Simplifying Risk Management An Evidence-Based Approach to Creating Value for Stakeholders

Recent decades have seen much greater attention paid to risk management at an organizational level, as evidenced by the proliferation of legislation, regulation, international standards and good practice guidance. The recent experience of Covid-19 has only served to heighten this attention. Growing interest in the discipline has been accompanied by significant growth in the risk management profession; but practitioners are not well served with suitable books to guide them in their work or challenge them in their professional development. This book attempts to place the practice of risk management within organizations into a broader context, looking as much at why we try to manage risk as how we try to manage risk. In doing so, it challenges two significant trends in the practice of risk management: • The treatment of risk management primarily as a compliance issue within an overall corporate governance narrative; and • The very widespread use of qualitative risk assessment tools (“heat maps” etc.) which have absolutely no proven effectiveness. Taken together, these trends have resulted in much attention being devoted to developing formalized systems for identifying and analyzing risks; but there is little evidence that this is driving practical, cost-effective efforts to actually manage risk. There appears to be a preoccupation with the risks themselves, rather than a focus on the positive actions that can (and should) be taken to benefit stakeholders. This book outlines a simple, quantitative approach to risk management which refocuses attention on treating risks; and presents choices about risk treatment as normal business decisions.

Introduction Risk in the Context of Organisations Trends in Risk Management Bridging the Gap Between Academics and Practitioners Terminology, References and Structure Chapter 1: What do we Mean by Risk? Upside and Downside Risk Risk vs Uncertainty Risk to Whom? Reconciling Conflicting Interests Risk Measures Categorisation of Risks Summary Chapter 2: Why do we try to Manage Risk? Improving Expected Outcomes Reducing The Likelihood of Extreme Events Reducing Variability in Outcomes Demonstrating Good Corporate Governance Compulsion Why do we not Manage Risk? Empirical Evidence Summary Chapter 3: Risk Management Systems Integrated Risk Management Implementation of Integrated Risk Management Systems ISO 31000 Risk Displacement and Risk Compensation Summary Chapter 4: Scope, Context and Criteria Agreeing Risk Criteria Ownership and Delegated Authority Justifying Resources Summary Chapter 5: Risk Assessment Risk Identification Risk Analysis Summary Chapter 6: Risk Treatment Risk Treatment Example Combining Risk Treatments Recording and Reporting Summary Chapter 7: Measuring the Effectiveness of Risk Management Measuring the Effectiveness of Individual Risk Treatments Estimating the Mitigating Effect on Major Disruptions Evaluating the Success of Implementation Quantifying the Overall Impact of Risk Management Programmes Taking A Pragmatic Approach to Measurement Summary Chapter 8: Underlying Themes and Summary Is a Quantitative Approach Really Practical? How Does Strategy Link to Risk? Where Does Risk Management Belong in the Organisation? Crises and Black Swans Applicability to the Public and Not-for-Profit Sectors Would any of This Have Made a Difference in the Covid-19 Pandemic? Summary of Key Ideas Annex A: Risk Return Relationships in UK Listed Companies Data Results Discussion Annex B: The Impact of Covid-19 on FTSE 100 Share Price Data Results Discussion Annex C: Alternative Numerical Example Risk Criteria Risk Analysis Risk Treatment Annex D: Some Useful Sources of Risk Information Information Security Natural Disasters Other

Patrick Roberts is a Principal Consultant in the Climate and Resilience team at Verisk Maplecroft. In this role Patrick advises clients globally on all aspects of organisational resilience. Prior to joining Verisk Maplecroft, Patrick was a director of Cambridge Risk Solutions. Over the course of fifteen years, he assisted the whole spectrum of organisations, from micro businesses and small not-for-profits to large corporations and government agencies, to manage risk and resilience more efficiently. In particular, he developed extensive experience in the implementation of business continuity management and information security management systems. He also designed and delivered a wide range of crisis management training and exercises to clients including hospitals, airports and universities. He is a Fellow of the Institute of Strategic Risk Management and has a PhD from Nottingham University Business School. Before embarking on a career in risk management, Patrick had a varied career including various project and line management roles in the engineering industry and serving as an Infantry Officer in the British Army. Patrick was also a director of British Weightlifting from 2015 to 2019.