Ok, honestly I hate resolutions, I really do. Gyms love them, I hate them. The last resolution I made was not to make any more resolutions. Ironically, I’m going to break that resolution.
The fact is that enterprise risk management is finally being adopted at a fantastic rate. Businesses are realizing that a holistic approach to identifying, assessing and managing key risks in order to maximize return on equity is an incredibly good management technique. But while managing risk is certainly not new, managing it in a complete and comprehensive way is still very much an evolving process.
So, as the intrepid risk manager, you established a risk framework, you documented your risk taxonomy, you developed good risk and control self-assessments (RCSAs), you built a basic executive dashboard with your “Top 10,” you identified a handful of KRI’s and you more or less have gotten institutional buy-in. Excellent. But you also know that there is so much more to do and so many more program elements that need to be added or improved.
Therefore, I submit for your review a list of 2012 ERM Resolutions for your consideration. Face it, you’re not going to do all of these this year, but maybe you can do half or two-thirds? That’s ok. Every little improvement you make strengthens your organization’s ability to manage risk more effectively, and that’s a very good thing.
- RESOLVE to get better at documenting assumptions – You have your department list, your function list, your threat list, your process list and your internal controls list. Fantastic. Now go back to those processes and work with the business area to go even farther in documenting their base assumptions. Why do they feel that the threat is real? What was their rationale for assessing the potential impact? Why exactly do they believe they have mitigated 90% of the risk? What is their understanding of their residual risk? Are they being realistic? Are they being honest? Assumptions are built on a foundation of both truth and lies (intentional or otherwise). Your job is to help them discover truth.
- RESOLVE to build more end-to-end process maps – Yes, they are a ton of work. Yes, they are frustrating to build and don’t always seem particularly useful at first. But neither were world maps until somebody decided to start making them and now we can’t live without them. End-to-end process maps are great for training, for documenting assumptions, for identifying boundary risks and for connecting the dots between functional areas. Get the business areas started and just accept that it will take you a year (or more) to get them done.
- RESOLVE to break down more silos – Risk management is all about breaking down barriers in communication. If you have operational silos, use the end-to-end process maps and related assumption documentation to educate people about the other parts of the process and how their work affects them. If the silo is in the risk disciplines, help educate people about other types of risk and the related boundary issues. Either way, building this kind of awareness is very healthy for the program and for the company.
- RESOLVE to do more training – You think that everybody “gets” why enterprise risk management is so important? Here’s a bit of hard truth, they don’t. Even worse, many don’t really care. But when I work with clients in implementing ERM programs, the #1 complaint I get from line managers is that they don’t feel like they have been properly trained in the program, the framework or the ERM objectives. Awareness breeds ownership and ownership breeds accountability.
- RESOLVE to take scenario analysis really seriously – It’s been on your to-do list for three years now; get started. Start with functional areas with either high-risk processes or the most moving parts. Schedule a day where a healthy cross-cut of staff and managers from that unit are sequestered in a room, preferably off-site. Facilitate a dialog around a whole range of scenarios involving not just a single point of failure, but multiple points of failure, and compare your analysis against your risk assessments. Do they stand up? The money part of this exercise is in that people tend to approach risk and self assessments using narrow views of process failure. Once you open it up a bit to consider compound scenarios, it’s amazing how much you can learn. If you don’t have the expertise to facilitate these exercises, bring someone in that does. Finally, document everything. You’ll be amazed at how much you forget by your morning coffee.
- RESOLVE to play nicer with Internal Audit – Remember, you’re all on the same team and even though they are primarily focused on one particular part of the ERM framework, (control validation) they have great insights into risk. Most importantly, you need to make sure that the ERM risk assessment and Internal Audit’s risk assessment (that they use to set their IA schedule) are structurally similar. You cannot have a situation where Risk Management and Internal Audit are playing off of different sheet music. If you find that you are coming up with dramatically different perspectives on key risks, you need to put the two side by side and figure out whose assumptions are off.
- RESOLVE to move the dashboard reports from paper to tablets – This is 2012, paper is so last century. Steve Jobs finally got it right and now everybody makes a tablet. The power of being able to view a dashboard report with a moderate amount of drill-down capability is an incredibly powerful management tool. For instance, say you display a metric (e.g., staff turnover rate last quarter) and by touching the data value you are shown a pop up with the last 12 quarters’ values with a rolling average. Information on demand, when needed, otherwise not cluttering up the main report. That’s just smart.
- RESOLVE to build or identify a few more KRIs – Do not go crazy here. Do not try to define hundreds of KRIs. Trust me, you will not like it. But this year, resolve to find 10 really, really good key risk indicators that have proven to be reliable leading indicators to the business and are closely correlated with a key risk. Get them in your risk dashboard.
- RESOLVE to write better risk appetite and risk tolerance statements – Stop being afraid of these, as they’re not as hard as you think. Articulate risk appetite in broad terms describing the risk profile that senior management and the Board find acceptable within different functional areas and risk types. Then use risk tolerance statements to more accurately describe precisely what level of losses or performance they are willing to accept. Put a stake in the sand, get something on paper, and then fine-tune them over time.
- Finally, RESOLVE to show some backbone with that department that does minimalist RCSAs in order to “check the box” and make you go away. Gently, but firmly, let them know that their work is unacceptable, but you can help. If necessary, sit down with them and help them really think through their real risks, their real exposure and an honest assessment of their internal controls. Trust me, in the end they’ll thank you for it.
Wouldn’t it be nice to get all of these done this year? It’s probably not going to happen and that’s alright. But, pick a handful and write them on your white board. Give yourself some realistic deadlines, put together an action plan and get started. Well, once everybody’s back from vacation that is.
For more information about taking your ERM program to the next level or for help in addressing any of the areas described here, contact Eric Holmquist at Accume Partners at (856) 793-1581 or email@example.com. Visit accumepartners.com.
Good points all.
One thought – many risks have the same/similar impact, so there is an “economy of scale” arrow for the quiver.
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale FL
JohnGlennMBCI at gmail dot com
True. And developing a standard risk library as well as a control library can be very helpful to save people from reinventing the wheel when doing risk assessments, assuming that they have similar risks and controls to another area.
Great points Eric, and I would also suggest, for those who have spare time on their hands this could be a good year to upgrade the metadata on the ERM program in the ERM manual (or write one). It is also a great time to include some of the sources of review for risk identification specific to your organization such as specific process flow charts, patents,facilities or sources and uses of committed capital. Happy Not-bored New Year.
Excellent points as well. I always say you simply don’t have enough documentation.
P.S. “…spare time on their hands…” Ha, as if.
Eric, I think you’ve given risk managers their 2012 plan. I’d like to see ERM integrated with strategy at Board level. Risk appetite statements and KRI’s used to inform business planning. Only then will Board actually visualise risk management in motion.
I’d love to see that as well. Thanks for the comment.
Great points Eric,
I would add “Share your ideas publicly as a Risk Officer to increase the awareness and add more value to your work” 🙂
Thank you Alpaslan. I often say that transparency is a very good thing.