03/Feb/2023
blog listEnterprise Risk Management A Process and a Way of Life
Although risk management dates back
to the inception of the insurance market in the early 1600s, it has only been during
the past 100 years, or even less, that organizations have sought to formalize
their approach to risk management. Risk
management essentially looks to define the nature of the risks an organization
faces and to either accept, mitigate, or transfer those risks. Since risk management grew out of the
insurance industry, it tends to focus on defining threats and the corresponding
risks for which insurance is available.
Decisions about whether a particular risk is acceptable or how much
should be spent to mitigate the risk are predominately based on the cost of an
insurance policy that will cover the risk.
Given that risk management has been predominately used as a tool for
determining whether to purchase insurance coverage and how much insurance
coverage to purchase, risk management is typically handled in many
organizations by the Chief Financial Officers or their designees.
In the mid-1970s, risk management
thought leaders, such as Felix Kronman, Gustov Hamilton and Neil Crockford,
began pushing for a revolutionary approach to risk management that involves
elevating the process of crafting the risk management strategy to the
enterprise level by an organization’s Board of Directors, rather than merely
the CFO or someone farther down on the organization chart. Over the next couple of decades, they and
others refined and expanded this concept to create the concept and practice of Enterprise
Risk Management (ERM).
The elevation of risk management to
the enterprise level is advantageous for several reasons, including:
• despite their high-level positions, the CFOs
typically work within their own silos and have limited views across the various
units in the organization to identify and define their risks;
• absent board and executive-level buy-in,
identification of and planning for hypothetical risks is frequently seen as a
waste of time when employees have other, more immediate concerns such as sales,
marketing, and new-product development;
• the CFO does not always have the authority to
impose ERM steps upon other business units which, from a practical perspective,
leaves the CFO with the determination of only whether a risk is acceptable or
could be transferred, thus introducing operational and budgetary
inefficiencies; and, finally,
• determinations of when and how business units
should be prioritized for risk management initiatives cannot be effectively
made by the CFO alone.
Economic and Operational Advantages of ERM
ERM enables organizations to plan
for and address a wide range of risks, including those arising from the
organization’s supply chain, natural disasters, workforce actions,
environmental problems, wars and other conflicts, cybersecurity incidents and
data breaches. These risks all have
significant impacts on brand loyalty as well as the organization’s
profitability, sustainability, and the wellbeing of the employees and even the
surrounding community
This enterprise-level approach permits
the organization to be nimbler, better addressing new risks as they arise. From the financial and environmental to the cybersecurity
and data privacy arenas, a solid ERM program gives the entire organization the
information needed to make intelligent, consistent, and reasonable decisions.
Expecting perfection is one of the major
reasons cybersecurity and data privacy programs fail. No security program will ever be perfect, and
mistakes will inevitably be made. This
is true regardless of whether we are considering line employees, technical
employees, or senior management. They
are all going to make occasional mistakes, regardless of the quality of the
team or the level and frequency of their training and supervision. We are all human and expecting perfection
leads to even bigger problems and costs when the inevitable mistakes are
made. By embracing this reality and
ensuring that there are proactive practices in place to detect those mistakes,
management can significantly mitigate the potential impact of many of the
organization’s risks.
To be clear, expecting mistakes
does not mean that employees escape accountability. In fact, reasonableness requires that the
risk-management program have built-in measures that allow the organization’s
employees to understand what is expected of them and to hold themselves
accountable. By putting in place the transparency
we recommend, the organization can catch the mistakes sooner. Our techniques also allow the organization to
more quickly identify those mistakes that are truly accidental as opposed to
those that are malicious.
An organization’s ERM exposures
cannot be solved by simply adding new tools.
Instead, the organization’s senior leadership needs to ensure that their
organization has in place appropriate processes to identify and correct
mistakes. This includes ensuring that
the organization’s culture accepts that mistakes are inevitable and has the transparency
necessary to ensure timely, robust responses.
