RISK MANAGEMENT DIAGNOSIS METHOD CONSIDERING SUSTAINABLE IMPROVEMENT

Yoshihiro Ito, Takeshi Kaneko

Musashi Institute of Technology

1-28-1 Tamazutsumi, Setagaya-ku, Tokyo 158-8557 Japan

g0718703@sc.musashi-tech.ac.jp

ABSTRACT

Recently, incidents of aircraft parts coming off during flight, information leaks, automobile recalls, and other types of corporate accidents and incidents have occurred. Such scandals can pose a risk to domestic companies in Japan. They can harm stakeholders and the administrative management of the companies, and the continuance of the enterprise could be at risk. Companies are implementing measures to avoid these risks, but so far the measures are not functioning well. This study therefore proposes a management consulting tool that enables management and the persons in charge of risk management to judge whether the management of risk management is functioning well. It is also important to run the PDCA cycle in risk management. For that purpose, a supplementary tool for running the PDCA cycle will be made using the management consulting tool proposed in this study. Specifically, the tool diagnoses whether the management relating to an important risk is conducted properly.

Keywords: Risk management, Company Diagnosis, Business Risk

BACKGROUND AND OBJECTIVE

Recently, incidents of aircraft parts coming off during flight, information leaks, automobile recalls, and other types of corporate accidents and incidents have occurred. Such scandals can pose a risk to domestic companies in Japan. Further, many natural disasters, such as earthquakes and typhoons, can also be a risk for companies. These events could harm stakeholders and the administrative management of the companies. The continuance of the enterprise could be at risk.

Companies are implementing measures to avoid these risks, but so far the measures are not functioning well.

However, risk countermeasures are very costly, so smaller businesses need to implement risk management to identify the scope of the risks and focus on specific risks. There are, however, few corporate diagnostic tools for risk management. For example, from the perspective of personal information leakage there is the Privacy Mark, but this only verifies personal information protection. Evaluations of individual risks of this type exist, but there are no risk management company diagnostic tools that can serve as a comprehensive management index.

Furthermore, risks are always changing. During the time of rapid economic growth, we were not concerned about risks like environmental pollution, but now we have to consider such risks. Therefore, we need to make tools for management assessment available for general use.

In this study the author proposes a tool for corporate diagnosis which can determine whether the administration and the person in charge of risk management are coping well with risk management. It is also crucial to run the PDCA cycle in risk management. The corporate diagnostic tool proposed in this study will serve as an auxiliary measure that helps the PDCA cycle function.

THE PRESENT STATUS OF RISK MANAGEMENT

The Kashima [1] study carried out an evaluation of risk measures. That study identified differences in the level of measures taken depending on the scale of the company. However, it did not evaluate risk management. On the other hand, standards for management have been set in various fields. For example, ISO includes a quality management system standard and an environmental management system standard. These standards do not actually evaluate the outputs, but they do evaluate the process. It is important to evaluate whether risk measures are being handled well rather than to evaluate the risk measures themselves.

There are many companies that conduct risk management. In the 1980's, only 15% of companies in this country had specialists in corporate risks, but in 2002 that percentage had grown to 33.7%. There are strong concerns regarding corporate risks in this country. Recently, stakeholders have also become interested in them and focus on them. Companies have been putting their risk measures and corporate responsibilities into forms, posting CSR (Corporate Social Responsibility) reports on their websites, providing reports in booklets, and disclosing information. But there are no cases in which it is objectively evaluated whether the risk management itself is being properly managed.

DESCRIPTION OF THE STUDY

The purpose of the corporate diagnostic tool proposed in this study is to diagnose how appropriately the management of important risks is being conducted. First, the important risks in each industrial field must be listed. The important risks in each field need to be identified by taking a questionnaire survey of 500 companies. The management model case will be made step by step, following a guide to JISQ2001, structuring risk management system, and then the corporate diagnostic tool will be developed based on the model.

IMPORTANT RISKS

Important risks are defined as risks that need to be focused on in each industry. Any risk can strike a business, so it is not good to take measures that narrow the risk range. But responding to all risks costs too much, so it is impossible to do so. There are certain risks that have to be focused on in each industry. One example is information risk for the service industry. Since businesses in the industry need to deal with customers' personal information, they will sustain damage if the information is leaked, which could cause them to go out of business. A second example is industrial accident risk for the machine industry. The more workers there are, the more accident risk there is. The important risks differ from industry to industry.

Table 1 - Risk items

Figure 1 - Type of industry and risk item

A questionnaire survey of 500 domestic businesses was conducted. The questionnaire asked respondents to select three risks, except for compliances, from the 18 items in Table 1 that they aggressively try to deal with. Answers from 28 companies have been received thus far. The data from the questionnaire was analyzed. It was learned from the analysis that they focus on information risks in the service industry, on environmental contamination and labor accidents in the machine industry, and on soil contamination and business practices in food companies (See Fig. 1). The reason for this is that the main activities in the service industry deal with information, the environmental damage to local residents and worker’s security risk to the company are fundamental in the machine industry, and dealing with safe food is very important in food companies.

