A significant part of my role is helping my client ERM teams build strong working relationships with other stakeholders in their company. This can involve reversing previous perceptions about the role of ERM, which has often been positioned as more of an audit or compliance activity. While audit and compliance are essential processes, there is no need to duplicate these with the ERM process. Alternatively, ERM can focus on assisting Management, and each department, to achieve their objectives. The process provides value by routinely helping objective owners prioritize the key challenges (risks) they face, and then identifying the resources necessary to address them.
In my experience I have found that when the Management team and other departmental leaders recognize the valuable process that the ERM team offers, they are much more interested in embracing the process. This situation is further supported if the ERM team can guide the Board and Management to build a risk culture where identifying risks is rewarded, rather than rebuked.
As key stakeholders recognize the way a performance focused ERM program supports their goals, they will increase their trust in both the process and the ERM team.
ERM is powerful when designed as a performance-focused activity. It's not an audit, nor a compliance process. ERM manages the barriers that prevent organizations from achieving their objectives.
Author:
Richard Wilson develops Performance Risk Management capabilities for complex organizations. He has helped the largest companies in North America manage the barriers to their desired performance.
richard.m.wilson@ca.pwc.com | (416) 941-8374
Tuesday, December 21, 2010
Sunday, October 17, 2010
Ensure every action contributes to your objectives
The risk management industry has done itself a disservice. The term ERM usually conjures up images of compliance, assurance, and unwanted processes that slow down productive business activities. Too many CEOs, referring to poorly executed ERM processes, ask: “Aren’t we doing this already?” In my experience what they are really saying is: “You have presented me with a list of risks, but I don’t understand how they relate to our performance, and I think we are managing many of them well already.” Let me explain why the ERM process they have been presented is leading them to this correct conclusion.
The baseline for all well-designed ERM activities is the annual strategic plan, which contains all strategic priorities that the ERM process must support. The question, “What keeps you up at night?” is outdated as it lacks relevance to the company’s goals. The fundamental question that the ERM program must continually ask is, “For each corporate and departmental objective, what are the barriers that will prevent us from successfully achieving these targets?” Every risk must find its roots in a key objective.
This process of linking objectives to risks challenges the process of traditional risk categorization (e.g. HR, IT, Financial, Environmental etc.). Management teams have been breaking down these types of silos for decades. So why do ERM Teams so often group their risks this way? In my former CEO role, I always insisted that risks be reported alongside the objectives to which they were related. This ensured that the risks were always presented in the context of my company’s performance. In other words, the company’s objectives were the risk categories. It was a continual reminder to all stakeholders that risk management was a performance activity. Simply stated, risks that were not related to corporate objectives didn’t make the list.
This repositioning of the role of ERM has been a revelation to the more than 40 companies that I have worked with and advised over the past decade. A year ago, when I began advising a prominent Canadian CEO about risk, he conveyed a great deal of scepticism about ERM based upon the lack of value he had witnessed to date. After building this performance-focused ERM process, he describes it as, “A significant competitive advantage” for his company. I have since relabelled this methodology Performance Risk Management to help companies appreciate its focus on what matters most – ensuring every action contributes to your objectives.
Wednesday, June 2, 2010
$peak management's language... $
If we manage risk to help organizations achieve strategic objectives set forth by management, then risk managers should communicate to management using a similar set of metrics and language. Too many operational risk managers use an entirely different set of measures. Management speaks in terms of revenue, profit, and cost, while operational risk managers report likelihood, impact, and controls. While the latter 3 metrics are important to assessing risk, you are well advised to translate risk management metrics into management's language. Without a common set of metrics, management often dismisses risk management's value to the organization - it is seen as either a "nice to have", or worse, a compliance effort.
