governance across an organization. Some drivers
that were identified for integrating risk across an
• The need to view strategic risks and their impacts
beyond the bounds of their organizational origin.
The workshop provided the opportunity for participating
drinking water utilities to present their experiences,
challenges, and successes with integrating risk across their
organizations. Anthony Fitzsimmons from Reputability Ltd
presented on lessons for boards and risk professionals.
He presented findings from a root cause analysis of
18 risk event case studies. Three core conclusions were:
unrecognized risks cause crises even for well-respected
companies, the risks resulting in events are not on typical
risk registers, and only boards can force the evolution
of risk analysis, risk management, and internal control.
Unrecognized risks frequently emerge from an insufficient
appreciation of the importance of “soft skills” relating
to organizational ethos/culture/behavior, from poorly
aligned incentives, and from inadequately managed
communication, learning, and change.
Martin Carter from E.ON UK plc presented on risk
management of safety-critical systems. He presented
a model that focused on identifying barriers to, and
mitigating effects from, an incident. The current
condition of our defensive barriers, not the originally
assumed condition, dictates the level of exposure. The
“bow-tie” concept used widely in process risk analysis
encourages a focus on controls and barriers, assuming
that managing barriers results in managing risk (Figure 3).
Critical knowledge that risk managers can get from the
upcoming guidance includes:
• Reaching a common and sufficient understanding of
risk management at the organizational level, including
terminology and desired outcomes.
• Developing a formal organizational structure that
• Appreciating effective communication and securing
investment for training to ensure that people are
aware and competent regarding the tools available for
• Recognizing how to prioritize resources from the
perspective of senior management.
• Understanding the impact of misrepresenting the
importance of a risk, and requiring an iterative peer
review and assessment process.
• Comprehending financial exposure and opportunity
value for risk reporting.
The draft guidance document that synthesized the research
findings, case studies, and workshop outcomes was provided
to the Foundation in May 2012 and the final document is
expected to be available by the end of the year.
Figure 3. Bowtie model example, used widely in process risk analysis.