"This newsletter provides a comprehensive overview of key concepts for implementation of risk management."
Sandra Parkins, Director, Integrated Risk Management, Fraser Health
Recently a member of the Enterprise Risk Management Association on the LinkedIn business networking site asked "What is the preferred enterprise risk guidelines covering all sectors?" People who ask that question naively search for the perfect decision rule.
In truth, there is no definitive guidance or approach for risk management. The search for it is futile because good decisions don't result from discipline alone; they also require creativity and judgment.
It takes creativity to develop innovative decision options that solve tough problems or seize new opportunities. A disciplined decision-making approach does more than ensure that the best option is selected. It ensures that the judgment of individual decision-makers aligns consistently with corporate values. Indeed, risk appetite and risk tolerance are simply alternate ways of expressing corporate values.
Here are three tips for developing a disciplined approach to risk management.
While there are principles of risk management that will apply broadly, they can't be applied in the same way in any two organizations. This is because of the enormous importance of the role of context. Even organizations in the same sector will differ greatly because of their unique contexts.
For example, two companies I know were in the same industry and located in the same town, but were vastly different. These 'night and day' differences began with their organizational cultures (including their risk mindsets), and extended to the employees and suppliers they attracted (one cultivated a strong relationship with its employees and contractors while the other had a union shop), their business processes and practices (one was able to sustain a high degree of innovation while the other was not), and to their business results (one was consistently profitable while the other was in and out of bankruptcy protection).
To illustrate the importance of context in understanding behaviour, Nobel Prize winning psychologist Herbert Simon used the metaphor of the mind as a pair of scissors. One blade of the scissors represents the brain (i.e., capabilities for perception, analysis, and judgment) and the other represents the brain's environment (i.e., the decision-making context). We cannot understand the operation of the scissors without understanding the simultaneous movement of both blades. Extending the metaphor, unless you understand the organizational decision-making context, you cannot influence risk management behaviour.
Attention to context is critical for effective enterprise and operational risk management because the devil is in the details of implementation. Successful application of risk thinking to decision-making requires attention to the interplay between context (including both the general economic and competitive business environment and the specific nature and time horizon of the particular issue that must be decided) and your risk management capabilities (including your current risk culture and your risk management infrastructure).
The Risk Management Spectrum (see box below) is a simple tool for understanding the maturity of your organization's risk management capabilities. The four points on the spectrum describe typical milestones along the ERM implementation journey. Organizations that constantly find themselves in Crisis Mode perish. I find most organizations are either in Survival Mode or Quality Mode. Over the last 20 years, I have helped many organizations progress towards the proactive end of the spectrum. Getting to Stewardship Mode requires:
In developing your risk management infrastructure, it is wise to adopt elements of existing guidance that are relevant for your organization. Here is my view on how three sources of ERM guidance each add a valuable perspective on the intersection between understanding the role of context and applying risk management capabilities to strategic and operational decisions.
ISO 31000 (like AUS/NZ 4360, CSA-Q850) does a good job of explaining the importance of business context. Unfortunately, too many practitioners skim over this step and rush to misapply risk assessment tools and then wonder why risk management doesn't gain traction.
In my view, the most important contribution of ISO 31000 is that it puts risk management into the context of organizational design. It includes a helpful discussion of the necessary components of an organization's framework for managing risk and the way in which those components interrelate. This validates the approach I've used for over a decade to assist clients to build and continually improve their risk management framework and decision-making capabilities.
What I find disappointing with most standards is that they start with the implicit premise that the status quo level of risk is either acceptable or too high. I'm inferring this from the stereotypical risk management options they offer which are along the lines of: 'avoid', 'reduce', 'transfer', and 'accept'. I'm delighted to see that ISO 31000 includes a 'take or increase risk' option. Risk management professionals need to get comfortable with risk-taking and exploring the upside of risk if we want our discipline to be relevant to executive decision-makers.
While some financial organizations have embraced the COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM Integrated Framework, a recent survey of executives working in the area of ERM revealed that COSO was not considered a key source of information and guidance. [Note, the survey results were published in the article "Who Reads What Most Often? A Survey of Enterprise Risk Management Literature Read by Risk Executives" by John R.S. Fraser, Karen Schoening-Thiessen, and Betty J. Simkins, Journal of Applied Finance, 2008.] Many risk professionals (myself included) find that the COSO cube is needlessly complex and seems to be aimed more at satisfying auditors than supporting decision-makers.
COSO does provide a strong linkage to the concepts of risk control. In an operational context, managers need to ask 'What could stop us from achieving our objectives using our corporate strategy?', not 'Does this strategy effectively balance risk, reward, and costs?' That's because in an operational context, where reliable execution of strategy is the main objective, an emphasis on control is entirely appropriate. If your people constantly second-guess your corporate strategies, they'll never execute them efficiently.
In the context of developing corporate strategy, an innovation stance is essential for exploring the "opportunity" side of risk. You need to remove your 'risk control' hat and ask questions such as:
A great source of guidance on these types of strategic risk questions is Ready... Or Not: A Risk Management Guide for Nonprofit Executives, the new book by Melanie Lockwood Herman (see this month's Bonus Resource for a review of this book).
The Risk Wise bottom line... If you want your people to display appropriate risk-taking behaviour, you need to ensure they have the know-how to tailor the application of your risk management tools to suit the context of each particular decision they make.
How well do managers across your organization apply balanced risk thinking to decisions involving strategy and execution? If you want to achieve the Stewardship Mode of risk management, contact Diana Del Bel Belluz at Risk Wise by phone at (416) 214.7598.
The codes to access the following special offers have been emailed to The Mobilize for Growth™ Advisory subscribers:
SPECIAL OFFER: $500 off for The Mobilize for Growth™ Advisory subscribers on the full program fee for the Masters Certificate in Risk Management and Business Performance presented by the Schulich School of Business. The next module will be held on September 17-20, 2018 in Toronto, ON. (Subscribers have been sent the instructions on how to access this offer.) Not yet a subscriber? Don't miss out, click here to sign up for your complimentary Advisory subscription.
When you subscribe to the Advisory, we'll send you the code for all current special offers along with a link to your New Subscriber Bonus, a copy of Moving Beyond the Risk Map to Operational Vigilance.
FIND OUT FOR YOURSELF why risk management leaders subscribe, click to access the ARTICLE INDEX of all past issues of the Risk Management Made Simple Advisory.
"I save and study each issue of the Advisory. I appreciate how Diana gives very practical advice and links it to fundamental theories and best practices."
Sherrie Hyde, Risk Manager, Lutherwood
The code to access the following special offer has been emailed to all Risk Management Made Simple Advisory subscribers:
SPECIAL OFFER: $500 off the full program fee for Risk Management Made Simple Advisory subscribers on the Masters Certificate in Risk Management and Business Performance. The next program module will be held on September 17-20, 2018 in Toronto, ON. (Subscribers have been sent the instructions on how to access this offer.) Not yet a subscriber? Don't miss out, click here to sign up for your complimentary Advisory subscription.
"It is so refreshing to read a newsletter that offers real solutions for risk management challenges."
Cathy Taylor
Director, Risk
Kinross Gold Corporation
The Neuroscience of Enterprise Risk Management (written by Diana Del Bel Belluz of Risk Wise) explores findings from the field of neuroscience and shares practical tips on how to apply them to enhance individuals' risk management thinking and implement brain-friendly ERM practices in organizations.
The article was published by The Conference Board of Canada in the Autumn 2017 issue of the journal Risk Watch.