Welcome to this series on the basics of risk management implementation. This series is not about the process for risk assessment or risk management – that you’ll find well covered in the many standards and frameworks such as ISO 31000 and COSO. Instead, I’ll provide advice on “How to implement risk management so that it becomes an integral part of your organization’s business practices and culture.”
First some background… Over the past 10-15 years, I have seen ERM initiatives fail to gain traction in many organizations. The most common mistake is an over-focus on the design of the ERM framework while completely underestimating the size of the culture change task of implementing ERM. To bring ERM to life, you need to make sure your people know how to use your framework. You also need to build feedback loops that will drive desired risk-taking behaviour. Like any exercise in organizational development and change management, it typically takes 5-10 years to complete.
Last year I reviewed a dozen management maturity models. I concluded that most maturity models have a narrow focus on how much STRUCTURAL capital (e.g., ERM framework and processes) an organization has developed. However, they provide little or no insight on the HUMAN capital (e.g., ERM knowledge, skills and culture) and the RISK INTELLIGENCE capital (e.g., the flow of information that drives optimal organizational results) required to bring its ERM structures to life. Note: I chose the term 'capital' to reinforce that ERM is an investment in the organization's future success.
To bridge the gap, I developed the Risk Wise ERM Maturity Model that consists of a four-stage ERM Implementation Cycle of organizational learning:
The Risk Wise ERM Maturity Model is a distillation of the experience I’ve gained over my 20+ year career dedicated to helping organizations implement effective and sustainable risk management programs. It encapsulates both the basics of risk management and today’s leading practices.
Over the next four issues, I’ll provide advice on how to implement each of the four stages of the Risk Wise ERM Implementation Cycle.
This article will cover the first stage in the ERM Implementation and Learning Cycle: Define the context and criteria for ERM. I’ll share basic risk management tips for implementing the three main tasks in this first stage:
It is important to set a context for ERM that enables an appropriate risk-reward balance. In other words, a context that supports both a defensive stance of value protection (i.e., to minimize exposure to threats) and an offensive stance of value creation (i.e., to fully exploit opportunities).
Traditional approaches to risk management focus on value protection and pay only lip service to value creation. Their risk identification processes begin and end with the question “What can hurt us?” This tends to create a large list of risks, most of which are not significant to enterprise performance or viability.
One way to achieve a balance between the defensive and offensive stance is to begin the risk identification task by asking “What do we want to achieve?” followed by “What drives uncertainty in the achievement of those objectives?” or “What could help or hinder us in the pursuit of our objectives?” It is essential to clearly articulate the organization’s mission, goals, and objectives because they serve as the main point of reference for identifying and analyzing risks. A strong focus on objectives also helps to keep us connected to what is required for value creation.
For far too long, risk professionals, coming from a value protection stance, have relied on the magnitude of a risk as the sole criterion for deciding how much attention it merits. The logic goes like this: focus lots of effort on big risks and proportionally less effort on smaller risks. The big problem with this approach is that it ignores the risk-reward relationship.
To help ensure consistent and appropriate risk-taking, an organization needs to articulate its appetite and tolerance for its principal enterprise risks. There is a lot of debate about the definition of risk appetite and risk tolerance. Here is how I define them. Risk Appetite refers to the level of threat exposure an organization is comfortable taking on in order to ensure it has ample opportunity to achieve its objectives. Risk Tolerance refers to the acceptable amount of variance around the targeted level of risk appetite. For an example, see the March 2008 Feature Article.
Articulating your risk appetite clarifies your comfort zone for the risk-return trade-off. Risk appetite and tolerance will vary depending on the set of threats and opportunities associated with a particular decision or strategy. For example, in some situations, we are willing to take big risks if they will help us to improve our performance or strategic positioning and if we believe that they can be managed appropriately. In other situations, we can’t stomach even a small amount of risk, e.g., most organizations will invest a lot of resources into compliance activities, even if there is only a small risk that they might breach laws and regulations.
Articulating risk appetite is easier than you think. This month’s Bonus Resource article is An Example of a High-Level Approach for Boards to Determine Risk Appetite from Douglas W. Brooks, President and CEO of AEGON Canada. For advice on how to overcome the reluctance of senior managers to articulate their risk appetite, read the March 2008 Feature Article.
At the first stage of the ERM implementation cycle, it’s essential to assess the organization’s operating environment. While environmental scanning is a standard practice for strategic planning, many organizations don’t yet use the results of the environmental scan to help them understand their enterprise risk management context.
The environmental scan you do for strategic planning can easily be expanded to identify the trends and risk factors that can have an impact on your organization’s risk profile and on its preferred position on the risk-reward continuum. The ERM-oriented environmental scan gives a sense of the possibilities and potential limitations for both creating and protecting organizational value.
In recent years, it has become a risk management best practice to conduct an environmental scan prior to the annual risk profiling exercise. The trouble is, some drivers of risk can change rapidly and therefore should be monitored more frequently than once a year. One way to leverage the environmental scanning exercise is to distinguish high-velocity risk factors that can occur quickly with little or no warning (e.g., an earthquake, a disruptive technology) from lower-velocity risk factors that can be foreseen (e.g., changes in employee demographics, seasonal variations).
The velocity of a risk factor is an important consideration in the development of effective risk detection strategies and risk treatment plans that occur in Stage 3 of the ERM Implementation cycle.
Effective ERM is predicated on understanding the business environment and defining the expected risk-taking culture. The first step is to get clear on your objectives and risk appetite and on the key drivers of uncertainty for your business.
For Risk Wise help in benchmarking your organization's ERM maturity, contact Diana Del Bel Belluz at: Diana.Belluz @ riskwise.ca or (416) 214.7598