BUSINESS STANDARDS
is the online magazine of BSI Group, highlighting the vital role that standards play in today's business environment by helping organizations improve quality, save money, reduce risk and be more sustainable. Features include interviews with leading business figures, as well as news on the latest developments in management systems, standards, testing, healthcare and certification.


Plugging the gap on risk: BS 31100

29 Jun 2011
Topics: BS 31100, Risk management, Risk analysis

Many businesses admit they need to overhaul their risk management, and others are still unaware of their legal requirements.

There's no doubt that the implosion of global financial markets has seen businesses in many sectors sit up and reassess their risk management processes. The harsh spectacle of international bank bail-outs, and even business collapses, indicated that awareness of exposure to long-term risk ought to be embedded far more firmly across the board in future.

For example, in a 2009 Accenture survey of almost 300 international corporate executives (chief risk officers and chief finance officers), 85 per cent admitted they would need to overhaul their risk management function "if the lessons of the economic crisis are to be used to improve business results".[1]

However, they also shared many concerns, including reports of an insufficient enterprise-wide risk culture (82 per cent), inadequate availability of data (80 per cent) and ambiguous risk responsibilities (78 per cent). And only a quarter of the executives reported that risk management was currently considered in activities surrounding performance management and goal setting.

Dan London, managing director of the finance and performance management practice at Accenture, said that the economic downturn had proved the "ultimate stress test of a company's risk management function", and that businesses should now take steps to integrate risk management capabilities "enterprise-wide".

Strengths and weaknesses

Meanwhile, a more recent report from the Federation of European Risk Management Associations (FERMA) suggests that general risk management and culture is indeed being improved in some respects, but still requires further action in others.[2]

A positive finding is of "more mature internal communication on risk". FERMA says European companies are increasingly defining risk management policies and charters, and identifies a trend towards more consistent use of certain risk tools, notably "risk mapping exercises", which 77 per cent of companies now perform at either global or corporate levels. Also encouraging is that 85 per cent of these businesses report risk issues at the very top management level.

However, while FERMA also finds evidence of a deeper involvement in board-level decision-making, with risk at the top of the management, board and shareholder agenda, it stresses there is still work to be done in areas such as clarifying risk roles and supporting risk efforts organization-wide.

Furthermore, almost two-thirds (65 per cent) of businesses still don't perform systematic risk analysis prior to a major corporate decision, and under half (42 per cent) audit compliance with their risk management procedures.

In fact, two-fifths of companies said they were even ignorant of the 8th European Company Law Directive on Statutory Audit, which FERMA president Peter den Dekker describes as outlining a "clear responsibility given to boards of directors and to their audit committees".[3]

"Senior management is expected to be involved in risk management and risk taking. Directors have to give direction depending on the risk appetite of shareholders," he says.

Taking a standard

BS 31100:2011 Risk management. Code of practice is a standard that can help organizations create a risk management framework to meet many of these challenges, including managing cross-organization risk, developing better understanding of legal and other compliance requirements, and improving strategic decision-making. First launched in 2008 as the financial crisis reached its climax, it provides a holistic view of the many ways risk can affect an organization, detailing basic principles and risk categories, and providing a number of management tools and activities.

"Most organizations already have pockets of risk management, but with different domains and methodologies," explains Robert Whitcher, BSI product manager in the US. "It isn't necessarily being pulled together at a senior management level, but that's what you need to decide where to focus your energy and spend money. Implementation of BS 31100 gives a clearer understanding of overall risk exposure to allow points of comparison."

The resulting framework promotes proactive risk management and provides assurance that necessary corrective steps are being taken, improving accountability. All relevant information can also be reported clearly to stakeholders in the form of annual financial statements or corporate governance reports.

"The idea is still quite young in the US, but risk management is very much about a change in culture," Whitcher adds. "It is a goal that people want to reach."

Nevertheless, Julia Graham, chief risk officer at global law firm DLA Piper, says that she has followed the standard's lifecycle and other principles when training lawyers, and finds it to be highly practical, with a clear place in any risk manager's toolkit. DLA Piper recently won the "best management of risk" category at the Managing Partners Forum (MPF) European Practice Management Awards 2010, where its enterprise approach to risk was especially highly praised.[4]

With 69 offices in 30 countries and numerous practice areas, Graham explains that the law firm is really "lots of organizations in one", and the principles of BS 31100 complement how its risk activity needs to be co-ordinated globally.

"It was designed to be applicable to all sizes of business, and is very transferable," she says. "It's also driving the emergence of the chief risk officer role in businesses, where somebody is leading all risk activity. That's difficult to do effectively if you don't have the enterprise structure and framework embedded underneath you, so education about these issues is of increasing interest."

BSI's risk product marketing manager, Lorraine King, also observes a "desire to learn more about risk management principles". Speaking to the Institute of Occupational Safety and Health (IOSH) recently, she says that interest in the standard was "extremely high".

Time for a change

BS 31100 has just been revised to include even more information, and perhaps explode some myths, surrounding risk management. "One difference is that it includes more about the positive aspects of risk," explains sector content manager Tim McGarr.

That's because effective risk management is not only a question of what to avoid. A risk-focused culture can also provide competitive advantage, such as by improving efficiency in project management and helping companies to become more flexible.

Indeed, the standard even emphasizes situations where it may pay to take a risk. "It helps to identify opportunities where taking risks might benefit your business," McGarr says.

"Risk is often viewed as an overhead, particularly in an uncertain economic climate. But this is an opportunity for managers to show that they really add value through risk," adds Graham.

Meanwhile, another difference is to deal with the experience of smaller enterprises in greater depth. "There can sometimes be a perception that risk management is for big business, but the new version ensures any smaller organization appreciates the benefits early on," says McGarr.

Finally, there is more focus on an organization's overall risk culture. "It is important that the standard is embedded as well as theoretical, and so it discusses how to encourage people to buy into risk effectively," he explains.

One for all

Graham, who is also vice president of FERMA, says that the pharmaceutical and oil industries have proved particularly innovative at risk management in recent years, but that the issues in the standard are relevant to everyone from "white collar workers to heavy industry".

And BSI's Whitcher adds that comparisons between sectors are difficult when different industries will inevitably have different risk profiles.

"The financial sector is predominantly focused on financial risk. In manufacturing or aviation there will be more focus on health and safety, and in services employee knowledge will be key," he explains. "The standard's whole purpose is to help organizations to understand what their specific risks are and what is appropriate for them, which will vary depending on size and complexity."

The BS 31100 framework can help any organization reach this picture of the risk level it confronts. By establishing a blueprint for best practice, business can be managed both to reduce the likelihood of a negative event occurring and to encourage positive outcomes.

As FERMA's den Dekker puts it, "A good risk management system is like management systems on a racing car. They help it to go further, faster and more safely."



[1] http://newsroom.accenture.com/article_display.cfm?article_id=4848

[2] http://www.ferma.eu/Portals/2/documents/benchmarking-survey/ferma-european-risk-management-benchmarking-survey-2010.pdf

[3] http://www.ferma.eu/Portals/2/documents/press_releases/20100921-ferma-pr-eciaa.pdf

[4] http://www.dlapiper.com/uk/news/detail.aspx?news=3333


Business Standards © 2010. Editorial produced by Caspian Publishing in association with The British Standards Institution. Editorial opinions expressed on are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.