To do this, an organization must:
·
adopt
cultural and managerial changes that frame how the organization approaches ERM,
and how the organization will address the corresponding risks;
·
integrate
cybersecurity and data privacy into the broader, risk-based approach to
managing the organization;
·
establish
policies and procedures that address the organization’s approach to handling a
wide variety of risks, including but not limited to legal and regulatory risks,
and documents the decisions made in shaping those policies and procedures;
·
select
and implements tools, when available and appropriate, that help the
organization address the risks; and, lastly
·
create
comprehensive compliance programs which ensure the risks are addressed in a
manner consistent with the policies procedures, and which reports and escalates
identified compliance failures until they are remedied.
The
Types of Risks
1. Simple Risks
Simple risks are those that
can be managed through the application of basic formulas or checklists. The act of creating the formulas or
checklists, which in many organizations may take the form of written
procedures, helps to identify potential inefficiencies and to streamline
operations.
For example, a bakery
might see creating an inedible batch of cookies as a risk. The bakery will manage the risk by creating a
recipe that describes the ingredients for the cookies, the order and techniques
used to mix the ingredients, and the temperature and other preparations around
the baking of the cookies. The bakery
could further manage this risk by having a checklist alongside the recipe, and
requiring the baker to mark off each step as it is taken.
2. Complicated Risks
Complicated risks still
follow a set pattern, but they require decisions to be made while they are
being managed. The management of these
risks requires the application of skills and knowledge typically gained by repeatedly
having performed the formulas and checklists associated with the simple
risks. Although an organization’s risk
tolerance may permit line employees to make decisions associated with
complicated risks, these are generally addressed at the business process level.
To stick with the baking
analogy, the human resource risks the bakery faces would likely be considered
complicated risks. Although the bakery’s
goal should be to reduce as many of these risks to simple risks as possible,
the complications associated with, e.g., when to hire a new employee (staff
shortage/morale risks), employee training (product quality and brand image
risk), creating employees’ schedules (employee morale and production risks),
likely will require collecting
information from a variety of sources before a reasonable decision can be made
as to how the risks will be managed. In
fact, the risk management process for any of these risks is likely to involve
making a number of multivariable decisions.
However, it is still possible to define a set of parameters as the
lenses through which these decisions will be scrutinized.
3. Complex Risks
Complex risks are those
for which the inputs may not be as well understood as with complicated risks,
and thus may require “out of the box” thinking.
Management of these risks generally requires knowledge and insight from
across the organization, and perhaps even from outside the organization. These risks frequently have a significant
impact on the organization, and thus mitigation decisions typically are made at
the senior-executive level.
In the bakery hypothetical,
complex risks include decisions about whether to open another store (financial
risk, operational risk, brand reputation risk), where to open it (physical
security risks, supply chain risks), and what products to serve (brand
reputation risks, customer experience risks).
4. Chaotic Risks
Chaotic risks are those
which, by their inherent nature, must be managed in very short time period and
without much of the information one would ordinarily desire. These may involve “bet the company” decisions
that are made exclusively at the senior executive level.
In the bakery hypo, a
fire in one of the bakeries is an example of a chaotic risk. Although some basic steps can be described
(e.g., pull the fire alarm) in a corresponding risk management plan, the state
of affairs at the time the fire is discovered will likely require snap
decisions without time to acquire full information. The decision-maker is relying more on
experience and instinct than on a specific set of written procedures.
Chaotic risks are
frequently a significant distraction for the entire organization. Unfortunately, many organizations exist in a
state where almost every risk winds up being managed as a chaotic risk. Senior management needs to be involved in
almost every decision that is made because they have not taken the time to
think through their approach ERM. Conversely, by defining the organization’s
overall approach to risk, including identifying key known risks and the
techniques for managing those risks, the organization can significantly reduce
the likelihood of chaotic risks.
