“Corporate risk takers are very much like entrepreneurs. They take personal risks to make new
       ideas happen.”

               (Gifford Pinchot III, management consultant, ’Intrapreneuring’)

       The concise oxford dictionary suggests that risk is, among others, “hazard or the
chance of loss”, “the possibility of bringing about misfortune or loss” or, “a person or
thing considered as a potential hazard”. There are numerous forms of risk, the ultimate,
for human beings, being the risk to life. From the time we are born we run a cauldron of
risks starting with where we are born, the area of the world and the immediate
circumstances of family and the possibility of inherited physical or medical defects.

        Then there is the plethora of childhood diseases, for example, chickenpox,
mumps, measles and rubella for which we can be vaccinated to provide a degree of
protection and other more dangerous viruses. Then there are risks from foodstuffs and
the cleanliness of drinking water and, as we age, we are constantly under attack from
airborne and waterborne diseases, atmospheric pollution through global warming and
other environmental disasters like ozone depletion.

        It is also reasonable to suggest that risk means different things to different people
depending on, for example, their profession, their career, and the areas of a country or
the world in which they live. The initial examples that spring to mind are the ‘El Nino’
effect, earthquakes and typhoons or monsoons and Tsunamis.

        In more recent years, in the UK for example, there has been a regular risk from
flooding in low-lying parts of the country or in housing areas built on flood plains, more
often than not caused by the overuse of solid materials like concrete and tarmac
reducing the watershed and run-off ability of the land, but, government and local council
planners appear to have paid no heed, no one is responsible and there are still, ‘lessons
to be learned’. Other risks have been introduced and exacerbated by man’s abuse and
misuse of chemicals and bacteriological material, in other words, man-made and not
natural disasters, including the results of global and tribal confrontation and war.

         Every facet of life is a risk, items in the workplace such as electrical and
mechanical machinery, and other equipment and structures that can or could present a
risk. In the home there are many objects that we use that present a degree of controlled
risk, mostly electrical and electronic gadgets; when we get into our motor-cars and drive
round the roads and motorways there is a degree of risk not only from our own actions
but also from the actions of others.

        And, people who serve in the Armed Forces, the Fire Service and Police Forces
are in higher risk professions in that what they do is often associated with more than a
degree of threat and danger. In those professions the element of risk is very often
indefinable in that different circumstances and conditions can suddenly arise and that is
why training, re-training and exercising procedures and testing command and control
elements is of paramount importance as part of the process of looking to reduce risk. It is
also why if those organizations are to function effectively and efficiently that they are
provided with the necessary equipment to enable them to undertake ‘risky’ procedures
and ventures. Without the right equipment, the right manpower level and the right
platforms the risk level increases to a point where it becomes unacceptable.
        When we travel by various forms of public transport, land, sea and air, there is an
element of risk and some of that risk cannot be quantified, but it is essential that those
public transport services conduct risk assessments and have procedures in place to deal
with emergencies. And, in the same vein, it is paramount for operators of all forms of
public transport, rail and air, and including airports and runways, stations and supporting
command control areas conduct security checks on all their personnel to ensure that
they are not employing someone with any kind of criminal record or who could pose a
risk to the traveling public. We have to believe and accept that the owners, operators
and managers of those companies have, hopefully, made every effort to reduce the
danger factor and will have put in place contingency plans to cover eventualities
including procedures for their staff to follow because they have a duty of care.

       In fact, it is reasonable to assume that since these companies have to carry
various levels of insurance to cover the possibility of accidents that their insurers also will
have carried out a risk assessment in order to determine the level of the premium to be
paid and how often. However, with each increasing disaster insurance companies and
the insurance business in general make the time to re-write policies and/or increase
premiums to cover the possibility of a similar even occurring.

          For individuals risk is a case of how much they are prepared to gamble with their
life, for example, parachuting, sky-diving, deep-sea diving and pot-holing are sports with
a higher degree of risk than, say, basketball, cricket or football. From that we can concur
that risk is, often, something of an individual nature in that what may be perceived as a
high risk by one person will be looked at as a low risk by someone else. Again, risk may
be based, to a degree, on the level of experience of the individual or the individuals
involved in a given task, a particular operation or exercise or a sporting event, but that is
not to say that the unexpected may arise. But, it is then up to the individual to ensure
that he or she has covered their risk factor through insurance and other procedures.

