Rethinking Risk Intelligence

November-December 2010 Issue

by Diana Del Bel Belluz, M.A.Sc., P.Eng.

Is your organization risk intelligent? Recently I was asked to present a session on how to assess risk management maturity to The Conference Board of Canada’s Strategic Risk Management Council. My research for the talk revealed three common reasons that organizations fail to achieve risk intelligence:

1.     Many risk management progams are overly focused on the components of their ERM framework (e.g., risk assessment processes and ERM accountability structures). It’s like building a car for someone who doesn’t know how to drive and doesn’t care to leave their house and then wondering why the vehicle just sits in the garage. While developing a risk framework and tools is necessary for a successful ERM program; it’s not sufficient for success.

2.     In developing their implementation plans, many ERM leaders fail to consider the human capital required to actually bring an ERM framework to life.  It is people (not frameworks) who manage risk. ERM programs don’t acheive risk intelligence if they don’t invest effort into the development of their people’s risk knowledge and skills.  

3.     Many ERM leaders pay scant attention to how well the ERM progam is actually working. They mistakenly measure their success based on the ERM reports generated rather than by evaluating how effectively ERM information is applied to improve business outcomes. It’s like judging a meal solely by the ingredients used to create it and not evaluating how good it tastes. As the proverb says the “proof of the pudding is in the eating” and the value of an ERM program lies in how effectively it helps managers to optimize organizational performance and resilience. Ideally an ERM report is the start of a conversation, not the last word.

Here are two tips for improving your organization’s risk management intelligence.

Tip #1. Measure the impact of ERM  

It’s easy to get drawn into the details of the risk framework and risk reporting. One way to stay focused on the overall effectiveness of your ERM program is to measure its impact.

At least once a year, review how well your ERM program is serving the business. As the year draws to a close, it is an excellent time to take stock of where your ERM program has delivered good value and where it hasn’t. Here are three lines of inquiry you can use to spot good opportunities to sharpen your risk intelligence.

 a.  Check the alignment of your key risks with your stated risk appetite and tolerances  

  • Compare your latest risk profile to the one created a year ago. Did the past year’s ERM activities result in a closer alignment of your risk exposure with your stated appetite and tolerance for risk? If the answer is ‘yes’, was it dumb luck or can you point to specific ways the ERM program helped? 
  • What lessons can be drawn from the organization’s successes and challenges in meeting its goals and targets that can be used to enhance your ERM practices going forward?

 b.  Learn from surprises

  • Over the past year, what risk events surprised you? For example, did risk events occur that were not on your radar screen? Or, did you vastly under- or over-estimate the magnitude of any enterprise risks? Why did you miss or miscalculate these ‘surprise’ risks?  
  • What opportunities for improving your processes and skills for identifying, assessing, monitoring, and communicating about risks do these surprises reveal?
  • What can be learned from these surprises about potential weaknesses in how you develop and use risk indicators as early warning signals?

 c.  Spot the opportunities

  • Over the past year, what hasn’t your organization accomplished with respect to its strategic objectives? 
  • What opportunities (i.e., upside risks) could your organization exploit this year to bring it closer to fulfilling its mission and goals?

Tip #2. Integrate ERM into the business

The outputs of ERM processes (e.g., risk appetite statement, risk measurements, risk indicators, etc.) don’t become risk intelligence until they are applied to improve decision processes such as:

  •  Goal setting
  •  Strategy development
  •  Environmental scanning
  •  Scenario exploration
  •  Performance forecasting
  •  Business planning
  •  Business process design and implementation
  •  Performance monitoring and management
  •  Assessment of management effectiveness (including risk management)
  •  Continuous improvement  
  •  Organizational design and development 

The integration of ERM into business processes does not happen spontaneously. It requires effort and intentionality to:

a.     Define optimal flows of risk information between ERM processes and other important business management processes. The feedback (and feedforward) loops are the key to driving risk management behaviour that is aligned with the organization’s risk appetite.

