
Topic 5

Corporate Risk Controls and Operation


Risk Management

Summary

1.0 Principles of Risk Control (Hazard RM)

Introduction
- Risk control : risk avoidance & risk reduction
- Risk avoidance : avoid activities that create risk : negative & last resort
- Risk reduction : treat or influence risk
i) Loss prevention : reduce probability (frequency) of loss
ii) Loss control : reduce severity of loss

Theory of Accident Causation
- Domino Theory : industrial accident research (human behavior approach to RR)
- Energy Release Theory : automobile accident research (engineering / mechanical approach to RR)

2.0 Corporate Risk Control Program (Hazard risks)
- Property risk control : fire prevention program
- Liability loss control : product liability loss control

3.0 Operation Risk Management
- Employee dishonesty / fraud prevention
- IT risk management

4.0 Crisis Management & Business Continuity Management (BCM)
- Effective responses during the crisis event and recovery from business interruption

1.0 Principles of Risk Control


- Risk control : Reduce number of risks or amount of
loss that arise
- Techniques : risk avoidance and risk reduction

1.1 Risk Avoidance


-Decisions that prevent a risk from coming into
existence : reduce probability of loss to zero

- Negative approach : forgo / sacrifice benefit from risky activity : firm may not be able to achieve its profit objective

Example :
1) Avoid production of certain medical drugs due to
potential large liability claims
2) No nuclear power plant; no hand phone ( ear
cancer!)
3) Business risks : o/s expansion, M & A, new product
line;
- Assume benefit is less than cost imposed by risky
activity
- Last resort in dealing with risk : NO other
alternatives
- Appropriate for exposure that has catastrophic loss
potential and risk cannot be reduced or transferred.

1.2 Risk Reduction


- Techniques aimed at reducing expected loss : loss prevention & loss control
a) Loss prevention
- Efforts aim at reducing occurrence of loss :
reducing expected loss by reducing frequency of loss

Example :
- Ban smoking : reduce probability of fire loss
- Impose speed limit : reduce frequency of road
accident

b) Loss control (Hazard & operation risk)


- Reducing expected loss by reducing severity of
losses
Example:
-Installation of fire extinguishers or automatic
sprinkler : minimize fire damage
- Air bags : reduce injury in road accident

Note : Most risk reduction measures reduce both probability and severity of loss
Example
- Reduction of storage of inflammable goods reduces probability as well as severity of fire damage
- Speed limit; burglar alarm; enforcement of work
safety rules

1.2.1 Cost - Benefit Analysis


- In theory, risk control measures should be used :
most effective technique for a particular risk
- Subject to : Marginal cost equals marginal benefit
- Decision : cost - benefits analysis : complicated by
several factors.
i) The benefits are in the future and are elusive,
requiring measurement of something that does not
happen (losses).
ii) Immediate large cost : Inability to obtain funds

Example : Installation of automatic sprinkler system


Potential benefits
- reduce fire insurance premium
- reduce loss retained under the policy deductible
Costs
- cost of equipment and installation
- cost of maintenance
- Deciding whether to invest in the sprinkler system to increase firm value requires the comparison between the expected benefits and the cost incurred, discounting expected cash flows to present value

Information Available
- Cost of sprinkler system : RM10,000,000
- Saving in annual insurance premium : RM1,900,000
- Annual maintenance cost : RM400,000
- Reduction in uninsured loss (cost) : RM500,000

Expected life of equipment = 10 years
Firm's cost of capital is 10 %
- Evaluate whether installation of the equipment will increase the firm's value
Decision rule
- If the discounted net cash flow is positive, the firm value will be increased by the installation of this equipment.

Computation of the discounted net cash flow (RM)

Initial Cash Outflow
- Cost of sprinkler system : (10,000,000)

Annual Net Cash Flow
- Saving in annual insurance premium : 1,900,000
- Annual maintenance cost : (400,000)
- Reduction in uninsured loss (cost) : 500,000
- Annual net cash inflow : 2,000,000

The present value of positive cash inflows for 10 years at a discount rate of 10% is RM 10,289,000
The present value of benefits and cost = (+) RM289,000 (positive value).
Decision
- The benefits exceed the cost; increase shareholder value
- Company should install the equipment if there are no other financial constraints faced by the company.

1.2.2 Role of Government in Risk Control


- Businesses: reluctant to invest in risk control
measures if costs exceed future benefits :
- Safety legislation : compel business to implement
desired safety measures
Example
: Fire Safety of buildings (Fire Safety Act 1988) and
employee work safety (Occupation Safety and Health
Act 1992)


2.0 Theory of Accident Causation


- Two major theories : explanatory and predictive
value.

1) The Domino Theory : by Heinrich, a safety engineer and pioneer in the field of industrial accident safety.

2) The Energy Release Theory : by Dr. William Haddon, a highway safety specialist

1) The Domino Theory


- Based on study of industrial accidents
Proximate cause of accident at work
- Study of 75,000 industrial accidents :
88% of accidents : unsafe acts of individuals
10% of accidents : dangerous physical or mechanical conditions
2% of accidents : "Acts of God"
Note : 98% of all accidents are preventable and unsafe acts were the main cause

Definition of an accident
An accident is any unplanned, uncontrolled event in
which the action or reaction of an object, substance,
person, or radiation could result in personal injury or
property damage
- Injury in accident : end result of the combination of five factors in sequence, manifested in a chain reaction
- An "accident" is one of the five factors in a sequence of factors that may lead to an injury.
- A series of dominoes standing on edge; when one falls, the linkage required for a chain reaction is completed.

The Five domino Factors


1) A personal injury (the final domino) occurs only as
a result of an accident.
2) An accident occurs only as a result of a personal
or mechanical hazard.
3) Personal and mechanical hazards exist only
because of the fault of persons.
4) Faults of persons are inherited or acquired as a
result of their environment.
5) The environment is the conditions into which an
individual is born

[Figure : Heinrich's Domino Theory. Dominoes in sequence : Ancestry or Environment, Faults of Persons, Personal or Mechanical Hazard, Accidents, Personal Injury]

- If one of the factors in the sequence leading to an accident can be removed, the loss can be prevented.
- For example, eliminating personal hazard (unsafe act) or mechanical hazard (factor 3 of the dominoes) makes the action of the preceding factors ineffective
Inference from this theory
- Risk control : concerned primarily with accidents and proximate causes of accidents.
- Factor preceding accident (the unsafe act of persons or the mechanical hazard) should receive the most attention

- Focus on accident prevention by removing unsafe acts of persons (or mechanical hazards), not on minimization of injuries or property damage
Conclusion
- Provides a five-factor explanation of a loss event, of which the hazard factors are the most important.
- Suggests the human behaviour approach to risk control, emphasizing influencing the hazard factor (unsafe acts of persons) through education and enforcement

2) Haddon Energy Release Theory


- Treats accidents as a physical engineering problem.
-Accidents : a result where energy of a system is out
of control putting more stress on a structure (property
or person) than that structure can tolerate without
damage.
- Examples : fire losses, accidents, industrial injuries,


- Focus on the mechanical hazards that influence accidents; engineering approach to risk control
- Proposes strategies designed either to suppress conditions that produce accidents or to enhance conditions that retard accidents.

Examples of engineering approach


i) Control the amount of existing energy or rate of
release through engineering approach
ii) Protect person / property from energy released
through the use of mechanical devices
iii) Using mechanical devices to reduce the impact of
energy release on person or property


Comparison between the two Theories


- The difference : difference in emphasis
- Both theories explain a sequence that leads to
damage or injury.
- Heinrich places most of the cause of accidents on
faulty human behavior.
- Haddon concentrates on the physical engineering
aspects of the conditions that give rise to accidents.


Domino Theory : 5 factors chain reaction
Persons ---- Accident (a factor in chain reaction) ----> Injury
Hazard : unsafe act
- Risk control strategy : human behavior approach to remove unsafe acts

Energy Release Theory
Automobile ---- Accident : uncontrolled release of energy ----> Damage
Hazard : mechanical hazards
- Risk control strategy : engineering approach to remove mechanical hazard or to provide physical protection to property

2.1 Principle of Risk Control Measures


2.1.1 Engineering Approach
- Loss prevention efforts aimed at mechanical and
environmental factors, and seek to eliminate hazards.
( Energy Release Theory)
- Emphasizes the elimination of unsafe physical
conditions by such measures as fire resistive
construction, burglary resistant safes, boiler
inspections, and safer cars.
2.1.2 Human behavior approach.
- Most accidents are caused by unsafe acts

- Loss prevention measures focus on the individual, and seek to modify human behaviors
- Stresses safety education / motivation of persons & enforcement
- Education : making people aware of the benefits of safety and motivating them to act or behave in a safe manner
- Enforcement : compelled to follow safety rules or subject to punishment

2.1.3 Classification of Risk Control Measures


1) Based on the focus of the risk control measure
i) Focus on the person :
- Aim at removing unsafe act or other undesirable
human behaviour ( the human behaviour strategy)
ii) Focus on the mechanical hazard or the environment
within which the accident occurs ( engineering
strategy)
- Aim at influencing the mechanical hazard of the risk
or providing protection to property exposed to risk


2) Focus on the time at which the risk control measures are applied.
i) pre-event actions
ii) simultaneous-with-event actions
iii) post-event actions

             | Prior to Event | At Time of Event | After Event
Individual   |                |                  |
Machinery    |                |                  |

Question
Classify the following fire control measures in the
matrix in the previous slide
- Fire safety campaign; Fire drill; Fire safety rule; Smoking ban
- Installation of fire alarm; smoke detector; portable fire extinguisher
- Fire resistance building
- Use of non flammable raw materials
- Salvage of partially damaged stock after the fire
- Disaster plan or contingency plan

2.1.4 Specialized Loss Control Measures


1) Separation of Assets
- control severity of loss by limiting the value of property exposed to loss. Example : storage of finished goods in two independent warehouses
2) Salvage
- preserving the value of damaged goods by
preventing them from further damage
3) Rehabilitation
- reduce the financial cost arising from injury to
workers ( reduce medical cost)
4) Redundancy (duplication)
- minimize the effect of accident by providing
standby property. Example : electric generator for
power failure
5) Non-insurance Transfers
- hold- harmless contract : transfer liability to another
third party by contract


3.0 Corporate Risk Control Program


- Control of two significant pure risks (enterprise
risks)
i) Property risk control ( Fire risk control )
ii) Liability risk control (Product liability risk control)
3.1 Principle of Fire Prevention and Control

- A fire : combustion : combustible substance (fuel) burns in oxygen with release of heat & light
- For a fire to start : ignition energy (heat); combustible material (fuel) and oxygen (air) : the fire triangle

a) Prevention of fire
- Removal of one of three elements of a fire triangle
(fire prevention measures)
- Ban smoking; No heating or welding process; No
electricity current?
b) Minimization of fire loss
-Extinguishing fire( remove one of the elements in the
fire triangle) : water (remove heat); powder (remove
air); foam (remove air)
-Use of non-combustible material; separation of
storage of goods ; construct fire resistance walls to
prevent quick spread of fire

- More specifically, prevention & protection measures in practice are broadly divided into four aspects :
1) Structural fire protection (LC)
- Passive fire protection; containment of fire using structural fire barriers
2) Elimination of source of ignition (LP)
- Identify and remove heat source from fuel
3) Detection of existence of a fire (LC)
- Early detection that leads to quick extinguishment
4) Fire extinguishment (LC)
- Fire extinguishment by various extinguishing equipment

1) Structural fire protection
- Prevent the spread of fire in building
- Reduction of fire development materials : non combustible materials
- Fire resistance structural frames, compartment walls and floors, enclosure of vertical / horizontal openings.

2) Elimination : sources of ignition
- Identification : avoided or minimized.

Ignition sources and preventive measures :
Chemical
- Prohibiting smoking
- Good housekeeping (spont. combustion, LP; reduced fuel & spread of fire, LC)
Mechanical (welding / cutting)
- Separate area for welding
- Hot work permit system
- Removal or protection of all combustible materials in the work areas, with provision for fire watch (including extinguishing equipment)
Electrical
- Proper maintenance
- Proper training
- Adequate wiring

3) Detection : Automatic fire Alarms


- Detect early to extinguish at source
- Automatic fire alarms : indicate fire & leads to
extinguishment.
Three fire alarm systems :
- Heat detector : detect rise in temperature
- Smoke detector : detect smoke
- Flame detector : detect infra red radiation emitted
by flames


4) Fire Extinguishment
Fire extinguishing Agent
- water, chemical powder, carbon dioxide, foam
Fire extinguishing equipment
a) Portable fire extinguishers
b) Automatic sprinkler system


3.2 Comprehensive Approach to Fire Prevention & Control for Industrial Buildings

- Selecting a type of building construction that can withstand the fire hazards likely to arise out of the activities conducted in that structure.
- Creating an adequate number of clear fire divisions beyond which fire will not spread.
- Minimizing exposures (spread of fire) from nearby buildings
- Controlling sources of ignition, particularly through safeguards in the use of flammable liquids, electricity, and machinery, as well as controlling human activities (such as smoking) that pose substantial fire hazards.
- Designing appropriate internal fire detection / suppression / signaling systems to be used in conjunction with fire extinguishers, patrolling squads, and fire brigade to recognize and respond to hostile fire.
- Establishing appropriate fire safety conditions, procedures, and rules for such activities as storage, spray painting, handling of flammable liquids and computer operation

Monitoring these fire safety measures

- Ensure good housekeeping : there is no build-up of flammable rubbish and wastes, especially in areas where ignition sources are present.
- Control of smoking : compliance with no smoking / no naked flame areas
- Burning, welding and hot work : is the hot work permit procedure being implemented fully ?
- Monitoring of electrical wiring and installation of electrical equipment and appliances to prevent electrical fires.
- Monitoring of process fire and explosion risks : the operation of boilers, furnaces, kilns, drying and heating units should be checked by instrumentation monitoring and by visual monitoring using trained staff.
- Monitoring the storage, handling and use of inflammable substances
- Review measures for prevention of arson. Security control systems and methods may need to be updated to combat this increasing problem.

3.2 Risk Control for Product Liability


3.2.1 Legal liability for defective products
- Manufacturers or distributors of a faulty product that injures someone or damages property may be held legally liable, and such liability may be established on one of three bases:

1. Negligence
2. Breach of Warranty
3. Strict Liability

3.2.2 Product Liability Loss Control


- Product design should be safe, complying with standards of Consumer Product Safety Commission
- High standards of quality control in the production process are needed to guarantee that finished products meet specifications (Total Quality Management, TQM)
- The design and production quality control measures should be documented

- Packaging and labeling should be reviewed by the firm's legal counsel
- Instructions for use of product and warnings about hazards or side effects are attempts by a manufacturer to meet the prudent man rule
- Contracts with suppliers should be reviewed and revised when necessary to make certain that suppliers of components for the firm's product assume liability for failure of their component-product.
- Contingency plan to be activated in the event of a product defect crisis : allows the company to recall defective products or locate consumers and repair faults (Toyota Motor & other car manufacturers)

4.0 Operation Risk Management (ORM)

4.1 Introduction

- Operational risks (OR) : risks arising from execution of a company's business functions
- Definition : OR is the risk of loss resulting from inadequate or failed internal processes, people or systems or from external events (the Basel II Accords)
- Very broad concept : fraud risk, legal risk, production risk, environmental risk, personnel risk (HR department), business processes, etc
- Human errors, system (IT) failures, inadequate procedures and internal control (Baring Bank, UK), inefficient business process & technology

- Fraud, false financial reporting (Enron); high rate of defective products (Toyota Motor, Japan), errors of incompetent staff, high staff turnover, etc
- ORM is coordinated centrally or implemented in different operational units with heads of department as risk-owners (e.g. IT department responsible for IT risks; HR department takes care of personnel risk, etc)
- ORM is especially important in banking and financial institutions (significant risk) : subject to international risk management standards : the Basel II Accords
- Focus on control of two significant operational risks in any company : fraud / employee theft risk and information technology (IT) risks
- ORM : key component of ERM

4.2 Internal Control for Employee Thefts / Fraud

- Organisations worldwide suffer larger and more frequent crime losses committed by employees than losses due to robbery / burglary.
- Theft by employees (with or without cooperation from outsiders) is known as embezzlement : loss of money and other property of the organisation.
4.2.1 Conditions Leading to Embezzlement and Fraud
1) Negligence of Management
- Management's failure to examine internal theft exposures critically or to take preventive action

- Naiveté : incorrect assumptions about people's honesty.
- Wrongful assumption : lower income workers more likely than upper level employees to steal. In fact, more serious embezzlement and fraud are attributable to managers
- Reasons for embezzlement committed by persons in authority and position of trust
i) Familiar with security routines
ii) Access to money / valuables and opportunity to take them
iii) Opportunities to get into difficult personal financial positions

Example : In banking, presidents, vice presidents, managers and head cashiers are most frequently the culprits.
2) Lack of Control
- Lack of sound procedural controls for maintaining security
- Controls and procedures should be designed for activities such as : screening and selection of employees; separating among several persons the functions that involve cash.

4.2.2 Internal Control Measures for Embezzlement and Fraud Risks (Risk Control Measures)

Can broadly be divided into :
i) Loss prevention measures, which decrease the probability of employee theft
ii) Loss reduction measures, which reduce probable loss severity by increasing the probability that employee thefts will be discovered or by limiting the amount that can be taken without discovery.

1) Accounting Controls
- Stringent accounting controls, to keep track of cash flows and detect any improprieties, limit loss caused by manipulation of a firm's records.
Examples : internal auditing, patrolling, observing and use of standard procedures.

2) Access Controls
- Stringent access controls reduce theft of merchandise and other property (including currency, confidential documents and trade secrets) by limiting access to target property to a limited number of key employees.
- Authority to sign cheques, purchase orders, and contracts : selected employees who cannot operate without this access
3) Personal Screening :
- Proper screening filters out dishonest applicants.
- Gathering information about an applicant's background and referees before the applicant is hired

4) Separation of duties :
- Proper separation of duties makes it difficult for any
one employee to steal without the collaboration or
cooperation of at least one other employee.
- Conditions for effective separation of duties :
a) No individual should have total control over every
phase of any significant transaction or sensitive job.
Example, those who maintain inventory records do
not participate in physical stock check
b) Work flow should proceed from one person to
another so that, without duplication, the work of the
second acts as a check upon that of the first.
c) Those who authorise use of assets should not also be responsible for their custody (the inventory clerk releases material only upon receipt of an authorisation from a department head)
d) Record keeping and bookkeeping activities should
be separated from the handling and custody of
assets. ( The account receivable clerk should not also
open mail containing cheques).
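
Added example (not part of the original slides) : one way to test conditions a) to d) automatically, both on the duties each employee is allowed to hold and on how transactions were actually processed. The duty names, the rule codes, the staff list and the transactions are assumptions constructed for illustration.

```python
"""Separation-of-duties checks for conditions a)-d) above (added example).

Duty names, rule codes, staff and transactions are constructed for illustration.
"""

AUTHORISE, CUSTODY, RECORD, VERIFY = "authorise", "custody", "record", "verify"
ALL_DUTIES = frozenset({AUTHORISE, CUSTODY, RECORD, VERIFY})

# Duty pairs one person must not hold together, keyed by the condition they encode.
FORBIDDEN_PAIRS = {
    "a": frozenset({RECORD, VERIFY}),      # record keeper joins the physical check
    "c": frozenset({AUTHORISE, CUSTODY}),  # authoriser also has custody
    "d": frozenset({RECORD, CUSTODY}),     # bookkeeper also handles the assets
}


def find_role_conflicts(assignments):
    """Return sorted (employee, condition) pairs for each forbidden pair held."""
    findings = []
    for employee, duties in assignments.items():
        held = set(duties)
        unknown = held - ALL_DUTIES
        if unknown:
            raise ValueError(f"{employee}: unknown duties {sorted(unknown)}")
        for condition, pair in FORBIDDEN_PAIRS.items():
            if pair <= held:
                findings.append((employee, condition))
    return sorted(findings)


def find_workflow_gaps(transactions):
    """Check how each transaction was actually processed.

    Returns (transaction id, condition, detail) tuples:
      "a" : one person performed every step (detail = that person)
      "b" : a step was followed by a step done by the same person, so nobody
            else checked it (detail = the unchecked step)
    """
    findings = []
    for tx in transactions:
        steps = tx["steps"]
        performers = {person for _, person in steps}
        if len(steps) > 1 and len(performers) == 1:
            findings.append((tx["id"], "a", next(iter(performers))))
        for (duty, person), (_, next_person) in zip(steps, steps[1:]):
            if person == next_person:
                findings.append((tx["id"], "b", duty))
    return findings


# Constructed sample data: who is allowed to do what.
STAFF = {
    "alice": {AUTHORISE},
    "bob": {CUSTODY},
    "carol": {RECORD},
    "dave": {RECORD, VERIFY},                      # keeps records and checks stock
    "erin": {AUTHORISE, CUSTODY, RECORD, VERIFY},  # holds every duty
}

# Constructed sample data: who actually performed each step, in order.
TRANSACTIONS = [
    {"id": "T1", "steps": [(AUTHORISE, "alice"), (CUSTODY, "bob"), (RECORD, "carol")]},
    {"id": "T2", "steps": [(AUTHORISE, "erin"), (CUSTODY, "erin"), (RECORD, "erin")]},
    {"id": "T3", "steps": [(AUTHORISE, "alice"), (CUSTODY, "bob"), (RECORD, "bob")]},
]

if __name__ == "__main__":
    for employee, condition in find_role_conflicts(STAFF):
        print(f"role conflict : {employee} violates condition {condition})")
    for tx_id, condition, detail in find_workflow_gaps(TRANSACTIONS):
        print(f"workflow gap : {tx_id} violates condition {condition}) [{detail}]")
```

The role check catches conflicts at the time duties are assigned; the workflow check catches cases such as T3, where bob holds only the custody duty on paper but also did the record keeping.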
Case
Bankruptcy of Baring Bank, UK (1995) : failure of internal control and separation of duties of employees (derivative trading / accounting / risk analysis & control / reporting functions : all performed by a single person, Mr Leeson)

4.3 Information Technology (IT) Risk Management

4.3.1 Introduction

- Increase productivity : heavy reliance on computer networks & internet
- Dependency : serious potential risks (IT risk) : serious losses if proper security is not installed
- IT risk : accidental and malicious.

1) Accidental risks : human errors, accidental damage, power failures (threats to computer facilities : the hardware) & system failure
2) Malicious risks : breaches of network security : hacking (inside and outside of network), malicious code & computer fraud (threats to software)
- Needs : protection of computers & information : risk controls : ensure adequate & cost-effective security.

4.3.2 Loss Exposures and Risk Control Measures

1) Risk : physical integrity of computer facilities & equipment
2) Risk : threats to data : data exposures
3) System failure

1) Facilities and Equipment Exposures
- Perils that threaten the computers or computer installation

i) Fire, building collapse, explosion, leakage from plumbing, and fire suppression systems
ii) Theft of computers : laptops and memory drives
Risk control measures
- Fire protection and tight security measures

iii) Sabotage : deliberate destruction by hostile persons
Risk control :
- Effective access control : positive personnel identification with tight supervision of computer operations and equipment
- Adequate personnel selection & screening : ensure a high level of trustworthiness in IT personnel

2) Data-Related Exposures

- Perils :
- Fraud, embezzlement, and sabotage, which occur as a result of manipulation of data
- Theft of data through surreptitious listening gear or the covert removal of tapes
a) Unauthorised access
- Staff, either out of curiosity or malice
- An intruder (hacker)
- Both resulting in loss of secrets or loss of data

Risk control
i) Firewall : effective defense against many hackers
ii) Passwords : unique to individual and changed frequently.
- Monitor the number of failed passwords : targeted by hackers
- Implementing policies & procedures that guarantee high level of security
b) Viruses
- Viruses : malicious programs that enter a computer network and set out to cause damage to the data (logic / time bomb; worm; Trojan horse)
- Source : downloaded from the internet or introduced from a program disk

Risk control measures

i) Anti-virus scanning software
ii) Monitor both internal and remote network communications and update regularly
3) System Failure
- Potential causes : virus attack, software faults, overheating and human error
- May result in business interruption : loss of earnings and reputation

- Downtime : expensive
- Measure time lapse after which an IT system
downtime will affect turnover & have adverse
consequences on relations with clients
Risk control measures:
i) Back-up procedures and system ( may involve
agreement with hardware and software producers or
reciprocal arrangement with other organizations)
ii) Implementing business continuity and disaster
programs.


Financial Impact / Consequences from IT risks

i) Direct financial loss :
- loss or damage to computer facilities
- expenses to get the business back on track
- loss of earnings and cost from business interruption
ii) Potential additional expenses
- data re-entry and file rebuilding costs; recovering manufacturing process
- temporary employees / overtime costs
- penalty / compensatory payments from breached contracts
- damaged reputation : brand re-establishment charges from appearing vulnerable

Computer Security Considerations

- Is there an independent check of the completed program, and how often?
- Is it possible for the program to be run by a single operator?
- Do system analysts and data preparation operators have access to the computer room?
- Is anyone responsible for data preparation allowed access to control records?
- How are program changes authorised and records of changes kept?
- Is a self-checking system incorporated for internal control?
- Is there a rotational system for operational duties?
- What functions do external auditors exercise in connection with the system?

Cases on Operational Failures

1) Collapse of Baring Bank (1995) (failure of internal control)
- Baring Bank of UK lost $1.3 billion and went bankrupt in 1995 due to failure in operational (internal) control over a derivative trader
2) Ericsson case : the small fire that caused a US$2 billion loss (indirect loss : business interruption loss)
- Ericsson controlled 40% market share in the 1990s. In 2000, the company's supplier, a chip-making plant, was struck by lightning, which started a fire that lasted only ten minutes. The plant was a contract supplier for both Ericsson and Nokia.

- Ericsson underestimated the interruption and did not appoint a substitute contractor; its production was severely interrupted, resulting in a loss of US$2.34 billion (a serious failure in operation risk management)
- However, Nokia was proactive and appointed a substitute contractor, ensured its production was not materially affected & took over Ericsson's market share

5.0 Contingency Plan : Crisis Management & Business Continuity Management

LESSON SUMMARY
- WHAT IS CONTINGENCY PLANNING?
- WHAT IS A CRISIS?
- WHAT IS CRISIS MANAGEMENT?
- WHAT IS A CRISIS MANAGEMENT PLAN?
- 5 KEY ELEMENTS OF A GOOD CRISIS MANAGEMENT PLAN
- PROCEDURE FOR ESTABLISHING A CRISIS MANAGEMENT PLAN
- BUSINESS CONTINUITY MANAGEMENT

5.1 Introduction
- No matter how effective loss prevention measures are, the probability of loss cannot be reduced to zero.
- Losses from risks with low probability and high severity may occur.
- Need to plan for potential large losses (the crisis) through contingency planning
- Contingency plan provides coordinated, effective responses through planning and organizing the company's resources and activities immediately before, during and after crisis.

- Two key components : crisis management plan and business recovery plan or business continuity management (BCM) plan
- Crisis management : actions taken to preserve organization resources (assets and people) for fullest feasible long term recovery (fundamental objective of risk management)
- Successful crisis management paves the way for an effective business recovery.
- BCM : provides a plan for the business to return to normal operation as quickly and efficiently as possible after the crisis has been successfully controlled by implementing the crisis management plan, e.g. provide alternative site for production & administration

Outline of the three phases of contingency planning

- Pre-loss Phase : Preparation and practice of contingency plan
- Loss Phase : Implement crisis management : to save lives & limit damage
- Post-loss Phase : Implement business recovery plan : to initiate speedy and effective recovery

- Contingency plan acts as the risk control of last resort or the safety net of the risk control program, to ensure that the company could survive the catastrophe event if it occurs.

- Relationship between risk management, crisis management and business continuity management (BCM)

|-- Normal operation --|---- Crisis ----|---- Bus Recovery ------|
|----------------- Bus. interruption -----------------|
|-- Risk Mgt ----------|-- Crisis Mgt --|-- Bus Continuity Mgt --|
   RM program             Crisis Mgt plan   Bus Recovery plan (BCP) (BCM)

5.2 Crisis Management

5.2.1 The Nature of Crisis

- A crisis is a situation or time of great difficulty or great danger (trouble). It is a turning point in an organization's activities, a point at which crucial actions will significantly shape the future
-Crisis: broadly defined as an event that may
materially and adversely affect shareholder value
( Example : Toyota Motor : extensive product recalls)
- A crisis arises when there is an imminent or
presently occurring event that can cause catastrophic
loss ( example : a fire and explosion )
- Actions need to be taken immediately in response to
crisis to reduce potential losses


- The outcome of a crisis depends on the appropriateness, effectiveness and speed of the actions taken, which shape the outcome of the crisis : increase or decrease the severity of loss
- For a positive outcome, responses must be planned & the actions of all personnel coordinated during the crisis
- Examples : Toyota Motors (product defects); BP (oil spill from production rigs)

5.2.2 Sources of crisis

1) Major property damage event : fire & explosion, earthquake, or third party action : sabotage, vandalism or hostilities (terrorism, hijack of aircraft or ship) : sudden crisis

- Example
1) The Tylenol case (1982) : crisis created by sabotage through product tampering (Johnson & Johnson)
2) Union Carbide, USA : leakage of toxic cyanide vapour in its factory in India that killed thousands of residents in the surrounding area.
3) Companies that occupied the twin towers of the World Trade Centre : terrorist attack
4) Commercial Union Insurance Ltd, UK (terrorist bombing)
Crisis arising from bombing of its headquarters by terrorists on Friday. However, it managed to operate its business on the following Monday in alternate premises through the implementation of its crisis management plan : famous slogan in its advertisement "Business as usual on Monday".

2) Non-property damage events (slow developing crisis)
- Mismanagement of operational risks leading to crisis
: product defects with costly recalls and reputation
damage (Toyota Motor), white-collar crimes, labour
disputes, class-action lawsuits, financial losses
through derivative trading; HR problems (a Taiwanese
company that produced i-pads for Apple)
- Slow developing crisis (slow-burn : smouldering
type, in contrast to sudden crisis)
- Start small and take days or months before they
get out of control; management knew of the problem
before it developed into crisis proportions : ignored,
unrecognised or denied before it blew up
Case : Toyota Motor; BP

- Feature : evolve / develop over a period of time :
- Management responses : incomprehension and a
refusal to face facts (state of denial) until it escalates
to crisis dimension (Toyota Motor : defect
complaints began in 2007)

Stages of development of a smouldering crisis event

External changes
   l
   l-->Crisis --->Inaction --->Recognition--->Change-->Improvement
   l
Management error
   l
Failure

- The results of these non-property damage crises
were serious, as the reputation of the corporations was
badly tarnished, leading to loss of market share and
serious reduction in shareholder value
i) Failure of internal control : collapse of Barings Bank
ii) Accounting frauds and irregularities : Enron Corp
(2002); Satyam Computer System (India) (2008)
iii) Ericsson : Lost hand-phone business due to
business interruption caused by a small fire that
damaged the production facilities of its key supplier
Note :
The smouldering type of crisis is more difficult to
plan for and identify at its early stage : most challenging
to manage !!

Table 1 : Crises Reported in Media (2003)

Crisis Categories
White collar crimes       17
Defects and recalls       14
Mismanagement             12
Class action lawsuit      10
Labour disputes
Casualty accidents
Consumer activism
Work place violence
Catastrophes
Financial damages

Source : ICM

Table 2 : Most Crisis-prone Industries (USA) (2003)
(Rank by percentage of crises)

Industries                    Rank
Securities and commodities
Supermarket
Gas / oil production
Investment banking
Restaurants
Aerospace industry
Telecommunication
Discount stores
Electric power generation     10

Source : ICM

4.2.2 Reasons for Developing a Crisis Management Plan

- Crises : unsettling & stressful events. Responding
constructively to such events requires structure, order
and discipline
- When a crisis arises : too late to plan and implement
adequate responses in the wake of confusion,
emotion, distraction and muddled coordination
- Safety of personnel & viability of future business
operations depend on effectiveness of crisis
management plan

Benefits of crisis planning are :
1) Adequate time to prepare an effective response
2) An opportunity to investigate and select alternative
responses to different situations
3) Organizing and training of personnel for
appropriate crisis management responses

5.2.3 Crisis Management Planning

- Defined as the planning, organizing and controlling of
the company's assets and activities in the critical
period immediately before, during and after an actual
or impending major loss event to reduce the loss of
resources essential to the company's eventual full
recovery
- Time available to manage a crisis : relatively short.
Inadequate for many actions to be taken in proper
sequence to protect the corporation's essential
resources
- For a positive outcome, responses to these crises must
be planned in advance, thereby coordinating the
actions of all personnel during the crisis

Crisis Management Plan

- Provides a coordinated, effective response through
planning and organizing the company's resources and
activities immediately before, during and after the
crisis.
- Objective : to preserve organization resources
(assets and people) for fullest feasible long term
recovery (fundamental objective of risk
management)
- Challenges : shortage of time and resources to
implement crisis management measures.
- Sound crisis management rests on thorough
pre-crisis planning : the crisis management plan
- Successful crisis management paves the way for an
effective business recovery.

Three Phases of Crisis (arising from events that
cause severe property damage)

1) Threat - likelihood of a major loss is increasing
rapidly, but peril has not yet occurred
e.g. : For a fire & explosion peril, it is when the
temperature of the combustible materials approaches
ignition point
2) Warning - occurrence of a peril and a potentially
severe loss is imminent. For a fire, the ignition before
the flame spreads (sounding of fire alarm)
3) Impact - when major injuries / serious damage is
occurring

Constructing a Crisis Management Plan

- A crisis management plan details :
  - organisation structure of crisis management team
  - various facilities available
  - actions and responses to be implemented before,
    during and after crisis.
- Main goal : to ensure the corporation will survive any
foreseeable major accidental losses.
- Achieved : by preserving assets (human & physical
assets) that are essential to continuous operations

4.3.3 Key Elements of Crisis Management Plan

- Five common elements of good crisis management
plans

1) Organizational structure
- Structure : chain of command & special authority
and responsibilities of team members : clearly
established
- Unquestioning compliance by all employees : enables
organization to respond promptly and efficiently
- Unified crisis command post : communication
equipment & all essential information
- Two-way communication between crisis command
post & crisis management team members & every part
of organization

2) Protection and Evacuation of Personnel
- Survival and full recovery require resilient personnel
- Measures to protect all employees from any
foreseeable danger during crisis
- Appropriate alarm system and training to enable
personnel to carry out evacuation plan
- Detailed evacuation procedure for both injured and
uninjured employees

3) Safeguarding Production Facilities
- Preserve physical production facilities to enable
organization to continue operations after the crisis
- Procedures for shutting down potentially hazardous
operations : so that they do not contribute to the crisis
& are protected from further damage
- Plans to restore or find temporary substitute for
damaged or destroyed production facility

4) Provide Emergency Operating Fund
- Provide funds for unanticipated expenses related to
crisis.
- Establish procedure for authorizing team members
to have access to the fund

5) Communication during and after the crisis (media management)
- During crisis, an organization must preserve its
standing (public image or reputation) in market
- Organization must communicate effectively with
customers, suppliers, regulators, employees & media.
- Communication : transparency about crisis event
(nature, extent of damages, efficiency in crisis
management and whether crisis is under control) &
keep stakeholders and public informed
- Preserve the organization's reputation by combating
negative rumours and assuring everyone of the
continued viability of the organization

Communication strategies should be :
i) Tailored to each group's interest
ii) Consistent to reduce difference in emphasis that
may cause confusion
iii) Coordinated through one spokesperson or one
department to ensure consistency of response
and to control content of message
iv) Sufficient information provided to protect
organization against unintended admission of
liability or fault

v) Maintain a delicate balance between :
- tendency towards full disclosure
- need to maintain confidentiality to protect
organization's interests & managerial options
However, there is a risk that non-disclosure of key
information expected by the public or authorities
results in a public outcry over concealment and
misleading, dishonest behaviour
A public relations nightmare!! resulting in a
tarnished company image and a serious
reduction of shareholder value (the share price
may plunge after such an incident)
Example :
BP's public relations nightmare

Specify procedure and personnel involved in
supplying information during & after crisis
i) Extent of losses caused by the crisis
ii) Organization's short- and long-term recovery
plans
iii) Effect of crisis on stakeholders
iv) Remedial action to be taken to prevent the
occurrence of such a crisis in future

Procedure for Establishing a Crisis Management Plan

1) Appointment of a crisis management coordinator :
- trained and experienced in responding to
emergency conditions.
- selects his crisis management team members
- collectively design crisis management plans for
various potential future crises

2) Crisis management plans
- written and regularly updated
- forming part of organization rules & procedures
- Cover the following :
i) Emergency procedures
- to evacuate personnel from each building by at least
two separate routes
ii) Procedures for shutting down potentially
hazardous operations : so that they do not contribute
to the crisis and are protected from further damage
iii) Procedure for reporting plant emergencies to
public agencies
iv) Appoint a crisis management plan coordinator : the
designated spokesperson to handle news media,
and all employees should be instructed to refer
news media to this person

3) Crisis management plan should be reviewed with new
employees as part of their orientation and
training.

4) Practice drills should be conducted in cooperation
with outside agencies

5) A crisis management procedure manual must be
prepared and widely distributed to all
employees, containing the key information :
i) The structure of the crisis management hierarchy,
including the chain of command and the
composition and the general responsibility of the
crisis management appointed
ii) Evacuation instructions including explanation of the
alarm signals and diagrams of exit routes
iii) Describe operation of crisis management
command posts, and specify alternative means of
communication inside and outside the
organisation

Case
Effective Crisis Management : The Tylenol Case
Company : Johnson & Johnson (J&J) USA (1982)

In September 1982, seven people in Chicago died from
taking Tylenol capsules, a pain-killer capsule made by
J&J. Police investigation discovered
that someone had removed the packages from
the shops, added cyanide (a highly toxic
chemical) to the capsules and placed the packages back
on the shelves in these shops (at the time,
tamper-resistant packaging was not used).

Johnson & Johnson (J&J) halted the production of
Tylenol, issued a nationwide warning not to consume
any type of Tylenol products and recalled an estimated
31 million bottles of Tylenol with a retail value of $100
million. J&J offered to exchange all Tylenol capsules
already purchased by the public with solid tablets.
The event had significant immediate repercussions for
J&J : its share price fell and the market share of
Tylenol dropped from 35% to 8%.

Within two months J&J had reintroduced its capsules,
but in triple-sealed packages designed to reveal
whether tampering has occurred. Within a few
months, Tylenol had regained its dominant market
position.
J&J's prompt, aggressive and open reaction to the
incident drew praise from the press and the risk
management community. This tragedy is recognized
in the risk management and insurance community as
a defining event. It puts crisis management on the

A major corporation has demonstrated the enormous
importance of sound crisis management; of not
panicking, of moving quickly to address the problem
(the golden hour rule in medical cases), and,
importantly, of being and being perceived as open
and honest with the affected public.

5.3 Business Recovery Planning (Business
Continuity Management, BCM)

- Crisis management plan : ensuring the correct
response is made quickly to the demands of the
emergency / crisis, to save life and property

- After the crisis stage has been successfully
controlled, the business recovery plan will be
implemented to allow the organization to plot its
path back to normal operations as quickly and
efficiently as possible.

- To achieve an efficient and effective recovery, the
business recovery plan must be drawn up to
concentrate on permitting the most important
operations to be resumed as quickly as possible to
minimize the extent of business interruption.

- Main task is to provide alternatives to counter
the disruption caused by the crisis event :
  - to provide alternative premises for
    manufacture, storage or administration;
  - alternative plant and machinery, or perhaps
    contracting out or other channels of
    distribution of products.

- Continuously updated and reviewed regularly to
take account of the changes in operations,
markets, and all other changes that may take
place after the plan has been first completed.

Summary,
- Contingency plan should be carefully developed,
detailed in writing, adequately implemented, and
constantly revised to meet changing conditions of
dynamic business environment.
- Contingency planning enables
i) planning to be done at leisure, when all the
necessary specialist advice can be obtained
ii) organization to take actions with minimum of
delay