       So, it is also reasonable to suggest that risk is associated with competitiveness
whether in sport or in business and hence the first quotation from Gifford Pinchot III, but I
am not necessarily convinced that corporate risk takers and entrepreneurs always
gamble with their own resources. Rather they tend to gamble with other people’s
resources and that is why too many take too many risks too often.

        There is, for example, a degree of risk associated with introducing a new make
and shape of motorcar, a new soap, shampoo or washing product, a new type of
material or blend of tea or coffee or a new material. But, again, senior management will,
necessarily, have taken a decision that the level of risk involved is worth the investment
and conducted a risk assessment as to the possibility the product launch will not be
successful. They are, in those instances, gambling with the assets of shareholders, the
jobs and effort of employees and with their own career prospects. Responsibility and
accountability for those at the highest levels in organizations means that success will
lead to acclaim, and failure to ignominy if the results are very bad; therefore, the greater
the level of responsibility the greater the need to conduct risk assessments.

       However, the risks that are referred to on a daily basis are those likely to be
encountered by business, whether directly or indirectly by a company, for which
insurance premiums can be paid to cover losses. But it remains paramount for those
same companies and organizations to ensure they have covered every possible
eventuality to reduce the level of risk and to ensure safety or security.
        Therefore, it is reasonable to define risk assessment as the process of
discussing, determining and defining the possible circumstances, conditions and events
that could adversely affect the day-to-day functioning of an organization; and that the
reason for conducting risk assessments is to define the damage that could result from
those circumstances or conditions and to identify what controls can be put in place in
order to minimize possible potential effects and losses resulting from such events.

        Directors and managers in every type of business, big or small and whether in
banking, manufacturing or the retail sector, have to make daily decisions that carry risk.
If the company employs people in a shipyard or steelyard, an engineering plant, a mine
or even in an office block it should have plans that cover such areas as emergency
evacuation procedures, fire-fighting, dealing with floods, loss of electrical power supplies
and telecommunications connectivity. This is especially important for companies that use
and rely on computers and databases, and few do not these days, so that they can
continue to conduct business if and when they are hit with any kind of disaster.

         Other examples that immediately spring to mind are the risks involved in
acquiring another company, through merger or acquisition, and whether or not there is
synergy between what you do and the expertise of the employees in your company and
in the other and whether operations can be dovetailed successfully. Or, an area of even
greater risk, whether or not you can merge with another company to form a much larger
one with the view to dominate a particular area of business, industry or commerce whilst
making savings in manpower and reducing overheads and costs. Some larger
companies, mainly banks and other financial institutions, which rely very heavily on
computers and databases of information, will, as a matter of course, have full fall-back
facilities located, sensibly, in another area of a city, another town or even another
county; but whether or not they conduct risk assessments on loans appears to be open
to question, rather, some appear to be too lax in conducting risk assessments.

         As every naval and military commander, indeed every naval and military officer,
knows and is trained to understand and appreciate, it does not make strategic sense to
concentrate all your effort and logistic resources in one area; the fundamental reason is
that provides a prospective aggressor with the optimum solution and opportunity to
wreak havoc with your resources. Thus, the availability of higher speed
telecommunications networks and equipment in IT hotels and the ability of more people
to work at home, on a regular if not on a permanent basis, should help reduce the level
of risk to IT systems.

        In fact, there is another area that has achieved a high profile in the list of
responsibilities for which owners of companies and boards of directors are responsible
and that is the introduction of the Data Protection Act (DPA) and protecting the privacy of
sensitive, personnel and personal data. The collection, storage, retrieval and use of
information are, increasingly, the lifeblood of many companies and therefore it is
essential to institute internal measure to protect any and all such information from illegal

        Many organizations suffer from security breaches and company databases are
under regular attack from viruses and other forms of hacking that can cause widespread
disruption. And, such action is not always external. It is possible that employees could
mishandle information or send e-mail to the wrong internal or external address and
disgruntled employees could deliberately release information.
        However, more importantly is to make sure that you have contingency plans for
your employees. There is little or no point in having a back-up computer and
telecommunications network if you have nowhere to put people safely and securely and
that is why the human element, as I say time and time again, is paramount in any risk
assessment and disaster recovery plan. Without your people, your employees and your
suppliers, you cannot operate and control systems and equipment; and neither can you
recover the business.

