ERM Challenge #10: Losing ERM Momentum in Year 2 and beyond; Keeping ERM Fresh & Relevant
ERM Objective:
Maintain high levels of support and engagement in your ERM program
The Trap:
Rolling the same risks over from year to year will quickly devalue your ERM program. Key stakeholders will begin to see it as a “tick-the-box” exercise, and it contradicts the strategy of identifying risks as part of your annual strategic planning cycle.
The Solution:
Change how you identify risks each year to keep the process fresh and relevant. Bring in outside experts to brainstorm your risks. Conduct risk identification in workshop formats that include all key stakeholders for a given objective or project.
Integrate risk identification and assessment into the annual budgeting cycle. If budgets cannot be approved without a current risk assessment it will prompt renewed thinking each year.
Finally, risk-informed decision making requires management to consider risks before the strategic plan is finalized. Ensure the ERM team participates in these strategic planning cycles to keep management informed of two types of risk: the risk of executing a strategy, and the risk of NOT executing it.
WILSON's View on Risk Management
ERM is powerful when designed as a performance-focused activity. It's not an audit, nor a compliance process. ERM manages the barriers that prevent organizations from achieving their objectives.
Author:
Richard Wilson develops Performance Risk Management capabilities for complex organizations. He has helped the largest companies in North America manage the barriers to their desired performance.
richard.m.wilson@ca.pwc.com | (416) 941-8374
Thursday, June 28, 2012
Saturday, June 2, 2012
ERM Challenge #9: Risk Relationships; Treating Risks as Isolated Events
ERM Objective:
Understand the cause and effect relationship between risks.
The Trap:
Most companies do not have a practical, relatively simple method to understand these relationships. The other challenge is timing: this analysis belongs BEFORE your risk assessment.
The Solution:
Risks do not necessarily exist in isolation from each other; many are interconnected. If one risk occurs, which other risks may follow? Chain reactions of risk events happen, but this is rarely considered when assessing risk.
I have helped my clients understand their most influential “upstream” risks that can trigger “downstream” risks to also occur. Upstream risks have a larger Impact once you consider the full extent of their influence on your organization.
Conducting this simple analysis before a risk assessment will change how management scores the Impact scale.
Sunday, May 27, 2012
ERM Challenge #8: Isolating your Top Risks; Most Top 10 Risks are Not the Risks to Address
ERM Objective:
Allocate resources to the correct risks based upon strategic priorities.
The Trap:
After completing your risk assessment you will have a prioritized risk register, typically scored on Impact and Likelihood criteria. Many firms then focus on the Top 10, 5, or even 3 risks on the list. The issue is that your Top 10 risks are typically not the most important risks to address, because a third key question has not been answered: “Which risks should we manage differently than we do today?” Not answering it potentially causes you to apply more resources to the wrong risks.
The Solution:
Determine Risk Tolerances:
After your risk assessment, set a target level for each risk (a tolerance). This determines where the risk needs to sit on the Impact and Likelihood scales. You can now give the risk owner a clearer idea of what the risk looks like when successfully managed (within tolerance), and clarify whether you are reducing the likelihood, the impact, or both (and why).
In my experience, 40-60% of risks in the Top 10 list do not require additional mitigations.
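The two challenges above (#9, cause-and-effect between risks, and #8, tolerances rather than Top-10 rank) are easiest to see on a small register. The Python below is an added worked example, not code from the original posts or from the author's methodology. Everything in it is constructed for illustration: the risk ids, events, objectives, 1-to-5 scores, tolerances and the "triggers" links. The rule that an upstream risk takes the impact of the worst risk it can set off is this example's own aggregation choice; the article only says that upstream influence should raise the Impact score.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Risk:
    rid: str
    event: str             # stated as an event, in "X may happen" form
    objective: str         # the objective the risk is reported beside
    likelihood: int        # residual, 1 (rare) .. 5 (almost certain)
    impact: int            # residual, 1 (minor) .. 5 (severe)
    tol_likelihood: int    # highest likelihood management will accept
    tol_impact: int        # highest impact management will accept
    triggers: List[str] = field(default_factory=list)  # ids of risks this one can set off


# Constructed sample register (hypothetical risks and links, for illustration only).
REGISTER: Dict[str, Risk] = {r.rid: r for r in [
    Risk("R1", "A critical supplier may miss its delivery date",
         "Launch product X in Q3", 3, 3, 3, 3, triggers=["R2", "R3"]),
    Risk("R2", "The Q3 launch may slip into Q4",
         "Launch product X in Q3", 2, 4, 3, 5, triggers=["R1"]),   # R1 <-> R2 forms a cycle
    Risk("R3", "Customer churn may exceed the retention plan",
         "Retain 95% of enterprise accounts", 2, 5, 2, 5),
    Risk("R4", "Key engineers may leave before launch",
         "Launch product X in Q3", 4, 2, 3, 3),
    Risk("R5", "The primary data centre may suffer a multi-day outage",
         "Retain 95% of enterprise accounts", 1, 5, 2, 5, triggers=["R3"]),
]}


def downstream(register: Dict[str, Risk], rid: str) -> Set[str]:
    """Every risk that `rid` can trigger, directly or through a chain.
    The visited set stops the walk when the graph contains a cycle."""
    seen: Set[str] = set()
    stack = list(register[rid].triggers)
    while stack:
        child = stack.pop()
        if child not in seen:
            seen.add(child)
            stack.extend(register[child].triggers)
    seen.discard(rid)            # a risk does not count as its own downstream
    return seen


def effective_impact(register: Dict[str, Risk], rid: str) -> int:
    """Upstream view of impact: a risk is at least as severe as the worst risk
    it can set off. Taking the maximum along the chain is this example's
    aggregation rule (an assumption), not one the article prescribes."""
    own = register[rid].impact
    return max([own] + [register[c].impact for c in downstream(register, rid)])


def top_n(register: Dict[str, Risk], n: int) -> List[str]:
    """The conventional Top-N list: rank by likelihood x chain-adjusted impact."""
    def score(rid: str) -> int:
        return register[rid].likelihood * effective_impact(register, rid)
    return sorted(register, key=score, reverse=True)[:n]


def treatment_needed(register: Dict[str, Risk]) -> Dict[str, str]:
    """The third question: which risks sit outside tolerance, and on which
    scale? Only these need a changed response; the others are already within
    tolerance and their owners should not be asked to 'manage' them further."""
    out: Dict[str, str] = {}
    for rid, r in register.items():
        over = []
        if r.likelihood > r.tol_likelihood:
            over.append("likelihood")
        if effective_impact(register, rid) > r.tol_impact:
            over.append("impact")
        if over:
            out[rid] = " and ".join(over)
    return out


if __name__ == "__main__":
    print("Top 3 by score:", top_n(REGISTER, 3))
    for rid, why in treatment_needed(REGISTER).items():
        r = REGISTER[rid]
        print(f"{rid} [{r.objective}] {r.event!r}: reduce {why}")
```

Run as written, the Top 3 by score comes out as R1, R2, R3, yet only R1 (impact, because of what it can trigger) and R4 (likelihood, and not in the Top 3 at all) need a changed response; R2 and R3 rank high but are already inside their tolerances. That is the gap between a ranked register and the list of risks to act on, and the output tells each owner which scale to move.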
Saturday, April 21, 2012
ERM Challenge #7: Getting Beyond the Assessment; Holding Risk Owners Accountable
ERM Objective:
Hold risk owners accountable to manage their risks.
The Trap:
Confusing risk assessment with managing risk is common. When we set strategic plans we establish measurable targets. However, when we identify risks the mandate is often simply to “manage the risk”.
The Solution:
Essentials for risk management accountability:
- Describe with great clarity what each risk looks like when it is properly managed (we rarely eliminate risks, so what does the successfully managed risk look like?)
- Don’t ask risk owners to “manage” risks that are already within tolerances, they will not understand what they are supposed to do (see Challenge #8)
- Management MUST review risk response status reports with the same frequency that they review corporate performance
- Corporate risk responses should have board visibility quarterly
Sunday, March 4, 2012
ERM Challenge #6: Relevance of Risks to Owners; The Importance of Creating 2 Layers of Risk
ERM Objective:
Create relevant risks for your executive and middle management alike
The Trap:
Creating a single set of risks for both levels of your organization.
The Solution:
Your executive owns your organization's corporate objectives. Identifying the risks associated with these objectives will create Management’s risk universe (typically 20-35 risks)
Similarly, each department will have its own set of objectives and related risks. (typically 10-20 risks per department)
Aggregating these 2 distinct layers of risk into a single risk group is counter-intuitive. Management regards the list as “in the weeds” and middle management considers the risks to be “bigger than my department’s mandate”.
Allow each level to own the risks that are related to their objectives.
Saturday, February 18, 2012
ERM Challenge #5: Integrating ERM into Routine Processes
ERM Objective:
All relevant stakeholders in your organization embrace the risk management process because they understand its link to desired performance.
The Trap:
The ERM process is designed as a layer on top of the business. If your ERM advisor wants to document a stand-alone ERM process, your program is not destined for success.
The Solution:
Build upon existing processes and use existing documentation:
Asking people to suspend their “day job” to engage in a risk management process does not work. It is the responsibility of the ERM team to integrate every step of the new ERM process into existing processes and documentation.
This does not suggest that the ERM team cannot create a multitude of new documents and tools for their own team to facilitate the program and generate reports. However, risk owners will be far more likely to embrace a risk program that is woven into their current daily routines.
Tuesday, January 3, 2012
ERM Challenge #4: Risks as Events; The Importance of Documenting your Risks Correctly
ERM Objective:
Draft risks that are easily understood, unambiguous, and interpreted the same way by all who view them.
The Trap:
A majority of companies create confusion or frustration with their ERM program by drafting risk statements poorly. Risks beginning with the following phrases are not risk events, and will result in a frustrated group of executive risk assessors and risk owners:
- “An inability to…”
- “…leading to…”
- “And / or”
- “A lack of…”
- “…as a result of…”
Instead, draft every risk as an event: “X may happen”. This form is intuitive, and the outcome is a risk register that is easily interpreted by all of your stakeholders.
Another insight – your risk register should not contain a risk such as, “Reputational damage may occur”. Reputational damage is a component of your Impact assessment. Over half of your risks can lead to reputational damage, so don’t consolidate all reputational considerations into just 1 risk.
Monday, December 12, 2011
ERM Challenge #3: Designing a Risk Management Culture; The Benefits of Participating in the ERM Process
ERM Objective:
Generate support for ERM from the board through to the front lines.
The Trap:
There is a negative cascading effect when the ERM team cannot generate management support for the program. If there is no tangible link between the ERM process and the organization’s performance, then ERM is regarded as a cost centre rather than as contributing to achieving targets. When middle management regards ERM as a departure from their day job, or as a compliance or audit exercise, they will be reluctant participants.
The Solution:
The KEY question is, “What’s the benefit for me to support risk management?” Answers to this question include:
- Board, “I will have greater assurance that management understands and manages their risks effectively”
- Executive, “To increase the likelihood of achieving my performance targets”
- Risk Owners, “To make a logical argument to management about the resources that I need allocated in order to achieve my targets”
Tuesday, October 18, 2011
ERM Challenge #2: ERM Reporting; Why Management Cannot Relate to the Reports they See
ERM Objective:
Create a high degree of relevance between risks and key stakeholders within your company (i.e. The board, executive team, and middle management)
The Trap:
ERM teams report lists of risks that have been separated from their strategic priorities (see Challenge #1). As a result management regards the risk reports as a “disembodied list of reasons why the organization will fail”. Most companies report their risks under siloed categories such as IT, HR, or Safety. Management works hard to break down silos, so why do we report risks by them? It is a reporting flaw that prevents ERM from being strategic.
The Solution:
Risks are always reported beside the objective, process, project, IT system, or supply chain element that they are related to. As a result risks are correctly regarded as a natural part of the strategic focus of the organization.
Integrate your risks into your balanced score card. This continually positions the risks within the context of the strategic plan. Management can view the entire landscape as follows:
Strategy | Target | Risk | Risk Response = Performance
Saturday, August 13, 2011
ERM Challenge #1: Relevance to the Board & Management; Aligning ERM and Strategy
ERM Objective:
Align the ERM process with management’s priorities to ensure it consistently creates value for the organization. The board and management view ERM as essential to achieving annual targets.
The Trap:
The ERM process is perceived as an audit or assurance exercise, rather than as a PERFORMANCE-focused process. Identifying risks via traditional categories (e.g. IT, HR, Finance, etc.) loses the relationship between objective and risk. Mapping risks back to objectives after the fact is ineffective. The key question is, “If this is our objective, what will prevent us from achieving it?”
The Solution:
ALL risks are identified for each of your organization’s strategic priorities. There is direct line of sight between performance targets and the risks you must manage to achieve them. Risks are not identified by traditional siloed categories. When you report your risks, ALWAYS list the risks beside the relevant objective.
Thursday, May 26, 2011
The importance of measuring ERM performance
In my experience I have found that a key challenge companies face is motivating various departments to adopt the ERM process. The root cause for this is often that ERM teams layer their processes and tools on top of the business, rather than integrating them into existing processes. A good example of this is risk mitigation planning. For illustration purposes consider the Customer Retention department. A VP of Retention has just confirmed her annual plan with Management, and has a list of initiatives that her department needs to accomplish this year. Human Resources has also confirmed her performance metrics and bonus structure based upon this annual plan.
A week later, the ERM team facilitates a risk assessment workshop that includes the risks related to Customer Retention objectives. The VP of Retention is asked to document a mitigation plan based upon the outcome of the workshop. ERM provides her a standalone ERM Mitigation Form. She completes the form and submits a copy to the ERM department. At the end of that year the VP of Retention successfully completes all initiatives in her annual plan and receives her bonus. The risk mitigation plan, which was not incorporated into her annual plan, remains incomplete. Not surprisingly, the VP of Retention focused on the initiatives upon which she is measured.
This inability to motivate participation in the ERM process is a very common situation. My advice for ERM teams is to work diligently with the Strategic Planning department to integrate risk mitigation plans into department leaders’ annual plans. This annual plan already contains the key initiatives that they need to complete, and risk mitigations are simply additional initiatives that require equal focus and attention.
Bottom line, people do what they are measured upon.
Thursday, February 10, 2011
Don't Overcomplicate ERM
A well designed ERM program supports many complex challenges, such as:
• Achieving corporate and departmental objectives;
• Strengthening compliance processes;
• Increasing corporate security and reducing fraud;
• Protecting reputation;
• Safeguarding assets;
• Building value;
• Enabling the Board and Management to make risk informed decisions; and
• Sustaining high levels of confidence in the organization across all stakeholders.
The final challenge for the ERM Team, however, is providing a practical, achievable process for all participants to use. A strong ability to read your audience is critical. Too many ERM practitioners impose complex, abstract processes on the business. For example, there are only a select few in any organization who embrace the concept of assessing risk on an inherent basis. For an Internal Audit scoping process it is a valuable metric. For the head of Sales, Customer Retention, Product Development, or any other non-assurance function it provides more confusion than value. As a result, I recommend that all operational risk assessments simply employ residual risk assessments. Risk assessors will appreciate the practicality of the process and will be more likely to buy-into the results.
Tuesday, December 21, 2010
Demonstrating ERM Value
A significant part of my role is helping my client ERM teams build strong working relationships with other stakeholders in their company. This can involve reversing previous perceptions about the role of ERM, which has often been positioned as more of an audit or compliance activity. While audit and compliance are essential processes, there is no need to duplicate these with the ERM process. Alternatively, ERM can focus on assisting Management, and each department, to achieve their objectives. The process provides value by routinely helping objective owners prioritize the key challenges (risks) they face, and then identifying the resources necessary to address them.
In my experience I have found that when the Management team and other departmental leaders recognize the valuable process that the ERM team offers, they are much more interested in embracing the process. This situation is further supported if the ERM team can guide the Board and Management to build a risk culture where identifying risks is rewarded, rather than rebuked.
As key stakeholders recognize the way a performance focused ERM program supports their goals, they will increase their trust in both the process and the ERM team.
Sunday, October 17, 2010
Ensure every action contributes to your objectives
The risk management industry has done itself a disservice. The term ERM usually conjures up images of compliance, assurance, and unwanted processes that slow down productive business activities. Too many CEOs, referring to poorly executed ERM processes, ask: “Aren’t we doing this already?” In my experience what they are really saying is: “You have presented me with a list of risks, but I don’t understand how they relate to our performance, and I think we are managing many of them well already.” Let me explain why the ERM process they have been presented is leading them to this correct conclusion.
The baseline for all well-designed ERM activities is the annual strategic plan, which contains all strategic priorities that the ERM process must support. The question, “What keeps you up at night?” is out-dated as it lacks relevance to the company’s goals. The fundamental question that the ERM program must continually ask is, “For each corporate and departmental objective, what are the barriers that will prevent us from successfully achieving these targets?” Every risk must find its roots in a key objective.
This process of linking objectives to risks challenges the process of traditional risk categorization (e.g. HR, IT, Financial, Environmental etc.). Management teams have been breaking down these types of silos for decades. So why do ERM Teams so often group their risks this way? In my former CEO role, I always insisted that risks be reported alongside the objectives to which they were related. This ensured that the risks were always presented in the context of my company’s performance. In other words, the company’s objectives were the risk categories. It was a continual reminder to all stakeholders that risk management was a performance activity. Simply stated, risks that were not related to corporate objectives didn’t make the list.
This repositioning of the role of ERM has been a revelation to the more than 40 companies that I have worked with and advised over the past decade. A year ago, when I began advising a prominent Canadian CEO about risk, he conveyed a great deal of scepticism about ERM based upon the lack of value he had witnessed to date. After building this performance-focused ERM process, he describes it as, “A significant competitive advantage” for his company. I have since relabelled this methodology Performance Risk Management to help companies appreciate its focus on what matters most – ensuring every action contributes to your objectives.
Wednesday, June 2, 2010
$peak management's language... $
If we manage risk to help organizations achieve strategic objectives set forth by management, then risk managers should communicate to management using a similar set of metrics and language. Too many operational risk managers use an entirely different set of measures. Management speaks in terms of revenue, profit, and cost, while operational risk managers report likelihood, impact, and controls. While the latter 3 metrics are important to assessing risk, you are well advised to translate risk management metrics into management's language. Without a common set of metrics management often dismisses risk management's value to the organization - it is seen as either a "nice to have", or worse a compliance effort.
The good news is that you may not have to change your current process, but rather add a few more steps to your risk analysis and reporting. You can also apply some practices from the credit risk world. "Risk adjusted" performance metrics will translate your current risk reports into something that management can relate to more closely. For example:
- Risk Adjusted Revenue (RAR) shows management what the predicted revenues are when you account for the residual financial impact of the risks you are currently managing
- Risk Adjusted Profit (RAP) shows (similarly to RAR) the relative impact to profit
- Risk Adjusted Costs (RAC) predicts costs factoring in residual operational risk impacts (not the cost of risk management, the cost of risk exposures)
[Rich]
richard.m.wilson@ca.pwc.com
Monday, May 10, 2010
SEC’s new rules = half the risk management story
The US Securities and Exchange Commission (SEC) recently approved “new rules to enhance the information provided to shareholders so they are better able to evaluate the leadership of public companies.” The rules focus on corporate governance, compensation, and risk. While the SEC has made progress creating transparency for governance and compensation, it is still struggling to properly reveal a company’s risk management profile.
The SEC is striving to make corporate leaders act in an ethical, accountable manner. It is effective at legislating corporate transparency and disclosure and at exposing conflicts of interest. However, requiring a company to disclose how it manages risk is trickier. Highly effective risk management identifies and manages the risks that can prevent an organization from achieving its key objectives. Disclosing your key risks therefore also discloses your strategic secrets, and publishing your detailed corporate objectives would be tantamount to competitive suicide. Hence the SEC’s challenge.
As a result, the SEC’s approach remains limited to revealing the board's role in the risk oversight of the company. It is an arm’s length view of the company’s risk profile. Understanding the board’s role in risk oversight is a long way from understanding how much risk a company is taking on or how it is addressing its risks. In effect, the SEC is distinguishing between good ethics and sound strategic risk management: the former is appropriately disclosable, the latter is not.
The SEC is only one oversight body that is trying to increase risk management in companies. For example, Standard & Poor’s is beginning to apply high level risk management analysis to the companies it covers. Ultimately, though, risk management is about ensuring corporate performance and maintaining stakeholder confidence in your company. Don’t rely on third parties to manage public expectations about your risk management program. Use your website and other corporate communications to instill confidence that you are effectively managing risk.
[Rich]
richard.m.wilson@ca.pwc.com
Sunday, May 2, 2010
How to identify your hidden catastrophic risks
I was talking to a client recently about the bigger risks that could seriously harm their company. He cited a recent example where a newly acquired small entity almost caused the parent company to be delisted from its exchange. The acquired company refused to share some of its financial information with the parent, and as a result the parent was unable to file quarterly reports until the subsidiary was sold. They came within an inch of being delisted.
Every company has hidden liabilities such as this. Some are obvious, such as too much reliance on a single customer for revenue or on a single supplier for goods or services. In other cases the exposure is just as serious but far less visible. An effective way to get visibility on ALL of these major risks is to combine business continuity planning (BCP) with risk management.
Risk management tries to determine the likelihood of uncertain events occurring, while BCP assumes those events occur and plans alternate routes and recoveries. During your risk identification process you will ask about events that may prevent your company from achieving its objectives. Try reversing the question: "Assume this objective fails. What events could have caused it?" The answers you receive will include catastrophic risks that no one assumes will happen.
For example, asking about the risks of losing a big revenue stream may produce a short list, because people are optimistic about how the company is operating. Assuming instead that the big revenue stream has just disappeared, and asking for potential causes, will surface new risks. The optimism that blinds you to potential risk is replaced by creative thinking about previously unconsidered events.
A case in point is the recent volcanic eruption in Iceland that grounded entire fleets of planes. If you had asked what risks could ground an entire fleet, volcanoes might not have come up. But assuming the entire fleet has just been grounded, and asking for the possible reasons, prompts even the least imaginative participants to think more broadly.
[Rich]
richard.m.wilson@ca.pwc.com
Saturday, May 1, 2010
Why "What keeps you up at night?" is the wrong question
When identifying risks, the question often asked is "What keeps you up at night?". Let me explain why this is a, well... risky question to ask.
Consider that the principal goal of risk management is to ensure that an organization performs as expected. In other words, it achieves its objectives. The risks you identify therefore need to be directly related to your organization's objectives. Risks not related to the achievement of corporate goals are off strategy; they are a distraction.
"What keeps you up at night?" is a disembodied question that will produce both relevant and irrelevant risks. Here is the question to ask instead:
"Considering the objective to... (describe a key objective), what events may prevent the organization from achieving this objective?"
The result will be risk events that are well aligned with management's goals. Feel free to give your interviewee a list of internal and external risk categories to refer to when answering. Economic, competitive, strategic, HR, financial, technology, information, and corporate integrity are some of the major categories, and up to 100 subcategories fall under them (business is complex!).
This objectives-focused question keeps your risk management process strategic and focused on corporate performance.
[Rich]
richard.m.wilson@ca.pwc.com
Tuesday, April 27, 2010
Positioning Risk Management at the C-Level
In 2010 it's not uncommon for a Board to give its management team a mandate to implement a risk management capability. I'm seeing it more and more. In this situation the internal or external consulting team engaged to implement the mandate needs to approach the management team in a very specific way.
Firstly, expect that the CEO or CFO may not fully understand the benefits of risk management and may interpret the mandate as a challenge to their corporate governance. It is important to communicate the benefits of an ongoing risk management process up front, and to make clear that this is a value sustaining or value creating activity. Here are several key benefits:
- Increasing the likelihood that your organization will achieve its objectives (by integrating risk management with the strategic plan)
- Lowering business volatility by increasing visibility on events that can derail your performance
- Treating risk as "neutral" so that opportunities can also be identified and pursued
- Creating a centralized view of risks and creating efficiencies in risk identification and treatment
- Closing the gap between risk management and capital allocation
- Etc...
Thirdly, demonstrate how a well run risk management program creates a culture of accountability across the organization for identifying and managing risk. This results in higher product and service quality, fewer incidents, and better planning overall.
Finally, show your CEO how the market rewards companies with sound risk management practices. Ratings agencies, capital markets, and creditors are all starting to differentiate risk-informed companies from the rest of the competition.
These are just some of the tangible benefits to communicate to your management team to ensure they support your risk management program.
[Rich]
richard.m.wilson@ca.pwc.com
Don't Confuse Risk Assessment with Risk Management
Let me overstate the obvious. Risk management is about managing risk. But if it is so obvious, why do many risk management professionals focus primarily on the assessment side of the equation?
Perhaps they are treating it as a project rather than implementing an ongoing process. It could be because the consulting resources engaged to help with the up-front risk identification and assessment often don't participate in the follow-on risk treatments. Or it could result from the difficulty of securing the internal resources needed to treat risks thoroughly.
Remember that all the work leading up to the risk treatment phase, important as it is, only provides the business insights you will use to prioritize your risks. Schedule the appropriate time and resources to develop and execute your risk treatments. Only once your risks are addressed will you get the desired link between risk management and corporate performance.
[Rich]
richard.m.wilson@ca.pwc.com
About The Author

- Richard Wilson
- Richard is a Director in PwC's Risk Advisory practice with clients in both Canada and the United States.
He is an experienced senior executive with 15 years in a CEO or COO role (publicly traded and private firms). Richard has been leading risk management implementations for more than a decade, including 60 C-level risk assessments, and has led online risk assessments for 30,000 people in 25 countries.
He has advised the largest company in the US on risk management, and he has facilitated a risk assessment for the United Nations. Richard has been published in Compliance Week, Canadian Business, and the Globe & Mail and has been a keynote speaker on the topic of risk at many conferences in both Canada and the US since 2004.