk exposure with the
risk capacity of the organization and the attitude of the board towards risk.
Table 14.2
Allocate a score of between 0 and 5 to each component (in accordance with the key at the end of the table) of the generic example of the FIRM risk scorecard to determine the level of risk within the organization, project, operation or location
Financial component of the FIRM risk scorecard
Lack of availability (or unacceptable cost) of adequate funds to fulfil the strategic plans
Inadequate internal financial control environment to prevent fraud and control credit risks
Inadequate funds to meet historical liabilities (including pensions) and meet future anticipated liabilities
TOTAL for the financial component
Infrastructure component of the FIRM risk scorecard
Inadequate senior management structure to support organization and embed ‘risk-aware culture’
Insufficient people resources, skills and availability, including concerns about intellectual property
Inadequate physical assets to support the operational and strategic aims of the organization
Information technology (IT) infrastructure has insufficient resilience and/or data protection
Business continuity plans are not sufficiently robust to ensure continuation of organization after major loss
Product delivery, transport arrangements and/or communications infrastructure unreliable
TOTAL for the infrastructure component
Poor public perception of the industry sector and/or potential for damage to the brands of the organization
Insufficient attention to ethics/corporate social responsibility/social, environmental and ethical standards
Poor governance standards and/or sector is highly regulated with high compliance expectations
Concerns over quality of products or services and/or after-sales service standards
TOTAL for the reputational component
Marketplace component of the FIRM risk scorecard
Insufficient revenue generation in the marketplace or inadequate return on investment achieved
Highly competitive marketplace with aggressive competitors and high customer expectations
Lack of economic stability, including exposure to interest rate fluctuations and foreign exchange rates
Marketplace requires constant innovation and/or product technology is rapidly developing
Supply chain is complex and lacks competition and/or raw materials costs are volatile
Organization is exposed to potential for international disruption because of political risks, war, terrorism, crime or pandemic
TOTAL for the marketplace component
the level of risk
Calculating the riskiness index of an organization requires identification of the
hazard risks actually being taken by that organization. In other words, evaluating
the riskiness index of an organization helps to identify the actual risk exposure of that
organization. Having identified the actual level of risk embedded within an organization, the board of that organization can then ask whether the portfolio of risks is
within the risk appetite and/or the risk capacity of the organization and compatible
with the risk attitude of the board.
The 2016 version of the UK Corporate Governance Code contains the following
requirement for companies listed on the London Stock Exchange:
The board is responsible for determining the nature and extent of the principal risks it is
willing to take in achieving its strategic objectives.
Organizations should be careful to ensure that, having identified the risks that they
are taking by a mechanism similar to calculating the riskiness index, the board does
not then simply decide that the risks it is currently taking must be the same as the
risks it is willing to take.
Upside in strategy
Organizations will have a mission statement, together with a set of corporate objectives and an understanding of the expectations of the different stakeholders in the
organization. The board of the organization then needs to develop an effective and
efficient strategy that will deliver exactly what is expected in terms of the mission,
objectives and expectations. In order to make correct strategic decisions, the board
of the organization will need access to risk information. A risk assessment of the
proposed strategy, together with a risk assessment of any viable alternative strategies,
should be undertaken. The availability of this risk assessment information will ensure
that the strategic decisions are more likely to be correct.
For opportunity risks, there is probably even less data available on which to predict
risk likelihood. An organization may see an opportunity to acquire a new client or
develop and market a new product. Accurate risk assessment of the likelihood of
positive and negative events will be necessary in order to determine whether the new
venture should go ahead. When a new product is launched, the requirement may
well be to increase the likelihood of a positive event occurring. If a new product is
being launched, advertising and press coverage will need to be maximized up to the
point that this remains cost-effective. Actions should therefore be taken to increase
the level of media interest in the launch.
Strategic core processes bring the disciplines of strategic planning and risk management together. Strategic planning is a systematic process for obtaining a consensus at
board level on the small number of issues that could have a massive effect on the
long-term performance of the organization. Strategic issues are vitally important,
and failure to implement strategy or the selection of an inappropriate strategy can be
amongst the most devastating risks to hit an organization. Implementation of strategy
is usually achieved by developing tactics that are implemented by way of projects
and then ultimately delivered by operational core processes. The operational core
processes in place at a specific time represent the business model of the organization,
as is discussed in more detail in Chapter 20.
Risk management activities are designed to ensure the best possible outcome and
reduce uncertainty. Therefore, the upside of risk in strategy is that risk management
efforts help with the design of an effective and efficient strategy. The implementation
of that strategy will be achieved through the tactics employed. Those tactics will be
designed to improve core processes in the organization, so that the organization is
using the most effective and efficient core processes.
The boxed example describes an attitude to risk management that sees risk as
opportunity. This approach to the management of the organization demonstrates
the desire to embrace the upside of risk.