Here are a couple of examples of feedback loops:

  • Management sets risk appetite and the Board approves it. Risk appetite criteria inform the goal and objective setting processs. Managers pull risk appetite criteria into the risk assessment process to help evaluate the adequacy of their current efforts to manage key enterperise risks and allocate resources accordingly. Risk appetite criteria are evaluated periodically by management and the Board to ensure they continue to reflect the organization’s values and aspirations.
  • Risk estimates from the risk assessment process are fed into the business planning process to help develop performance forecasts. On an ongoing basis, peformance forecasts are compared with actual performance, deviations and trends are identified. Managers take action to address potential performance shortfalls. A periodic evaluation of forecast vs. actual performance identifies opportunities for fine-tuning that are fed back to the risk assessment process.

b.    Identify where ERM and/or business processes need to be updated to ensure timely exhange of information and effective feedback loops. Here you may benefit from collaborating with colleagues who are responsible for organizational design and enterprise architechture.

c.     Develop and implement a change management plan to ensure smooth information flow between ERM and other business management processes. Most importantly, the change management effort must ensure your people know what is expected of them and develop the skills required to manage risk.

The Risk Wise bottom line… Achieving risk intelligence requires more than an ERM framework. You need to ensure your people have the knowledge and skills to use ERM processes and tools.  Most importantly, they must be motivated to do so by feedback loops that integrate risk information into key management and decision processes.

Follow the links to:

  • Read this month'sBonus Resource- Recording of Webinar on ERM Resources.
  • Download a printable version of the entire November - December 2010 issue of the Risk Management Made Simple Advisory.
  • View the Article Index to access back issues of the Risk Management Made Simple Advisory.

 

To learn about cost effective ways to increase your organization’s risk intelligence,contactDiana Del Bel Belluzat Risk Wise:Diana.Belluz @ riskwise.ca

Current Special Offers for Subscribers

Current Special Offers for Subscribers

The codes to access the following special offers have been emailed to all Risk Management Made Simple Advisory subscribers:

  • SPECIAL OFFER: $460 off the full conference fee for Risk Management Made Simple Advisory subscribers on the Resilience 2017 to be held on April 24-26, 2017 in Edmonton, AB. (Subscribers have been sent the instructions on how to access this offer).  Not yet a subscriber?  Don't miss out, click here to sign-up for your complimentary Advisory subscription.

  • SPECIAL OFFER: $150 off the full conference fee for Risk Management Made Simple Advisory subscribers on the Canadian Privacy Summit 2017 to be held on May 2-3, 2017 in Toronto, ON. (Subscribers have been sent the instructions on how to access this offer).  Not yet a subscriber?  Don't miss out, click here to sign-up for your complimentary Advisory subscription.

Not yet a subscriber, but want to access these special offers?

When you subscribe to the Advisory, we'll send you the code for all current special offers along with a link to your New Subscriber Bonus, a copy of Moving Beyond the Risk Map to Operational Vigilance.

FIND OUT FOR YOURSELF why risk management leaders subscribe, click to access the ARTICLE INDEX of all past issues of the Risk Management Made Simple Advisory.

"I save and study each issue of the Advisory. I appreciate how Diana gives very practical advice and links it to fundamental theories and best practices." 

Sherrie Hyde, Risk Manager, Lutherwood

FREE DOWNLOAD

Moving Beyond the Risk Map to Operational Vigilance

Read more about the Risk Management Made Simple Advisory.

"It is so refreshing to read a newsletter that offers real solutions for risk management challenges."
Cathy Taylor
Director, Risk
Kinross Gold Corporation

Diana's Pick

Neuroscience and the Nonprofit Manager (written by Andy  Segedin and published in the NonProfit Times) shares some of the tips on how to counteract common biases and habits that impede effective decisions.

The article is based on a workshop that Diana Del Bel Belluz of Risk Wise presented at the 2015 Risk Summit organized by the Nonprofit Risk Management Center.