ERM is powerful when designed as a performance-focused activity. It's not an audit, nor a compliance process. ERM manages the barriers that prevent organizations from achieving their objectives.

Author:
Richard Wilson develops Performance Risk Management capabilities for complex organizations. He has helped the largest companies in North America manage the barriers to their desired performance.

richard.m.wilson@ca.pwc.com | (416) 941-8374

Monday, December 12, 2011

ERM Challenge Series: #3: Designing a Risk Management Culture; The Benefits of Participating in the ERM Process


ERM Objective:
Generate support for ERM from the board through to the front lines.

The Trap:
There is a negative cascading effect when the ERM team cannot generate management support for the program. If there is no tangible link between the ERM process and the organization’s performance, then ERM is regarded as a cost centre rather than as a contributor to achieving targets. When middle management regards ERM as a departure from their day job, or as a compliance or audit exercise, then they will be reluctant participants.

The Solution:
The KEY question is, “What’s the benefit for me to support risk management?” Answers to this question include:
  • Board: “I will have greater assurance that management understands and manages their risks effectively.”
  • Executive: “To increase the likelihood of achieving my performance targets.”
  • Risk Owners: “To make a logical argument to management about the resources that I need allocated in order to achieve my targets.”

Tuesday, October 18, 2011

ERM Challenge Series: #2: ERM Reporting; Why Management Cannot Relate to the Reports they See


ERM Objective:
Create a high degree of relevance between risks and key stakeholders within your company (i.e. the board, executive team, and middle management).

The Trap:
ERM teams report lists of risks that have been separated from their strategic priorities (see Challenge #1). As a result, management regards the risk reports as a “disembodied list of reasons why the organization will fail”. Most companies report their risks under siloed categories such as IT, HR, or Safety. Management works hard to break down silos, so why do we report risks by them? It’s a reporting flaw that prevents ERM from being strategic.

The Solution:
Risks are always reported beside the objective, process, project, IT system, or supply chain element that they are related to. As a result, risks are correctly regarded as a natural part of the strategic focus of the organization.

Integrate your risks into your balanced scorecard. This continually positions the risks within the context of the strategic plan. Management can view the entire landscape as follows:

Strategy | Target | Risk | Risk Response = Performance

Saturday, August 13, 2011

ERM Challenge Series: #1: Relevance to the Board & Management; Aligning ERM and Strategy

ERM Objective:
Align the ERM process with management’s priorities to ensure it consistently creates value for the organization. The board and management view ERM as essential to achieving annual targets.

The Trap:
The ERM process is perceived as an audit or assurance exercise, rather than as a PERFORMANCE-focused process. Identifying risks via traditional categories (e.g. IT, HR, Finance, etc.) loses the relationship between objective and risk. Mapping risks back to objectives after the fact is ineffective. The key question is, “If this is our objective, what will prevent us from achieving it?”

The Solution:
ALL risks are identified for each of your organization’s strategic priorities. There is a direct line of sight between performance targets and the risks you must manage to achieve them. Risks are not identified by traditional siloed categories. When you report your risks, ALWAYS list the risks beside the relevant objective.

Thursday, May 26, 2011

The importance of measuring ERM performance

In my experience I have found that a key challenge companies face is motivating various departments to adopt the ERM process. The root cause for this is often that ERM teams layer their processes and tools on top of the business, rather than integrating them into existing processes. A good example of this is risk mitigation planning. For illustration purposes consider the Customer Retention department. A VP of Retention has just confirmed her annual plan with Management, and has a list of initiatives that her department needs to accomplish this year. Human Resources has also confirmed her performance metrics and bonus structure based upon this annual plan.

A week later, the ERM team facilitates a risk assessment workshop that includes the risks related to Customer Retention objectives. The VP of Retention is asked to document a mitigation plan based upon the outcome of the workshop. ERM provides her a standalone ERM Mitigation Form. She completes the form and submits a copy to the ERM department. At the end of that year the VP of Retention successfully completes all initiatives in her annual plan and receives her bonus. The risk mitigation plan, which was not incorporated into her annual plan, remains incomplete. Not surprisingly, the VP of Retention focused on the initiatives upon which she is measured.

This inability to motivate participation in the ERM process is a very common situation. My advice for ERM teams is to work diligently with the Strategic Planning department to integrate risk mitigation plans into department leaders’ annual plans. This annual plan already contains the key initiatives that they need to complete, and risk mitigations are simply additional initiatives that require equal focus and attention.

Bottom line, people do what they are measured upon.

Thursday, February 10, 2011

Don't Overcomplicate ERM

A well-designed ERM program supports many complex challenges, such as:
• Achieving corporate and departmental objectives;
• Strengthening compliance processes;
• Increasing corporate security and reducing fraud;
• Protecting reputation;
• Safeguarding assets;
• Building value;
• Enabling the Board and Management to make risk informed decisions; and
• Sustaining high levels of confidence in the organization across all stakeholders.

The final challenge for the ERM Team, however, is providing a practical, achievable process for all participants to use. A strong ability to read your audience is critical. Too many ERM practitioners impose complex, abstract processes on the business. For example, there are only a select few in any organization who embrace the concept of assessing risk on an inherent basis. For an Internal Audit scoping process it is a valuable metric. For the head of Sales, Customer Retention, Product Development, or any other non-assurance function it provides more confusion than value. As a result, I recommend that all operational risk assessments simply employ residual risk assessments. Risk assessors will appreciate the practicality of the process and will be more likely to buy into the results.

About The Author

Richard is a Director in PwC's Risk Advisory practice with clients in both Canada and the United States.

He is an experienced senior executive with 15 years in a CEO or COO role (publicly traded and private firms). Richard has been leading risk management implementations for more than a decade, including 60 C-level risk assessments, and has led online risk assessments for 30,000 people in 25 countries.

He has advised the largest company in the US on risk management, and he has facilitated a risk assessment for the United Nations. Richard has been published in Compliance Week, Canadian Business, and the Globe & Mail and has been a keynote speaker on the topic of risk at many conferences in both Canada and the US since 2004.