Historically, security management in hotels could be characterized as fragmented, uncoordinated and reactive. It was certainly not seen as central to the success of the business. Given the largely static security environment of hotels in the past, this approach was, however, probably effective enough in mitigating the security risks that confronted international hotel brands. As hotels themselves shifted from being largely individually owned to the international brands that currently populate business travellers’ lodging options, sets of brand standards emerged that attempted to guarantee a consistently good hotel experience for frequent travellers across the brand. In most cases, however, the move to brand consistency had little impact on security management, which had tended to become somewhat detached from developments elsewhere in the hotel sector and had become something of an organizational anachronism (even if still reasonably effective in responding to routine security issues). At the same time, the risk environment in which hotels operated was changing. Developments in the political, economic, social, technological and legal spheres were presenting new challenges as well as opportunities for hotel security risk management. The most salient element of this shift was the emergence of international terrorism, and this was made abundantly clear when al Qaeda in Iraq carried out simultaneous suicide attacks against three international hotels in Amman in November 2005. This was not, however, the only element in the security spectrum that had changed. The end of the Cold War had shifted the global security paradigm in other areas that now affected hotel risk management, such as identity theft and money laundering. National catastrophes such as the Asian tsunami and Hurricane Katrina in recent years also challenged the security departments of international hotel brands to prepare and respond to significantly higher-impact events. Similarly, security (and risk) departments became the first port of call for senior hotel management when faced with events such as the conflict in Lebanon in 2006 and 2007 and newly emerging threats such as cyber-crime. It became clear to IHG during this period that the traditional, fragmented and reactive approach to hotel security was not able to provide the desired level of sophisticated protection against a rapidly more complex and ambiguous threat environment; nor was it well placed to meet the increasing expectations placed on hotels to prevent, prepare for, respond to and recover from major risk incidents. IHG therefore carried out a far-reaching analysis of its existing security capacity set primarily against the benchmark of the international terrorist threat and developed a strategy of threat-based security risk management. The consequences of this study were to have a profound effect on the company’s perception of both the security risks and the consequent mitigation strategy.
Wednesday, November 11, 2009
Tuesday, November 3, 2009
The language of law
The law uses language similar to the language of risk management, but that language is interpreted in a different way. Understanding this difference is a key to unlocking controls that may reduce your residual risk. If you have ever picked up a legal textbook, talked to lawyers or been in court, you will have encountered language on the issue of risk that sounds vaguely familiar. There is an entire body of law, called ‘tort’, which sets out how much risk is acceptable and when you will be held liable if a risk materializes and causes damage to others. Tort law lays down that, in certain circumstances, you are deemed to owe a ‘duty of care’ to others. An employer’s duty to employees is an example. How much care you have to exercise is determined by an objective ‘standard of care’. If the standard of care you exercise is lower than a court would expect, and this contributes to someone sustaining a loss, then a court will hold you liable to pay compensation for the damage caused. Compensation for personal injury is the classic example.
In order to determine the standard of care, courts are meant to look at the ‘magnitude of the risk’. The greater the risk the greater the standard of care will be. An example will help you to understand this. Take a zoo. The standard of care required to guard against visitors being injured by animals will vary according to the threat posed by a given animal. If a visitor is attacked by a lion, serious injury or death is the likely result. On the other hand, an attack by a penguin is likely to result in the victim being more embarrassed than anything else. So the law requires that a higher standard of care be applied to lions than to penguins. So, if you think about it, this idea of setting a standard of care on the basis of the magnitude of the risk looks like part of an RM process, of establishing the ‘probability of an occurrence and possible consequences’. In setting this standard of care, the law takes into consideration the ‘costs of preventative measures’ and the ‘social value’ of the activity being engaged upon. Again, this is language on which you can place a meaning, as its sounds pretty much like ‘cost–benefit analysis’ and ‘defining your context’ or ‘setting strategic objectives’ in an RM process. [.............]
In order to determine the standard of care, courts are meant to look at the ‘magnitude of the risk’. The greater the risk the greater the standard of care will be. An example will help you to understand this. Take a zoo. The standard of care required to guard against visitors being injured by animals will vary according to the threat posed by a given animal. If a visitor is attacked by a lion, serious injury or death is the likely result. On the other hand, an attack by a penguin is likely to result in the victim being more embarrassed than anything else. So the law requires that a higher standard of care be applied to lions than to penguins. So, if you think about it, this idea of setting a standard of care on the basis of the magnitude of the risk looks like part of an RM process, of establishing the ‘probability of an occurrence and possible consequences’. In setting this standard of care, the law takes into consideration the ‘costs of preventative measures’ and the ‘social value’ of the activity being engaged upon. Again, this is language on which you can place a meaning, as its sounds pretty much like ‘cost–benefit analysis’ and ‘defining your context’ or ‘setting strategic objectives’ in an RM process. [.............]
