Awareness is your security blanket

CIMA and Airmic have created a risk-identification framework that can help executives find peace in preparation and knowledge.

Organisations can find all sorts of ways to trip themselves up. A recent CGMA survey of 1,300 executives across the world found that 60% agreed that they faced a wide array of increasing and complex risk issues.

Quite understandably, there is a desire to comprehend what goes wrong and, perhaps more importantly, what needs to be done to put things right. During the past 20 years or so, policymakers have responded on many levels with legislation, such as the Sarbanes-Oxley Act in the US, the introduction of corporate governance codes in many countries across the world, and the development of risk-management frameworks such as the one created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

More recently, particular attention is being paid to corporate culture. In the UK, the Financial Reporting Council, which oversees the corporate governance regime, is leading a project to provide guidance to boards on setting and embedding the right culture. Its existing guidance on risk and internal control, published in September 2014, emphasises the importance of setting the right risk culture in part by ensuring that performance incentives do not trigger excessive risk-taking.

While culture is important, it seems that failure to understand how the different parts of the business come together to create value in the context of the external environment — the business model, in other words — is also a factor.

In their Roads to Ruin report, researchers from Cass Business School investigated 18 high-profile cases of major risk events and identified seven key issues that were described as dangerous underlying risks. These included inadequate leadership on ethos and culture, but also blindness to inherent risks, such as risks to the business model or reputation. (Also see “Resilience Through Rapid Response,” CGMA Magazine, Issue 2, 2014, page 16.)

Boards appear to lack the right tools and information to enable them to have an effective risk conversation that focuses on building resilience and protecting reputation. A McKinsey survey revealed that directors “struggle to understand and make time to manage business risks — one of several areas where directors indicate room for further improvement.”

What is needed, therefore, is a practical framework to help boards engage more effectively with the key risks to their business.

The basic idea is to paint a far more coherent picture of the organisation’s risk universe. The two core building blocks underpinning the framework are the business model and the risk-management process.

The business model is defined in the International Integrated Reporting Framework as the organisation’s “system of transforming inputs, through its business activities, into outputs and outcomes that aims to fulfil the organisation’s strategic purposes and create value over the short, medium, and long term.”

A thorough understanding of the business model within the context of the external environment provides a sound basis for identifying risks and opportunities.

The inputs and outputs of the business model are expressed in terms of the “six capitals” — the organisation’s key resources and relationships: financial, manufactured, intellectual, human, natural, and social and relationship. This ensures a broad, integrated view of value creation, which takes intangibles as well as externalities into consideration. A chart of the business model showing the value-creation process in the context of the external environment is available here.

Setting the risk context

The business model needs to be applied to a robust risk-management process. This is illustrated in Figures 1 and 2, which show an iterative cycle of setting the context against which risks can be assessed, treated, and subsequently monitored and reported on.

Figure 1: The risk context

Figure 2: The risk-management process — including the risk context

Risk assessment

An essential element of the risk-management process is risk assessment. Typically, a risk register or inventory is developed, identifying a series of possible risk events. The benefit of using the business model as the basis for risk identification is to ensure that risks are viewed in an integrated way over the short, medium, and long term.

This should help the board better understand cause and effect, giving it greater assurance that it has line of sight over all the principal risks. Understanding the quality of key inputs, such as people or relationships, may help the board assess whether the organisation is setting up potential problems for the future, such as poor customer/patient care or industrial accidents. An events-based risk register or inventory might not pick up such broad-based risks that may play out over the longer term.

A more systematic approach is to use the four components of the business model (inputs, business activities, outputs, and outcomes) as a basis for identifying risks within the context of the external environment, as shown in Figure 3.

Figure 3: Managing risk through the business model

This process of identification creates the basis for an integrated risk analysis and evaluation, which informs how the risks need to be managed.

