
Technical Director, The Institute of Risk Management UK

The past decade has seen some spectacular business meltdowns, from energy company Enron through retailer Woolworths Group PLC to the recent leadership troubles at the Co-operative Bank. At the other end of the scale, half of the start-up businesses in the UK fold within the first two years. The financial and human cost when companies and projects fail is enormous. Yet risk still has to be taken, as without it there will be no growth, no profit and no progress. Corporate governance requirements are becoming more prescriptive in requiring risk management arrangements to be clearly in place. Even for smaller businesses, evidence of effective risk management is increasingly being demanded by suppliers, investors, insurers and other stakeholders. Legal developments in the field of corporate manslaughter hold out the prospect of criminal prosecutions for company directors if a fatal accident occurs and they cannot demonstrate that their risk and safety management systems are robust and at least up to industry best practice. Similarly robust sanctions for directors are in prospect in relation to bribery and data protection.

The stakes are high. Not only must you have 'risk management' but more importantly you must have risk management that works.

The Financial Reporting Council recently released its draft guidance on how companies should approach the requirements in the UK's corporate governance code in relation to risk management, internal control and the going concern basis of accounting. These proposals, with which all UK listed companies are going to have to comply (and which are also likely to be highly influential in shaping corporate governance developments in other sectors), will seriously raise the bar for risk management at board level.

In future, boards will be required to carry out a robust assessment of the principal risks facing the company and explain, in the annual report, how these are being measured and mitigated. The guidance also, for the first time, requires firms to give serious consideration to such matters as the extent to which the company is willing to take on risk - its risk appetite - and also to ensure that sufficient attention is paid to complex but important human factors like risk culture, behaviours, incentives and rewards. The past 15 to 20 years have seen the development of increasingly sophisticated systems of risk management, alongside more codes, regulations and processes. But the various enquiries and analyses that take place when things go wrong usually tell the same story - on paper the organisation appeared to have the right processes, but these are applied by complicated and fallible human beings who may not always behave the way they are expected to in relation to risk.

The complexity of modern business complicates the picture further - the extended and interconnected nature of today's supply chains, partnership working, outsourcing (including 'cloud computing') and new ways of delivering public services mean that the old 'command and control' model is not going to work in the new, fluid and networked environment. The problems last year with the appearance of horsemeat in various supply chains for beef products highlight the difficulties in managing risks across these extended enterprises (a subject on which a group of IRM members is currently preparing some practical guidance).

We have come a long way from the rigid 'silo'-based approach to risk management of a couple of decades ago, where task-based activity like health and safety was dealt with in one part of the organisation, insurance purchase in another, computer disaster recovery in another, legal compliance in another and so on, with none of these departments really talking to each other, let alone co-ordinating their risk activities. Enterprise risk management approaches have done a lot to focus attention on the broad range of threats to corporate objectives and the need for risk management to be embedded consistently across the organisation's processes, breaking down the old silos. This has included, in many organisations, the development of sophisticated quantitative techniques to measure risk. Yet, as we have seen when looking at the real-life examples of corporate collapse, at the end of the day actions are taken (or not taken) and decisions made (well or poorly) by people. Understanding why people do what they do, and applying this knowledge to risk management, is going to be the hot topic of the next decade.

Carolyn Williams, Technical Director, The Institute of Risk Management

November 2013