Secrets of success
The secrets of success that emerged from the research we conducted are strongly reinforced by our experience in helping organizations of different types and sizes around the world manage risk successfully. They can be summarized as follows:
- Before you start, gain top management commitment.
- Get the organizational arrangements right.
- Have a strong, personable programme manager who has the drive, skill andexperience to deal with business, people, and technical issues as well as to drivea company-wide programme.
- Base your approach on a crystal-clear definition of risk that addresses what needs to be protected and both the magnitude and the probability of harm.
- Measure the five determinants or indicators of risk that your insurancecompany considers when assessing the risk posed by drivers (criticality or valueat risk; status of controls; special circumstances, eg complexity or scale; experienceof incidents; and the business impact of incidents).
- Ensure the risk management process is constructive rather than blameoriented (otherwise people will evade or sabotage the programme).
- Ensure the risk management process is continuous rather than a series of oneoffevaluations (so improvements can be tracked over time).
- Make risk management a personal responsibility of individual business‘owners’ of your ‘targets of evaluation’.
- Keep evaluations simple, efficient, objective and business oriented.
- Ensure the process is proportionate (when resources are limited it makessense to focus them where they will have the greatest payback rather thanspreading them evenly across everything).
- Produce meaningful results that capture the attention of busy decision makers– particularly business ‘owners’.
- Introduce an element of competition between facilitators and ‘owners’ (eg bypublishing risk league tables).
- Cause pressure to filter down so it motivates others to act (eg by showingdependency risk).
- Embed risk management into the fabric of the organization (eg make criticalityassessments become part of project approval and procurement processes).
Thursday, October 22, 2009
Dealing with the regulator
Did you hear the one about the company that was fined £225,000 for failing to register under the Packaging Waste Directive? Or the one about the company charged £80,000 for running a waste business without the appropriate permit? This is no laughing matter. Ten years ago the European Commission positioned itself as an enforcer of environmental laws rather than simply as a legislator. Since then regulatory authorities in the UK have been given increasing powers to prosecute wrongdoers. The power to investigate and penalize has seeped into local authorities and government agencies. It is no longer the sole preserve of the police to interview and charge someone whom they suspect has committed a criminal offence. Nowadays, powers once administered by the police may equally be utilized by your local health and safety officer.
Tuesday, October 13, 2009
Planning for and managing climate change
Many people’s perception of climate change is that it will lead to warmer conditions and that in the UK, where weather is a perennial topic of conversation, this must be a good thing. Something that many people fail to grasp is that climate change equals global warming equals disruption of the weather patterns that we have grown up with. There have been many instances of freak weather in the last hundred years or so, but generally weather patterns across the globe have been fairly stable. However, as we all know, this is starting to change. The Gulf Stream brings warm ocean currents across the Atlantic from the Gulf of Mexico. This has a positive impact on the weather of the UK, particularly on the west side. Toronto in Canada, for example, is further south than the UK but has much more severe winters. Disruption to the Gulf Stream could mean a dramatic change in the UK’s climate. The debate about whether climate change is being caused by natural cycles or human intervention rumbles on. The knowledge of past events on our planet proves conclusively that weather patterns go through cycles – for example ice ages – and we may be entering one of these new cycles. However, it is also certain that we have been polluting the planet to unprecedented levels since the industrial revolution, and the likelihood is that this is contributing to climate change. Some governments and organizations have looked only at the short-term view in relation to climate change issues, but things are improving and there now seems to be a much stronger will to ‘save the planet’ before it is too late. Whether we have yet reached the tipping point or whether we can, or will, have any impact on reversing or slowing down climate change remains to be seen, but everyone has a moral obligation to participate in the process.
Environmental risk
Does the term ‘environmental risk’ conjure up images of risk to business by environmental activities or risk to the environment by business activities? It’s an interesting – and interlinked – question. When businesses talk about environmental risk, more often than not the risk is taken to mean risk from the environment rather than risk to the environment. More companies are concerned by the risk that environmental factors can have upon operations and profitability than the impact that running a business has upon the environment. The effect the environment can have upon a business is particular to that operation; in other words, no two businesses will be affected in the same way, and the results can be devastating. The effect of recent summers’ torrential rain and flooding has shown how business and communities can be left in ruins. Incredibly, according to the Environment Agency, small businesses are now more at risk of flooding than of fire. The need to have emergency plans in place in the event of business disruption emanating from such natural phenomena is obvious.