Figure 3 shows that risks need to be identified for each component of the value-creation process. For example, in relation to inputs, each of the six capitals needs to be considered in terms of cost, availability, and quality. The outcome of this process is a systematic identification of all the risks related to inputs, business activities, outputs, and outcomes. Figure 3 shows the key considerations relating to each category.

These key considerations can then be integrated and analysed to create a principal risk narrative. For example, an organisation may identify a risk that it is not able to access talent in sufficient numbers with the required skills to deliver its services effectively (a risk to an input). It can track this risk through the business model by connecting it to the risk of process failure (risk to business activity), resulting in poor service delivery (risk to output) and, ultimately, damaged reputation (risk to outcome).

This process should also flush out risks that have been missed. It enables risks arising from the different capitals to be integrated. For example, poorly trained people combined with inadequate equipment may result in poor customer experience and, at worst, a serious accident.

This process of integration enables a richer risk assessment by:

  • Identifying recurring or particularly strong risk themes, such as safety.
  • Developing a more comprehensive understanding of causes, effects, and consequences, leading to more complete risk responses. For instance, an organisation may address the risks of poor service delivery by investing in staff training, which may prevent short-term problems. However, in the longer term, it may be necessary to address the talent issue at a deeper level by collaborating with education providers, automating processes, and/or outsourcing some activities.

Based on this risk analysis, therefore, the organisation can determine appropriate risk responses over different timescales and at three levels: strategic, tactical, and operational.

Some risks will be relatively simple, demanding a relatively straightforward operational response. Others, such as the example above of poorly trained people combined with inadequate equipment, will benefit from being viewed through the lenses of the different capitals across all components of the business model to generate appropriate risk responses at the strategic, tactical, and operational levels.

Gillian Lees is head of research and development at CIMA, where she develops thought leadership on governance and risk. She also teaches risk management at the London School of Economics.

The board risk conversation

Based on the risk-management process, management should be able to determine what risk information is material for the board report as follows:

The risk-management process, including the risk context.

Conversation points:

  • Setting the context and tone from the top.
  • Is the risk-management process effective?
  • Are we picking up all the principal risks?

Report on the recurring and dominant risk themes, e.g., safety.

Conversation points:

  • Would we expect these to be dominant themes for our business?
  • Are there other dominant themes we should reasonably expect to see? What are we missing?
  • Are the risk responses consistent with our risk appetite and risk culture?
  • Is our risk culture giving rise to these risks? Are we getting people to do the right thing?

Report on key business model risks.

Each headline risk would be supported by a strong narrative, which explains detailed causes and consequences, integrating all aspects of the business model and indicating a range of risk responses at the strategic, tactical, and operational levels. These risks would form the main part of the board risk conversation and would need in-depth discussion, relating the risks to risk culture and appetite as well as changes in the external environment.

Conversation points:

  • In view of these risks, is our business model fundamentally sustainable?
  • Are we comfortable that we are not risking catastrophic loss?
  • What metrics do we need to monitor these risks?
  • Are these risks and proposed responses consistent with our risk appetite and culture?
  • Is our business model giving rise to additional risks? Are we encouraging the right behaviours?

What the board receives is integrated and focused risk information that is underpinned by the logic of its business model, which should help it spend its time on the risks that have the greatest potential for damage. By using the business model as the basis for the risk-identification process, boards also avoid the trap of focusing only on strategic risks and missing operational disasters that cause reputational damage. As we saw above, risks identified through the business model should be considered on every level — strategic, operational, and tactical.

About the framework and a call for feedback

The Chartered Institute of Management Accountants (CIMA) has been working with the UK-based risk-management association Airmic to develop the framework described in this article.

The project builds on Airmic’s sponsorship of two seminal reports, Roads to Ruin and the follow-up report Roads to Resilience, with its eight cases of risk-management successes.

CIMA is refining its initial thinking to develop a practical framework. The organisation is seeking input on what readers think is the most useful way of looking at a business to identify risk. Send feedback to Gillian Lees at