A new risk

by the British Standard Institution

With the global and UK economies headed for uncertain times, the need for risk management is at an all time high.

The concept of risk management has sometimes struggled for recognition within the wider business community. Management of risk, so orthodoxy goes, means putting the brakes on, curbing exuberance, avoiding losses. It is a defensive move and a narrow interpretation of risk that belies the importance that the discipline can have in actually driving profits forward.

Monographic interpretations of risk management have been the norm in recent times. Take Basel II, the international code governing capital structure within banks, a dry document whose syntax is aimed squarely at forcing banks to avoid loss through over exuberant lending. This is not unreasonable, but it neglects the major benefits to be gained from risk management, the fact that increased awareness of risk equals greater sustainable profitability.

"There is a lot of regulation at the moment that is raising the profile of operational risk," says Michael Faber, vice-chairman of the Institute of Operational Risk and a member of the drafting committee for a new standard on risk management, BS 31100, due to be published this summer. "The problem with Basel II is it's very much concerned with the negative side of risk management, for example laying down actions you must comply with rather than focusing on what you can do for the good of the business."

According to American risk management guru Felix Klomans, risk management strategies should address three separate goals: to build and maintain the confidence of stakeholder groups; to teach organizations how to cope with uncertainty and doubt; and to encourage opportunism.

This last point has been lost on previous authors of standards, something that has arguably set the development of risk management as a business discipline back several years.

"There is continual debate about the positives and negatives of risk," says David Adamson, secretary of the committee responsible for drafting BS 31100. "Most people think negatively when they think of risk - for example, the dangers to be had from taking risks - but there is a school of thought that looks at the positives. For example, new customers that you might attract were you to move locations, rather than just focusing on what might go wrong. What we had to decide is whether these should be talked about in a standard or whether this was too avant-garde in the current climate."

"Risk management is as important as any other area of business, it just happens that up until now there has lacked a set of clear, simple and unambiguous guidelines," says Julia Graham, chief risk officer of global legal practice DLA Piper and chair of the BS 31100 drafting committee. "From a timelines point of view, risk management is coming under the spotlight in the current economic climate.

"Read any CEO survey these days and the top answer as to what's keeping them awake at night will be economic volatility. The credit crunch and what has followed after has woken a few boards up to the fact that failures in risk management are fundamental problems and part of the reason why they are in the position they are in now.

"In this respect, BS 31100 is raising the profile of risk management at just the right time and I think it could become a benchmark for organizations that do not want to make the same mistakes others have made."

One could argue that the long bull market of the past few years was created by financial markets that failed to heed the warning signs over US sub-prime mortgages and other indicators of an overheating economy.

Graham's view is that, had an effective risk management policy been widely employed, far from putting an end to the human behaviour that fuelled the boom, organizations in the City and elsewhere would have been able to profit in this period while avoiding the hangovers many are now feeling.

"We need to recognize the opportunity value of risk as well as the negative value of risk," she says. "We could have a booming economy based on more robust business models. BS 31100 doesn't get rid of good things, but teaches how to use risk to convert opportunity."

A standard of two halves

The committee that drafted BS 31100 approached risk management from two angles. First, it dealt with practical solutions: the principles, framework and processes required for an effective and scaleable code of practice.

The second half of the standard contains classifications of risk categories, risk management tools, maturity models and other features that help outline the positive consequences of risk. This format encapsulates the committee's vision of not only creating a document to promote good practice but also one to attempt to steer the debate towards aligning good risk management with better performance and higher profits.

Ultimately, though, it was about recognizing risk management as an opportunity and a business driver: "We've tried to demonstrate the positive aspects of risk management and to demonstrate the opportunity associated with the discipline. In this respect, BS 31100 is very much an aspirational standard," says Faber.

"There is no firmly established process for risk management, no document saying exactly what people already know. The trick was to make the language understandable and the solutions scaleable so that anyone from a sole trader to a multinational could make use of it," adds Adamson.