Upside in projects
It is essential that every organization adopts the correct core processes. A core process
may be considered as the collection of activities that deliver a specific stakeholder
expectation. This is the meaning of core process that is allocated by business process
re-engineering (BPR) practitioners.
There is a difference between a process being efficient and effective. An efficient
process means that there is no disruption and no excess cost. However, the process may
be the incorrect one for cost-effectively delivering the requirements. Where processes
need to be improved, a project will normally be undertaken and change achieved. In
circumstances where a series of projects are required, this is often referred to as a
programme of work. When a project, or programme of work, is implemented by an
organization, the desire will normally be to improve the effectiveness and/or efficiency
of core processes.
By undertaking adequate risk assessment of the intended change, the organization
should be able to ensure that the project is more successfully delivered on time,
within budget and to specification. Achieving the upside of risk in the project or
programme management requires that projects are adequately managed and that
the correct project or priorities have been selected by the organization.
Often, organizations will undertake a post-implementation review to ensure that
the benefits expected from the project have been delivered in practice. This review is
often undertaken by internal audit and is designed to ensure that the project was
delivered successfully, delivered the benefits that were required and was overall worthwhile. During difficult financial times, it is important that the organization selects
projects that are not only successful, but represent the best possible allocation of limited
resources when compared with alternative projects that have not been selected.
Risk management in projects is associated with the implementation of tactics
designed to achieve the strategy. In some organizations, projects that will implement
tactics are only approved if the project reduces risk. For example, if a particular activity
could fail because of poor IT systems, the project should be designed to make the
activity more robust. In doing so, risks will be reduced and it should be possible to
quantify the benefits that will result from activities that are more efficient because
of better use of human resources and because of fewer failures of IT systems.
In summary, the benefits of good risk management within projects are that the
project is more likely to be delivered on time, to budget and at the required quality.
Risk management activities will assist the delivery of the project and, at the same time,
help manage a situation when an outcome is different from what was expected as the
project progresses. This different outcome will demonstrate whether the tactics
have been successful and the correct project was selected. A negative difference will
need to be mitigated and a positive difference will be embraced, as this is one example
of the upside of risk.
upside of risk for organizations.
of a city centre at reduced rents, whilst also increasing trade and profits.
additional generating capacity to reduce generating costs over the long term.
Upside in operations
It is a fundamental requirement for organizations that they have effective and efficient
operations. Efficient operations should make best use of the resources of the organization and should operate without unplanned disruption. Undertaking efficient
operations that use minimum resources and produce maximum output will deliver
the greatest benefit to the organization. Operations also need to be effective in that
they represent the best way of conducting the operations. For example, it is possible
to have an efficient journey by car or bus across a busy city. However, the effective
way to travel in many large cities is by means of the metro or underground system.
Risk management evaluation of operations can enable the organization to deliver
the most effective and efficient activities, operations and processes. By delivering the
most effective and efficient operations, a commercial organization can achieve advantages over a competitor and undertake work for a lower cost and still make a profit.
For public services, the delivery of effective and efficient operations is equally
important. Most public services have targets for delivery of those services that can
be complex and challenging. Failure to anticipate and manage risks appropriately
can undermine the delivery of public services. The contribution of risk management
will also help achieve sustained improvements in service by bringing flexibility
and resilience to the way in which services are delivered. This contribution by risk
management may be considered to be part of delivering the upside of risk.
In a competitive marketplace, achieving the upside of risk will often be to the
detriment of competitors, suppliers or other third parties. However, seeking the
upside of risk taking requires awareness of a possible unexpected downside. Deciding
not to do something because it appears to have become more hazardous may actually
result in the risks increasing. Further aspects of risk appetite and personal perception of
risk are discussed in Chapter 25. In terms of business decisions about operational risk,
it is important that those risks are taken on an objective basis. Personal views and
perceptions of risk can lead to incorrect business decisions. Ensuring the availability
of accurate risk information in order to make business decisions is one of the key
responsibilities of the risk manager.
Chapter 7 confirms that establishing the context is the first stage in the risk management process. The riskiness index set out in Table 14.2 provides a useful structure
for establishing both the external context and the internal context of the organization. When establishing the context, it is important to consider the upside of risk and
how opportunities will emerge for the organization and how these opportunities can
be exploited, in relation to strategy, tactics and operations.
Finally, it is important to note that there is an upside that can be achieved in relation to compliance risks. For some organizations, there will be a regulator that grants
licences and, without a licence, the organization cannot operate. In these circumstances, a good working relationship with the regulator can often provide an upside of
risk. This will be especially true if the organization seeks to influence the regulator to
require tighter control of regulated activities. In this way, the organization will set high
standards that it is able to achieve, in the hope that competitors may suffer
disadvantage, if they also have to achieve these high standards, but are not able to
do so without additional expense.