ERM Challenge #10: Losing ERM Momentum in Year 2 and beyond; Keeping ERM Fresh & Relevant
ERM Objective:
Maintain high levels of support and engagement in your ERM program
The Trap:
Rolling the same risks over year to year will quickly devalue your ERM program. Key stakeholders will begin to see it as a “tick-the-box” exercise. This approach contradicts the strategy of identifying risks as part of your annual strategic planning cycle.
The Solution:
Change how you identify risks each year to keep the process fresh and relevant. Bring in outside experts to brainstorm your risks. Conduct risk identification in workshop formats that include all key stakeholders for a given objective or project.
Integrate risk identification and assessment into the annual budgeting cycle. If budgets cannot be approved without a current risk assessment it will prompt renewed thinking each year.
Finally, risk-informed decision making requires management to consider risks before finalizing their strategic plan. Ensure the ERM team participates in these strategic planning cycles to keep management informed of two types of risk: the risk of executing a strategy, and the risk of NOT executing a strategy.
ERM is powerful when designed as a performance-focused activity. It's not an audit, nor a compliance process. ERM manages the barriers that prevent organizations from achieving their objectives.
Author:
Richard Wilson develops Performance Risk Management capabilities for complex organizations. He has helped the largest companies in North America manage the barriers to their desired performance.
richard.m.wilson@ca.pwc.com | (416) 941-8374
Thursday, June 28, 2012
Saturday, June 2, 2012
ERM Challenge Series: #9: Risk Relationships; Treating Risks as Isolated Events
ERM Objective:
Understand the cause and effect relationship between risks.
The Trap:
Most companies do not have a practical, relatively simple method to understand this. The other challenge is when to perform this analysis, which is BEFORE your risk assessment.
The Solution:
Risks do not necessarily exist in isolation of each other, many are interconnected. If one risk occurs, which other risks may occur? Chain reactions of risk events happen, but this is rarely considered when assessing risk.
I have helped my clients understand their most influential “upstream” risks that can trigger “downstream” risks to also occur. Upstream risks have a larger Impact once you consider the full extent of their influence on your organization.
Conducting this simple analysis before a risk assessment will change how management scores the Impact scale.
Sunday, May 27, 2012
ERM Challenge Series: #8: Isolating your Top Risks; Most Top 10 Risks are Not the Risks to Address
ERM Objective:
Allocate resources to the correct risks based upon strategic priorities.
The Trap:
After completing your risk assessment you will have a prioritized risk register, typically using Impact and Likelihood criteria. Many firms then focus on the Top 10, 5, or even 3 risks on the list. The issue is that your Top 10 risks are typically not the most important risks to address. The third key question has not been answered, which is, “Which risks should we manage differently than we do today?” Not answering this third question potentially causes you to apply more resources to the incorrect risks.
The Solution:
Determine Risk Tolerances:
After your risk assessment, set a target level for each risk (a tolerance). This determines where the risk needs to be on the Impact and likelihood scales. You can now give the risk owner a clearer idea of what the risk looks like when successfully managed (within tolerance). You will also clarify if you are reducing the likelihood, impact, or both (and why?).
In my experience, 40-60% of risks in the Top 10 list do not require additional mitigations.
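The two steps described in Challenges #9 and #8 (trace which risks an upstream risk can trigger before scoring Impact, then compare each risk's assessed position against its tolerance) can be modelled directly. The following is an added example, not code from the author or from PwC; the four-risk register, the trigger map, the 1-5 scales and the tolerances are all constructed sample data, and the "adjusted Impact = worst Impact along the chain" rule is one simple choice of how to count downstream influence, not the author's scoring method.

```python
from collections import deque

# Constructed sample register (not the author's data):
# id -> (description, Impact, Likelihood), both scored on 1-5 scales.
RISKS = {
    "R1": ("Key supplier fails to deliver", 3, 3),
    "R2": ("Production line halts", 4, 2),
    "R3": ("Customer commitments are missed", 4, 2),
    "R4": ("Regulatory filing is late", 2, 2),
}

# Constructed cause-and-effect map: upstream id -> downstream ids it can trigger.
TRIGGERS = {"R1": ["R2"], "R2": ["R3"], "R3": [], "R4": []}

# Constructed tolerances: id -> (target Impact, target Likelihood)
# once the risk is "successfully managed".
TOLERANCES = {"R1": (3, 3), "R2": (4, 2), "R3": (3, 2), "R4": (2, 2)}


def downstream(risk_id, triggers=TRIGGERS):
    """Every risk reachable through the trigger map from risk_id (excluding itself).
    Breadth-first search with a visited set, so cyclic chains terminate."""
    seen, queue = set(), deque(triggers.get(risk_id, []))
    while queue:
        current = queue.popleft()
        if current in seen or current == risk_id:
            continue
        seen.add(current)
        queue.extend(triggers.get(current, []))
    return seen


def influence_adjusted_impact(risk_id, risks=RISKS, triggers=TRIGGERS):
    """Impact of an upstream risk once the chain reaction it can start is counted:
    the worst Impact among itself and everything downstream of it (assumed rule)."""
    chain = {risk_id} | downstream(risk_id, triggers)
    return max(risks[r][1] for r in chain)


def rank_by_influence(risks=RISKS, triggers=TRIGGERS):
    """Order risk ids by adjusted Impact, then by how many risks they can trigger."""
    return sorted(
        risks,
        key=lambda r: (
            influence_adjusted_impact(r, risks, triggers),
            len(downstream(r, triggers)),
        ),
        reverse=True,
    )


def mitigation_gaps(risks=RISKS, tolerances=TOLERANCES):
    """Which risks sit above their tolerance, and on which scale(s).
    Risks already within tolerance are left out: they need no new mitigation."""
    gaps = {}
    for risk_id, (_, impact, likelihood) in risks.items():
        target_impact, target_likelihood = tolerances[risk_id]
        over_impact = impact > target_impact
        over_likelihood = likelihood > target_likelihood
        if over_impact and over_likelihood:
            gaps[risk_id] = "both"
        elif over_impact:
            gaps[risk_id] = "impact"
        elif over_likelihood:
            gaps[risk_id] = "likelihood"
    return gaps


if __name__ == "__main__":
    for r in rank_by_influence():
        print(r, RISKS[r][0], "| own Impact", RISKS[r][1],
              "| adjusted Impact", influence_adjusted_impact(r),
              "| can trigger", sorted(downstream(r)))
    print("needs additional mitigation:", mitigation_gaps())
```

On this constructed data R1 is scored 3 on Impact in isolation, yet it rises to the top once the chain R1 -> R2 -> R3 is counted, which is the point of doing the relationship analysis before the assessment. Running the tolerance comparison afterwards shows only R3 outside its target; the other three, including the highest-scored ones, already sit within tolerance and get no new mitigation.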
Saturday, April 21, 2012
ERM Challenge Series: #7: Getting Beyond the Assessment; Holding Risk Owners Accountable
ERM Objective:
Hold risk owners accountable to manage their risks.
The Trap:
Confusing risk assessment with managing risk is common. When we set strategic plans we establish measurable targets. However, when we identify risks the mandate is often simply to “manage the risk”.
The Solution:
Essentials for risk management accountability:
- Describe with great clarity what each risk looks like when it is properly managed (we rarely eliminate risks, so what does the successfully managed risk look like?)
- Don’t ask risk owners to “manage” risks that are already within tolerances, they will not understand what they are supposed to do (see Challenge #8)
- Management MUST review risk response status reports with the same frequency that they review corporate performance
- Corporate risk responses should have board visibility quarterly
Sunday, March 4, 2012
ERM Challenge Series: #6: Relevance of Risks to Owners; The Importance of Creating 2 Layers of Risk
ERM Objective:
Create relevant risks for your executive and middle management alike
The Trap:
Creating a single set of risks for both levels of your organization.
The Solution:
Your executive owns your organization's corporate objectives. Identifying the risks associated with these objectives will create Management’s risk universe (typically 20-35 risks)
Similarly, each department will have its own set of objectives and related risks. (typically 10-20 risks per department)
Aggregating these 2 distinct layers of risk into a single risk group is counter-intuitive. Management regards the list as “in the weeds” and middle management considers the risks to be “bigger than my department’s mandate”.
Allow each level to own the risks that are related to their objectives.
Saturday, February 18, 2012
ERM Challenge Series: #5: Integrating ERM into Routine Processes
ERM Objective:
All relevant stakeholders in your organization embrace the risk management process because they understand its link to desired performance.
The Trap:
The ERM process is too often designed as a layer on top of the business. If your ERM advisor wants to document a stand-alone ERM process, your program is not destined for success.
The Solution:
Build upon existing processes and use existing documentation:
Asking people to suspend their “day job” to engage in a risk management process does not work. It is the responsibility of the ERM team to integrate every step of the new ERM process into existing processes and documentation.
This does not suggest that the ERM team cannot create a multitude of new documents and tools for their own team to facilitate the program and generate reports. However, risk owners will be far more likely to embrace a risk program that is woven into their current daily routines.
Tuesday, January 3, 2012
ERM Challenge Series: #4: Risks as Events; The Importance of Documenting your Risks Correctly
ERM Objective:
Draft risks that are easily understood, unambiguous, and interpreted the same way by all who view them.
The Trap:
A majority of companies create confusion or frustration with their ERM program by drafting risk statements poorly. Risks beginning with the following phrases are not risk events, and will result in a frustrated group of executive risk assessors and risk owners:
- “An inability to…”
- “…leading to…”
- “And / or”
- “A lack of…”
- “…as a result of…”
The Solution:
X May Happen: Draft each risk as an event. This process is intuitive, and the outcome is a risk register that is easily interpreted by all of your stakeholders. It is as simple as “X may happen”.
Another insight – your risk register should not contain a risk such as, “Reputational damage may occur”. Reputational damage is a component of your Impact assessment. Over half of your risks can lead to reputational damage, so don’t consolidate all reputational considerations into just 1 risk.
About The Author
- Richard Wilson
- Richard is a Director in PwC's Risk Advisory practice with clients in both Canada and the United States.
He is an experienced senior executive with 15 years in a CEO or COO role (publicly traded and private firms). Richard has been leading risk management implementations for more than a decade, including 60 C-level risk assessments, and has led online risk assessments for 30,000 people in 25 countries.
He has advised the largest company in the US on risk management, and he has facilitated a risk assessment for the United Nations. Richard has been published in Compliance Week, Canadian Business, and the Globe & Mail and has been a keynote speaker on the topic of risk at many conferences in both Canada and the US since 2004.