The good news is that you may not have to change your current process, but rather add a few more steps to your risk analysis and reporting. You can also apply some practices from the credit risk world. "Risk adjusted" performance metrics will translate your current risk reports into something that management can relate to more closely. For example:
- Risk Adjusted Revenue (RAR) shows management what the predicted revenues are when you account for the residual financial impact of the risks you are currently managing
- Risk Adjusted Profit (RAP) shows (similarly to RAR) the relative impact to profit
- Risk Adjusted Costs (RAC) predicts costs factoring in residual operational risk impacts (not the cost of risk management, the cost of risk exposures)
[Rich]
richard.m.wilson@ca.pwc.com
Monday, May 10, 2010
SEC’s new rules = half the risk management story
The US Securities and Exchange Commission (SEC) recently approved “new rules to enhance the information provided to shareholders so they are better able to evaluate the leadership of public companies.” Their focus is on corporate governance, compensation, and risk. While the SEC has made progress creating transparency for governance and compensation, they are still struggling to properly reveal a company’s risk management profile.
The SEC is striving to make corporate leaders act in an ethical, accountable manner. They are effective at legislating corporate transparency, disclosure, and exposing conflicts of interest. However, regulating a company to disclose how it manages risk is trickier. Highly effective risk management identifies and manages risks that can prevent an organization from achieving its key objectives. Therefore, disclosing your key risks will also disclose your strategic secrets. Publishing your detailed corporate objectives would be tantamount to competitive suicide, hence the SEC’s challenge.
The SEC’s approach as a result remains limited to revealing the board's role in the risk oversight of the company. It’s an arm’s length view of the company’s risk profile. Understanding the Board’s role in risk oversight is a long way from understanding how much risk a company is adopting or how it is addressing its risks. The SEC is now distinguishing between good ethics, and sound strategic risk management. The former is appropriately disclosable, the latter is not.
The SEC is only one oversight body that is trying to increase risk management in companies. For example, Standard and Poor’s is beginning to apply high-level risk management analysis to the companies it covers. But ultimately, risk management is about ensuring corporate performance and maintaining stakeholder confidence in your company. Don’t rely on third parties to manage public expectations about your company’s risk management program. Use your website and other corporate communications to instill confidence that you are effectively managing risk.
[Rich]
richard.m.wilson@ca.pwc.com
Sunday, May 2, 2010
How to identify your hidden catastrophic risks
I was talking to a client recently about the bigger risks that could seriously harm their company. He cited a recent example where a newly acquired small entity almost caused the parent company to be delisted from their exchange. The acquired company refused to share some of their financial information with the parent and as a result they weren't able to file quarterly reports until the subsidiary was sold. They came within an inch of being delisted.
Every company has hidden liabilities such as this. Some are obvious such as having too much reliance on a single customer for revenue, or too much reliance on a single supplier for goods or services. In other cases the problem is equally risky but not as obvious. An effective way to get visibility on ALL of these major risks is to combine business continuity planning (BCP) with risk management.
Risk management tries to determine the likelihood of uncertain events occurring, while BCP assumes these uncertain events occur and plans alternate routes and recoveries. During your risk identification process you will inquire about events that may prevent your company from achieving its objectives. Try reverse engineering this process to say, "assume that this objective fails - what events could cause this to happen?". The answers you receive will include catastrophic risks that no one assumes will happen.
For example, asking about risks related to losing a big revenue stream may result in a limited list of risks due to optimism about how the company is operating. However, assuming that the big revenue stream just disappeared, and asking for potential causes, will uncover new potential risks. The optimism that blinds you to potential risk will be replaced by creative thinking about previously unconsidered risks.
A case in point is the recent volcanic eruption in Iceland that grounded entire fleets of planes. If you asked what risks would ground an entire fleet, volcanoes may not have been identified. But assuming the entire fleet has just been grounded, and asking for potential reasons why, will prompt potentially uncreative people to think more broadly.
[Rich]
richard.m.wilson@ca.pwc.com
Saturday, May 1, 2010
Why "What keeps you up at night?" is the wrong question
When identifying risks, the question often asked is "What keeps you up at night?". Let me explain why this is a, well... risky question to ask.
Consider that the principal goal of risk management is to ensure that an organization performs as expected. In other words, it achieves its objectives. Therefore the risks that you identify need to be directly related to your organization's objectives. Risks not related to the achievement of corporate goals are off strategy - a distraction.
