Enterprise Risk Management

by Mark Rowe

Author: Philip EJ Green et al

ISBN No: 9780128006337

Review date: 23/04/2024

No of pages: 260

Publisher: Butterworth-Heinemann

Publisher URL: store.elsevier.com/product.jsp?isbn=9780128006337

Year of publication: 30/11/2015

Brief: Enterprise Risk Management

Price: £26.34

Around the millennium Professional Security interviewed someone who said that one day we would all be risk managers. It isn’t turning out quite like that, and the banking crisis suggested that in banks at least if there were risk managers, other more senior managers were not paying heed. All that said, risk is part of business and general management language. Police now routinely talk of responding according to risk, threat and harm. What then is risk, and what (if anything) do you do about it?

Enterprise Risk Management: A Common Framework for the Entire Organization, by Philip EJ Green et al, is a book by several, mainly North American, authors that comprehensively covers the subject of enterprise risk management; and, as the sub-title suggests, it argues that risk is a way you can look at the world: assess risks (how serious and how likely are they?), mitigate them, and monitor them, because risks change as life does.

The authors show that risk management is about responding to what’s real, including the unexpected, rather than what we assume. Democracy is good, or at least better than a dictatorship? Not if you’re a mining company that did a deal with the military in an African country for mining rights, and the new, more democratic regime that overthrew the generals wants to tear up the contract and make a new deal. To return to the banking crisis, a chapter on ‘risk culture’ points to how companies’ culture of short-term profit had a part to play in the crisis; in other words, the culture of an organisation, and the ethics of its employees, matter. The typical response has been to appoint a chief risk officer. Yet as the chapter shows, the way that risk-taking is rewarded may itself create risks. Managing culture is not easy; it takes training, gathering of information, and communication. Other chapters cover particular sorts of risk: financial, insurance, supply chain, brand and cyber. Most intriguing and relevant for the security manager may be the chapter on ‘human capital risk: the threat from inside’, whether fraud, wrong-doing by infiltrators (seeking to do espionage or sabotage, for instance) or violence. The chapter takes us briefly through each sort of crime, for instance taking in the ‘fraud triangle’ (of motive, opportunity and rationalisation of the crime) before going on to how you might control those risks: through physical security, screening of job-seekers and contractors, or ‘management of the employee life cycle’ so that disgruntled leavers don’t do mischief or turn violent. The chapter points to how corporate security has to make alliances with other departments, such as HR and legal, towards ‘an integrated approach’ to managing those ‘human capital risks’. That will only minimise the risks; and other authors point out that you cannot eliminate risk, or its consequences.

In that case, if we have to accept that bad things will happen (malicious insiders, hacktivists defacing the website, a civil war or extreme weather making operations in a country impossible and forcing evacuation of staff), we may choose what one chapter calls ‘operational risk resilience’: being risk-aware, preparing for those risks, and learning from them. As that chapter admits, the sheer number of risks can make it daunting to understand every risk and prioritise. But if business opportunity lies in taking risks – whether seeking a market in an unstable country, or embracing an untried technology or supply chain – organisations ‘must be able to adapt to the prospect of continual changes in their risk profile’, meet the new, and seek to learn from their experiences. Risk, in a word, is dynamic.

What this and any treatment of risk runs the risk of (pardon the pun) is overlooking the human factor. People cut corners to make money and gain their bonus, at the cost of the long-term stability of their company; if managing a project, they hide being late or over budget (which can lead to accounting fraud or outright fraud); or one error leads to another, which in a crisis such as a fire or accident can cause an avoidable catastrophe. The opening of the book wrestles with quantifying probability – rightly so, as evaluating the probability of an uncertain outcome is crucial. If you think a robbery is unlikely on your business estate or in your office, you’ll leave your back door or desk unlocked. But being human, or not having all the data, we can be led into error. This book is a welcome, absorbing and full way of thinking through the issues.

© 2024 Professional Security Magazine. All rights reserved.