6. Decide which of the following statements are right and which are wrong. Give the correct variants.

1. The corporate website should be like a daily magazine with serious headlines that people are interested to read.

2. The first rule for raising risk awareness in a company is to explain the risks involved.

3. It is particularly important for all members of staff to wreak havoc.

4. The particular problems surrounding fraud in a company call for a bigger cross-industry and government effort.

5. Companies also need to set up mechanisms for reporting risks.

6. Senior management should lead only by exhortatory emails.

7. There is no point starting something up and leaving it up on the corporate website until it gathers the internet equivalent of an inch of dust.

8. The corporate website needs to be changed regularly and made relevant to things that are happening in the company and outside the world.

7. Make up your own sentences using the words and word combinations given below.

To minimise risk, to assess future hazards, to have access to, to raise risk awareness in a company, to change passwords regularly, to go bust, to adopt a holistic approach, to assess company’s risk, to circulate issues, to keep a high level of awareness, to create an anti-fraud culture, to behave with honest and integrity, to get the message through, to get concerns through management chain, to wreak havoc, to ruin reputation, to damage property, to give information out, to be off guard, to let something slip, to preach a series of diktats to workers, to be pretty lousy at risk management, to mitigate the risk, to have skeletal plans, exhortatory emails, to commit a fraud, to report risks.

8. Look through recent newspapers and magazines for stories about lawsuits against firms. Prepare a report. How much was the award? What was the issue? Are the damages awarded too little, too much, or about right?

9. Debate the following statement: “Businesses are responsible for the products they make and should be liable for any and all injuries sustained by customers using them”.

10. In pairs make up a dialogue between a risk manager in a major corporation and a journalist. Talk about what he or she does and what the challenges are.

FINANCIAL TIMES OCTOBER 27 2004

Wanted: less bang for your buck

Lindsey Partos explains why spending on self-protection tends to escalate

Real costs can hurt, but costs that might never deliver results, and never be justified, must count as every budget manager’s nightmare.

Yet the reality is that risk management need not be an endless extra cost for large companies, nor even a simple price of doing, and staying, in business.

Risk management costs at their most productive can open the door to slimmer, smarter ways of doing business. But it is a target that starts with a redefinition of where risk management begins and ends.

The first and oldest cost of risk management lay with insurance – passing the risk on to others. But as a separation of responsibility from consequence, insurance has come under increasing pressure in dealing with the rise of the global corporation and the vulnerabilities set up by global trading.

The rise of the derivatives markets has since increased the scope for transferring risk to others. But neither insurance nor hedging yet provides solutions to the growing risks borne of being a large business: and it is here, with internal risk management, that costs continue to gallop.

With an increase in size comes a more complex organisation that has a tougher time defining the risks, says Andrew Field, a senior risk management advisor at KPMG.

A small company led by a focused management with clear goals, strong communication skills and an ear to the ground is already minimising risk through daily practice.

But in larger businesses, senior managers operate further away from the ground, creating an absolute need for thorough communication. Any failure in that communication exposes the firm to added risk. And this is only exacerbated by top-heavy hierarchies, where avenues that permit the questioning of strategic decisions, or the passing up of worrying details, may be closed. Such systemic failure by businesses to spot the warning signs or the weakest link can add up to enormous aggregate and even social costs.

On a global basis, consultants Deloitte Touche put the cost to companies last year of hackers at $12.5bn. Meanwhile, according to the Centers for Disease Control and Prevention in the US food-borne illness – the manifestation of an ill-managed risk – annually costs the country $7.7bn.

For individual companies, such costs can act as a permanent sinker: which pushes them to the first cost-benefit equation of risk management.

Many crises are simply worth averting, and thus the spending begins.

“In a major bank you may have about 15 staff dedicated totally to risk management and supported by clerical workers, IT systems, credit risks, market risks. Coming up with a cost figure will depend on the company, the salaries paid, the IT expenditure et al. A large bank might spend $2m to $3m on just purchasing the IT system and easily $5m to $10m on risk management systems,” says Glyn Holden, a US risk management consultant in the capital, commodity, and energy markets.

For the Danish food ingredients company, Danisco, the risk management cost of being large costs millions of Danish kroner a year.

“Information sharing is one of the most important issues today for us,” says Henrik Jansdorf, senior vice president for global operations. Danisco’s global IT network keeps information flowing between employees day and night, feeding constant investment in guidelines, monitoring, enhancing control, registration, traceability tests, and production chain and access controls, he says.

This emphasis on information flows is reflected across the risk management business.

GeoDelft, the environmental risk management consultancy, estimates that 90 to 95 per cent of risk management costs are attached to data procurement and reporting. Yet the value of risk management will be dictated by the cheapest part at the beginning, the QRA, or Quantified Risk Assessment.

“A contract with GeoDelft will cost a firm seeking to identify and manage risk anywhere from £1,000 to £3,500,000, depending on the size and complexity of the issues,” says the firm. But it is this initial contract that will often drive the spending decisions from there on.

A host of risk assessment tools will identify the risks, with many businesses then essentially applying cost-benefit analyses to the results. With numerical values assigned to the risk and reward factors in a project, risk is then subtracted from reward to produce the final tally.

“Cost plays a role in determining the extent and quality of the remedial action that is elected for, with risk management helping to prioritise and therefore control such costs”, says GeoDelft. But along the way, “remote risks are identified and removed from any action plan that may involve cost”.

Most risk assessment procedures are often tiered to filter out remote risks and devised to provide cut off points that remove the need to spend money on remedial actions.

“If a risk becomes too expensive to guard against, then alternative risk removal solutions, rather than prevention options, are devised,” says GeoDelft.

And it is risk removal that is now becoming the holy grail – the restructuring of contracts and supply arrangements, the dotted i’s and crossed t’s that allow for just-in-time delivery, empty warehouses and the taking of greater risks than were previously possible.

With the confidence in a back-up, the entire business model can be revised to embrace what would have been untenable risks.

Indeed, the back-up itself can become an all-embracing piece of risk management, where one cost fits all.

As Rudolph Giuliani bears witness, writing for the Economist Intelligence Unit: “As mayor of New York, I remember thinking that the hundreds of millions of dol­lars we spent preparing for Y2K might have been wasted”.

“On the morning of 11 September, I realised that it wasn't. We had the backups that allowed us to get a new command centre partly operational within two hours.”

Cost is not a cost if it saves greater costs, and with every step forward, compa­nies embrace new risks, which can only be man­aged ... or not managed.

For Andrew Field at KPMG the equation is simple: “Today companies invest heavily in risk management but they need to invest more.”