"What keeps you up at night?" is a disembodied question that will result in both relevant and irrelevant risks. Here is the question to ask...
"Considering the objective to... (describe a key objective), what events may prevent the organization from achieving this objective?".
The result will be risk events that are well aligned with management's goals. Feel free to present your interviewee with a list of potential internal and external risk categories to refer to when answering the question. For example, economic, competitive, strategic, HR, financial, technology, information, and corporate integrity are some of the major categories. There are up to 100 subcategories that fall under these major categories as well (business is complex!).
This objectives-focused question will ensure that your risk management process is strategic and focused on corporate performance.
[Rich]
richard.m.wilson@ca.pwc.com
Tuesday, April 27, 2010
Positioning Risk management at the C-Level
In 2010 it's not uncommon for a Board to give their management team a mandate to implement a risk management capability. I'm seeing it more and more. In this situation the internal or external consulting team engaged to implement the mandate will need to approach the management team in a very specific way.
Firstly, expect that the CEO or CFO may not fully understand the benefits of risk management and may interpret this as a challenge to their corporate governance. It is important to communicate the benefits of an ongoing risk management process upfront. Clarifying to management that this is a value sustaining or value creation activity is critical. Here are several key benefits:
- Increasing the likelihood that your organization will achieve its objectives (by integrating risk management with the strategic plan)
- Lowering business volatility by increasing visibility on events that can derail your performance
- Treating risk as "neutral" so that opportunities can also be identified and pursued
- Creating a centralized view of risks and creating efficiencies in risk identification and treatment
- Closing the gap between risk management and capital allocation
- Etc...
Thirdly, demonstrate how a well run risk management program creates a culture of accountability across the organization for identifying and managing risk. This will result in higher product/service quality, fewer incidents, and better planning overall.
Finally, show your CEO how the market rewards companies with sound risk management practices. Ratings agencies, capital markets, and creditors are all starting to differentiate risk-informed companies from the rest of the competition.
These are just some of the tangible benefits that you should communicate to your management team to ensure they are supportive of your risk management program.
[Rich]
richard.m.wilson@ca.pwc.com
Don't Confuse Risk Assessment with Risk Management
Let me overstate the obvious. Risk management is about managing risk. But if it is so obvious, why do many risk management professionals focus primarily on the assessment side of the equation?
Perhaps they are treating it as a project, as opposed to implementing an ongoing process. It could be because the consulting resources engaged to help with the up-front risk identification and assessment often don't participate in the follow-on risk treatments. Or finally, it could result from the challenge of harnessing the necessary internal resources to treat risks thoroughly.
Remember that all the work that leads up to the risk treatment phase, albeit important, is only providing you with business insights which you will use to prioritize your risks. Schedule the appropriate time and resources to develop and execute your risk treatments. Only once your risks are addressed will you derive the desired link between risk management and corporate performance.
[Rich]
richard.m.wilson@ca.pwc.com
Sunday, April 25, 2010
Risk Appetite - more than just a concept
I recently met with a senior management team to establish a risk appetite statement. It was the first time they had been through this type of exercise. I drafted a proposed statement in advance that in 2 sentences described how much risk the company should typically take on in any transaction. Once confirmed by management, this simple statement could be communicated to everyone in the company as another way to heighten consistency of risk taking.
For example, a risk appetite statement for a bank could state that every transaction in the bank must follow standard procedures governed by internal controls to ensure the risk is minimized and to protect shareholder value, whereas a more risk-oriented company might state that, to ensure aggressive growth in new markets, risk-informed decisions will guide decision making to maximize return to shareholders.
At the beginning of our meeting the exercise was met with some skepticism - it felt too academic for some. But when I asked each participant to rate the company's risk appetite on a scale of 1-5 (1 being highly risk averse and 5 being risk accepting), their answers ranged from 1 to 4. A 2 hour discussion followed where a great deal of consensus was created around how the company considers and manages risk. In the end the skeptics became the greatest supporters of the process as it aligned a myriad of opposing opinions about the company's approach to risk.
