Paul Hopkin Interview: Fundamentals of Risk Management
The third edition of Paul Hopkin's classic book, Fundamentals of Risk Management, focuses on business and commercial risks and how we evaluate them. Here, he explains changes and developments in the field of risk management.
Q. What would you say are the main revisions and changes between this edition of Fundamentals of Risk Management and the previous edition?
A. There is a wider range of case studies in the third edition, including a greater number of international case studies. The chapter on risk appetite has been substantially revised and updated and chapters concerned with the relationship between the success of the organisation and risk management are greatly enhanced. There is consideration of the importance of risk management and the business model, as well as the importance of reputation and the increasing importance of resilience.
Q. What skills and qualities does a successful risk manager need?
A. Successful risk managers require technical knowledge and business knowledge. People skills are essential in order to apply the risk management and business knowledge, so that the risk manager becomes competent to support the increased success of the organisation. People skills (often referred to as soft skills) are described as communication, relationship, analytical and management skills.
Q. There are many definitions of risk. Which one do you find most effective?
A. Risk is an event that can impact the success of the organisation by impacting on the resources, the existing business model, or the successful implementation of revisions to the business model to ensure continued success. Organisations have a choice of how they commence the risk assessment process. Analysis of objectives, stakeholder expectations and key dependencies will all lead to the successful identification of significant risks. The correct definition of risk is the one that supports risk management in the organisation.
Q. In the new edition, there is a chapter devoted to risk appetite and risk attitude. How would you define these concepts, and how do they relate to each other?
A. Risk attitude represents the long term approach of the organisation to risk taking and is similar to the attitude that a person has to food. Risk appetite is a narrower concept and relates to the willingness of an organisation to take risk at any particular time. This is similar to the appetite that a person may have for food at any particular time. It is important that an organisation has an overall attitude to risk. An organisation should also confirm how risk appetite decisions will be taken.
Q. What are the biggest challenges that managers face in implementing and embedding successful ERM programmes?
A. The person leading the risk initiative needs to ensure that the reasons for undertaking the initiative are clearly understood. These reasons include: (1) mandatory requirements; (2) the need for the board to have assurance regarding risk management; (3) additional risk management information will ensure better decision-making; and finally (4) enhanced risk management will improve the efficiency and effectiveness of strategy, tactics, operations and compliance activities within the organisation.
Q. What do you think are the main difficulties in measuring operational risk?
A. The difficulties in measuring operational risk arise from uncertainties regarding the frequency and magnitude of operational disruption. The risk manager needs to facilitate the identification, analysis (magnitude and frequency) and evaluation of operational disruption and the assessment of existing controls.
Q. How does a company’s risk management strategy contribute to a resilient business model for that company?
A. It is important that organisations anticipate and plan for changes in their business environment, as well as being able to cope with disruptive events when they occur. A successful risk management strategy will improve organisational resilience by ensuring that it is both risk compliant and risk responsive. The scope of the risk management strategy for a resilient organisation will include actions related to “prevent, protect and prepare” for events, as well as actions to “respond, recover and review” when events occur.
Q. What company case studies have you found useful in developing and structuring this new edition? (Name one or two case studies and explain what managers can learn from them).
A. Significant information on risk management is contained in the annual report and accounts of publicly listed companies. The third edition has drawn widely on international case studies to extract descriptions of good risk management practice. For example, the risk assessment and management approach of Australian Mines Limited is described, together with the risk management process in the South African hotel company TSOGO SUN. Further examples of good practice include the statement on market risks by the Walt Disney Company, sustainability and responsibility within the Canadian coffee shop chain Tim Hortons and the governance report of the John Lewis Partnership UK.
Q. How do you feel risk management should be reported most effectively?
A. Reporting on risk management includes internal risk reports for the risk committee, board and audit committee, as appropriate. External reports on risk performance are also important. The fundamental purpose of risk reporting is to provide sufficient information for the recipient to decide whether the level of risk management is acceptable to them as shareholders, members of the board, or whatever other stakeholder capacity applies.
Q. Do you see reputation management as separate from risk management, or should both be factored into a business model?
A. It is often said that the reputation of an organisation is its most important asset. Therefore, reputation risk management is a key component of the protection of resources and assets. Most business models recognise that reputation is an important part of successfully recruiting and retaining customers. The risks to reputation include those associated with the quality of the offering (products and services) provided to customers. Therefore, reputation is at the heart of successful risk management.
Q. What is an ‘embedded risk,’ and can companies develop any sort of meaningful contingency plan to deal with them?
A. Many organisations face risks related to the sector and/or activities they undertake. Embedded risks are those risks over which an individual organisation has little or no control. For example, a company that earns significant income in another currency will face foreign exchange rate fluctuations. The organisation needs to plan for when embedded risks actually materialise. It is not acceptable to have no plans in place to respond to embedded risks.
Q. What trends and issues do you see affecting risk managers in the future?
A. Developing trends relate to emerging risks, reputational risk management, risks to the business model and the need for resilience. It is vital that risk managers contribute to the business success of their organisation. The risk manager should constantly ask the question “what are the opportunities, threats and weaknesses in our business model and how can these be managed?” The risk manager can also ask what enhancements are required to the business model and support the development of appropriate strategy to overcome the threats and weaknesses and embrace the business opportunities.