
The research for this literature review was detailed and comprehensive, covering a multitude of factors, topics and considerations that will help the author determine which Enterprise Risk Management framework would be suitable for the NHS. Once the author had discovered which framework was suitable, the focus switched to which methodology type would be required; methodologies are discussed from a variety of sources, both academic and otherwise, within the scope of this report to give a clear and informed answer.

5.1 What is Risk Management?

Risk management is a process that allows individual risk events and overall risk to be understood and managed proactively, optimising success by minimising threats and maximising opportunities. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. IT security threats and data-related risks, and the risk management strategies to alleviate them, have become a top priority for digitised companies.

Moreover, according to (Tita and Simpson, 2009) the NHS has two types of risk; here is a summary view of those risks:

- Clinical risks: patient-centred risk, e.g. clinical errors, patient safety risks.

- Non-clinical risks: risks relating to patient care, e.g. use of facilities by staff, patients, contractors and other visitors, such as health and safety risks, financial risks, reputational risks, information governance risks, etc.

The nature of this study is to determine the use of methodologies in a business sense; therefore the author will focus on non-clinical risks. As per (Institute of Risk Management, 2018), a large and complex organisation such as the NHS will employ Enterprise Risk Management (ERM), which is an integrated and joined-up approach to managing risk across an organisation and its extended networks.

5.1.1 Enterprise Risk Management

ERM can be defined as the overall risk management approach to business risks, according to (D'Arcy and Brogan, 2001). They also go on to explain that corporate risk management, business risk management, holistic risk management, strategic risk management and integrated risk management are forerunners to ERM, but they may differ due to a slightly different focus.

ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organisation's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

This study is based on the NHS, and as such the author will now proceed to define the NHS as an enterprise to determine which business category it falls into. (Ways Resources, 2018) defines an enterprise as another word for a "for-profit business or company"; the word profit and the NHS do not go hand in hand, so this would rule out the NHS as an enterprise, and the question requires further investigation. There are, according to (BusinessDictionary, 2018), state-owned enterprises, which can be defined as a business entirely or in part owned by the government. This clearly describes the NHS, which is owned and funded by the UK government.

5.2 Which Enterprise Risk Management Framework?

The ERM process should be tailored towards the organisation's needs, in this case the NHS as a point of reference. There are many different frameworks to choose from: ISO 31000 Risk Management, BS31100 Code of Practice for Risk Management, COSO Enterprise Risk Management, FERMA Risk Management Standard, OCEG Red Book 2.0 (GRC Capability Model), etc. Due to the word limitations of this study the author will only discuss the first three frameworks:


1.       ISO 31000 Risk Management

2.       COSO Enterprise Risk Management

3.       BS31100 Code of Practice for Risk Management

This does not mean that the ones left out are not suitable; unfortunately the author does not have the capacity to include them in this study.

5.2.1 ISO 31000

ISO 31000 is the industry standard for risk management as per (ISO.ORG, 2018), who go on to state that managing risk effectively will aid the performance of an organisation while protecting its economic performance and professional reputation. ISO 31000 achieves this by providing comprehensive principles and guidelines; this standard helps organisations with their risk analysis and risk assessments. The NHS is a public enterprise, so it can benefit from ISO 31000 because it applies to most business activities, including planning, management operations and communication processes. What are the benefits?

- Improve operational efficiency and governance

- Build stakeholder confidence in your use of risk techniques

- Apply management system controls to risk analysis to minimise losses

- Improve management system performance and resilience

- Respond to change effectively and protect your business as you grow

5.2.2 COSO Enterprise Risk Management

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework was released in 1992 as a three-volume publication, according to (Moeller, 1991). This Internal Control - Integrated Framework received a comprehensive update in 2013, and (Opgenorth, 2017) goes on to explain that COSO is the de facto framework used by more than 99% of organisations in the USA which must comply with the Section 404 Internal Controls over Financial Reporting (ICFR) requirement of the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act.

All public companies in the USA must comply with SOX as per (Rouse, 2013), which is similar to the Data Protection Act (DPA). COSO defines ERM as "The culture, capabilities and practices integrated with strategy-setting and its execution that organisations rely on to manage risk in creating, preserving and realising value", as (Opgenorth, 2017) explains it. In short, COSO provides a range of documents regarding risk management, internal controls and financial reporting; it defines eight ERM components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management. What are the benefits?


Figure 1: Three-dimensional matrix of the COSO ERM framework

(Opgenorth, 2017) presents a three-dimensional matrix of the COSO ERM framework which includes objectives across the top, divisions on the right and the eight components of ERM. Below is a summarised view of the four objectives and the eight components of COSO ERM.

- Strategic: these objectives are high level and are aligned with an entity's mission.

- Operations: these objectives refer to the effective and efficient use of resources.

- Reporting: these objectives surround an entity's need for reliable reporting.

- Compliance: these objectives refer to an entity's need to comply with applicable laws and regulations.