Risk Management Development Model

CMM

CMM (Capability Maturity Model) is the general term for the concept of maturity used to gauge and develop the capability of corporations, organizations, and project teams. It originates in SW-CMM, which Mark C. Paulk and his team developed to measure software development ability. SW-CMM was adopted worldwide as an indicator that helps find a good supplier to develop software and to improve the process.

CMM is also accepted as a general standard for determining pay raises and promotions and is in use in various fields.

JISQ2001

In this study, a risk management maturity model will be made with the use of JISQ2001, issued by the Japanese Standards Association. Making JIS the standard promotes better awareness of risk management in the organization, and makes the entire society more resistant to crisis. It is a unified approach that goes beyond the individual organization, and it was developed and proposed as a common guide and social foundation.

The JIS standard features three points. The first is that it proposes a principle and elements for building a risk management system. The second is that it recommends preparing the structure for building and maintaining the risk management system before presenting the elements of which the standard consists. The third is that the JIS standard is the basic system of PDCA, which stands for Plan, Do, Check and Action, for putting organizational risk management into practice. The JIS standard is structured for all risks, and the proposed diagnostic tool evaluates the management of each risk, so the JIS standard was adopted instead of a standard proposed by Australia, New Zealand, and Canada.

Figure 2 - The principles of a risk management system

The principles of the risk management system

In this study, a model will be made according to the principles of the risk management system from JISQ2001. The risk management system consists of seven principles. The first principle is to confirm putting the risk management into practice. This means the organization makes risk management its policy and makes sure to implement it. The second principle is to make the risk management plan. This means the organization maps out the plan to implement the policy confirmed in the first principle. The third principle is to carry out the risk management. According to the references, ability development and supporting organization development are included in this. In this study, organizing the system and framework to maintain risk management is also included in the third principle.

The fourth principle is to assess the risk management performance and the effectiveness of the risk management system. This means the organization estimates, monitors, and evaluates the risk management performance, and evaluates the effectiveness of the risk management system. The fifth principle is to correct and improve the risk management system. This means the organization assesses the risk management performance and the effectiveness of the risk management system. But in this study the purpose is to diagnose and improve the risk management, so this item is omitted. The sixth principle is to be reviewed by the top management. This means the top management in the organization reviews the risk management system and keeps on improving it to improve the risk management performance all across the organization. The seventh principle is to organize and sustain the system and framework. This means the organization has to acquire a system and framework for maintaining the risk management. From the perspective of PDCA, the first and second principles are P (Plan), the third principle is D (Do), the fourth and fifth principles are C (Check) and the sixth principle is A (Action). The items to be checked under each principle were made by referring to the references. As an example, the items for -Clarification of the risk management policy- are shown in Table 2.

Table 2 - Clarification of the risk management policy

Minimum required risk management

First of all, when implementing risk management, the items in Table 3 that must be done at a minimum should be separated from the other items. This work must be done before putting the risk management into practice. If it is neglected, it will not be possible to move on to the next development model. This work is essential for moving on to the development model.

Table 3 - Items which must be performed at a minimum

The development model for risk management

Next, how risk management develops is discussed. The development of risk management is assumed to change along two axes: the applicable range of a risk measure and the person in charge of implementing the risk management.

First is the definition of the applicable range of a risk measure. The applicable range is divided into four categories: -A section of the organization-, -All sections of the organization-, -Stakeholders-, and -Public without the organization-. -A section of the organization- is defined as the place where compliance and measures for risks that can cause damage to the particular organization are undertaken. -All sections of the organization- are defined as the place where measures for risks that can cause damage to them are undertaken. -Stakeholders- are defined as the activities for which measures for risks that can cause damage to them are undertaken. -Public without the organization- is defined as the place where measures for risks are undertaken.

Next is the definition of the behavior range of a person in charge of risk management. The behavior range is divided into four categories: -Chief executive officer-, -A person in charge-, -Stakeholders-, and -A third person except for stakeholders-. -Chief executive officer- is defined as the activity of risk management by a decision maker in the organization. -A person in charge- is defined as the activity in which the person can plan the risk management by himself or herself. -All sections of the organization- are defined as the activity in which people in all sections are aggressively in charge of risk management. -Stakeholders- are defined as the activity in which all the measures are underway for them. -A third person except for stakeholders- is defined as the activity where the risk management is implemented with tips from a third person who is not a stakeholder.

Table 4 - Risk Management growing model

Levels in each principle of risk management

Next, a level model for each principle is made. Level 1 of the first principle is where the policy to implement the risk management can be seen. Level 2 is where the policy to apply the risk management within the organization can be clarified. Level 3 is where the policy to apply the risk management within stakeholders can be clarified. Level 4 is where the policy to apply the risk management beyond stakeholders can be seen.