"Smaller organizations don't have the resources to employ risk management professionals, so we tried to make it as jargon-free as possible. But a really successful standard also needs to be scalable and in this case that meant making sure the final document didn't lose the ‘what if' high level thinking that was applicable to the most advanced multinational organizations.

"Standards are not monographs or text books: the content really had to be digestible," Adamson continues.

Inclusiveness is the key

Inclusiveness is a key element in the formulation of BS 31100, which perhaps goes some way to its wide-ranging appeal across stakeholder groups. The drafting committee, whose 40 representatives comprise groups from industry, government and academia, and was so well supported that, by the time the committee issued a Draft for Public Comment (DPC) in 2006, it received 3,000 comments back from the approximately 30,000 entities that had received the draft. This in turn resulted in the committee taking the unusual step of issuing a second DPC a few months later to take into account all the recommendations received the first time around.

Towards a risk informed future

While the economic climate has conspired to push risk management up the business agenda, Faber argues that recent successes in promoting business continuity management (BCM) have also played a part in paving the way for a renewed effort to modernize thinking on risk management.

"BSI's BCM standard BS 25999 has had a big impact on business life. I was recently on a judging panel for the Business Continuity Awards and almost every entrant on every award cited BS 25999 in their nomination pitch. This has changed the way business views the field of business continuity management," he says. BSI was given an award at the ceremony for its contribution to business continuity management through the publication of BS 25999.

Of course, BS 25999 came to life via PAS 56, which described an effective BCM process and provided a series of recommendations for good practice. Thus, its passage was smoother than the two years that it has taken BS 31100 to get to publication. Nevertheless, given the amount of ground covered by the new standard, the dearth of best practice out there and the need for the new standard to work within the confines of existing terminology used in BS 25999 and other standards, two years does not seem long.

"This guidance has not been produced in isolation of related standards," says Graham. "The committee has used a bible of what are considered leading works in the area of risk management, kept closely aligned to the work of BS 25999, and taken a pro-active role in the development of the proposed ISO standard on risk management ISO 31000. After all, why have three definitions for a common issue?"

Faber's hope is that the introduction of BS 31100 will have a wide-reaching effect on how the discipline is regarded, both in the UK and internationally: "BS 31100 will definitely bring together more specialisms in risk management. What you tend to have at the moment is lots of silos or fiefdoms in risk management, from health and safety to information security. It's about time the discipline grew up and we all worked more closely together. Risk management professionals need to provide good, consistent, consolidated information to the board to enable them to make informed decisions: boards cannot make informed decisions if they do not get a consistent view.

"Risk management is ready to enter an aspirational stage," Faber adds. "People in government acknowledge that in some places there is too much regulation and that what is really needed is good self-regulation. There is a role here for BS 31100 and if we can get good take up from within government and the private sector, I think this standard will be a success.

"BSI doesn't want to increase regulation - it wants to increase good practice without diluting what is already out there. The irony is, good risk management enables companies to take far greater risks in a more controlled manner, thus creating greater shareholder value."

In a nutshell: BS 31100

BS 31100, BSI's new code of practice for risk management, began life in 2006. Drafted by a 40-strong technical committee made up of representative bodies from industry, government and academia, the standard went through two public consultations before it was ready for publication. Unlike other standards that concentrate on reducing losses, BS 31100 aims to widen the discipline's appeal by focusing on how it can be employed to help drive profits through responsible risk-taking.

BS 31100 is aimed at all sizes of organization and its language has been especially adapted in order to be understandable to both small organizations and multinationals, and to reduce duplication as much as possible by tying in language and methodologies from existing or future bodies of work, such as ISO 31000. BS 31100 will be published this summer.

For further information about the Standard and BSI, please visit www.bsigroup.com/july08risk.

To download a copy of the BCM whitepaper, please visit www.bsigroup.com/july08BCMwhitepaper.

Tweets by @biz_works