Risk intelligence Learning to manage what we don't know; by David Apgar; Harvard Business School Press (2006).

It is tempting for a big organisation to analyse its risks in isolation, perhaps half in the belief that the effort of understanding and managing them should be enough for the business to retain a competitive edge. The key thesis of David Apgar's book is that this is not enough. He argues that the ability to learn risks must always be seen relative to a competitor's ability to do the same, and perhaps to do it better and faster.

Risks, according to Apgar, fall into learnable and unlearnable categories. The latter are the random risks, and they are primarily financial. Where random risks are concerned, it does not matter whether it is the impact of interest rates or the random walk of a stock market which are at issue; the fact that one analyst's guess is as good as another's creates a level playing field in which no competitor has a particular advantage.

The same is not true, he argues, of most other risks, especially operational risks and project risks. And the fact that a competitor may be in a better position to learn the risks - whether through longer or more diverse experiences or better sources of knowledge - should be an important factor in deciding whether the risk is acceptable. He cites several instances, from aircraft design to mobile phones, where one organisation's better understanding of the risks involved has led to a competitor suffering severe disadvantage or having to abandon the market altogether.

This leads him to four golden rules for determining risk intelligence: recognise which risks are learnable; identify risks you can learn about fastest; sequence risky projects in a 'learning profile', and keep networks of partners to manage all risks.

The four rules and their implications for dealing with risk are then expounded in detail, but usually with an admirable degree of clarity. At the heart of this section of the book is Apgar's guidance on how to construct a 'risk intelligence score', which is the tool he suggests using to assess an organisation's ability to learn individual risks.

There are plenty of case studies along the way - most of them, this being an American book, from the US. Other avenues, which directly follow from learning and exploiting risks are explored. Of particular interest, perhaps, are Apgar's ideas on diversification of risk as a strategic necessity, and on how to manage risks over their natural life-cycle. In the latter case, he argues that a successful project naturally accumulates more, rather than less, risk as it becomes more important to a business. There is therefore a need to by move from being a 'customer umbrella' - taking most of the risk of a new project oneself - to becoming a risk distributor and seeking to transfer some of the load elsewhere.

An interesting book then, inevitably focused on risk within competitive industries, but well written and with some thought-provoking ideas. It is doubtful that any risk manager will immediately tear up proven strategies as a result of reading it, but it may well provide some stimulus towards looking at alternative ways of doing things.In effect, it provides an extended thesis on a different way of looking at risk, and gives plenty of food for thought.

A risk management approach to business continuity Aligning business continuity with corporate governance; by Julia Graham and David Kaye; Rothstein Associates (2006).

This is an excellent compendium of the modern theory and practice of business continuity, gathering virtually everything you might need know about the subject between its covers. The authors have taken the view that business continuity is rapidly evolving beyond the traditional realms of simply ensuring that IT systems or office facilities are well backed up in case of failure, and is becoming recognised as being among the most important risks an organisation must face.

The authors do not waste too much time arguing this case, for the book is designed above all to be a practical manual, even for organisations whose boardroom priorities are 'strategy, reputation and lunch'. Indeed, the authors argue, the fact that reputation appears on this list at all suggests that business continuity is of vital importance, even to the most laid-back business.

This being the case, the authors have set about making the book as comprehensive as possible and also as simple as possible, appealing not just to the multi-national organisation with infinite resources, but equally to the smaller enterprise which may never have thought carefully about the subject before.

They have certainly succeeded in this, at the minor expense of producing a volume that is fairly weighty, and one which at times reads a little like a higher education textbook. Chapter topics and objectives are clearly laid out, and practical points are well illustrated by numerous case studies.

The book starts from the point of view that many of the risks which can destroy a business faster than seems credible, are simply not insurable. Insurance has its place, but business continuity planning needs to go a great deal further. Hence the emphasis of the sub-title that business continuity and corporate governance should be intimately linked, and that an organisation's culture, driven by boardroom awareness, plays a vital role in ensuring the survival of the business.

A careful and clear sequence of chapters lead the reader through the different aspects of the art. The creation and auditing of a business continuity plan comes at quite a late stage. In keeping with the authors' thinking, it is necessary first to consider culture, stakeholders and strategy, conduct a detailed business impact analysis and use the information from it. We side-step into supply-chain risk, technology, communications and people and consider useful tools and principles, before finally arriving at the plan - structure, rehearsal, benchmarking and audit.

Each of these subjects is covered in sufficient detail to describe the risk, suggest the importance of its impact, and look at ways of dealing with it within the overall context of a culture which sees business continuity as something fundamental to the organisation.

So this is a comprehensive coverage of the subject, practical rather than theoretical, and very successful in its aim of being a one-stop resource for all those directly or indirectly involved with ensuring the long-term survival of their business.

Topics