New website = RiskCommentary.ca
What are the key questions for senior executives considering the adoption or remediation of enterprise risk management? Answers to these questions form an overview to guide the successful roll-out of ERM.
Key questions entertained by the C-suite with regard to ERM likely include these three:
a. What exactly is ERM?
Due to uneven development in the field, definitions are many. I offer a carefully crafted definition.
b. Is there a verifiable value proposition?
c. How can it be integrated, quickly and efficiently, with existing planning and management?
An elaboration on these answers is given over the course of the podcast series.
Main points:
1. Enterprise Risk Management is rational planning.
2. Business Continuity and Emergency Planning.
3. A multiplicity of definitions.
4. The planning regime.
5. Survey results.
6. High Quality Risk Assessment.
7. Principles of program success.
8. Titles and job descriptions.
9. Conceptual hurdles.
10. Scenario analysis and Future Scenarios Planning.
11. Prove the value of Enterprise Risk Management.
KEY QUOTE
“Enterprise Risk Management holds the promise of capturing the entire spectrum of risk across the organization. This book answers the need for a generic ERM methodology, proven by experience in the field, in both public and private sectors.” (Robertson 2016 back cover)
LINKS
(E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
Blog posts addressing risk tolerance:
Risk Tolerance: Non-Finance Examples
Making Sense of Risk Tolerance, Risk Appetite
New website = RiskCommentary.ca
What is the “upside” of risk? Does ERM manage opportunity meaningfully? Treating opportunity properly leads to a structured innovation program that risk managers can lead with confidence.
1. Opportunity - origin of the idea in ERM
2. Opportunity - how can we make sense of the idea?
3. Opportunity - as innovation
4. Innovation
a. an established discipline
b. within the grasp of the risk manager; an expanded role
5. Innovation - Free Online Introductory Course
6. Innovation - Paid Course
Summary
KEY QUOTE
“...risk managers can borrow from the practice of innovation and use a structured method to seek out, evaluate, greenhouse and develop new ideas” (Robertson 2016 p.112)
LINKS
Risk Commentary podcast books and courses.
(E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
Technology implementation - 3-part discussion, LinkedIn audio posts:
New website = riskcommentary.ca
[Re-edited for clarity.]
Due diligence is not the same as risk assessment; they are complementary.
Due Diligence and High Quality Risk Assessment: how could they be used?
1. Quote: the hope for a less quantified, more qualified and thoughtful approach.
2. Due diligence definition vs risk assessment.
3. Order of operations:
a. select using matrix with criteria;
b. conduct risk assessment.
4. Maturity matrix definition.
5. Thought experiment: due diligence for investment project using maturity matrix.
6. Maturity matrix (semi-quantitative analysis) with categories:
7. After due diligence scoring, do risk assessment.
8. This proposed method would help the management team.
9. “High returns = high risk”. Is it strictly accurate?
10. Application of Due Diligence and High Quality Risk Assessment in stages of major projects.
Summary
KEY QUOTE
“The practice of due diligence has evolved into SOX checklists... Best practice awards are given to the weightiest presentations (by the pound) and third party vendors are predominantly selling ‘perfect solutions’ for enterprise risk management that will seriously impede your ability to conduct business.” (L. Burke Files, Due Diligence for the Financial Professional, 2010, p.6)
LINKS
Robertson, E. Enterprise Risk Management Tools and Templates, 2016. p. 35 - Enterprise Risk Management maturity matrix, based on Carnegie-Mellon methodology.
Mark C. Paulk, Bill Curtis (CAST Research Labs), Mary Beth Chrissis, Charlie Weber, Capability Maturity Model for Software (Version 1.1)
The original article whose methodology has been borrowed and applied to many aspects of business.
New website = riskcommentary.ca
ERM, for some, consists solely of Financial Risk Management. Is this sound? We offer commentary on quantitative modelling and its place in Enterprise Risk Management.
Summary
KEY QUOTES
“...a new kind of blindness: the one induced by new technology and elaborate quantitative models.”
(B. Voyles) Voyles and other financial experts quoted in Robertson, p.98
“...much more is being underwritten, correlated, and contemplated [by major insurers] than the traditional hazard risks.”
Interview with LoriAnn Lowery-Biggers and Sean Murphy by John Czuba; see EP01.
LINKS
Blog post: Economic Crisis: Why ERM Did Not Fail
E. Robertson 2016 Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
New website = RiskCommentary.ca
ERM mid-life crisis: how to rejuvenate and validate the program.
KEY QUOTE
“The result [of High Quality Risk Assessment] is a body of risk information that is fresh and revelatory, leading to problem solving. When that happens at your risk ID session, it is unmistakable. People see the logic of the method and acknowledge that it is working.”