        Again, if company employees work in various locations or, as already mentioned,
they are allowed to work at home all or some of the time, the overall risk factor is
reduced as are costs. This is sometimes referred to crisis management or contingency
planning and is closely associated with the process of risk assessment in that once you
have determined the level and type of risk you or your company could or might face then
you need to produce contingency plans that address those possibilities. Contingency
plans and programmes form part of the process of crisis management, which is working
to return systems to some semblance of normality.

        The starting point, as in any plan, is to take time and effort to identify any and
every possible risk that the company, and its people, could or might encounter. This is
often best achieved by discussing the subject during departmental or divisional meetings
and it is, or must be, something practiced in all naval and military organizations before
any exercise or operation. It is relatively easy to identify the major risk areas such as fire
and the associated smoke and toxic fumes, flooding and possible flood areas, the loss of
electricity supply, the loss of telecommunication services and therefore loss of
communication with employees, customers and suppliers.

        But, what about a possible threat posed by, for example, former employees or,
more relevant and depending what your organization does and where it is located,
extremist organizations. What contingency plans do you have in place for a rapid, mass
evacuation, how quickly can it be conducted, are there alternate routes and how long
does it take to clear the building to a ‘safer’ area?

        During this pre-planning process it is imperative to determine levels and areas of
responsibility. The main questions are who will be in overall charge, who is responsible
for various aspects of flood evacuation or fire fighting or restoring supplies, what are the
primary and secondary means of communication and who is responsible for taking
external actions to seek help and what they must do.

        The process or involvement not only helps to get people thinking along the right
lines but it sometimes throws up areas of business that might not have been considered
by other managers. This information should be communicated back to those managers
who have overall responsibility for producing risk assessments and disaster recovery
plans. And, once draft plans or programmes have been produced they should be shared
with the same people who contributed, if you do not then they will feel that their input
and their efforts count for nought, and that is not best management practice.

        In the United States for example, and no doubt in many other industrialized
nations, there is a requirement for companies involved in, for example, chemical
industries or hazardous materials to indicate the chemicals and materials on site. Each
company has to comply with rules and guidelines produced by their Environmental
Protection Agency (EPA).
       This includes the requirement to produce a risk management plan that covers
prevention and emergency measures and procedures that will be implemented and
swing into action in the shortest possible timeframe. Further, the US Federal Aviation
Administration (FAA) provides a list of airports that meet their stringent safety
requirements and therefore, presumably, provides information and guidelines on risk
assessment and what is necessary for airport security. Whether or not this happens in
the UK I am not certain but it would be a foolish company that does not conduct a risk
assessment and carry out regular updates to policy, procedures and plans.

        However, the whole process, of producing an effective risk assessment plan,
determining a priority to each area of risk, establishing a disaster recovery team and
areas of responsibility and testing the plan, depends on clear and unambiguous means
and methods of communication. If, at any time, there is doubt over the viability of a
particular area of the plan then it must be thrashed out, in wide consultation, until it is
resolved. And, on completion of the deliberations and production of a guide a plan must
be tested, on a regular basis, to ensure that all employees know how to respond. To re-
iterate then, a risk assessment, evacuation and recovery plan might consider the
following areas in a guide:

       a.       Establish the planning team, determine baselines and nominate
       b.       Define the scope of the risk guide and draft a ‘straw man’ document.
       c.       Define risk as it applies to the company or organization and then consult
       widely to determine areas to be addressed; the wider the consultation group the
       greater the possibility of noting every possibility that may arise.
       d.       Identify and then prioritize the most significant areas of risk as they might
       affect the company and its employees.
       e.       Identify fallback facilities including buildings, power supplies, emergency
       diesel generators, computers, and telecommunication and radio communications
       networks. This includes telephone, facsimile and electronic mail (e-mail)
       addresses of senior management and those likely to be involved in early
       f.       Assess the impact that each possible area of risk might have on the
       company and its employees.
       g.       Assess the capital expenditure required to cover the risks and fallback
       facilities necessary to cover eventualities and to provide checks and balances
       h.       Define how security measures can reduce the possibility of risk.
       i.       Pull together a team to draft the basic documents.
       j.       Initial dry testing of plan to cover eventualities or areas that might not
       have been addressed, e.g. areas of blind radio communication.
       k.       On completion of dry runs ensure that all problem areas are addressed.
       l.       Define how disruption can be minimized and safety of personnel ensured.
       m.       Identify resources needed to handle problem areas.
       n.       Issue guides to areas of business and conduct awareness-training
       o.       Issue general information so that staff know how to re-act or respond to a
       developing or a develop situation that requires response.
       p.       You will not know everything so; seek advice and guidance from any
       appropriate or relevant organization.
        There are, probably, many other areas that will need to be addressed. They
might include such matters as a more exact location of the company; the type of
materials or products being manufactured or stored and the size and structure of the
building or buildings in a complex or industrial park area. In addition, information on the
number of personnel employed in the organization, the proximity and availability of
emergency services and support and how immediate damage and losses can be
minimized must also be addressed. To do this successfully and to maintain data and
records it is important that the right administrative structure is in place with experienced
managers, and leaders, in operations, marketing, personnel functions, finance, logistics
and purchasing and facilities management. Without the right administrative support plans
cannot be produced and maintained.