An organization’s senior
executives can use the Enterprise Risk Management guidelines that we describe
below to supply those in the mission/business process level with a
decision-making framework, including expected inputs, relative priorities, and
other information that helps drive the complexity out of many risks. It empowers those at the business-process
level to make decisions on their own, because they better understand how the
senior executives expect the decisions to be made. This frees up the senior management to focus
on the truly complex risks, where their skills are best utilized. Those working at the business-process level,
in turn, can better understand how the risks that they are seeing can be
translated into, and managed as, simple risks.
A 10-Step ERM Guidance Plan
1.
Identify and quantify the risks
SWAT Analysis:
•
Strengths
•
Weaknesses
•
Opportunities
•
THREATS
(Risks)
Quantify the Risks
2. Introduce
ERM
•
The
methods and processes used by an organization to manage risks and to seize
opportunities related to the achievement of the organization’s objectives.
•
A
plan-based strategy that aims to identify, assess, and prepare for dangers,
hazards, and other potentials for disaster.
3.
Categorize the risks
•
Hazard
Risks:
Tort liability; property damage; natural disasters
•
Financial
Risks: Asset risks; balance sheet risks; cash flow
(going concern) risks
•
Operational
Risks:
Reputational risks; ‘customer’ satisfaction risks; employee quality,
recruitment and retention risks
•
Strategic
Risks:
Global competition; technology competition; alternatives competition
4.
Establish the magnitudes of the risks
•
The
likelihood of the risk occurring
•
The
impact of the risk if it does occur
•
Plus
a confidence rating
5.
How to get started
Audit: What is your
organization doing already?
·
Meeting
regulatory requirements?
·
What
policies are already in place?
Establish
the context for ERM:
•
Organizational
vision and mission
•
Strategic
Plan
•
Divisional
Plans
Gather
support:
•
The
Board of Directors/Trustees and Senior Management
•
Key
Players: Legal counsel; risk-management and/or insurance manager(s); director
of public safety or security, or chief of the organization’s police; chief IT
officer; director of corporate communication; facilities director; president of
the union (if any)
•
Champions: May or may not be drawn from categories one
and two
Support
from the top:
•
A
Board Resolution?
•
A
Board Sub-Committee?
•
A
Letter from the President?
6. Establish an inclusive ERM Committee
•
Mid-level
administrators and staff
•
All
divisions
7. Committee identification of risks (see the
“heat chart”, above)
8. Evaluate the results
Confidence Rating (how much do we trust
our “heat chart”?)
•
4.
Very high confidence
•
3.
High confidence
•
2.
Moderate confidence
•
1.
Low confidence
Analytic confidence:
• “Analytic
confidence is a rating employed by intelligence analysts to convey doubt to decision makers about a statement of
estimative probability. The need for analytic confidence ratings arises from analysts'
imperfect knowledge of a conceptual model. An analytic confidence
rating pairs with a statement using a word of estimative probability to form a
complete analytic statement. Scientific methods
for determining
analytic confidence remain in infancy.”[https://en.wikipedia.org/wiki/Analytic_confidence]
Confidence in the data:
•
Quality
of data
•
Quantity
of data
•
Data
Gaps
•
Anomalies
•
Contradictions
•
Dissenting
views
9. Practice “imperfectionism”
•
“Great
is the enemy of good.”
•
We
can’t settle for not making the effort to rate
•
Apply
what we’ve learned from academic assessment:
-
Close
the feedback loop
-
Then
readjust
10.
Options for managing identified risks
•
Avoidance: Exit the activity
creating the risk
•
Reduction: take actions that
decrease either the likelihood or the potential impact
•
Spreading: Share the risk via
insurance, joint venturing, or other tactics
•
Accepting: Take no action, because the returns justify
the risk
Like what you just read?
Then you won’t want to miss the Assent Global/Portum Group four-hour bootcamp
on
- Data Privacy
- Compliance
- Cybersecurity
- Enterprise Risk Management
When: Friday, March
10 1:00-5:00 PM EST
Register right here: https://assentglobal.us/webinar/1929/The-Four-Pillars-of-Organizational-Resilience--Data-Privacy,-Compliance,--Cybersecurity,-and-Enterprise-Risk-Management