03/Feb/2023

blog listEnterprise Risk Management A Process and a Way of Life

Although risk management dates back to the inception of the insurance market in the early 1600s, it has only been during the past 100 years, or even less, that organizations have sought to formalize their approach to risk management.  Risk management essentially looks to define the nature of the risks an organization faces and to either accept, mitigate, or transfer those risks.  Since risk management grew out of the insurance industry, it tends to focus on defining threats and the corresponding risks for which insurance is available.  Decisions about whether a particular risk is acceptable or how much should be spent to mitigate the risk are predominately based on the cost of an insurance policy that will cover the risk.  Given that risk management has been predominately used as a tool for determining whether to purchase insurance coverage and how much insurance coverage to purchase, risk management is typically handled in many organizations by the Chief Financial Officers or their designees.


In the mid-1970s, risk management thought leaders, such as Felix Kronman, Gustov Hamilton and Neil Crockford, began pushing for a revolutionary approach to risk management that involves elevating the process of crafting the risk management strategy to the enterprise level by an organization’s Board of Directors, rather than merely the CFO or someone farther down on the organization chart.  Over the next couple of decades, they and others refined and expanded this concept to create the concept and practice of Enterprise Risk Management (ERM).


The elevation of risk management to the enterprise level is advantageous for several reasons, including:

•   despite their high-level positions, the CFOs typically work within their own silos and have limited views across the various units in the organization to identify and define their risks;

•   absent board and executive-level buy-in, identification of and planning for hypothetical risks is frequently seen as a waste of time when employees have other, more immediate concerns such as sales, marketing, and new-product development;

•   the CFO does not always have the authority to impose ERM steps upon other business units which, from a practical perspective, leaves the CFO with the determination of only whether a risk is acceptable or could be transferred, thus introducing operational and budgetary inefficiencies; and, finally,

•   determinations of when and how business units should be prioritized for risk management initiatives cannot be effectively made by the CFO alone.

 

Economic and Operational Advantages of ERM 

 ERM enables organizations to plan for and address a wide range of risks, including those arising from the organization’s supply chain, natural disasters, workforce actions, environmental problems, wars and other conflicts, cybersecurity incidents and data breaches.  These risks all have significant impacts on brand loyalty as well as the organization’s profitability, sustainability, and the wellbeing of the employees and even the surrounding community


This enterprise-level approach permits the organization to be nimbler, better addressing new risks as they arise.  From the financial and environmental to the cybersecurity and data privacy arenas, a solid ERM program gives the entire organization the information needed to make intelligent, consistent, and reasonable decisions.


 Expecting perfection is one of the major reasons cybersecurity and data privacy programs fail.  No security program will ever be perfect, and mistakes will inevitably be made.  This is true regardless of whether we are considering line employees, technical employees, or senior management.  They are all going to make occasional mistakes, regardless of the quality of the team or the level and frequency of their training and supervision.  We are all human and expecting perfection leads to even bigger problems and costs when the inevitable mistakes are made.  By embracing this reality and ensuring that there are proactive practices in place to detect those mistakes, management can significantly mitigate the potential impact of many of the organization’s risks.


  To be clear, expecting mistakes does not mean that employees escape accountability.  In fact, reasonableness requires that the risk-management program have built-in measures that allow the organization’s employees to understand what is expected of them and to hold themselves accountable.  By putting in place the transparency we recommend, the organization can catch the mistakes sooner.  Our techniques also allow the organization to more quickly identify those mistakes that are truly accidental as opposed to those that are malicious.   


  An organization’s ERM exposures cannot be solved by simply adding new tools.  Instead, the organization’s senior leadership needs to ensure that their organization has in place appropriate processes to identify and correct mistakes.  This includes ensuring that the organization’s culture accepts that mistakes are inevitable and has the transparency necessary to ensure timely, robust responses.  To do this, an organization must:

·       adopt cultural and managerial changes that frame how the organization approaches ERM, and how the organization will address the corresponding risks;

·       integrate cybersecurity and data privacy into the broader, risk-based approach to managing the organization;

·       establish policies and procedures that address the organization’s approach to handling a wide variety of risks, including but not limited to legal and regulatory risks, and documents the decisions made in shaping those policies and procedures;

·       select and implements tools, when available and appropriate, that help the organization address the risks; and, lastly

·       create comprehensive compliance programs which ensure the risks are addressed in a manner consistent with the policies procedures, and which reports and escalates identified compliance failures until they are remedied.

     

The Types of Risks

 

1. Simple Risks

 Simple risks are those that can be managed through the application of basic formulas or checklists.  The act of creating the formulas or checklists, which in many organizations may take the form of written procedures, helps to identify potential inefficiencies and to streamline operations. 

For example, a bakery might see creating an inedible batch of cookies as a risk.  The bakery will manage the risk by creating a recipe that describes the ingredients for the cookies, the order and techniques used to mix the ingredients, and the temperature and other preparations around the baking of the cookies.  The bakery could further manage this risk by having a checklist alongside the recipe, and requiring the baker to mark off each step as it is taken.



2. Complicated Risks

 Complicated risks still follow a set pattern, but they require decisions to be made while they are being managed.  The management of these risks requires the application of skills and knowledge typically gained by repeatedly having performed the formulas and checklists associated with the simple risks.  Although an organization’s risk tolerance may permit line employees to make decisions associated with complicated risks, these are generally addressed at the business process level.


To stick with the baking analogy, the human resource risks the bakery faces would likely be considered complicated risks.  Although the bakery’s goal should be to reduce as many of these risks to simple risks as possible, the complications associated with, e.g., when to hire a new employee (staff shortage/morale risks), employee training (product quality and brand image risk), creating employees’ schedules (employee morale and production risks), likely will require  collecting information from a variety of sources before a reasonable decision can be made as to how the risks will be managed.  In fact, the risk management process for any of these risks is likely to involve making a number of multivariable decisions.  However, it is still possible to define a set of parameters as the lenses through which these decisions will be scrutinized.


