collaborators within the organisation, as well as third parties (external agencies, contractors, etc.), may also be impacted by any changes. Therefore, significant communication, negotiation and coordination are often required. Indeed, even fairly simple or common-sense risk measures may require significant analysis in order to prepare the groundwork for formal authorisation processes. The particular contexts in which this is mostly likely include:
• If the benefits of risk-response actions are “external” or highly asymmetric, such as where the costs of risk mitigation are borne by one department, but the benefits may accrue to another department or project.
• If changes are required to organisational processes, budgets, targets, timelines, quality or other performance indicators, or to contractual or other relationships with third parties.
• If the identification of risks may potentially expose issues of a political or motivational nature, for example if problems are uncovered that should have already been addressed within normal work, or if a lack of expertise capability or competence would be highlighted.
In such contexts, formalised risk assessment processes will support the activities of a project team by creating robustness in the analysis, in the assessment of the cost–benefit trade-offs, and will increase objectivity and transparency.
There is an increasing requirement for decisions within businesses to be supported by formal governance processes, particularly in publicly-quoted (listed) companies, where management is ultimately responsible to shareholders, and not to themselves. One may think of governance issues in two categories:
• Mandated governance requirements and guidelines.
• Processes that enhance general organisational effectiveness and competitive advantage (see later).
A complete description of published governance guidelines is beyond the scope of this text: their focus is typically on structured frameworks and processes to manage risk (especially operational risk) and less on the details of modelling issues and associated challenges. Here, we simply highlight a few examples from various contexts; the interested reader can no doubt easily find others by general internet or other searches:
• The UK Combined Code on Corporate Governance. This sets out standards of good practice in relation to Board leadership and effectiveness, remuneration, accountability and relations with shareholders. Certain listed companies are required to explain in their annual report and accounts how they have applied the Code. The Code includes the following (June 2010 edition):
• “Every company should be headed by an effective Board, which is collectively responsible for the success of the company … The Board's role is to provide entrepreneurial leadership within a framework of prudent and effective controls which enables risk to be assessed and managed …”
• “The Board should be supplied in a timely manner with information in the form and of a quality appropriate to enable it to discharge its duties. All directors should … regularly update and refresh their skills and knowledge.”
• “The Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The Board should maintain sound risk management and internal control systems.”
• The Corporate Governance Council of the Australian Stock Exchange publishes Corporate Governance Principles and Recommendations (or Principles), of which Principle 7 concerns recognising and managing risk. Selected sections (2nd edition, 2010) state:
• “Risk management is the culture, processes and structures that are directed towards taking advantage of potential opportunities while managing potential adverse effects.”
• “Companies should establish policies for the oversight and management of material business risks and disclose a summary of those policies.”
• “The Board should require management to design and implement the risk management and internal control system to manage the company's material business risks and report to it on whether those risks are being managed effectively. The Board should disclose that management has reported … the effectiveness of the company's management of its material business risks.”
• The Sarbanes–Oxley Act (2002) requires management to certify the accuracy of financial information of companies listed on US exchanges. The guidelines cover issues relating to risk assessment and internal controls, rather than management decision-making.
• A number of other organisations have provided guidelines, recommendations and standards relating to risk assessment and its methods. A few examples include:
• The International Organization for Standardization (ISO) has published ISO 31000 Risk Management – Principles and Guidelines and 31010 Risk Management – Risk Assessment Techniques. The British Standards Institution (BSI) has published BS 31200:2012 Risk Management: Code of practice and guidance for the implementation of BS ISO 31000, and other works.
• The Institute of Risk Management (IRM), the Association of Insurance and Risk Managers (AIRMIC), Alarm (the Public Risk Management Association) the Federation of European Risk Management Associates (FERMA) and the Committee of Sponsoring Organizations (COSO) each regularly publishes documents, such as COSO Enterprise Risk Management – Integrated Framework. Each provides guidance on risk management processes and controls for management. The PRMIA (Professional Risk Managers' International Association) also publishes on a number of similar topics.
Of course, organisations will not succeed simply by following mandated guidelines: of utmost importance is the ability to create, identify and exploit opportunities that are aligned with strategy, create value and have some competitive differentiation. According to financial theory, in efficient markets, higher risks should be associated with higher returns only where such risks cannot be reduced economically efficiently or diversified away: the taking of risk per se is not rewarded. In contrast to many personal situations (for which the making of an “adequately good” decision is usually sufficient) organisations exposed to high levels of competition will need to perform to a superior standard, and to create opportunities, structure projects and make decisions that are (close to) the best possible ones available.
Formalised risk assessment can support effectiveness in these areas in several ways:
• Supporting the consideration of a full range of decision options.
• Helping to ensure that the opportunities being considered are value-creative and structured optimally.
• Ensuring that decisions are supported by robust rational analysis and data, and are appropriately transparent.
• Ensuring more transparent trade-offs and appropriate risk tolerances in decision-making.
• Reducing biases in analysis and in decision-making.
• Ensuring that project execution risks are appropriately considered within decision evaluation processes, as well as within the detailed implementation projects.
Businesses almost always require that important decisions are supported with fairly detailed quantitative analysis. Risk assessment can be used to support this in many ways:
• Reflecting the reality that the situation inherently contains risk and uncertainty.
• Providing a structured process to ensure that all relevant factors are included in the analysis and quantitative