The new COSO framework addresses:

- greater insight into strategy and the role of ERM in setting and executing strategy;

- alignment between organisational performance and ERM;

- expectations for governance and oversight;

- the continued globalisation of markets and operations and the need to apply a common, albeit tailored, approach across geographies;

- fresh ways to view risk in the context of greater business complexity;

- risk reporting to address expectations for greater stakeholder transparency;

- evolving technologies and the growth of data analytics in supporting decision-making.

5.2.3 BS 31100 Code of Practice for Risk Management

The British Standards Institution issued its code of practice in 2008, and it was updated in 2011. It is designed to help managers develop, implement and maintain effective risk management within the business. Using BS 31100 can help managers improve their company's performance. BS 31100 is a broad overview of risk management, which is concerned not only with the negative aspects of risk, but also with the opportunities it could present to businesses.

BS 31100 outlines the risk management process so that all the different divisions in the business work in a manner that provides consistency throughout the organisation, by interpreting the processes being administered under BS 31100. (IT Governance, 2018) explain that BS 31100 provides guidance for ISO 31000 and the two align together. What are the benefits?

The benefits according to (IT Governance, 2018) are summarised below:

- ensuring risks are proactively managed in specific areas or activities;

- embedding risk management in an organisation;

- providing assurance on an organisation's risk management;

- reporting to stakeholders, for example through disclosures in annual financial statements, corporate governance reports or corporate social responsibility reports.

Table 1: pros and cons of two ERM frameworks (ISO 31000 and COSO). The column layout of the table did not survive extraction, so the cells are listed here without their column assignment.

Pros: Simple to implement; Robust global standard; Links to internal control framework; Easier to understand and user friendly; Audit and controls focused; Risk focused; Stronger corporate governance; Flexible, easily tailored.

Cons: Detailed ERM; High level; Prescriptive, rigid; Hard to implement; Hard to understand; Cube can be confusing.

5.3 Purpose of Enterprise Risk Management Strategy

The purpose of the ERMS is to detail the National Health Service (NHS) framework within which the NHS leads, directs and controls the risks to its key functions, in order to comply with compliance requirements and key regulatory requirements such as those of the Care Quality Commission, and its strategic objectives, which include quality aspects of governance, aligning with Monitor's approach to assessing corporate and financial governance.

Risks to patients, staff and organisations are ubiquitous in healthcare; therefore it is important for any large enterprise to employ qualified healthcare risk managers who will assess, develop, implement, and monitor risk management plans with the goal of minimising exposure. There are a multitude of issues faced by an enterprise as large as the NHS, such as finance, data protection, safety and, most importantly, patient care.

According to (Aloini, Dulmin and Mininno, 2007), an organisation's business goals and processes must align inside and outside the organisation's boundaries; thus, without an effective risk management strategy a business may be open to infiltration. Therefore, the ERM influences the NHS strategy: the principal goals of the NHS are set by the mission, which can then be used to set strategic objectives. The strategic objectives are aligned with the NHS mission, which will allow the NHS management team to determine which strategy to use, dependent on the particular goals at the time.

5.3 Responsibility of Risk Management

Risk management is the responsibility of all employees of the NHS. The Chief Executive, Executive and Non-Executive Directors, Head of Risk Management, senior managers, and department heads are more directly responsible for risk management within their areas of the organisation.

The risk manager has certain roles and responsibilities according to (McConnell, 2010); here is a summary view of these roles:

- Acknowledge and identify all threats.

- Apply risk management methodologies and risk analysis tools to identify and analyse the financial impact of loss to the organisation, employees, the public, and the environment.

- For all acknowledged risks, apply risk management methodologies and risk analysis tools that integrate with insurance policies.

- Explore the use of realistic and cost-effective opportunities to balance retention programmes with commercial insurance.

- Prepare risk management and insurance budgets and allocate claim costs and premiums to departments and divisions.

- Provide for the establishment and maintenance of records, including insurance policies, claim and loss experience.

- Participate in the review of major contracts, proposed facilities, and/or new programme activities for loss and insurance implications.

- In cooperation with the NHS trust, maintain control over the claims process to assure that claims are being settled fairly, consistently, and in the best interest of the entity.

5.4 The Key to Successful Risk Management?

The key to successful risk management involves many factors according to (Stoneburner, Goguen and Feringa, 2002); here is a summary view of their five points:

1.       Senior management's commitment

2.       The full support and participation of the IT team

3.       The competence of the risk assessment team

4.       The users of the system, who must adhere to all procedures and controls that safeguard the system

5.       An ongoing evaluation and assessment of the IT-related mission risks

If (Stoneburner, Goguen and Feringa, 2002) are to be believed, then the success of a large enterprise's risk management programme is dependent on the defined and demonstrated support and leadership of all involved.

(Wysong et al., 2017) have a differing view on the five key principles; here is a summary view of their five key principles:

1.       Commitment to the Discipline of Risk Management means understanding the business realities and troublesome market forces and being frank with the stakeholders about mitigating the risks by altering the organisation's objectives.

2.       Constructive Board Engagement means giving the board a clear and defined role in how to achieve the organisation's risk management programme, the risks involved with the differing strategies and how best to mitigate them.

