Insider Business Club: risk management

Can you make exceptions in your risk management policy?

Roger Southgate, past president ISACA – London

You have two key components, you obviously need a high level policy and those
should almost be tablets of stone. These are, if you like, our business
principles – this is what we expect, this is the way we, as an organisation,
will behave forever. And if anybody wants to look for an example, Johnson &
Johnson’s credo is probably one of the most famous sets of tablets of stone that
you can have a look at.

And then everything else should come off that. From there we want to take
this high level policy and turn it into appropriate procedures but, alongside
this, you must also have a formal exception process. Because there will be
times, and there will be areas of your business activity, where actually
maintaining our existing policy and procedures is singularly inappropriate.

But what you certainly don’t want to do is to get people to turn a blind eye
and navigate their way round that and hope that they can explain later. It is
much better to have a proper visible process where people say, ‘this is an
exception for this reason, therefore we are going to expose ourselves to this
much extra risk potentially.’

How do you define risk management systems or how unique to the
organisation do you have to be?

Jonathan Forshaw, BI sales director, UK region, Oracle

I think it can be extremely unique to the organisation, as you move away from
the transactional environment. So, I think it is always interesting to look at
what, or where, people have been successful in the transactional world, then
taking a step back and look at how you could apply that same rigour on
management processes.

You need a system that supports you from a technology viewpoint but not be as
prescriptive as say a transactional system. You need to have that flexibility
in there to have the competitive advantage – the uniqueness in the way that the
organisation works. But you still then need a way of translating that into
making sure people comply with it.

We are starting to get those forward-thinking organisations looking at how
they can actually do something more rigorously in the management processes, to
make sure that they are compliant with the regulations, but at the same time
have that balance between risk and performance.

What’s the best way to demonstrate risk management policies?

Lisa Osofsky, financial services adviser, corporate investigations,
Control Risks

You’ve got to have a top down culture of compliance. You have got to see the
CEO stand up there and actually put in place the kind of policies that you are
asking the rest of the organisation to follow. You have got to make sure that
everybody understands the policies, the policies are clear and everybody is
expected to comply with those policies. It is very important that those get
applied fairly across an organisation, because all you need to do is see
nepotism at work, or somebody who seems unjustly rewarded for behaviour that you
know is not appropriate, [and] you undermine the credibility of those policies.

So you have to make sure that they are both clear and transparent and that
they are adhered to in a uniform and fair way.

Do people avoid difficult decisions and wait for regulators to lead the

David Jones, director, Paragon Consulting

Yes there is some of that. Sarbanes Oxley in the US seems to have done very
little to protect US investors from fraud and it’s done an enormous amount of
good for European capital markets as people have withdrawn from their US
listings. I don’t think it’s been a positive outcome at all. I think well run
companies do worry about risk to the right degree of all types. They will put
their own concerns about how to manage risk in their business above and beyond
what the regulator will ask for because, actually, they will know where the real
risks lay.

They will also know where the regulator’s rule book can be of some assistance
in managing a risk. The rest of it is box ticking and form filling that actually
doesn’t prevent a risk occurring at all.

Chaired by Damian Wild

Watch the events and sign up at

Related reading

New Logo Saffery Champness