
  • InfoRM: Published by the Institute of Risk Management

    July 2007

    Risk Forum International Diploma Protection Analysis

    Business Continuity


    InfoRM is sponsored by Norwich Union Risk Services

    Contents

    Doubt, Courage, Leadership and Vision (Cary Depel)

    News from Lloyd's Avenue

    IRM Member Groups: IRM Regional Group News; IRM Special Interest Group News

    New Memberships

    Member News

    Say Hello to Simone Wray

    Business Continuity within the Supply Chain (Lyndon Bird)

    Speak Out: The IRM Interview (David Crichton)

    Analysis is King (Derek Salkeld)

    A Day is All It Takes: 21st Century Business Risks (Gareth Tungatt)

    Layer of Protection Analysis: A Tool for Decision Making (Ramesh Babu)

    Norwich Union Risk Services Risk Review (Brian Wallace)

    Education Pages: Training and Education (Sophie Williams)

    InfoRM is the official publication of the Institute of Risk Management

    The objective of IRM is to promote excellence in the practice of risk management. It aims to achieve this through education and examinations leading to professional qualifications, knowledge sharing, networking and organising events on topical issues. InfoRM is free to IRM members.

    Institute of Risk Management, 6 Lloyd's Avenue, London EC3N 3AX

    Tel: +44 (0)0 7709 9808, Fax: +44 (0)0 7709 0716, www.theirm.org

    Copyright 2007 Institute of Risk Management. All rights reserved. Reproduction without prior written permission is expressly forbidden. Whilst every care has been taken to ensure that the information in this publication is accurate, IRM cannot accept and hereby disclaims any liability to any party for loss or damage caused by errors or omissions resulting from negligence, accident or any other cause. The views of outside contributors are not necessarily the views of the IRM, its editor or staff.

    Chairman: Cary Depel

    Chief Executive Officer: Steve Fowler

    Deputy Chief Executive: Sophie Williams

    Contacts

    [email protected]

    [email protected]

    Education: [email protected]

    All other: [email protected]

    Editor: Lee Coppack

    Design: CSG Designs: +44(0) 7739 733066

    Printed by: The Printing Place Ltd, Chelmsford, Essex


    Doubt, Courage, Leadership and Vision

    Cary Depel

    Chairman's Column

    I have had reason lately to think about how organisations make their visions a reality through leadership, and by developing a strategy and executing it. In my work experience, I have encountered poor and muddled decision-making (or none at all, passed off as further thought about future risk exposure), and lack of conviction or understanding about mission. On the flip side, I have seen great things happen when courage is applied to a vision.

    Let us start with an illustration from history. What became known as England's Glorious Revolution of 1688 was not merely a minor coup d'état that replaced a Catholic King with a Protestant one; it also happened because a handful of Whig aristocrats saw a dramatic erosion of an ancient, legitimate and noble cause: liberty, as enshrined by the Magna Carta in the 13th century.

    Their success depended on taking a series of incalculable risks against overwhelming odds, but from those risks, and the bold execution of a daring plan that deposed King James II in favour of William III, came the complete realignment of world view for Anglo-Saxons.

    This Glorious Revolution brought forth the 1689 Bill of Rights (which, in turn, influenced the American 1791 Bill of Rights), the genesis of representative government, the Bank of England, mercantilism and the Industrial Revolution, free enterprise, the rule of law and property rights, and religious toleration. Some of these consequences were unintended, but who cares? What animated these aristocrats to take these risks was a vision to fight for the liberty their forefathers had fought for and won.

    Taking risks despite doubts, having courage in one's vision despite tremendous odds and leadership based on bold and tenacious execution allowed us to believe Winston Churchill when, as Prime Minister very early in World War II, he said, "We shall defend our Island, whatever the cost may be." In my experience, it was what Sir David Rowland demonstrated in 1996 when, as Chairman of Lloyd's, he and others convinced the world that the market was worth saving when liability losses had brought it near failure. The vision of getting hundreds of small factors right also put the English Rugby Team on their path to win the 2003 World Cup, despite many set-backs.

    No one in the world dominates the professional risk management education space at the moment. IRM's vision is this: to be the leading international institute providing practical risk management education. We can do this, but we must do many things over the next few years to achieve it. If we succeed, IRM will make your profession and your membership that much more valuable. Some of these things will mean taking risks, calculated, bold risks. We ask you to have confidence in our vision, and you can be sure that we will be accountable. We will be asking for your help soon in a variety of ways.

    "While the avoidance of risk looks like the rational strategy in the short run, in the long run it is the riskiest strategy of all, since it leaves us unprepared for emergencies and unable to take the crucial decisions on which our future depends."

    Roger Scruton, philosopher


    Conference season

    IRM was pleased to support the AIRMIC conference at the Queen Elizabeth Hall, London, at the beginning of June and will also be sending a small team to the ALARM conference in Cardiff in early July. We welcome these events as an opportunity to meet many of our members and potential members.

    News from Lloyd's Avenue

    News from and about the IRM

    No 6 Lloyd's Avenue, London EC3N 3AX

    IRM accredits Marsh course

    The Marsh Principles of Risk Management course is the latest training course to receive IRM accreditation. A one-day interactive workshop based on the Risk Management Standard, the course raises awareness and understanding of risk and risk management within the context of corporate governance.

    Commenting on the IRM accreditation, Brett Dorney, Vice-President Client Training in Marsh's Risk Consulting practice, said, "The Institute of Risk Management is the standard bearer in enhancing the importance of risk management in the boardroom. The Institute's accreditation scheme is widely regarded as a benchmark of educational quality in the risk management industry, and we are pleased that we have received this recognition. As part of our ongoing commitment to IRM, we are seeking to align our client training offering even more closely with the Institute."

    Carolyn Williams, IRM Development Manager, added, "We are delighted to have worked with Marsh to accredit this programme, which provides a technically sound and well presented one-day introduction to risk management, in line with the Institute's aim of promoting high quality risk management training and education."

    For further information about the Marsh course, contact Brett Dorney at Marsh on [email protected]. To find out more about accreditation, contact Carolyn Williams or Rebecca Brueton in the IRM office.

    Good wishes

    IRM would like to wish Suzanne Hirst, Publisher of Strategic Risk, all the best. She is leaving Newsquest Specialist Media, the magazine's publishers, after 10 years. Strategic Risk, particularly Suzanne, has given us enormous support over the years.

    IRM in the United States and Poland

    Institute CEO Steve Fowler attended the Risk and Insurance Management Society (RIMS) conference in New Orleans as a guest of the organisation.

    RIMS puts on what is probably the largest risk management conference in the world with over 8,000 delegates this year. The event provides an opportunity to review risk management approaches across the world and to promote IRM in the United States. The conference is also the occasion of the annual board meeting of the International Federation of Risk and Insurance Management Associations (IFRIMA) of which IRM is a member. Steve chairs its educational panel.

    Closer to home, Steve has also visited POLRISK, the newly established Polish Risk Management Association. He described IRM's programmes and approaches to an audience of university professors and risk managers from across Poland.

    IRM has made good progress establishing itself in this rapidly developing country and has the prospect of future taught support courses for Certificate students there. In the meantime, Polish students who are members of POLRISK may claim a discount of 90 on Certificate enrolment costs.

    STOP PRESS: Members' summer party

    IRM will be holding a summer drinks party for members in central London. Date and venue will be announced on the web site.

    Now online booking for the IRM Risk Forum

    Online booking is now available for the 2007 IRM Risk Forum. To reserve your space, book now at www.theirm.org/riskforum/booking.html. You can still contact the office if you prefer a hard copy booking form.

    Online training in risk management

    Are you looking for a tool to raise risk awareness within your organisation, or that of a client? PRORIM is a new online training course on practical aspects of risk management for smaller businesses.

    PRORIM is the work of IRM in partnership with the risk management associations, AIRMIC (UK), AMRAE (France), ANRA (Italy), DVS (Germany) and FERMA (Europe), the University of Verona and online publisher, Must Have Knowledge.

    For more information, please contact [email protected]

    New BSi Code of Practice for Risk Management

    IRM has been taking part in the development of the British Standards Institute's (BSi) new Code of Practice for Risk Management, BS 31100. Consultation is now taking place. If you would like to comment, the draft document and comments form are available from BSi's website www.bsi-global.com. The deadline for comments to BSi is 3 August 2007.

    Carolyn Williams, Development Manager, and Angela Barnes, IRM's new Membership Executive, at the IRM stand at AIRMIC


    IRM Member Groups

    Dates for your diary

    Date | Group | Meeting | Location

    5 July 2007 | Midlands (UK) | Why disaster restoration should be pre-planned as part of your risk management procedure | BELFOR International, Tamworth

    5 July 2007 | North West England (UK) (Joint APM Risk SIG) | Why quantify risk? | Mechanics Institute, 103 Princess Street, Manchester

    31 August 2007 | Scotland | Partnership risks: liability/duty of care | Ernst & Young, Glasgow

    25 September 2007 | Midlands (UK) | Managing injury and sickness absence to ensure positive outcomes | Zurich Risk Services, Rubery, Birmingham

    27 November 2007 | Scotland | Strategic risks competitor (external) | Scottish Water, Dunfermline

    4 December 2007 | Midlands (UK) | Networking forum and discussion of content and format of the 2008 programme | Zurich Risk Services, Rubery, Birmingham

    Midlands (UK) Group

    Chair: Andrew Morton MIRM

    Secretary: Brian Pountney FIRM

    Bad weather resulted in a low turnout for our January meeting, but in complete contrast, our second meeting was well supported. At the beginning of April, members and guests met at the Royal Mail Centre in Birmingham to hear Dr Steve Boorman, Director of Corporate Social Responsibility at Royal Mail, deliver a lively and absorbing presentation on his organisation's development of the processes of corporate social responsibility (CSR), followed by a lively question and answer session and discussion.

    The principles of CSR require businesses to assess, understand and actively manage the social, environmental and economic impacts which they have on the corporate and domestic world around them. The size, in terms of manpower and diversity, of the Royal Mail organisation was overwhelming; however, participants felt that elements of the Royal Mail's approach to CSR could be easily adapted to their own organisations. The afternoon concluded with a guided tour of the sorting room.

    Our next meeting is on 5 July at the Tamworth offices of BELFOR International.

    Neal Courtney, Midlands Region member and Market Development Director of BELFOR, will lead the presentation and discussion on disaster restoration. Neal will also be speaking at the biennial conference of the Federation of European Risk Management Associations (FERMA) in October on this topic.

    The Midlands database has some 180 names and details of each meeting are emailed to those members. If you live or work in the Midlands and do not receive information from us, please contact the secretary [email protected].

    Regional groups on the web: Further information about these groups and their events can be found by visiting the events pages on the IRM website

    Regional Group | Contact

    Canada and Northern US | Bruce Mathesson | [email protected]

    Greece (new group!) | Maria Passa | [email protected]

    Hong Kong (new group!) | Steve Fowler | [email protected]

    Middle East (new group!) | Rahat Latif | [email protected]

    Midlands (UK) | Brian Pountney | [email protected]

    Networking North West (UK) | Andy Garlick | [email protected]

    Scotland (UK) | Graham Offord | [email protected]

    South Wales and South West England (UK) | Fergus Dolan | [email protected]

    IRM Regional Group News


    The Institute of Risk Management runs a number of special interest groups (SIG) to enable IRM members with specific interests to work together to share and develop knowledge.

    Dates for your diary

    Date | Group | Meeting | Location

    12 July 2007 | Charities | Afternoon seminar | ICSA Charities Secretaries Group, 16 Park Crescent, London W1B 1AH

    IRM Special Interest Group News

    People Communication & Behaviour

    Chair: Bruce Widdowson

    Our e-newsletter continues to provide useful data on people, communication and behaviour matters. Our most recent event was a talk in London on 18 June by Richard Cayzer, a consultant who describes himself as a creative and analytical transformation agent, on psychometrics.

    PPP/PFI

    Chair: Mike Walker

    Balfour Beatty Capital hosted the PPP/PFI SIG on 12 June for a meeting on risk in the government programme, Building Schools for the Future (BSF). Marc Evans, Balfour Beatty Capital's Commercial Manager, explained the structure of BSF contracts, examined the services provided by the local education partnership and considered the risks from an investor perspective, looking at the question: "Is BSF more risky than PFI?"

    Following this, Ben Martyr, Currie and Brown, presented the risks from a local authority perspective. It was a fascinating meeting, comparing aspirations and experiences.

    Innovation, Value Creation and Opportunity

    Chair: Mark Boult

    Secretary: Nicholas Vioix

    As our name states, our aim is to share and develop knowledge on innovation, value creation and opportunity in conjunction with risk management. The focus of our activities is shown in the diagram below:

    The SIG meets regularly to discuss our areas of interest and to undertake joint work. We share knowledge and learning through regular short seminars, contributions to the IRM Forum, articles in InfoRM and publications on IRM's website.

    During the IRM Risk Forum 2007, the SIG will run a workshop focusing on innovation in risk management. It will take place in the learning zone on Thursday 13 September 2007 (code C06).

    The next breakfast seminar will be held in London between the end of October and mid-November, and we are planning a networking party close to Christmas.

    If you would like to join the Innovation, Value Creation and Opportunity SIG or to learn more about our activities, please contact us via the IRM website or by emailing Mark Boult [email protected] or Nicolas Vioix nicolas.vioix@westfield-uk.com

    Special interest groups on the web: Further information about these groups and their events can be found by visiting the events pages of the IRM website

    [Diagram: "Risk + Innovation, Value, Creation and Opportunity", with the labels: Willingness to take risk; Corporate environment; Emerging risks; Risk in innovation; Value management; Business improvement; Communication; Risk in value creation; Innovation in risk; Opportunity (upside risk); Skills and capabilities; Tools and processes; Knowledge; Tracking progress; Portfolio management; Treatment strategies]


    New Memberships

    Fellows (FIRM)

    Paul Loveless, Voca

    Members (MIRM)

    Amanda Bateman, Applewell & Event Assured

    Gordon Knox, AIG Europe (UK)

    Certificants (CIRM)

    John Coyle, J Consulting

    Malcolm Pickering, Learning and Skills Council

    Jennifer Wyllie, Thorntons Law

    Affiliates

    Rita Bell, Prudential

    William Dakin, Bank of England

    Mark Eaton, Amnis

    Membership

    Membership renewals 2007/2008, a reminder

    Renewal forms were posted to members in June. To ensure that you continue to receive the benefits of membership, including this magazine, please return your completed form with your payment by 1 August 2007 (for members) or by 1 October 2007 (for students).

    All payments made before these dates attract a discount of 25.00. Please refer to the renewal form or the IRM website www.theirm.org/joining/JOannualsubs for further details.

    If you have any queries on membership subscriptions, please contact Angela Barnes at the IRM office, [email protected]

    Member News

    IRM Certificate holder wins top insurance award

    Martin Davidson CIRM won the 2007 Rutter Medal as the best qualifying new fellow of the Chartered Insurance Institute (CII). He received the medal and a cheque for 1,000 from CII Deputy President Lord Hunt at the CII's graduation ceremony, and his dissertation has been published within the CII's information services online research centre.


    Lord Hunt, Martin Davidson and John Howard, Chairman of the Financial Services Consumer Panel


    Member Name Member News

    Nick Avery Affiliate

    Nick is Chief Risk Officer of the Tote, the first UK bookmaker to receive a gold award for occupational health and safety from the Royal Society for the Prevention of Accidents (RoSPA). He put the foundations in place in 2004 when he brought together audit, security, health and safety, and insurance into a single function. According to Nick, "We received a Gold Award for Occupational Health & Safety from the Royal Society for the Prevention of Accidents, the first UK bookmaker to do so. The foundations for this were put into place when I brought together audit, security, health and safety and insurance into a single function back in 2004. Our health and safety performance had historically been poor, bearing in mind that as a business sector we have relatively few inherent risks. This is, therefore, quite an achievement and it was done without significant extra cost, as we were able to provide compliance and education infrastructure using what was already in place."

    Colin Campbell FIRM

    Colin was appointed Chairman of AIRMIC at the annual meeting of the UK risk management association on 6 June. Colin also judged the Post Magazine British Insurance Awards at the publication's awards dinner held at the Royal Albert Hall in London on 4 July.

    Jason Clement MIRM

    Jason has taken up the position of Corporate Risk Manager for Watercare Services in Auckland, New Zealand. Watercare provides bulk water and wastewater services to the wider Auckland area. Jason previously worked as a risk consultant with Marsh Risk Consulting in Manchester.

    Susan Davies MIRM

    Susan Davies, Marketing and Business Development Director of the insurance valuation firm Rushton International, has become a 30% shareholder in the company. While continuing in her original position advising clients and insurance brokers throughout the United Kingdom, she will also take a more strategic role at Rushton.

    Alan Dimech Student

    Alan has been appointed an Assistant Manager of the commercial lines underwriting department, Elmo Insurance.

    Alan Fleming MIRM

    Alan, who retired earlier this year as Insurance Commissioner at the Guernsey Financial Services Commission, has been named interim Chief Executive of AIRMIC. He is a former Chairman and Chief Executive of the association.

    Andrew Fox CIRM

    Following the acquisition of Target Express by Rentokil Initial and the subsequent merger of Target with City Link, Andrew has been appointed Risk and Insurance Manager. He has been with the business as Health and Safety Manager for six years.


    Paul Goulding FIRM

    Paul was one of the judges of the Post Magazine British Insurance Awards at the magazine's awards dinner held at the Royal Albert Hall in London on 4 July.

    Gary Izatt MIRM

    G2 Associates, of which Gary is a Director, specialises in risk management for the London insurance market. It has produced a risk management audit product based on the Lloyd's risk management toolkit.

    Lindsay John Cox Affiliate

    John is Managing Director of Risk Governance which won the risk management product of the year at the Strategic Risk 2007 European Risk Management Awards.

    Ajay Narayanan FIRM

    Ajay has taken over as Head of the Sustainability, Global Financial Markets Department, at International Finance Corporation, part of the World Bank.

    Mike Robinson MIRM

    Mike has set up a company, First Action Safety, to offer risk management services, help and solutions.

    Bilal Salloum MIRM

    Bilal has been promoted to Senior Safety Engineer for ADCO.

    Gillian Stokes MIRM

    Having worked for Strategic Thought Group as a risk consultant, Gillian is now Risk Management Facilitator for Housing 21, a housing association which caters predominantly for the elderly and families. She will be responsible for ensuring all departments have an up-to-date risk register.

    Will Thompson MIRM

    Will left Motability Operations, where he had been Head of Insurance, at the end of May and set up his own risk management consultancy, Insurance Insights, to assist companies, charities and insurers. Before leaving Motability Operations, Will was delighted to receive Strategic Risk's European Risk Management award for the 2007 best risk financing programme on behalf of the company.

    Lynne Thorn MIRM

    After 12 years at Marsh, Lynne has left to take up a job with the Public Sector Unit of The Heath Lambert Group as an Account Executive.

    Raymund Torres Student

    Raymund has been promoted to Assistant Vice President at the Philippines office of Jardine Lloyd Thompson Risk Management Division.


    Say Hello to Simone Wray and IRM Risk Forum colleagues

    "Suddenly, it is all over, and we're exhausted and deflated, but there's almost no time to pause for breath before we start again. Last year was the first time, and I was a bit shocked."

    Simone Wray is, of course, talking about the annual IRM Risk Forum. For the raven-haired risk manager and chairman of the organising committee, the IRM Forum is the highlight of the risk management year. "I don't think," she continues, "that anyone can anticipate the amount of work that goes into the planning."

    Life changed for bubbly Simone when she took responsibility as chair of the Risk Forum team in 2006. "It's a very full programme over the two days and I have to confess that I sometimes used to sneak a tiny lie-in on the second day to recharge my batteries, not an option any more as the chairman."

    Hot on the heels of the successful 2006 Risk Forum, the team was already thinking about the 2007 event, which will take place from 11 to 13 September at a new venue, Conference Hertfordshire on the de Havilland campus of the University of Hertfordshire.

    "It's a question of sitting down pretty quickly to talk about what worked well and what didn't and then reviewing the format," Simone told InfoRM. "Based on the delegate feedback, we ask ourselves do we want to tweak it or make fundamental changes? The team is really very responsive to delegates' feelings. We take it all seriously, but it really is overwhelmingly positive. Most people say how good it's been. The Forum formula is pretty well tested, so it's usually only little things that go wrong, but sometimes things are just outside of our control, like the buses that were late for taking delegates to their trains at the end of the event in 2006, for instance," she says candidly.

    A great boost for the committee members this year was the appointment of Catherine Tasker, who's taken a lot of the administrative project management and detail work off their shoulders. The long-haired blonde was thrilled to move to a full time role as events manager with IRM from Royal & SunAlliance, which seconded her to IRM to work on the Forum in 2006. "Catherine is such a help," says Simone with feeling.

    Highpoints? Seeing all the delegates turning up and having a great time / meeting the keynote speakers.

    Lowpoints? Waiting for the first booking in 2004.

    What keeps you going? The potential, every year the Forum gets better.

    Paul Goulding, Risk & Insurance Manager, News International, IRM Risk Forum Committee chairman 2004-5 and committee member

    IRM Annual Lecture

    After considering structure, the committee looks at potential keynote speakers, the workshop programme, marketing, logistics and planning.

    A vital success factor for the Forum is sponsorship and work on this continues throughout the year led by Carolyn Williams, IRM's Development Manager. Simone explains, "Our sponsors recognise that this is one of the most successful vehicles for them to get in direct contact with risk practitioners but we still need to provide them with value for money and their involvement is vital to making the Forum successful. It enables us to offer a very competitive price to our delegates and enhance the programme by bringing in high profile keynote speakers."

    In 2006, the committee came up with the idea of creating two workshop streams, one with contributions from IRM members and one led by sponsors as leading risk service providers. The idea goes back a bit to the early days of the IRM Forum when members provided keynote speeches and workshops. Since then, the IRM has grown and its success allows us to bring in important keynote speakers from outside, so we have a broader perspective.

    This year four A-list speakers will bring their insights to the Forum. They are Baroness Susan Greenfield, the world respected brain researcher; Karren Brady, the woman who helped turn around Birmingham City Football Club; Professor David Crichton, an economist who tackles the risk industry on climate change issues, and Doug Richard, entrepreneur and technology visionary who appeared in the UK television programme on risk and reward, Dragons' Den.

    "I was encouraged through contacts to get more involved after I had joined IRM. I already knew Simone a bit and she has a knack of persuading you to do things!! So, hey, I said yes and got involved. Once I get involved, I do not like to see things I am involved in fail, so put effort into keeping momentum going."

    Jeremy Harrison, Network Rail, Head of Project Risk & Value Management, IRM Risk Forum committee member

    "I thought that the special interest groups (SIGs) should be doing more to raise their profile by becoming more involved with the Risk Forum. When asked by Simone if I would like to contribute some ideas, I knew it would be good to work with her and maybe we could get the SIGs to contribute in some way. I helped to develop the learning zone programme."

    Clive Thompson, New Business Projects Leader, Willis, IRM Risk Forum committee member

    The annual dinner and student awards ceremony which takes place the following evening is IRM's most glittering event. This year nearly 400 real-life risk professionals will assemble in the extraordinary surroundings of the Royal Air Force Museum, London. The evening begins with a Champagne reception in the historic hangars where delegates network with colleagues, clients and friends around the aircraft exhibits. Everyone will then sit down under the wings of a World War II Lancaster bomber for a formal dinner.

    The banquet over, it will be the moment for the year's best students to receive their prizes from the celebrity guest of the evening, comedian Marcus Brigstocke. Marcus is an Edinburgh Festival regular and Time Out magazine voted him its best live stand up comic for 2006. IRM's Chairman, the trans-Atlantic lawyer Cary Depel, will be the host.

    Deciding the menu for the dinner inevitably involves lots of discussion. "As far as I'm concerned," Simone says laughingly, "as long as it involves chocolate for dessert Catherine has a free rein on the menu choice."

    And what about managing the risks connected with the Risk Forum, InfoRM had to ask Simone. What keeps you awake at night? "Being a risk manager myself, I am inclined to think about what might go wrong, but I'll discuss it with the team. We keep going until we're comfortable focussing on how to make it go right. For instance, we have contingency plans in case one of the keynote speakers cannot make it at the last minute."

    Simone and her team won't relax completely until the last 2007 delegate is safely on the way home. They'll already have started thinking about the 2008 Risk Forum by then. "One thing I love about the Forum is that it has its own identity. Although we do change and push the programme a bit each year, it's not radical, so the Forum has developed its own momentum and continues from year to year."

    The Forum programme and online registration are now open on the IRM website at www.theirm.org/riskforum. IRM has 75 copies of the book of the film, An Inconvenient Truth, which will be shown on the opening evening of the Forum, to give away to the first 75 delegates who register online.

    "What keeps me going? It's got to be the team spirit and happy banter that is involved in producing the event - everyone (no matter how senior) stuffing bags at the Forum is a sight to behold - plus the knowledge that you're helping the premier educational body in risk management and by doing so increasing everyone's knowledge of topics, as well as your own."

    Alyson Pepperill, Regional Project Manager, Oval Insurance Brokers, IRM Risk Forum committee member

    [Photo: The young Catherine Tasker]

    "I like being involved with a project where you can judge the success of what you're doing by clear criteria like the number of delegates we attract and the contribution we make to IRM finances. I also like the fun element and the drive for continuous improvement, year on year, always looking for ways to get even better."

    Carolyn Williams, IRM Development Manager

    Business Continuity

    Business Continuity within the Supply Chain
    Lyndon Bird

    Supply chain managers have only recently started to give business continuity management (BCM) serious attention.

    The reasons for this comparative neglect probably lie in the misconception that business continuity is only a new name for disaster recovery, and it is really all about computer failures. It is not, although it is certainly true that much of the early work in BCM evolved from the protection of computers and was generally known as disaster recovery planning.

    The pioneers of BCM were to be found in US multi-national corporations where large scale mainframe computing was well established. Apart from technical malfunctions and fire, the major threats to US business operations tended to involve natural disasters. By contrast, in the United Kingdom, natural disasters on any large scale were rare, but the threat of terrorist attack was very real. During the Irish Republican Army (IRA) bombing campaign in London in the early 1990s, it was clear that technology, systems and data were essential, but not enough to keep you in business. People, suppliers, logistics, property and business processes were just as vital.

    Despite the efforts of the growing BCM community in the 1990s, it was not until the threat of the change in millennium to computer controlled equipment, known by the shorthand expression Y2K, that many senior executives saw BCM as a business issue, rather than just a technical IT problem. The work for Y2K provided many organisations with the first real opportunity to develop plans for failures that did not relate primarily to the loss of IT or premises. It also brought a whole range of people with vast retail, manufacturing and distribution experience into contact with BCM concepts for the first time. As a result, topics like product recall planning and crisis media response planning came within the BCM sphere of influence in many companies.

    Very soon after the apparent no-show of the millennium bug, another event demonstrated the risk to business continuity from unexpected sources. In the United Kingdom, the fuel crisis of September 2000 had a nationwide impact on the public, business, customers and suppliers, and gave firms the opportunity to put business continuity to a real test. For the first time, many organisations in retail, distribution or logistics invoked their wide scale plans, as most of their activities were totally reliant on the availability of fuel for transportation. It also demonstrated to government and companies alike, how vulnerable they were to even a short disruption of the supply of a basic commodity.

    Global interdependence

    The fuel crisis, however, was a relatively local issue, and in today's world there is a more global nature to supply chain threats. Businesses have far more economic dependency between regions than ever before. We invariably depend on longer supply chains for physical production of the goods we consume, and we increasingly rely on offshore outsourced operations for much of our service delivery and back office administration.

    The interdependencies can manifest themselves in different ways. For example, a disaster in Asia might result in a break in a key part of a European supply chain. This might mean a loss of business and cash. It could also lead to loss of market share or reputation, and one company's disaster can be a competitor's opportunity. The media might well pick up service delivery failure, leading to loss of confidence from customers, suppliers or investors. You must also remember the need to manage both the incident and how you represent it to the media. In the words of the leading US investor, Warren Buffett, "It can take 20 years to build a business and 15 minutes to destroy it."

    [Photo: Fire on board the container ship Hyundai Fortune in March 2006. Photo: Royal Netherlands Navy]

    [Photo: Damaged bridge after Hurricane Katrina]

    An interesting example is what happened to Primark, a successful UK fashion retailer. In November 2005, just before the start of Christmas peak trading, it lost 50% of its garment stocks in a fire at one of its two large distribution centres. The company was able to continue trading by chartering aircraft to fly to and from China bringing new stocks in every day. In effect, it created a virtual distribution centre at 35,000 feet above the ground. The strategy worked, but the cost was significant and the risk to the organisation enormous.

    Another aspect of globalisation is the increased outsourcing that companies now undertake for both products and services. Virtually all major European and US corporations have some outsourced activities, mainly in India and South East Asia. It is becoming clear that the simplistic approach adopted by some companies towards BCM in their outsourced operations will just not work. Contracts and service level agreements are, of course, important for normal business, but partnership and strategic cooperation are much more effective in dealing with the consequences of a major incident. Just asking suppliers to confirm they have a BCM plan is worse than useless.

    What is needed are common standards for BCM that can be applied across all business sectors and geographical areas. This is a complex task, but one that is more vital for supply chain managers than almost any other group of professionals. Many people look to the International Organization for Standardization (ISO) for a commonly accepted standard, and this is likely to emerge eventually. However, we find that various national standards are being promoted, with the UK BS25999, The BCM Standard, currently the forerunner.

    The adoption of standards should ultimately lead to improvements in quality and consistency in the delivery of business continuity, and increasing confidence from procurement personnel in the resilience of their supply chains and the quality of their key suppliers' BCM programmes. It will certainly go a long way towards bridging the gap in business continuity maturity levels between the established BCM countries and those just starting out, particularly in Asia.

    Opportunity and risk

    For many companies, supply chain management provides one of the greatest opportunities to increase profitability and performance. However, it also creates what may be the greatest risk to an organisation's ability to continue as a viable business. For example, the big corporate decisions now are often about changes to business processes: typically, outsourcing, offshoring, rationalisation of distribution centres and supply chain optimisation.

    Such decisions put companies at risk much more than loss of an office block, a data centre or even critical personnel can ever do. Errors can ruin a company's reputation, market share and credibility overnight. I suspect most supply chain managers would recognise the risks to business continuity in all of them, without necessarily involving their BCM specialists, but for the BCM profession, supply chain business continuity is becoming a serious concern.

    BCM has historically tried to eliminate single points of failure, to diversify activities so as to improve resilience and to ensure adequate resources to deal with unexpected contingencies. Applied to the supply chain, this strategy might suggest multiple suppliers, geographically spread facilities and inventory levels suitable to cover for supply interruptions.

    This is not an easy approach to pursue given the increasing drive towards single source business partnerships, larger, fully automated distribution centres and just-in-time delivery. However, there is much that BCM can do to help without the risk of making the business uncompetitive. Issues resulting from single points of failure are entirely manageable provided you have good business impact analysis data. Knowing where in the chain you might be vulnerable to interruption is vital, because it is then often possible to remove the risk by changing the design, the specification or the manufacturer. This is food and drink to your business continuity professional, so you really need to involve him or her in key supply chain decisions.

    BCM people often talk about planning for the end-to-end supply chain, and clearly that makes sense. Longer supply lines mean more chance of disruption and less time to make alternative arrangements. When anything goes wrong, there can be an immediate impact and, perhaps, alternative suppliers around the world to be contacted and re-deployed. Doing this with language difficulties and time zone differences in a state of confusion is not easy.

    If this sounds a familiar message, it is. It is exactly what business continuity planning is all about: dealing with the unexpected. BCM no longer concerns just technical solutions or voluminously documented plans; it is more about process reliability and continuous improvement. In other words, BCM deals with precisely the things that should be driving your supply chain programme.

    Lyndon Bird is Technical Services Director of the Business Continuity Institute (BCI), a member with IRM of the Risk Federation.

    BCI have agreed to support and promote IRM's Diploma, particularly the specialist Business Continuity module.

    Speak Out

    The Speak Out pages are dedicated to views and opinions. We welcome comment on any aspect of IRM's operations, including InfoRM. Contact the editor, Lee Coppack at [email protected]

    The IRM Interview

    Can you introduce yourself to InfoRM readers?

    My name is David Crichton. I graduated in economics and worked for many years as an insurance underwriter and underwriting manager for major insurers. In 1999, I set up my own business providing consultancy advice to insurance companies on climate change strategies. Since then I have worked all over the world.

    I am a Visiting Professor at Benfield Hazard Research Centre, University College London and at Middlesex University Flood Hazard Research Centre, London. I am also an Honorary Research Fellow at the University of Dundee, the home of the first UNESCO water research centre in Europe and the British Flood Insurance Claims Database.

    I have a lovely, patient wife, two grown up children and a friendly, large dog who needs lots of exercise. I live in a small village in Scotland near woods, mountains and beaches, which suits the dog very well.

    What aspects of climate change worry you most?

    We do not have much time left. Almost all of our weather happens in a very thin layer of air around the planet, as thin as four miles at the poles. The amount of greenhouse gases in that layer is increasing by nearly 1% a year. A 10% increase in greenhouse gases will produce sufficient temperature rise to have disastrous consequences for the global economy and society. We need to adapt our buildings and infrastructure for the safety of our children and grandchildren, but there is little sign of this happening.

    Do you think organisations are taking sufficient account of climate change in their risk management?

    There are still too many individuals in large organisations who are not taking the risks seriously. Some do not think climate change will affect them. Some prefer to believe the pseudo scientists funded by the fossil fuel industry. They may not realise that human induced climate change is now unanimously accepted as fact by all reputable scientists.

    Do you agree that there are opportunities as well as risks associated with climate change?

    Certainly. Buildings will need to be redesigned to use less embedded-energy materials, such as timber, instead of concrete and steel, and they will need to be more resilient to floods and storms. There will be a resurgence of rural lifestyles driven by the demand for bio-fuel crops and the need for more self-sufficiency.

    Have you personally made any changes to your lifestyle or future plans as a result of your beliefs about climate change?

    I live in the country and work from home as much as possible. Modern communications make this easy. My house is well insulated and has low energy lights throughout. The garden is big enough for three composting bins which help with recycling. This year we fitted new doors and windows made in Norway from engineered timber which have been very effective in keeping in the heat, and we have a gas fire which uses a catalytic converter rather than a flue so is 100% efficient in heating. I am afraid that I do fly a lot, but it means that I can be in the City of London within three hours of leaving home, and I pack a lot of meetings into these trips.

    What is the most valuable thing you learned at university?

    This may sound a bit sad, but I spent 100 hours in one week teaching myself to touch type really fast for writing essays. I had blisters on my fingers by the end of the week but also 50 words per minute. It is a skill you never forget and now comes in very handy. I can rattle off 2,000 or 3,000 words an hour without thinking about where the keys are.

    Where is your favourite place in the world and why?

    Scotland. The scenery, history and climate suit me very well. I also love North Wales - my wife comes from there and speaks Welsh with a Scottish accent which really confuses the locals.

    What is your favourite book?

    I am a Terry Pratchett addict and like all of his books. I read so much serious scientific stuff that I find his fantasy world a refreshing change with some very amusing and imaginative satire, especially about scientists.

    Professor Crichton will give a keynote address, sponsored by HSBC Insurance Brokers, to the IRM Risk Forum 2007.

    A comment from the sponsor

    "The risks emerging out of the climate change agenda are complex and numerous, ranging from carbon emissions liabilities, reputational damage (from not doing anything) and increased physical damage to fixed assets. For the proactive, alert companies, these risks can be converted into opportunities. We believe that risk managers have an important role in determining the ultimate winners and losers arising out of climate change through early assessment and action."

    Sunny Sehgal, Head of the environmental risks team for HSBC Insurance Brokers

    Speak Out

    I once gave a presentation called "Why Use Risk?" that went badly. My mistake was to presume that my listeners had difficulty understanding risk, whereas having dodged the traffic to get to the venue, they not only knew about risk but also about managing it: they did it automatically.

    Since the sum total of human success seems to exceed the sum total of its failure, managing risk is something we evidently do quite successfully, and even if we cannot formulate probability and exposure, it seems we can judge it well enough.

    This automatic ability to balance probability and associated benefits and disadvantages is very much the grist of the daily grind. There is scarcely a business in the country that does not have someone appointed to manage its risk. The fact that our economy, our infrastructure and our public services all came into being and sustained themselves for years before risk management supports my view that we instinctively know how to manage risk. It prompts a question, though. Would the sponsors of all of these risk related appointments pay for them if they were spending their own money? If the answer is that they would not, what is the justification for spending someone else's, presumably that of shareholders or the taxpayers? I would like to attempt that justification.

    I still give presentations on risk, but if everyone is a natural risk manager, why? Is it for self assurance, a feigning of excellence through repetition, a liturgical expression of faith to fellow converts? Maybe it is all of them, but I think that risk management has a message that people in business need to hear. It is this: without the risk assessment that underpins risk management, we do not know what a prospective investment will cost, when it will complete nor what its returns will be.

    Finding the answer to this compound problem is a daily trial for managers, and often the strategy chosen was simply to give it a go and see what happened. Nowadays, because of risk assessment and management, this is no longer the case. Informed investment decisions are possible. Indeed, risk assessment may so highlight an option that the choice is obvious.

    Think of an invitation to tender. It would be imprudent for a risk averse business to submit a highly competitive bid if its exposure on winning would be sufficient to collapse the balance sheet if the job went wrong. Both the bid team and the client need to be aware that not only is the money they are committing to the deal not theirs, but neither are the balance sheets they are putting at risk. Risk assessment can show this.

    Risk assessment is the technique best equipped to inform investment decisions. It is the only one able in a single sweep to take into account costs, time scales, revenues, safety provisions, environmental assurances and the business environment, among others. I could go further, and show their interaction with each other in a way that compares and contrasts likely gains and losses. Done well, risk assessment does what the old advertising campaign claimed for Heineken beer: it refreshes the parts other analyses cannot reach.

    Many funders will not back a project unless they receive the figures generated by risk assessment because they need the insight they can bring. However, the assessment does need to be fit for their purpose, or as I often describe it, necessarily sophisticated. Attaining necessary sophistication has seen assessment become one of the most exciting areas of development in the discipline, and I believe it will come to dominate the profession in future, particularly as evidence based models of risk behaviour emerge.

    At the same time, migrating towards necessarily sophisticated assessments, and away from naively simple ones, does not change the core message: that without risk assessment, businesses do not know all they could know and with it, they do. Even if the assessment requires calculus, the benefits remain the same: an insight into the future and how the risks it brings can best be managed.

    Perhaps then, in my presentation, I should not have tried to promote assessment by reference to its fascinating intricacies, but rather I should have explained the sheer all round wonderfulness of it. It truly is the king of analyses.

    Derek Salkeld MIRM is Chairman of risk consultant, DS+A, and risk analyst for the London CrossRail project.


    Talk back: Do more risk professionals need technical analytical skills? Send your comments to [email protected]

    Analysis is King
    Derek Salkeld

    A Day is All It Takes: 21st Century Business Risks
    Gareth Tungatt

    Business Continuity

    IT risk in its various forms is one of the most significant threats posed to companies' operations.

    Less than half a day of IT system downtime can be enough to jeopardise the survival of an entire business. A quarter of US companies that suffered an IT breakdown of two to six days went bankrupt immediately. These startling figures come from a business resilience research project conducted by the Economist Intelligence Unit (EIU) earlier this year.

    Many business models are now built around the ability to participate in a global environment from the workstation, and much corporate information and documentation is run from a network of servers and computer terminals. The operation of electronic devices has become so critical to the operation of organisations that many simply could not function without them, and this reliance is set to increase as new technologies emerge.

    The EIU spoke to 181 risk executives, a third of whom worked for financial services companies, and found that among the most important operational risks to their organisations, 36% mentioned loss of data, 31% said systems failure, 28% named malicious attacks on IT systems and 22% mentioned unplanned downtime of online systems.

    Among the most common reasons cited for putting business continuity plans into action were power failures (27%), unplanned downtime of online systems (27%), virus or worm attack (23%), application failures (22%) and hacker attacks (8%).

    Further evidence of the critical role of IT in many businesses today came from the 2006 Global Security Survey of financial institutions by the consultants Deloitte. Seventy percent of those questioned named hardware and software failures as the number one cause of downtime for critical business systems.

    Risk management

    Managing these risks creates several new challenges for risk professionals, not least of which is that most risk managers do not have a technology background. In the EIU research, 40% of risk managers rated their understanding of IT risk as moderate or poor.

    Close collaboration between the risk and IT functions is, therefore, imperative to ensure security is not compromised. Highlighting an area that needs improvement, 42% of risk managers in the EIU research cited poor communication between the IT and risk functions as a significant difficulty in managing technology risk.

    From our experience undertaking underwriting due diligence, it is surprisingly often the well known and established organisations, who are well versed on risk, whose security or contingency measures to mitigate potential IT exposures fall short.

    For instance, in many cases it is clear that vast investment has been made on protection from external attack, but little has been done in respect of internal exposure that could result from the actions of their own employees, and many of these firms employ many thousands of people.

    One of the more common areas highlighted is companies' failure to impose strict user revocation processes that instantly cancel access to the network in the event of employment termination. As a result, the user may still be able to log on remotely from home, with the potential to cause huge disruption.

    Sabotage within the IT department is as much of a concern as sabotage by employees on the shop floor. For example, a multinational company may allow one IT administrator effectively to have full access to control and override all areas of the network, without referral, a situation which is open to huge manipulation. There is little reason for one administrator to have full access, and companies need to set pre-designated rights and limited privileges for all employees, including those within the IT department.
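
    The revocation gap described above can be checked by reconciling the HR leaver list against the directory and the remote-access log. The Python below is an added example, not part of the original article; the account fields, group names and log format are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def stamp(text):
    """Parse the timestamp format assumed for all sample data."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


@dataclass
class Account:
    enabled: bool
    disabled_at: Optional[datetime]
    groups: frozenset


@dataclass
class Finding:
    user: str
    kind: str          # STILL_ENABLED, LATE_REVOCATION or LOGIN_AFTER_TERMINATION
    privileged: bool   # leaver held an administrative group
    detail: object     # revocation delay or login time, where relevant


# Constructed HR export: user id -> moment employment ended.
LEAVERS = {
    "jsmith": stamp("2007-06-29T17:00:00"),
    "mkhan": stamp("2007-06-15T12:00:00"),
    "apatel": stamp("2007-07-02T09:30:00"),
}

# Constructed directory export. Group names are hypothetical.
PRIVILEGED_GROUPS = {"net-admin", "db-admin"}
ACCOUNTS = {
    "jsmith": Account(True, None, frozenset({"staff", "net-admin"})),
    "mkhan": Account(False, stamp("2007-06-18T08:45:00"), frozenset({"staff"})),
    "apatel": Account(False, stamp("2007-07-02T09:30:00"), frozenset({"staff"})),
    "lchen": Account(True, None, frozenset({"staff"})),
}

# Constructed remote-access log (addresses are documentation ranges).
REMOTE_LOGINS = """\
2007-06-14T08:02:11 vpn-gw1 LOGIN_OK user=mkhan src=198.51.100.20
2007-06-16T23:40:52 vpn-gw1 LOGIN_OK user=mkhan src=198.51.100.20
2007-06-19T07:10:00 vpn-gw1 LOGIN_FAIL user=mkhan src=198.51.100.20
2007-06-30T21:14:03 vpn-gw1 LOGIN_OK user=jsmith src=203.0.113.7
2007-07-01T10:00:00 vpn-gw1 LOGIN_OK user=lchen src=192.0.2.44
malformed line without fields
"""


def parse_logins(text):
    """Yield (time, outcome, user, source) per well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            when = stamp(parts[0])
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        if "user" in fields:
            yield when, parts[2], fields["user"], fields.get("src", "?")


def audit_leavers(leavers, accounts, log_text, max_delay=timedelta(0)):
    """Flag leavers whose access outlived their employment.

    max_delay is the tolerated gap between termination and account
    disablement; the default of zero models instant revocation.
    """
    def is_privileged(user):
        acct = accounts.get(user)
        return bool(acct and acct.groups & PRIVILEGED_GROUPS)

    findings = []
    for user, left_at in sorted(leavers.items()):
        acct = accounts.get(user)
        if acct is None:
            continue  # no directory account, so nothing to revoke
        if acct.enabled:
            findings.append(Finding(user, "STILL_ENABLED", is_privileged(user), None))
        elif acct.disabled_at and acct.disabled_at - left_at > max_delay:
            delay = acct.disabled_at - left_at
            findings.append(Finding(user, "LATE_REVOCATION", is_privileged(user), delay))

    # Successful remote sessions after the termination time are the
    # evidence that the gap was actually used.
    for when, outcome, user, _src in parse_logins(log_text):
        left_at = leavers.get(user)
        if left_at is not None and outcome == "LOGIN_OK" and when > left_at:
            findings.append(
                Finding(user, "LOGIN_AFTER_TERMINATION", is_privileged(user), when))
    return findings


if __name__ == "__main__":
    for f in audit_leavers(LEAVERS, ACCOUNTS, REMOTE_LOGINS):
        print(f.user, f.kind, "privileged" if f.privileged else "standard", f.detail)
```

    Findings marked privileged deserve first attention, since they combine the revocation gap with the broad administrator rights discussed in the preceding paragraph.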

    [Chart: How much IT downtime to jeopardise your company? Percentage of respondents by duration: less than four hours; four-12 hours; 12-24 hours; one day - one week; one week - one month; more than one month; don't know. Source: Economist Intelligence Unit (Total > 100% because of rounding)]

    Managing the potential financial impact of such risks also requires additional attention, and we believe risk managers should consider insurance policies specifically designed for digital risks, since these are excluded from most traditional property and business interruption coverage. Many businesses may, therefore, be uninsured in the event of cyber perils interrupting or corrupting their business processes.

    Insurance products such as our Dataguard cover have been specifically developed to provide protection to companies against such losses, and complement other risk management tools.

    How vulnerable are you?

    Use the following checklist to identify your key processes:

    Does your organisation rely on automated stock control?

    Does your organisation use real time cash or credit card transactions?

    Does your organisation use the network to process and track orders?

    Does your network operate machinery and plant either on site or remotely?

    Is your organisation a paperless office relying on the network to store documentation, plans, and designs as digital data?

    Does your organisation update and manage client, customer or patient files?

    Does your organisation process accounting functions/issue documentation?

    Does your organisation run telecommunication or security CCTV systems?

    When these critical networks are not available (system downtime), the operations of the business are disrupted or cease. When business stops, it gets expensive. There is also a serious risk of damaging reputation.

    A simple formula helps to estimate the financial impact:

    Productivity impact + revenue impact = downtime estimate

    Productivity impact can be calculated on the basis of average employee salary or rate multiplied by the number of business hours the users would be impacted.

    Revenue impact can be calculated on the average monthly gross revenue for the critical business application multiplied by the number of business hours that the application is affected.

    Security

    Breaches to system security remain a major source of danger. Growing sophistication among hackers and other cyber criminals creates a major difficulty in managing digital risk. Businesses are protecting themselves more effectively against viruses: in Deloitte's survey only 9% had experienced serious business interruption in this manner. Attackers, however, are moving away from mass virus and worm attacks that attract attention and publicity and turning to more covert methods to avoid detection.

    The criminal profile is shifting from the solitary geek to well funded, organised crime rings whose around-the-clock, across-the-globe attacks yield big financial payback. More money is made from cyber crime than from the drug trade, according to Gregg Day, Senior Security Strategist at McAfee, the internet security software providers. Citing an FBI report, Day said organised crime represents a $1 trillion-per-year industry.

    According to the Deloitte survey, more than half the global financial services companies have experienced phishing, specially crafted email purporting to come from a genuine company website in order to gain personal identity information, or pharming, an attack aiming to redirect a website's traffic to a bogus website.

    Case Study

    A computer programmer for a Fortune 500 company had a feeling he would be fired, so he created his own insurance policy. He wrote a program that instructed the computer to delete the entire customer database if his name was ever removed from the personnel database. As expected, he was fired. The customer database vanished. The company, brought to its knees, hired him back at double his previous salary to rebuild (and now secure) the customer database. (www.senseient.com)

    Statistics

    62% of UK businesses had a computer security incident in 2006. (Parliamentary Office of Science & Technology)

    On average, large UK businesses suffer 19 serious security breaches a year, with the average cost of the worst breaches amounting to £90,000. (PWC Information Security Breaches Survey 2006)

    Acts of sabotage and data theft were most often committed internally. In addition, over a third of recent incidents of financial fraud were either partially or wholly conducted by employees. (National Hi-Tech Crime Unit survey)

    Identity theft and account fraud are two priorities on which financial institutions are focusing, the Deloitte survey showed. Identity theft is typically associated with credit card and mail fraud, but new methods such as spear phishing (targeted and convincing email attacks) are constantly emerging.

    Identity theft is on the increase through authorised or unauthorised access. Malicious outsiders are targeting organisations' computer systems through direct connections and unauthorised access. Taking advantage of software flaws or errors in configuration, they are able to bypass access controls to directly access applications and data.

    A significant emerging risk is the boom in mobile and wireless technology, putting pressure on an organisation to protect users' information. Security controls have not kept pace with the proliferation of mobile technology and controls to mitigate risk are often perceived as a nuisance factor that interferes with productivity.

    In a world so reliant on the operation of technology, intangible assets like electronic data are the crown jewels of many businesses. The threats to them are many and continually changing, and cannot be ignored without exposing the business to potentially mortal exposures.

    Gareth Tungatt is Senior Underwriter, ACE Europe. He specialises in IT and cyber risks.


    Project Management

    Layer of Protection Analysis: A Tool for Decision Making
    Ramesh Babu

    Layer of protection analysis (LOPA) is a semi-quantitative risk assessment method that can be employed during conceptual and design stages of a project. It provides an objective method for evaluating the risk of a hazard scenario and comparing it with accepted risk criteria to decide on the adequacy of safeguards.

    Increased demand for sophisticated synthetic products and booming oil prices have stimulated a large number of expansion and new projects in the oil sector and process industry. Both corporate safety standards and statutory requirements warrant careful review of these projects from a risk management perspective.

    Various standards, such as the British Petroleum Standard (ETP-GP-48-1), define a project as any development comprising:

    A new process plant, manufacturing installation, pipelines and associated facilities

    A new research and development (R&D) installation

    A major modification that cannot be satisfactorily reviewed using the local modifications review procedure

    Great Britain has implemented EU Directive 96/82/EC (known as Seveso II) as the Control of Major Accident Hazards Regulations (1999), or COMAH. Depending on the quantities of dangerous substances present at an establishment, COMAH contains a general duty which the Health & Safety Executive (HSE) interprets to mean that there must be some proportionality between the risk and the efforts taken to control the risk.

    Often, it becomes a cumbersome task for designers to identify the proportion-ality between the risk and safeguards and effectiveness of the safeguards to mitigate

    the risks. While selecting the process or technology, they make a decision on the number of safeguards on a subjective assessment which in turn may result in higher risk levels being retained.

    What is LOPA?

    Layer of protection analysis (LOPA) is a simplified risk assessment method. LOPA is applied when a scenario is too complex or its consequences are too severe for the hazard and operability (HAZOP) study team to make a sound judgment based solely upon the qualitative information. On the other hand, the team can screen scenarios as a precursor to a quantitative risk assessment. LOPA helps organisations make consistent decisions on the adequacy of the existing or proposed layers of protection against an accident scenario. It is a potential tool for statutory compliance purposes in the United Kingdom and an effective process safety management tool satisfying Occupational Safety and Health Administration (OSHA) requirements in the United States.

    LOPA helps the user to determine the risks associated with the various hazardous events by taking account of their potential severity and probability. The risk reduction measures employed by the industry concerned, such as process design, are estimated and credit is given for such measures when the severity and likelihood of the event are estimated. The industry can set its corporate risk standard or follow the risk acceptability levels specified by its local governments. Most of these risk reduction measures are to be planned and implemented in the conceptual and design stage of the project.

    The LOPA process

    LOPA is based on the assessment of single initiating event and consequence scenarios. Although multiple initiating events can lead to the same consequence, all these initiating events must be used to develop scenarios for subsequent assessment.

    Let us discuss the terminology used in the process with the help of the example of fire resulting from the release of liquefied petroleum gas (LPG) from a cylinder.

    Event: initiating and enabling

    An event is an occurrence leading to an accident. The initiating event starts the chain of events leading to the undesired consequence. An enabling event or enabling condition is required for the initiating event to unleash a scenario. In our example, the LPG leak from the cylinder can be the initiating event, while the presence of an ignition source in the area can be the enabling condition. Both events are expressed as probabilities.

    Cause

    The condition or state resulting from the events that allowed the loss of containment to occur is called the cause. In our example, a faulty valve is the cause of the LPG leak.

    Loss of containment (LOC)

    Loss of containment is defined as the top event in a scenario that the company aims to prevent. Ignition of the LPG vapor-air cloud is the loss of containment.

    Consequence

    The consequence or effect is defined as the undesired outcome of an accident scenario. Consequences are expressed in terms of material damage, environmental pollution, injuries, fatalities etc. In our example, both the material damage and injury due to LPG fire are the consequences.

    Independent protective layers (IPL)

    Independent protective layers are devices, systems or actions that can prevent a scenario from proceeding to an undesired consequence or mitigate the consequences if it does occur. All these layers are independent from one another, so that the failure of any one layer will not affect the functioning of the other layers. Examples of preventive independent protective layers include inherently safe design features, physical protection, such as relief devices, and safety instrumented systems. Post-release physical protection, like fire protection systems and plant and community emergency response etc., can be considered as mitigating protective layers. Provision of a valve cap on the cylinder when not in use can also be an independent protective layer.

    Table 1: Guidelines on consequence estimation from the Center for Chemical Process Safety

    Consequence size

    | Release characteristic | 1 to 10 pound release (0.45 to 4.5 kg) | 10 to 100 pound release | 100 to 1,000 pound release | 1,000 to 10,000 pound release | 10,000 to 100,000 pound release | > 100,000 pound release |
    |---|---|---|---|---|---|---|
    | Extremely toxic, above BP* | Category 3 | Category 4 | Category 5 | Category 5 | Category 5 | Category 5 |
    | Extremely toxic, below BP or highly toxic, above BP | Category 2 | Category 3 | Category 4 | Category 5 | Category 5 | Category 5 |
    | Highly toxic, below BP or flammable, above BP | Category 2 | Category 2 | Category 3 | Category 4 | Category 5 | Category 5 |
    | Flammable, below BP | Category 1 | Category 2 | Category 2 | Category 3 | Category 4 | Category 5 |
    | Combustible liquid | Category 1 | Category 1 | Category 1 | Category 2 | Category 2 | Category 3 |

    * BP = atmospheric boiling point

    Consequence category

    | Consequence characteristic | Spared or non-essential equipment | Plant outage < 1 month | Plant outage 1 to 3 months | Plant outage > 3 months | Vessel rupture 3,000 to 10,000 gal, 100 to 300 psig | Vessel rupture > 10,000 gal, > 300 psig |
    |---|---|---|---|---|---|---|
    | Mechanical damage to large main product plant | Category 2 | Category 3 | Category 4 | Category 4 | Category 4 | Category 5 |
    | Mechanical damage to small by-product plant | Category 2 | Category 2 | Category 3 | Category 4 | Category 4 | Category 5 |

    Consequence cost (US$)

    | Consequence characteristic | $0 to $10,000 | $10,000 to $100,000 | $100,000 to $1,000,000 | $1,000,000 to $10,000,000 | > $10,000,000 |
    |---|---|---|---|---|---|
    | Overall cost of event | Category 1 | Category 2 | Category 3 | Category 4 | Category 5 |

    Figure 1: A typical LOPA scenario chain

    [Figure not reproduced. Elements shown: initiating event, enabling event, cause, LOC, consequence; preventive layers and mitigating layers, IPL1 to IPL4.]

    Criteria for evaluation

    The crucial step of LOPA is the evaluation process, for which criteria need to be selected. Three criteria are considered for a LOPA study:

    Consequence class characteristics

    Likelihood estimation

    Tolerance limits fixed by local legislation

    The HAZOP team members choose three to five levels of classification to define consequence class characteristics. Consequences are measured in terms of damage to people, property and environment, or in terms of financial loss. To reduce subjectivity, the US Center for Chemical Process Safety (CCPS) has developed guidelines for estimation of consequences based on the quantity of chemicals involved in the scenario.

    The categories shown in Table 1 are defined in terms of effects on plant personnel, community and environment as shown in Table 2.

    Reproduced with permission from Layer of Protection Analysis: Simplified Risk Assessment by the Center for Chemical Process Safety, 2002, American Institute of Chemical Engineers. For more information about the Center for Chemical Process Safety, please see www.aiche.org/ccps


    Likelihood estimation

    The frequency of an initiating event is based on past industry data, company experience or incident histories. If no data are available, an expert team can make a subjective estimate. Some of the data used by the industry for various events have been published in the technical literature.

    Total risk level can be estimated in terms of severity and probability and presented as shown below:

    Table 3: Typical LOPA format

    Location:        Equipment:

    | Serial no. | Initiating event (IE), probability per year | Enabling event, probability per year | Independent protective layers (IPL) probable failure on demand (PFD), and mitigating IPL PFD | Consequence class | Consequence frequency |
    |---|---|---|---|---|---|
    | Probability | f1 | f2 | p1, p2, p3, p4, p5, p6 | | f1 × f2 × p1 × p2 × p3 × p4 × p5 × p6 |

    Table 2: Definition of categories of consequence

    | Consequence class | Plant personnel | Community | Environment |
    |---|---|---|---|
    | 1/2 | No lost time | No hazard | No notification |
    | 3 | Single injury | Odour/noise | Permit violation |
    | 4 | >1 injury | One or more injuries | Serious offsite impact |
    | 5 | Fatality | One or more severe injuries | Serious offsite impact |

    After identifying the class and frequency, the results of each envisaged scenario should be compared with the tolerance limits selected by the organisation, based on local regulations or voluntary corporate standards. For example, risk treatment decisions can be made according to the following risk acceptance matrix, which is based on Netherlands statutes.

    Benefits of using LOPA

    LOPA is used for making risk based decisions including design, capital improvement planning, management of change, evaluating facility siting, mechanical integrity programmes and determination of the need and basis for emergency isolation valves and over-pressure protection etc. during the project stage. It has the combined advantages of both qualitative and quantitative tools.

    Ramesh Babu MIRM is Deputy General Manager Risk Services in Cholamandalam MS Risk Services, Chennai, India. He is a chemical engineer.

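    Table 4: Risk tolerance criteria

    [Matrix not reproduced. Rows, frequency of consequence (/yr): 10^0 to 10^-1, 10^-1 to 10^-2, 10^-2 to 10^-3, 10^-3 to 10^-4, 10^-4 to 10^-5, 10^-5 to 10^-6, 10^-6 to 10^-7. Columns, consequence category: Category 1, Category 2, Category 3, Category 4, Category 5. Regions marked in the matrix: Not acceptable, Tolerable, Acceptable.]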
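The worksheet arithmetic of Tables 1, 3 and 4 applied to the article's LPG cylinder scenario, as an added example that is not part of the original article. The frequencies, PFD values, cylinder size and the `shares` field used to test layer independence are constructed assumptions; a layer that shares a dependency with an earlier layer gets no credit, which moves this scenario up one row in Table 4.

```python
from bisect import bisect_right
from dataclasses import dataclass, field
from math import floor, log10

# Table 1, release part: upper edge of each size column (pounds) and the
# consequence category per column for each release characteristic.
SIZE_EDGES_LB = [10, 100, 1_000, 10_000, 100_000]
RELEASE_CATEGORY = {
    "extremely toxic, above BP": [3, 4, 5, 5, 5, 5],
    "extremely toxic, below BP or highly toxic, above BP": [2, 3, 4, 5, 5, 5],
    "highly toxic, below BP or flammable, above BP": [2, 2, 3, 4, 5, 5],
    "flammable, below BP": [1, 2, 2, 3, 4, 5],
    "combustible liquid": [1, 1, 1, 2, 2, 3],
}

def consequence_category(characteristic, release_lb):
    """Table 1 category for a release of the given size in pounds."""
    if release_lb < 1:
        raise ValueError("Table 1 starts at a 1 pound release")
    # Assumption: a size exactly on a column edge goes to the larger column.
    return RELEASE_CATEGORY[characteristic][bisect_right(SIZE_EDGES_LB, release_lb)]

@dataclass
class Layer:
    name: str
    pfd: float                       # failure on demand, 0 < pfd <= 1
    shares: frozenset = frozenset()  # hypothetical: utilities the layer relies on

@dataclass
class Scenario:
    initiating_event: str
    f1: float                        # initiating event, per year
    f2: float                        # enabling event or condition
    layers: list = field(default_factory=list)

    def credited_layers(self):
        """Layers that share nothing with an earlier credited layer."""
        used, credited = set(), []
        for layer in self.layers:
            if not 0 < layer.pfd <= 1:
                raise ValueError(f"PFD out of range for {layer.name}")
            if used.isdisjoint(layer.shares):
                credited.append(layer)
                used |= layer.shares
        return credited

    def frequency(self):
        """Table 3 product f1 x f2 x p1 x ... over the credited layers only."""
        if self.f1 <= 0 or not 0 < self.f2 <= 1:
            raise ValueError("f1 must be positive and f2 in (0, 1]")
        freq = self.f1 * self.f2
        for layer in self.credited_layers():
            freq *= layer.pfd
        return freq

def table4_row(freq_per_year):
    """(upper, lower) exponents of the Table 4 row, None if off the table."""
    lower = floor(log10(freq_per_year))
    return (lower + 1, lower) if -7 <= lower <= -1 else None

def lpg_example():
    """The article's LPG cylinder scenario with constructed numbers."""
    site_power = frozenset({"site power"})
    scenario = Scenario(
        "LPG leak from cylinder (faulty valve)", f1=0.1, f2=0.5,  # constructed
        layers=[Layer("valve cap", 0.1),
                Layer("gas detector alarm", 0.1, site_power),
                Layer("fire protection system", 0.1, site_power)])  # dependent
    # Constructed: a 33 lb cylinder; LPG at ambient is flammable and above BP.
    category = consequence_category(
        "highly toxic, below BP or flammable, above BP", 33)
    freq = scenario.frequency()
    return scenario, category, freq, table4_row(freq)

if __name__ == "__main__":
    s, cat, freq, row = lpg_example()
    print([l.name for l in s.credited_layers()], cat, f"{freq:.1e}/yr", row)
```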


    Risk Management News

    Norwich Union Risk Services Risk Review Brian Wallace

    Lack of sleep leads to more risk taking

    An interesting study by psychologists looking at decision-making has suggested that lack of sleep could lead people to take greater risks. The research, published in the journal Sleep, showed that sleep deprived volunteers took more risks while displaying less concern for any negative consequences.

    Norwich Union Risk Services (NURS) Training and Consultancy Manager, John Phillips, said the study may have implications for work related safety, particularly for employees operating dangerous machinery or those driving at work. He indicated that the pattern was familiar in many workplace incidents where employees seemed willing to cut corners at the risk of serious and sometimes fatal injury.

    John said, "It is fairly obvious that people who are tired will probably not perform at their best, but it is worrying to hear that they may also be much more willing to take a risky approach to whatever they are doing."

    Visit: www.journalsleep.org

    Power disruption fastest growing continuity threat

    Power related disruptions were the fastest growing form of disaster affecting businesses last year, according to a report by Sungard Availability Services. Sungard said power related disruptions had increased by over 350% between 2005 and 2006, accounting for over a quarter (26%) of its customers' disaster declarations, against only 7% in 2005.

    Hardware failure remained the leading cause of disruption, responsible for almost half (48%) of cases. Flooding and infrastructure related events were the third most frequent causes.

    Some more unusual cases of disruption last year included loss of power to the main server at a business because a cleaner unplugged it to use a vacuum cleaner, and the discovery of unexploded bombs from World War II in a nearby property.

    Other incidents highlighted included a fire in a refuse bin set by youths that blocked access for employees, theft of personal computers and servers, and a sewage blockage that rendered toilets useless, forcing employees to move to alternative premises.

    Keith Tilley, Sungard's Managing Director, said, "With IT equipment drawing more power than ever, it is imperative that businesses plan around possible interruptions to their power supply. Business impact analysis can help organisations plan around power outages and other phenomena, and is a vital ingredient of BS 25999, the British Standard for Business Continuity Management."

    According to the latest Chartered Management Institute (CMI) business continuity survey, less than half of UK organisations (48%) have a continuity plan.

    Visit: www.availability.sungard.com

    Laptop thefts soaring

    The number of laptop thefts across the United Kingdom has risen dramatically over the past 12 months, according to figures obtained from the police. For organisations, there is a risk of sensitive data being lost if an employee is using the computer for work, as several high profile cases have highlighted.

    A freedom of information request submitted by online technology publication Silicon.com revealed that laptop thefts were soaring in places like London, Edinburgh and Manchester. However, such crimes were not just rising in city centres: areas like Devon, Cornwall and Bedfordshire are also seeing a big increase.

    Silicon.com got its figures from a total of 28 police regions across the country. Unsurprisingly, the London Metropolitan Police area was the worst hit in 2006, with 6,576 laptop thefts recorded - a 15% rise on 2005.

    West Yorkshire Police recorded 2,402 laptops stolen, followed closely by Thames Valley (2,149), Leicestershire (1,219) and Bedfordshire (938). The Bedfordshire figure had gone up by 35% compared to 2005.

    The most dramatic increase was in Devon and Cornwall, where 401 laptop thefts were recorded in 2006 - up 45% from 276 in 2005. Lothian and Borders Police, which includes Edinburgh, saw thefts rise by 32%, while Greater Manchester and Merseyside both went up by 15%.

    The research also revealed that Friday was by far the worst day of the week for laptop thefts.

    Visit: www.silicon.com

    Should we stop using the word "accident"?

    Opinions are divided over plans to drop the word "accident" from the new UK Highway Code. Some interested groups welcomed it; others have dismissed it as nothing more than political correctness.

    Forthcoming courses from Norwich Union Risk Services

    Getting Started; Risk Assessment; Fire Risk Assessment

    Rochdale 11 September, Reading 25 September, Belfast 26 November, Norwich 16 October, Bristol 30 October, Stirling 13 November, Birmingham 27 November, London 04 December

    Stirling 11 September, Reading 26 September, London 09 October, Rochdale 16 October, Norwich 30 October, Bristol 13 November, Birmingham 28 November, Belfast 27 November

    Stirling 12 September, Birmingham 20 September, Belfast 28 November, London 10 October, Rochdale 17 October, Norwich 31 October, Bristol 14 November

    Managing Insurance Claims; Controlling Your Contractors; Business Continuity

    Stirling 13 September, Belfast 29 November, London 11 October, Rochdale 18 October, Birmingham 08 November, Norwich 15 November

    Birmingham 19 September, Norwich 17 October, Bristol 31 October, London 13 November, Stirling 20 November, Rochdale 29 November

    Birmingham 18 September, Norwich 26 September, London 02 October, Belfast 31 October, Stirling 07 November, Leeds 27 November

    Accident Investigation; Driver and Fleet Safety

    Norwich 18 October, Bristol 01 November, Stirling 15 November, Birmingham 29 November

    London 05 December, Birmingham 18 September, Stirling 14 November

    Many professional organisations enable you to claim CPD points for attending a Norwich Union Risk Services short course.

    Each course costs £225 + VAT including lunch, refreshments, training support and continuing access to our Risk Helpline. Delegates attending IOSH accredited short courses have the option of taking a short validation test leading to the award of a certificate issued by IOSH for an additional fee of £20 + VAT.

    For further information:

    Call: +44 (0) 500 55 99 77

    Email: [email protected]

    Visit: www.nurs.co.uk

    "Accident" has been replaced in the new draft code, prepared by the Driving Standards Agency (DSA), by the words "collision", "incident" or "crash". The change reflects a growing trend, with some police forces already referring to "road traffic collisions" instead of "road traffic accidents". The new code is expected to be published later this year.

    Road safety group, Brake, was one of the organisations that pushed for the alteration. It believes the change could help shift people's thinking away from viewing crashes as mere mishaps.

    A spokeswoman for Brake said, "We believe that the word accident implies that road crashes are unavoidable mishaps, which they are not. Virtually every road crash is avoidable and preventable, and using the word accident undermines any attempt by us or the government to encourage road users to take responsibility."

    However, the Association of British Drivers (ABD) spoke out against the change. Its spokesman said, "It implies that people do things on purpose when there are genuine accidents. As long as you have humans driving cars, and humans making mistakes, then you will have accidents.

    "I think that it is more political correctness really. There is an underclass of illegal drivers, but most ordinary people don't want to go out and kill people."

    Visit: www.dsa.gov.uk

    Organisations may face data protection crisis

    Businesses and other organisations are facing a data protection crisis as a result of an exemption in the relevant regulations coming to an end in October 2007, according to the professional services firm, KPMG.

    KPMG said that paper records from before October 1998 had been excluded from the full extent of the Data Protection Act (DPA), but this transitional relief exemption was due to come to an end later this year.

    The firm said many private and public sector organisations retained paper files that contained personally identifiable information. It added that organisations with significant amounts of relevant, paper based records in their archives may well struggle to comply with simple requests from members of the public who want to know whether their personal data are accurate and still retained.

    Failure to supply compliant responses within 40 days may breach the DPA and could damage the organisation's reputation, KPMG stated.

    However, lawyers at Pinsent Masons said that very few organisations would actually be affected by the change, and that talk of a crisis had been overblown. The firm's Rosemary Jay commented, "It is hard to see where any normal data controller is likely to have significant problems. The end of the transition period only affects information held on structured manual files, not all manual files, so it is not applicable to all old pieces of paper."

    Visit: www.out-law.com/page-7998

    Brian Wallace MIRM is Head of Norwich Union Risk Services. For more risk management news see the NURS website www.nurs.co.uk


    Education and Training

    International Diploma in Risk Management

    Two years ago, IRM started the process of re-engineering the Diploma, our primary post-graduate level professional qualification in risk management. We needed to modernise and internationalise the syllabus to ensure that the qualification continued to reflect leading edge thinking in risk management. This process, which has incorporated contributions from many international risk practitioners and academic specialists, is now virtually complete, and enrolment for the first students on the new syllabus will open this October.

    Level 1 Core Modules:

    Principles of risk

    Risk and organisations

    Risk decisions

    Risk leadership

    Risk solutions

    Level 2 Technical Modules, to include:

    Project risk

    Business continuity

    Governance

    Risk financing

    Occupational safety and health

    Environmental risk

    Level 2 Sector Modules, to include:

    Public sector

    Health sector

    Construction

    Financial services

    Manufacturing

    Retail, logistics and supply chain

    Transitional arrangements for current students

    Wherever possible, we will encourage existing students to move on to the new Diploma structure to complete their studies, regarding it as a positive opportunity for them to gain additional knowledge and skills. Examinations under the old structure will still be available, but only for one year.

    Transitional arrangements are as follows:

    Students with three or fewer modules to finish under the current Diploma can attempt to complete them under the current syllabus within one year. However, there will be no retake opportunities on the old syllabus after the 2007/8 academic year. Students who fail the whole or part of a module must then move on to the new Diploma structure.

    Students who have completed three or more modules and who elect to complete their Diploma on the new syllabus will be exempt from the level 3 assignment if they pass all the required modules within two years.

    Students who must complete one assessment element (exam or assignment) have one more opportunity to complete the module under the current syllabus, but can still move on to the new Diploma to complete the remaining modules. Again, if students pass within two years they will be exempt from level 3.

    Students who have four or more modules to complete must move to the new Diploma but will be exempt from those modules that have the closest fit to those already passed under the previous curriculum. Students who then complete the Diploma within two years will be exempt from level 3.

    All students will receive a letter explaining the transitional arrangements, the changes in the academic timetable and the assessment requirements. Further details will also be posted on the IRM website over the summer.

    If you would like to talk through your individual situation or want further clarification, please contact me on [email protected] or call +44 (0)20 7709 9808.

    The new Diploma structure

    The new Diploma has three levels: level 1 comprises five compulsory core risk management subjects, moving from introductory concepts to insights and solutions; level 2 allows students to select two specialist technical or sector modules; and level 3 consolidates their learning with the completion of an 8,000 word practical assignment. The assignment is designed to test students' understanding and ability to appraise critically what they have learned at levels 1 and 2. Levels 1 and 2 are both assessed through examination and must be successfully completed before moving on to level 3. There will no longer be an assignment element in every module, only at level 3.


    June 2007 Examinations

    Certificate in Risk Management

    Examination results will be published during the first week in September. All successful students will receive a certificate of completion. This certificate confers no rights of membership of the Institute or eligibility to use the post-nominal letters CIRM. Therefore, successful students are encouraged to apply for Certificant membership by completing the membership application form available from the IRM website.

    Becoming a Certificant enables you to use the internationally recognised post-nominal letters CIRM, to continue receiving IRM benefits and to demonstrate commitment to keeping professional skills and knowledge up to date.

    Retakes: winter 2007

    For students who are unsuccessful in the June certificate examinations, there is an opportunity to retake failed paper(s) in the winter examinations, which will take place on 29 and 30 November. Retake forms can be downloaded from the IRM website and must be received by the IRM office by 20 September. If you have any questions, please contact Jayshree Negandhi on [email protected] or Barbara Asieduah on [email protected]

    Diploma Results

    Examination results will be published during the first week in September. All successful Diploma students will receive a certificate of completion. This certificate confers no rights of membership of the Institute or eligibility to use the post-nominal letters GradIRM or MIRM. Successful students are, therefore, encouraged to apply for Institute membership as an indication of their achievement and professional standing and to allow them to use the Institute's internationally recognised post-nominal letters. Membership (MIRM) status is available to Diploma holders with three years' relevant professional experience; GradIRM status is available as an intermediate status to Diploma holders working towards the experience requirement.

    Membership also ensures continuity in receiving IRM benefits and enables you to continue your professional development and subsequently, perhaps, attain Fellowship of the Institute.

    New Versions of MoRU Launched

    IRM has launched a revised version of its popular Management of Risk and Uncertainty (MoRU) course for UK audiences and