In short, if management isn't aligned on how much risk to adopt and how to manage it, then the same will follow for front line management as well. As one participant stated, "If we aren't in agreement about managing risk can you imagine how confused our employees will be?"
The simple act of drafting a risk appetite statement can be very effective in aligning everyone in the company to manage risk in a consistent manner. Later it can tactically translate into specific risk tolerances for each area of risk. It's simple and very effective.
[Rich]
richard.m.wilson@ca.pwc.com
Sunday, April 18, 2010
The "Management" in Risk Management
Once your risks have been assessed and prioritized, how do you develop your risk treatment plan?
A company can do an excellent job of identifying and assessing risk, but ultimately, if the organization doesn’t do anything with what you’ve learned, it isn’t actually risk management yet.
There are many different ways that an organization can respond to risk. For instance you can terminate the risk area if you decide that the risk is higher than your company would prefer to tolerate.
Another response is to transfer the risk. Most commonly companies accomplish this through insurance: you pay another organization to assume your risk. Alternatively, you can contractually transfer or outsource some of those activities to a third party and have them assume both the activity and much of the risk as well.
A third response is the approach many people think of first: mitigating risk. In this situation, you apply controls to lower the likelihood of the risk occurring, or lower the impact if it does occur. There are a few different ways to mitigate a risk. First, there are preventative controls which attempt to prevent the situation from happening in the first place. There are also detective controls which alert you that a risk has occurred. If the impact of a risk is lower, a detective control can be a fine solution.
Another response is to exploit the upside of a risk by capitalizing on new opportunities. By embracing and adopting risk, a company may find that there is a larger business opportunity there than was previously considered.
A final response is to tolerate the risk as it currently exists because it fits within predefined tolerance levels. It is important that management publish within its risk management policy a statement about the company’s risk appetite. The risk tolerances should be aligned with the corporate risk appetite.
These risk treatments constitute the “management” in risk management. Engage risk owners to develop their risk treatments so that they take responsibility for the execution of them as well. Finally, make sure these treatments are reported upon to celebrate successes and ensure accountability.
[Rich]
richard.m.wilson@ca.pwc.com
Monday, April 12, 2010
Ask the people on the ground first
Over the past few years I have uncovered a terrific approach to operational risk assessments. There are a few ways in which to gather risk assessment data. The first source of good information can be gathered through online risk assessments with key process owners. This information enables you to look for risk trends across the organization. Try aggregating all of the risk scores from all departments to create a risk profile at the corporate level. Then drill down to see the risk profile of each department. Finally, segment your data by level to see how senior managers score risks versus middle management.
Once you have the broad risk assessment picture conduct an executive-level risk self-assessment (RSA) workshop. Use software, such as Resolver*Ballot, to anonymously gather the impact and likelihood scores for each risk. This risk assessment software allows you to gather that information free from the typical peer pressure and politics that naturally exist in senior level meetings since the results are anonymous.
In the executive workshop gather their first set of risk scores. Then show them how the rest of the organization scored the risks in the online risk assessment. Typically about 75% of the scores will be similar, but there are often a few surprises. If the executive team scored a risk lower than the online assessors then it tells them that they need to take it more seriously than previously expected.
The result of this two-tiered assessment is a higher confidence by senior management that they understand the risk profile in the company. It also creates wider buy-in to the risk treatment phase outside of the C-suite.
[Rich]
richard.m.wilson@ca.pwc.com
Friday, April 9, 2010
Risk: It's how you word it
One of the greatest risk management challenges I have seen over the years is wording risks properly. It sounds simple enough (and it is!). So why is there such inconsistency in wording risks? The first reason is that there is no universal standard to follow. The second is that there are too many interpretations of what risk is. Finally, risk (sadly) carries a negative connotation in many organizations, so people try to describe their risks in a positive way to position them more favourably.
Well-worded risks are a cornerstone of a successful risk management program. If people across your organization end up with multiple interpretations of your risks, the credibility of your risk scores will fall. Getting the wording right is pretty important.