Conversely, the effect of one business upon the environment cannot be taken in isolation; its effect is cumulative and contributes to change on a global scale. Despite the best efforts of the recent Republican candidate for the US vice-presidency, Sarah Palin, to advise us to the contrary, few remain in doubt that human behaviour is having a fundamental impact on accelerating and worsening climate change.
Conversely, the effect of one business upon the environment cannot be taken in isolation; its effect is cumulative and contributes to change on a global scale. Despite the best efforts of the recent Republican candidate for the US vice-presidency, Sarah Palin, to advise us to the contrary, few remain in doubt that human behaviour is having a fundamental impact on accelerating and worsening climate change.
An introduction to modeling operational risk
Operational risks are those associated with the failure of systems, people or processes, or that result from the impact of external events. Therefore it is clear that businesses have always managed operational risk. They have taken steps to prevent theft and fraud and have introduced checks and balances to pick up the basic human errors that beset all businesses. Since computers have become a commonplace of business life, we have created a dizzying array of passwords, firewalls and encryption methodologies to ensure that our data remain secure, and we have insured our business assets against fire, theft, flood, earthquake and other natural disasters. All of these actions are designed to protect us against the adverse impact of operational risk. On the whole, however, firms have not found it necessary to model or seek to quantify operational risk exposures. They have identified and ranked risks in relative terms as being high, medium or low risks, but have not sought to apply a financial value to such exposures. For financial institutions this situation changed with the advent of Basel II, the name commonly applied to the guidance provided by the Committee for Banking Supervision of the Bank for International Settlements on the appropriate level of capital that internationally active banks should set aside to protect themselves against risk. Under the previous system (commonly referred to as Basel I), capital was set aside to cover credit risk (on the basis of a set amount to be held against money lent regardless of the quality of the borrower) and market risk. Basel II, however, seeks to create a risk-sensitive, forward-looking capital adequacy assessment that will assess levels of credit, market and, for the first time, operational risk that are present in the bank concerned and assign capital based on these levels of risk.
The Committee sets out the methodologies that banks should use to calculate their exposure to operational risk.1 At the most basic level, capital is calculated by using a proxy (average net interest income plus average net non-interest income over the previous three years) and multiplying this value by a risk factor designed to be indicative of the level of operational risk in the market. Such methods involve no risk analysis but merely provide a number for capital adequacy purposes. The road is, however, open for more ambitious institutions to opt for the Advanced Measurement Approach and develop a modelled approach to the quantification of operational risk.
The motivation for a bank to model operational risk exposures has therefore originated through regulatory imperative, but the process has commercial benefits that flow across industry and business sectors and stretch beyond the regulated financial services sector. Let us say, for example, that we detect a flaw in a system and process that exposes us to loss and we believe the risk to be ‘high’. However, the event has yet to produce a tangible loss. We want to avoid such a loss, but how will we be able to build a business case to support the level of expenditure we need to correct the flaw? Those responsible for the company purse strings are unlikely to be swayed by a red traffic light in a risk report when asked to release a possibly significant sum to resolve the flaw. It is useful in such cases to be able to indicate a monetary scale for the potential risk so that a proper cost–benefit analysis can be carried out. To produce this estimate of exposure we will need to develop an operational risk model
The Committee sets out the methodologies that banks should use to calculate their exposure to operational risk.1 At the most basic level, capital is calculated by using a proxy (average net interest income plus average net non-interest income over the previous three years) and multiplying this value by a risk factor designed to be indicative of the level of operational risk in the market. Such methods involve no risk analysis but merely provide a number for capital adequacy purposes. The road is, however, open for more ambitious institutions to opt for the Advanced Measurement Approach and develop a modelled approach to the quantification of operational risk.
The motivation for a bank to model operational risk exposures has therefore originated through regulatory imperative, but the process has commercial benefits that flow across industry and business sectors and stretch beyond the regulated financial services sector. Let us say, for example, that we detect a flaw in a system and process that exposes us to loss and we believe the risk to be ‘high’. However, the event has yet to produce a tangible loss. We want to avoid such a loss, but how will we be able to build a business case to support the level of expenditure we need to correct the flaw? Those responsible for the company purse strings are unlikely to be swayed by a red traffic light in a risk report when asked to release a possibly significant sum to resolve the flaw. It is useful in such cases to be able to indicate a monetary scale for the potential risk so that a proper cost–benefit analysis can be carried out. To produce this estimate of exposure we will need to develop an operational risk model
Subscribe to:
Posts (Atom)