3.       Effective Risk Positioning means:

- the Chief Risk Officer (CRO) is viewed as a peer by business line leaders and all levels of the organisation;

- the CRO has open access to the board;

- personnel in the business hierarchy understand that managing risk is imperative to the business's success;

- senior management understand that risk management is an essential part of the business;

- the CRO is clearly viewed as undertaking a broader risk focus than compliance;

- the CRO's position and how it interfaces with senior line and functional management is clearly defined.

4.       Strong Risk Culture means finding a balance between creating enterprise value through strategy and performance while protecting the organisation through risk appetite and risk management. Accountability, effective challenge and collaboration and open communications promote a strong risk culture.

5.       Appropriate Incentives means that the risk behaviour of the organisation can be reinforced with the use of incentives, monetary or otherwise, to change wrong behaviours of the system's personnel.

The differences found at this juncture could be prejudiced by the date differences between the two articles: between (Stoneburner, Goguen and Feringa, 2002) and (Wysong et al., 2017) there is a 15-year swing in the date of publication, therefore, with the speed at which risk management is evolving, further investigation is necessary to conclude this argument.

A study published in 2013 titled The 8 Key Factors in a Successful Risk Management Program Implementation (Easton, 2013) discusses eight factors, which are summarised here:

1.       Leadership commitment: leadership need to sign off on the risk programme and assign significant resources and direction from the top down of the organisation.

2.       Build a team (for development): a corporate safety management system must involve the larger organisation in the development of the programme and its tools and rules.

3.       Ask and answer the question WHY: the risk management team need to understand why the organisation is embarking on the risk programme.

4.       Don't reinvent the wheel: benchmark other organisations to determine their standards, and use their experience to save time and money by learning from their mistakes.

5.       Define the work, then explore the risk: risk is a function of work in the workplace, and how you define work will impact your risk assessments; break the organisation up into convenient logical chunks for individual assessment.

6.       Trial the assessment tool: the risk assessment tool itself will need to be tested by running trials to determine what bugs need to be ironed out for it to be effective.

7.       Risk metrics: many large enterprises have Key Performance Indicators (KPIs), and the risk assessment will produce a multitude of new KPIs which can increase the efficiency of the organisation.

8.       It's not just about the (imperfect) risk assessment: no risk assessment tool is perfect, due to the subjective nature of risk assessment, and it is fallible to the risk assessors' whims. There should be an understanding that the goal is to change the organisational mindset from reactive to proactive.

The author, after summarising the differing points of view, can surmise that, with the speed at which risk management is evolving, it would be remiss to say that the views of (Stoneburner, Goguen and Feringa, 2002) are completely correct. Moreover, it seems that (Easton, 2013) has a somewhat balanced view between the three articles, which is probably down to his article being dated somewhere between the previous

5.5 Enterprise Risk Management, Governance and Compliance

Enterprise risk management, governance and compliance is a holistic approach to strategic risk management processes and procedures that may help businesses in today's challenging market conditions. Furthermore, with new regulatory rules requiring disclosures regarding the board's role in risk oversight, there is a need for an enterprise-wide view of risk.

According to (RSM, 2014), large enterprises who have a technology-based infrastructure can streamline their compliance and risk management processes if they are viewed holistically. (RSM, 2014) also allude that, to be successful, ERM identifies and quantifies all risks, because an ERM programme should cover a wide range of risks to be effective and robust.

General Data Protection Regulation (GDPR)

One of the driving forces behind an ERM programme is the new GDPR, which has just come into effect (May 2018). The EU's new data protection laws are a change to the Data Protection Act (DPA), and all businesses, large and small, must be aware of it. One of the key factors that businesses have to be aware of is that you cannot keep data forever or use it how you want; furthermore, the more data you have, the more can go wrong, according to (Raywood, 2017). If you put that into the context of the NHS, they have the data of all UK citizens plus the millions of EU residents and the other residents of the UK, legal or otherwise.

Suffice to say that (Raywood, 2017) concludes that businesses would do well to carry out continuous risk assessment, consider accountability within the company and adequately secure themselves internally and externally. With the fines that can be levied at organisations that fail to secure their data, it is imperative that the NHS continually assess how they use the data.

5.7 Cyber Security

With the steady increase in cyber-crime, many organisations across a variety of industries are susceptible to cyber-attacks. Recent cyber-attacks indicate that breaches are inevitable and can be extremely harmful. Cyber breaches can lead to tangible costs, brand degradation and changes in consumer behaviour, although, due to the nature of the NHS (a 'free health service'), consumer behaviour may differ from that seen by other enterprises, as the NHS will not lose custom.

According to (NHS England, 2017), the NHS has a new cyber security programme which aims to:

- enact lessons learned from the May 2017 cyber security incident;

- ensure that actions related to "Critical" CareCERT alerts are completed;

- provide assurance that cyber security is being considered at board level and managed as an ongoing board-level risk.

This is a new high-level initiative that aims to ensure that NHS Digital and NHS Improvement alert Trusts, Clinical Commissioning Groups (CCGs) and Commissioning Support Units (CSUs) to their accountabilities and responsibilities and that they undertake cyber security actions.