        It is not impossible but it is expensive and time consuming to cover every
possible risk that may arise within any company or any organization and more especially
with IT systems, but, it is even costlier not to conduct full risk assessments; and, since
companies increasingly rely on such systems to conduct business it is imperative that
this area is given the priority it needs and not delegated and relegated to the information
technology department. Rather, the information contained in many company databases
is what keep organizations ticking over and that is why it is important that this area forms
part of corporate strategy and plans.

        Again, in an expanding global economy risk is increasing not just because of
further and much cheaper competition from developing nations but because of the need
to make the best possible use of, in some cases, dwindling natural mineral resources,
such as oil and gas, and includes, in some areas, trained and available manpower. As
President John F Kennedy suggested,

       “There are risks and costs to a programme of action. But they are far less than the long-range risks
       and costs of comfortable inaction.”

                (John F Kennedy (1917 – 1963). 35th President of the United States of America)

        And, as I mentioned on another article on Compliance and Corporate Risk there
are even bigger risks for multi-national companies looking to expand into other areas of
the globe. Companies need to be made aware of such major risk areas as political and
economic stability, there is little point putting resources into a country that might default
on repayments of where the currency is not worth the paper it is printed on. Under those
conditions risk guarantees from worldwide banking institutions would be essential before
individuals and individual banks proceed with investments and paramount before making
large loans to individuals, companies and organizations in developing countries.

       Such information on political risk is the responsibility of individual companies,
however, it would be helpful if there was a data base of global information provided by
professional management and directors institutions like the Confederation of British
Industry (CBI), the Institute of Directors (IOD), the British Chamber of Commerce (BCC)
and perhaps other professional bodies, for example, the Institution of Electrical
Engineers (IEE) or Institution of Mechanical Engineers (IMechE) and of course
appropriate government departments such as the Department of Trade and Industry
(DTI), the Department for Environment, Food and Rural Affairs (DEFRA), the
Department for International Development (DfID), the Home Office and the Foreign and
Commonwealth Office (FCO).
       All these government departments have a duty of care to be in a position to
provide information that is relevant to, for example, operating in a foreign country,
employing foreign nations, local cultural differences and possible risk areas within other
country’s border.

        Other areas that should be assessed are social conditions, working conditions
and local environmental issues such as access to fundamental needs such as water,
food, transport and stability energy supplies for locally employed personnel and the
likelihood of industrial unrest leading to strikes. It does not pay to be complacent.

        Of course there is an additional risk from the bad publicity likely to emanate from
investigative reporting when the jobs of workers, especially in developed countries, are
exported to developing countries where wages and conditions are that much cheaper
and worse there are no safeguards in local conditions. More than one international
company has had to re-visit terms and conditions because of investigative reporting. In
addition the general state of the air, road and rail infrastructure and radio and
telecommunication networks should be addressed so that goods can be shipped in and
out and guidance or instructions sent to managers in detached locations.

        There is a danger, a very real danger, from being complacent and ignoring the
fact that there are possible risks in every walk of life and that governments, companies
and organizations must make every effort to conduct risk assessments to ensure they
are doing everything possible to reduce the threat and the possible consequences. As
General George S Patton suggested,

       “Take calculated risks. That is quite different from being rash.”

       (General George S Patton (1885 – 1945), US Army General in World War II)

       However, once any plan or guide is produced it must be visited on a regular basis
and refined and updated as necessary from the result of tests or exercises. And,
because nowadays, personnel change jobs and responsibilities on a regular basis it is
important that those with particular areas of responsibility, including alternate designated
teams, are aware of what is required of them. Without dedicated personnel and
resources and a commitment from the most senior management to provide any and all
appropriate equipment there is little point conducting a risk assessment and producing a
disaster recovery plan.

(3830 including quotations)


September 2001

To top