Basics of Risk Management – Step 2: Assess Risk and Its Implications for Performance

October 2011 Feature Article

By Diana Del Bel Belluz, M.A.Sc., P. Eng.

In this article, I’ll share tips on how to assess the implications of risks on enterprise performance and stakeholder value. This is the second article in a 4-part series on risk management basics. The series introduces the Risk Wise ERM Implementation and Organizational Learning Cycle of the four essential steps for bringing ERM to life in any organization:

  1. Define the context and criteria for enterprise risk management (ERM)
  2. Assess risks and implications for performance and primary stakeholder value
  3. Integrate ERM into business practices
  4. Close the learning loop to fine-tune & optimize ERM

The Risk Wise ERM Implementation and Organizational Learning Cycle moves beyond a narrow focus on how much STRUCTURAL capital (i.e., ERM framework and processes) an organization has developed. It contains important information on how to build the HUMAN capital (i.e., ERM knowledge, skills and culture) and the RISK INTELLIGENCE capital (i.e., the flow of information that drives optimal organizational results) required to bring your ERM structures to life.

The second step of the ERM Implementation and Organizational Learning Cycle is about understanding the implications of risk on future performance. Are you having difficulty demonstrating the value of your ERM program? If so, you probably have not yet established a measurable link between enterprise risks and organizational performance.

ERM ensures there is an explicit consideration of the risks that affect:   

  • Organizational performance. Knowledge about risks to the achievement of corporate objectives helps you to ensure success in the near-term.
  • Performance capabilities. Knowledge about the risks that threaten your organization’s ability to strategically position itself to deliver stakeholder value helps you to ensure sustainability of the organization over the long-term.

The main task of the second stage of the ERM Implementation and Organizational Learning Cycle is to integrate risk analysis with performance forecasting and performance management by:   

  • Identifying risks, i.e., determining the events or conditions that drive uncertainty in expected enterprise performance or organizational sustainability.
  • Assessing the magnitude of risks, i.e., estimating the size and likelihood of the potential impacts of those risks on performance.
  • Evaluating risks, i.e., deciding if risks are adequately managed or if they require more (or less) management attention.

Here are three tips on how to link ERM and performance management and build the ERM capital (structural, human, and risk intelligence) needed in implementing the second stage of the ERM cycle.

Tip #1. Gauge the Influence of Risks on Objectives

To identify their enterprise risks, most organizations brainstorm on the question: What could harm us? This approach taps into the knowledge and experience of the team involved in the brainstorming exercise, but fails to:     

  • Substantively quantify the impacts (positive or negative) on the organization’s ability to achieve its objectives. In fact, most risk registers don’t indicate the importance of individual risks relative to the overall achievement of objectives.
  • Capture the interdependencies between risk factors. Risks that can influence the achievement of the strategic objectives of the organization can often be linked or connected to each other. Because the brainstorming approach evaluates each risk in isolation, it does not enable you to systematically explore how risks might combine or cascade.

Apply objective-oriented risk identification to understand the complexity of the interrelationships between risks and gauge the impact on objectives. Risk models can be qualitative (e.g., influence diagram technique) or quantitative (e.g., Monte Carlo technique).

The influence diagram methodology graphically maps the interrelationships between risks and immediately communicates the complexities of how risks can influence an objective. It enables the visualization of how risks can occur in combination or in sequence. It also pinpoints the factors that need to go right to achieve the objective, providing important insight into the adequacy of the organization’s performance capabilities. See this month’s Bonus Resource to learn how to apply the influence diagram technique.

Tip #2. Cross-examine Your Risk Estimates

Once enterprise risks have been identified, they are assessed or sized. Most organizations use a version of the Delphi method to determine the potential likelihood and impact of each risk. While they do capture the assessment team’s judgment and experience, qualitative risk assessment approaches are extremely prone to bias and blind spots.

The most effective way to guard against bias is to cultivate openness and inquiry in the risk assessment process. To achieve this culture:   

  • Distinguish between the facts and assumptions that underlie assessments of risk.

  • Test assumptions and revise them accordingly.

  • Encourage your people to raise concerns about the assessed level of any risk or the viability of any risk response strategy. Silence can be very dangerous.

See the July 2009 Feature Article for nine tips on how to achieve more robust and transparent risk estimates.

Tip #3. Shift Your Risk Response Mindset from Risk Reduction to Risk Alignment

Once risks have been identified and sized, the next step is to evaluate them to decide what, if anything, needs to be changed in your risk response strategies and actions.

Many executives mistakenly focus all their risk management resources on the risks with the highest combined rating of likelihood and impact. When considered narrowly from the defensive ERM stance of value protection (i.e., minimizing exposure to threats), this approach makes sense.

But, when managers fail to consider the organization’s appetite and tolerance for risks, they preclude the offensive ERM stance of value creation (i.e., exploiting opportunities) that is necessary to pursue strategic objectives and advance the organization’s mission. If your risk response strategies are exclusively focused on reducing risk, consider shifting to a mindset of continually aligning risk exposure with risk appetite.

You can quickly refocus how you evaluate risks by asking: How well does our current risk exposure align with the organization’s risk criteria (appetite and tolerance for risks)? A thoughtful answer to that question will give you the information you need to set effective and efficient priorities, targets and timelines for risk response actions.

The Risk Wise bottom line…

A critical ERM success factor is to establish a measurable link between enterprise risks and strategic objectives. This will keep your ERM program focused on supplying and applying the risk intelligence that is crucial for meeting organizational performance targets, enhancing resilience and ensuring long-term sustainability.

*

I’ve coached many clients on how to apply these techniques. If you need help in measuring the link between risks and enterprise performance, contact Diana Del Bel Belluz at Risk Wise: Diana.Belluz @ riskwise.ca or by telephone at (416) 214.7598

Follow the links to:

  • Read this month's Bonus Resource - The Influence Diagram Tool for Analyzing the Cause-Effect Relationships Between Risks and Objectives.
  • Download a printable version of the entire October 2011 issue of the Risk Management Made Simple Advisory.
  • View the Article Index to access back issues of the Risk Management Made Simple Advisory.
