There is a simple question to use when you are identifying risk in your organization.
"What may prevent you from achieving your objectives?".
It is an effective question because it focuses on the risks that are most important to the performance of your company. It also gives your respondent a context to discuss risk. If your head of manufacturing has 4 key objectives this year then you simply ask them this question four times, once for each objective. I also find it very helpful to have a list of risk categories to show someone who is identifying risks to help them consider all the risks related to a given objective.
Remember that risks are events. Therefore as people describe risky situations ask them to clarify what events may occur as these will be your risks.
Taking this approach to risk identification will be very appealing to management and your Board. They will see the direct connection between your risk management efforts and the performance of your company. That's a very good thing.
[Rich]
richard.m.wilson@ca.pwc.com
Wednesday, March 31, 2010
Saturday, March 27, 2010
ISO 31000 Risk Management
Every once in a while you feel like you have a jump on something good. In Q4 of 2009 I had the pleasure of conversing with Jan Mattingly, one of Canada's foremost experts in all things related to risk. Jan was one of the delegates chosen from an international list of risk experts to draft the ISO 31000 standard. Jan announced with excitement that the new standard was close to release and that it was going to bring a new level of excellence to Canada's risk management environment. She was right!
Recently, I had the honour attending the first public ISO 31000 training session in Canada. It validated my understanding about how they are approaching operational risk management. It is an objectives-oriented approach (risk = The effect of uncertainty on objectives.). In my opinion this is crucial. After all, businesses exist to achieve their objectives, there is nothing more important. So risk management needs to be oriented around the achievement of objectives or else it will only be regarded as an academic exercise by management.
There are well articulated principles of the standard as well, but none stands so tall as the first - "Risk management creates and protects value". Again, business is about value creation, so risk management should pursue the same goal. Managing risk is not a defensive strategy, it's part of your offense. As a member of a Board of Directors, this principle should be your first filter when assessing the effeciveness of a risk management strategy.
I expect that there will be a lot of excitement around this standard. It is not a "check-the-box" certification, but rather a sound process that will lead companies in the right direction. Any company who is managing ambiguity around risk is well advised to head down this path.
[Rich]
richard.wilson@bpsresolver.com
Recently, I had the honour attending the first public ISO 31000 training session in Canada. It validated my understanding about how they are approaching operational risk management. It is an objectives-oriented approach (risk = The effect of uncertainty on objectives.). In my opinion this is crucial. After all, businesses exist to achieve their objectives, there is nothing more important. So risk management needs to be oriented around the achievement of objectives or else it will only be regarded as an academic exercise by management.
There are well articulated principles of the standard as well, but none stands so tall as the first - "Risk management creates and protects value". Again, business is about value creation, so risk management should pursue the same goal. Managing risk is not a defensive strategy, it's part of your offense. As a member of a Board of Directors, this principle should be your first filter when assessing the effeciveness of a risk management strategy.
I expect that there will be a lot of excitement around this standard. It is not a "check-the-box" certification, but rather a sound process that will lead companies in the right direction. Any company who is managing ambiguity around risk is well advised to head down this path.
[Rich]
richard.wilson@bpsresolver.com
Subscribe to:
Posts (Atom)
About The Author
- Richard Wilson
- Richard is a Director in PwC's Risk Advisory practice with clients in both Canada and the United States.
He is an experienced senior executive with 15 years in a CEO or COO role (publically traded and private firms). Richard has been leading risk management implementations for more than a decade incl. 60 C-level risk assessments, and has led online risk assessments for 30,000 people in 25 countries.
He has advised the largest company in the US on risk management, and he has facilitated a risk assessment for the United Nations. Richard has been published in Compliance Week, Canadian Business, and the Globe & Mail and has been a keynote speaker on the topic of risk at many conferences in both Canada and the US since 2004.