- Security TWENTY
- Women in Security
Author Paul Hopkin
ISBN No 9780749483074
Review date 19/05/2019
No of pages 480
Publisher Kogan Page
Publisher URL https://www.koganpage.com/product/fundamentals-of-risk-management-9780749483074
Year of publication 24/07/2018
A book that has reached its fifth edition must have something going for it, and so Fundamentals of Risk has; but then so too has the subject of risk management. Whether your work is in the public, private or 'third', charity sector, you avoid treating risk at your peril; or more likely, you are carrying out risk management like crossing the road (an early example in the book), doing it automatically without appreciating it.
The author does have a background in risk and has put in the time at UK industry bodies namely the Association of Insurance and Risk Managers (Airmic) for the public sector; and the Institute of Risk Management (IRM).
Sensibly, the book starts with the basics, a definition of the subject ('an unplanned event with unexpected consequences') and ways of going about managing risk; its scope, and what you aim to get out of doing it. Paul Hopkin suggests there are four types - opportunity (new cheaper or more powerful software; or a new market in a new country, but is it war-torn or with too much civil unrest for operations to be safe?), uncertainty (staying with that example, even if a new market appears safe for doing business in, what if there's a coup or the cost of cooking oil rises and leads to urban rioting? what if the electricity or some other supply conks out), hazard (still staying with the example, what if civil society remains manageable enough, but there's a flood, tornado or earthquake, or the locals come under the fence and steal) and compliance (you ride out all the metaphorical or literal storms, but while doing so your staff in that country are giving and taking bribes).
It's a considerable subject, and sensibly the author includes some steps back so to speak to tell you what your 'learning outcomes' can be (in other words, each chapter in brief), and offers websites if you want to find out more; and some case studies, from the public and private sectors in the UK and beyond. Those case studies do show how more or less any organisation can and should do risk management, whether a council, a land agent, or guide dog provider (and if you wonder what can be the risks to any of those, there comes a point when you are just going to have to buy the book).
Once you're well into the book, the author takes you through the process - of assessing risk, classifying risks, evaluating and analysing (because, to repeat, it's a process you should never end, as things can change). Hopkin offers the four Ts of hazard response - tolerate, treat, transfer and terminate. To stay with that example of doing business in a formerly war-torn country now a new market; if the rewards are great, such as a fairly untapped diamonds or other mining seam, do you roll up your sleeves and get on with it, even if the risks are extreme; do you pay attention to business continuity (worker medical safety and security in case of a terrorist attack); do you pay for insurance; or do you decide it's too risky and pull out.
Hopkin goes on to show how risk management applies to so many arms of an organisation - such as corporate social responsibility (are you doing good in that war-torn country, or part of the problem?), supply chain (is it using slave or coerced labour for 'security' or other workers?) and reputation management. Putting that another way, the book goes on to 'risk culture', which suggests how risk and its control can permeate an organisation. What's your appetite for risk. If you're Network Rail (to name one of the case studies), presumably you have little or no risk appetite, in case a train crashes. But, you cannot be so cautious that trains go at one mile an hour. As the book shows, all this requires training, division of responsibility (who 'owns' risks? a risk manager or committee, or an audit committee?), communications of those risks (as it's no good having a line to that mine in the war-torn country if it's easily cut, or if the regime stops the mobile network if opponents look like they're bringing out masses onto the streets; what are your contingencies?). Do you have an intranet, and a 'shared risk vocabulary' so that specialists and non-specialists are talking about the same things, and understand and rank threats the same?
Risk management need not be long-winded or complicated; as we all keep crossing the road. You can express it in terms of likelihood and magnitude (or impact), and concentrate on what's high-likelihood and high-magnitude; and safely ignore or leave until last the low-likelihood and low-magnitude risks. Whether you then keep a matrix, in terms of traffic lights (red-amber-green, for high-medium-low) or in terms of numbers, you act on the risks that are immediate and important. And here you see how relevant risk management can be, provided you assess what matters to your workplace or organisation; fire matters if you're in a warehouse of things that easily catch fire, and not flood if you're on a hilltop). As the book shows, risk management is not about stopping anyone from doing something, but on the contrary knowing itself, its appetite and what opportunities are out there, so that it can take risks.