Allow me to suggest an easy and reliable way to word your risks. To begin with, remember that a risk is an event. Secondly, it is an event that may prevent you from achieving your objectives. Therefore, the simplest way to word your risk is "X may happen". For example, "Sr. executives may leave the company", or "Production at the plant may fall by 20%", or "Interest rates may rise above 5%". All of these risks are clear, and since they are worded in the future tense, they should not be threatening to newly emerging risk management cultures.
Follow each risk with "context bullet-points". These are the data points about the risk that people should consider. For example:
Production at the plant may fall by 20%
- our packaging supplier is in financial trouble
- our competitors are trying to hire away plant staff
- our plant wages are not competitive
- unpredictable weather patterns in that region are expected
- etc...
- Do any of your risks begin with "A lack of...", or "The inability to..."? (If so, they are describing situations within which a risk may occur and not the event itself.)
- Do any of your risks contain the words "and", or "or"? (If so, you have combined two events which will be difficult to score.)
- Are your risks worded as objectives in the positive? For example, "Retain our senior executives". It's a great objective but doesn't describe the effect of uncertainty on objectives.
- Is the risk tied to one or more objectives so that it is clear where the challenge to the organization lies?
- Do your risks have contextual data points attached to them?
[Rich]
richard.m.wilson@ca.pwc.com
Wednesday, March 31, 2010
Where do you look for risk?
There is a simple question to use when you are identifying risk in your organization.
"What may prevent you from achieving your objectives?".
It is an effective question because it focuses on the risks that are most important to the performance of your company. It also gives your respondent a context in which to discuss risk. If your head of manufacturing has 4 key objectives this year, then you simply ask them this question four times, once for each objective. I also find it very helpful to show a list of risk categories to someone who is identifying risks, to help them consider all the risks related to a given objective.
Remember that risks are events. Therefore, as people describe risky situations, ask them to clarify what events may occur, as these will be your risks.
Taking this approach to risk identification will be very appealing to management and your Board. They will see the direct connection between your risk management efforts and the performance of your company. That's a very good thing.
[Rich]
richard.m.wilson@ca.pwc.com
Saturday, March 27, 2010
ISO 31000 Risk Management
Every once in a while you feel like you have a jump on something good. In Q4 of 2009 I had the pleasure of conversing with Jan Mattingly, one of Canada's foremost experts in all things related to risk. Jan was one of the delegates chosen from an international list of risk experts to draft the ISO 31000 standard. Jan announced with excitement that the new standard was close to release and that it was going to bring a new level of excellence to Canada's risk management environment. She was right!
Recently, I had the honour of attending the first public ISO 31000 training session in Canada. It validated my understanding of how the standard approaches operational risk management. It is an objectives-oriented approach (risk = the effect of uncertainty on objectives). In my opinion this is crucial. After all, businesses exist to achieve their objectives; there is nothing more important. So risk management needs to be oriented around the achievement of objectives, or else it will only be regarded as an academic exercise by management.
There are well-articulated principles in the standard as well, but none stands so tall as the first: "Risk management creates and protects value". Again, business is about value creation, so risk management should pursue the same goal. Managing risk is not a defensive strategy; it's part of your offense. As a member of a Board of Directors, this principle should be your first filter when assessing the effectiveness of a risk management strategy.
I expect that there will be a lot of excitement around this standard. It is not a "check-the-box" certification, but rather a sound process that will lead companies in the right direction. Any company that is managing ambiguity around risk is well advised to head down this path.
[Rich]
richard.wilson@bpsresolver.com
About The Author

- Richard Wilson
- Richard is a Director in PwC's Risk Advisory practice with clients in both Canada and the United States.
He is an experienced senior executive with 15 years in a CEO or COO role (publicly traded and private firms). Richard has been leading risk management implementations for more than a decade, including 60 C-level risk assessments, and has led online risk assessments for 30,000 people in 25 countries.
He has advised the largest company in the US on risk management, and he has facilitated a risk assessment for the United Nations. Richard has been published in Compliance Week, Canadian Business, and the Globe & Mail and has been a keynote speaker on the topic of risk at many conferences in both Canada and the US since 2004.