(c) American Institute of Certified Public Accountants. Contact AICPA for permission to reproduce this article.

Awareness is your security blanket

CIMA and Airmic have created a risk-identification framework that can help executives find peace in preparation and knowledge.

Organisations can find all sorts of ways to trip themselves up. A recent CGMA survey of 1,300 executives across the world found that 60% agreed that they faced a wide array of increasing and complex risk issues.

Quite understandably, there is a desire to comprehend what goes wrong and, perhaps more importantly, what needs to be done to put things right. During the past 20 years or so, policy-makers have responded on many levels with legislation, such as the Sarbanes-Oxley Act in the US, the introduction of corporate governance codes in many countries across the world, and the development of risk-management frameworks such as the one created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

More recently, particular attention is being paid to corporate culture. In the UK, the Financial Reporting Council, which oversees the corporate governance regime, is leading a project to provide guidance to boards on setting and embedding the right culture. Its existing guidance on risk and internal control, published in September 2014, emphasises the importance of setting the right risk culture in part by ensuring that performance incentives do not trigger excessive risk-taking.

While culture is important, it seems that failure to understand how the different parts of the business come together to create value in the context of the external environment — the business model, in other words — is also a factor.

In their Roads to Ruin report, researchers from Cass Business School investigated 18 high-profile cases of major risk events and identified seven key issues that were described as dangerous underlying risks. These included inadequate leadership on ethos and culture, but also blindness to inherent risks, such as risks to the business model or reputation.

Boards appear to lack the right tools and information to enable them to have an effective risk conversation that focuses on building resilience and protecting reputation. A McKinsey survey revealed that directors “struggle to understand and make time to manage business risks — one of several areas where directors indicate room for further improvement.”

What is needed, therefore, is a practical framework to help boards engage more effectively with the key risks to their business.

The basic idea is to paint a far more coherent picture of the organisation’s risk universe. The two core building blocks underpinning the framework are the business model and the risk-management process.

Introducing the business model
The business model is defined in the International Integrated Reporting Framework as the organisation’s “system of transforming inputs, through its business activities, into outputs and outcomes that aims to fulfil the organisation’s strategic purposes and create value over the short, medium, and long term.”

A thorough understanding of the business model within the context of the external environment provides a sound basis for identifying risks and opportunities.

The inputs and outputs of the business model are expressed in terms of the “six capitals” — the organisation’s key resources and relationships: financial, manufactured, intellectual, human, natural, and social and relationship. This ensures a broad, integrated view of value creation, which takes intangibles as well as externalities into consideration. A chart of the business model showing the value-creation process in the context of the external environment is available here.

The risk-management process
Setting the risk context
The business model needs to be applied within a robust risk-management process. This is illustrated in Figures 1 and 2, which show an iterative cycle of setting the context against which risks can be assessed, treated, and subsequently monitored and reported on.


Risk assessment
An essential element of the risk-management process is risk assessment. Typically, a risk register or inventory is developed, identifying a series of possible risk events. The benefit of using the business model as the basis for risk identification is to ensure that risks are viewed in an integrated way over the short, medium, and long term.

This should help the board better understand cause and effect, giving it greater assurance that it has line of sight over all the principal risks. Understanding the quality of key inputs, such as people or relationships, may help the board assess whether the organisation is setting up potential problems for the future, such as poor customer/patient care or industrial accidents. An events-based risk register or inventory might not pick up such broad-based risks that may play out over the longer term.

A more systematic approach is to use the four components of the business model (inputs, business activities, outputs, and outcomes) as a basis for identifying risks within the context of the external environment, as shown in Figure 3.


This process of identification creates the basis for an integrated risk analysis and evaluation, which informs how the risks need to be managed.

Figure 3 shows that risks need to be identified for each component of the value-creation process. For example, in relation to inputs, each of the six capitals needs to be considered in terms of cost, availability, and quality. The outcome of this process is a systematic identification of all the risks related to inputs, business activities, outputs, and outcomes. Figure 3 shows the key considerations relating to each category.

These key considerations can then be integrated and analysed to create a principal risk narrative. For example, an organisation may identify a risk that it is not able to access talent in sufficient numbers with the required skills to deliver its services effectively (a risk to an input). It can track this risk through the business model by connecting it to the risk of process failure (risk to business activity), resulting in poor service delivery (risk to output) and, ultimately, damaged reputation (risk to outcome).

This process should also flush out risks that have been missed. It enables risks arising from the different capitals to be integrated. For example, poorly trained people combined with inadequate equipment may result in poor customer experience and, at worst, a serious accident.

This process of integration enables a richer risk assessment by:

  • Identifying recurring or particularly strong risk themes, such as safety.
  • Developing a more comprehensive understanding of causes, effects, and consequences, leading to more complete risk responses. For instance, an organisation may address the risks of poor service delivery by investing in staff training, which may prevent short-term problems. However, in the longer term, it may be necessary to address the talent issue at a deeper level by collaborating with education providers, automating processes, and/or outsourcing some activities.

Based on this risk analysis, therefore, the organisation can determine appropriate risk responses over different timescales and at three levels: strategic, tactical, and operational.

Some risks will be relatively simple, demanding a relatively straightforward operational response. Others, such as the example above of poorly trained people combined with inadequate equipment, will benefit from being viewed through the lenses of the different capitals across all components of the business model to generate appropriate risk responses at the strategic, tactical, and operational levels.

Gillian Lees is head of research and development at CIMA, where she develops thought leadership on governance and risk. She also teaches risk management at the London School of Economics.

This article was originally published in the December 2015 edition of CGMA Magazine.