3. Complex Risks

 Complex risks are those for which the inputs may not be as well understood as with complicated risks, and thus may require “out of the box” thinking.  Management of these risks generally requires knowledge and insight from across the organization, and perhaps even from outside the organization.  These risks frequently have a significant impact on the organization, and thus mitigation decisions typically are made at the senior-executive level. 

In the bakery hypothetical, complex risks include decisions about whether to open another store (financial risk, operational risk, brand reputation risk), where to open it (physical security risks, supply chain risks), and what products to serve (brand reputation risks, customer experience risks). 


4. Chaotic Risks

 Chaotic risks are those which, by their inherent nature, must be managed in very short time period and without much of the information one would ordinarily desire.  These may involve “bet the company” decisions that are made exclusively at the senior executive level.


In the bakery hypo, a fire in one of the bakeries is an example of a chaotic risk.  Although some basic steps can be described (e.g., pull the fire alarm) in a corresponding risk management plan, the state of affairs at the time the fire is discovered will likely require snap decisions without time to acquire full information.  The decision-maker is relying more on experience and instinct than on a specific set of written procedures.


Chaotic risks are frequently a significant distraction for the entire organization.  Unfortunately, many organizations exist in a state where almost every risk winds up being managed as a chaotic risk.  Senior management needs to be involved in almost every decision that is made because they have not taken the time to think through their approach ERM. Conversely, by defining the organization’s overall approach to risk, including identifying key known risks and the techniques for managing those risks, the organization can significantly reduce the likelihood of chaotic risks. 


An organization’s senior executives can use the Enterprise Risk Management guidelines that we describe below to supply those in the mission/business process level with a decision-making framework, including expected inputs, relative priorities, and other information that helps drive the complexity out of many risks.  It empowers those at the business-process level to make decisions on their own, because they better understand how the senior executives expect the decisions to be made.  This frees up the senior management to focus on the truly complex risks, where their skills are best utilized.  Those working at the business-process level, in turn, can better understand how the risks that they are seeing can be translated into, and managed as, simple risks.


 A 10-Step ERM Guidance Plan

1.  Identify  and quantify the risks 

SWAT Analysis:

        Strengths

        Weaknesses

        Opportunities

        THREATS (Risks) 

Quantify the Risks

  


2.  Introduce ERM

        The methods and processes used by an organization to manage risks and to seize opportunities related to the achievement of the organization’s objectives.

        A plan-based strategy that aims to identify, assess, and prepare for dangers, hazards, and other potentials for disaster.


3. Categorize the risks

        Hazard Risks: Tort liability; property damage; natural disasters

        Financial Risks:  Asset risks; balance sheet risks; cash flow (going concern) risks

        Operational Risks: Reputational risks; ‘customer’ satisfaction risks; employee quality, recruitment and retention risks

        Strategic Risks: Global competition; technology competition; alternatives competition


4. Establish the magnitudes of the risks

        The likelihood of the risk occurring

        The impact of the risk if it does occur

        Plus a confidence rating 


5. How to get started

Audit: What is your organization doing already?

·       Meeting regulatory requirements?

·       What policies are already in place?

Establish the context for ERM:

        Organizational vision and mission

        Strategic Plan

        Divisional Plans


Gather support:

        The Board of Directors/Trustees and Senior Management

        Key Players: Legal counsel; risk-management and/or insurance manager(s); director of public safety or security, or chief of the organization’s police; chief IT officer; director of corporate communication; facilities director; president of the union (if any)

        Champions:  May or may not be drawn from categories one and two

Support from the top:

        A Board Resolution?

        A Board Sub-Committee?

        A Letter from the President?


6.  Establish an inclusive ERM Committee

        Mid-level administrators and staff

        All divisions


7.  Committee identification of risks (see the “heat chart”, above)


8.  Evaluate the results

     Confidence Rating (how much do we trust our “heat chart”?)

        4. Very high confidence

        3. High confidence

        2. Moderate confidence

        1. Low confidence

 

   Analytic confidence:

     Analytic confidence is a rating employed by intelligence analysts to convey doubt to decision makers about a statement of estimative probability. The need for analytic confidence ratings arises from analysts' imperfect knowledge of a conceptual model. An analytic confidence rating pairs with a statement using a word of estimative probability to form a complete analytic statement. Scientific methods for determining analytic confidence remain in infancy.”[https://en.wikipedia.org/wiki/Analytic_confidence]

 Confidence in the data:

        Quality of data

        Quantity of data

        Data Gaps

        Anomalies

        Contradictions

        Dissenting views


9.  Practice “imperfectionism”

        “Great is the enemy of good.”

        We can’t settle for not making the effort to rate

        Apply what we’ve learned from academic assessment:

-        Close the feedback loop

-        Then readjust


10. Options for managing identified risks

        Avoidance: Exit the activity creating the risk

        Reduction: take actions that decrease either the likelihood or the potential impact

        Spreading: Share the risk via insurance, joint venturing, or other tactics

        Accepting:  Take no action, because the returns justify the risk

 Like what you just read?  Then you won’t want to miss the Assent Global/Portum Group four-hour bootcamp on 

  • Data Privacy
  • Compliance
  • Cybersecurity
  • Enterprise Risk Management


When:  Friday, March 10  1:00-5:00 PM EST

Register right here: https://assentglobal.us/webinar/1929/The-Four-Pillars-of-Organizational-Resilience--Data-Privacy,-Compliance,--Cybersecurity,-and-Enterprise-Risk-Management