CASE STUDIES AND VALUE OF RESEARCH
Risk Management at United Utilities
United Utilities (UU) manages risks with a process called the Business Unit Risk Assessment or BURA, which allows
any member of staff to enter issues of concern. This forms a key part of UU’s corporate governance and ensures that
risk is dealt with on a consistent basis. Any risk is defined as a product of the consequence and the probability of
its occurrence. UU uses an eight-tier model where issues with financial, regulatory, service, operational, compliance,
systems, people, political, and media relations consequences are entered onto a matrix. Each issue is then assigned a
probability rating, and multiplying the consequence and probability ratings provides a total score as shown in the figure below. All risks are maintained on
UU’s Risks and Issues database (RAID).
Any risks that fall on the light blue area of the chart are required to be actively managed by an assigned owner of the
risk and are formally reviewed on a monthly basis. Management of risks entails considering mitigating actions, which
are represented on RAID as actions to be monitored. Top risks are reported upward, with the most serious risks being
considered in the monthly board meetings. The effectiveness of mitigation is closely monitored.
Risk assessment and quarterly scenario planning are undertaken looking at a five-year horizon. New risks are added to
the RAID with the help of a BURA manager. UU has found that the BURA manager is essential to ensuring a consistent
approach and that any risk is neither under- nor overstated. UU also uses a standard form to provide a discipline in
defining and explaining any risk. The BURA process is used for internal business governance and control and can also
be used for external communication with regulators and with insurers.
[Figure: risk matrix. Axis: Probability of occurrence (Unlikely, Likely, Very Likely).]