Level 1 in the second principle is where the basic plan for compliance in risk management is executed. Level 2 is where the possible risks are found by the person in charge and the risk measures are appropriately executed. Level 3 is where all the specific risks can be appropriately found and the risk management in the organization can be executed. Level 4 is where the specific risks for a stakeholder can be found and the plan is being executed. Level 5 is where specific risks for social contribution are appropriately discovered and the plan is executed.

Level 1 of principle 3 is the stage where the procedures and status for risk management execution can be identified. Level 2 is where in-company preparations for risk management activities can be made.

Principle 4 is performance evaluation and validity evaluation. However, since the evaluations differ for these, they are treated separately in this model. First is performance evaluation. Level 1 is the stage where the execution procedures for the risk measures can be clarified, compiled in a procedural manual, and risk management evaluated objectively. Level 2 is the stage where it is possible to evaluate the results of the risk management activities and whether verification through recreation is possible. Level 3 is the stage where risk measure evaluation comes from the simulation results, and where risk management becomes firmly established throughout the entire organization. Level 4 is the stage where an evaluation can be performed to see whether risk management is being appropriately executed for stakeholders.

Next, Principle 5 is validity evaluation. Level 1 is the stage where the risk management system is continuously evaluated. Level 2 is the stage where validity evaluation is performed when exposed to a risk. Level 3 is the stage where, when a potential risk is discovered in the company, a risk management validity evaluation similar to the risk is carried out. Level 4 is the stage where validity evaluation of the risk management of the company is performed based on the case in which another company is exposed to a risk.

Principle 6 is the review of the chief executive officer. It was deemed that Principle 6 did not have a stage.

Principle 7 is where the stages are created by division into the 5 categories of education, simulation, communication, text, and risk discovery.

The first is education. Level 1 is at the stage where the person in charge has capability. Level 2 is at the stage where risk management education is carried out for employees. Level 3 is at the stage where risk management is performed while envisioning the risks that could occur in each department. Level 4 is the stage where the educational results can be output.

Second is simulation. Level 1 is the stage where simulation can be performed and the results evaluated. Level 2 is the stage where the simulation environment can be set appropriately.

The third is communication. Level 1 is the stage where risk communication is carried out. Level 2 is the stage with the skill for the necessary minimum communication. Level 3 is the stage where the risk communication is done depending on the subject's level. Level 4 is the stage where a system for dissemination throughout society is possible.

The fourth is text. Level 1 is the stage where the created text can be arranged. Level 2 is the stage where storage of the created text can be appropriately done and where measures for disposal can be established.

The fifth is risk discovery. Level 1 is the stage where risk discovery is conducted within the range of the person in charge. Level 2 is the stage where risk discovery including the stakeholders can be done. Level 3 is the stage where risk discovery from reports, such as in newspapers, is possible. Level 4 is the stage where information regarding a discovered risk can be gathered.

As mentioned above, in order to diagnose risk management, a gradual model of each principle of the risk management system of JISQ2001 was created. Moreover, as described in Section 5-5, the principles of a risk management system were mapped. You can determine where you are by using Table 5-5. You can also see which risk management you should conduct in the future and where management efforts should be concentrated.

Table 5 - Risk Management Policy Clarification Development Levels

OUTLINE OF A RISK MANAGEMENT DIAGNOSTIC TOOL

Next, a tool for risk management diagnosis is discussed. There are two reasons for creating a diagnostic tool. The first is to learn where company management is weak. The second is to support continuous improvement by showing the current status of the risk management in each company. In the diagnosis format, each company performs a self check of the diagnostic items for each principle and also enters its industry type. The tool uses these results to diagnose each risk and show the important risks for every type of industry. First, the risks identified in Section 4 are designated as important risks, and the important risks are then determined from the industry type that was input. Next, the diagnostic results are output. The score for each principle is shown as demonstrated in Figure 3, together with text stating which areas in Table 5 are weak, creating a system that identifies where management efforts should be concentrated.

Figure 3 - Company diagnostic output

FUTURE ISSUES

The diagnostic tool proposed by this study can be used to identify the strong and weak points of risk management. However, specific improvement measures are not proposed. When the tool is actually used in a company, the results must be tied to specific risk measures.

REFERENCES

Hiraku Kashima (2007), A Study of Business Diagnostic Methods for Risk Management, Journal of the Japan Society for Production Management, Vol13, No.2, pp.63-68

InterRisk Research Institute & Consulting, Inc (2005), Practice Risk Management the second edition, Economic Legal Research Institute

Toshimasa Suzuki, RMKONSOSHIA21 (2007), the 2nd edition of Risk Management Systems, Nikkan Kogyo Shimbunsha

Tadao Oikawa, Hiroshi Osada, Masaru Hase, Takahumi Mitoma (2006), Framework and Assessment Method for New Risk Management for Management Innovation, Journal of Japanese Society for Quality Control, Vol36, No.1, pp.110-123

Japanese Standards Association (2001), Guidelines for Development and Implementation of Risk Management System

Carnegie Mellon University Software Engineering Institute (1998), Software Development that Succeeds: Guidelines by CMM, Ohmsya