LINKS
Free introductory course: Innovation: How Can My Organization Get Started?
(E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
New website = riskcommentary.ca
How to implement an Enterprise Risk Management regime that is readily accepted and endures? Answer: by mastering the principles of program success, which will set you apart as an administrator.
Edited for length.
Employ proven success factors for program implementation shown in studies.
1. clear goals and objectives - how to formulate them?
2. senior executive support - how to secure meaningful exec support?
3. staff buy-in, the age-old problem - how to get take-up? is software the answer?
4. program adequacy - how does bad ERM design scuttle the program?
5. adequate resources - how to support people’s efforts
6. program champion - significant role for organizational change
7. incremental implementation - avoid the common failure of a monolithic imposition
Value add: How to compile more risk criteria specifically for your business.
Summary
[see unedited transcript for full discussion]
Use all these principles as Risk Categories in your next risk ID session.
KEY QUOTE
“Master the principles of program success that have already been studied, and really apply to all administrative programs, all management initiatives -- not just ERM.”
LINKS
Edited transcripts: The ERM Minimalist available at Books and Courses. Works well with Play Books (read aloud function) and Apple Books.
(E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
Program implementation -- failure and success factors: please see the resources I listed in Episode 3.
New website = riskcommentary.ca
How can we roll out Enterprise Risk Management with a minimal footprint?
Edited for length
Principles-based approach
Summary: How do we maintain a minimal footprint in the implementation?
KEY QUOTE
“Program managers of new initiatives are under pressure to show results, and it is easy (but risky) to communicate promises rather than demonstrate the work. Focus on a low-key approach that relies on evidence of benefits.” (Solving the ERM Puzzle... p.75)
LINKS
Edited transcripts: The ERM Minimalist available at Books and Courses. Works well with Play Books (read aloud function) and Apple Books.
(E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
New website = riskcommentary.ca
Enterprise risk management implementation: Who is the champion?
Edited for length.
Significance of the Enterprise Risk Management champion
Principles of program success (discussed in full in E15):
A few success factors and their relation to ERM
Summary of traits of ERM champion
KEY QUOTE
“the ERM champion’s success in instituting ERM will not hinge on the degree of authority leveraged. The reason is that willing participation in genuine Enterprise Risk Management... is not a response to formal authority. It is an outcome of seeing the value of the new process.” (Robertson 2016, Solving the ERM Puzzle, p.24)
LINKS
Edited transcripts:
The ERM Minimalist available at Books and Courses. Works well with Play Books (read aloud function) and Apple Books.
(E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
New website = riskcommentary.ca
High Quality Risk Assessment: What is the true significance of the risk register you’ve built so carefully? How does it lead to dramatic, breakthrough risk mitigation?
Facilitating risk assessment
Breakthrough Risk Mitigation
Creativity and innovation
How is the risk register used going forward?
Summary
KEY QUOTE
“Poorly understood chronic problems often have to do with the nebulous and difficult questions of communications and working relationships...” (Robertson, p.58, Section 2.5 Risk Mitigation and Review)
LINKS
Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates
(E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
New website = RiskCommentary.ca
High Quality Risk Assessment implies comprehensive risk identification and a sensible assessment using four key criteria. I share a generic methodology developed and refined over years with clients.
Review of the advantages of round table method
Risk identification - finer points of risk formulation
Facilitation - finer points of facilitation
LIFT: Listen; Interpret; Formulate; Test
Risk assessment - four aspects
Summary
KEY QUOTE
Definition of High Quality Risk Assessment
“The comprehensive identification and analysis of phenomena that could prevent the achievement of objectives, or compromise associated values, of a researched and planned program, followed by a principled response.” (Solving the ERM Puzzle, p.11)
LINKS
Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates
(Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
RIMS document, pdf download Exploring Risk Appetite and Risk Tolerance
New website = RiskCommentary.ca
The process of risk identification itself. We can proceed with confidence, because all of the procedural and conceptual elements we need are finally in place.
Recap
High Quality Risk Assessment: Preferred method: round-table of experts
Prepared session: agenda, context paper and facilitation aids
Risk formulation rules - see blog post.
Points in facilitation
Review: conceptual and procedural foundation
Notice that in our preparatory work, we have:
The question arises once more: is all of this too much work?
Summary statement of your expected result:
As required in our definition of High Quality Risk Assessment (Ep. 4), we have to identify risk:
So, there we have a summary description of all the prerequisites and elements of an effective risk identification exercise. In the next episode, we can continue our work in the round table session by assessing the risks, once they are identified and formulated.
KEY QUOTE
The deliverable for a risk ID and assessment session: "A comprehensive list of risks, arranged in several categories of analysis, with criticality rankings and mitigation measures, arrived at by consensus, to inform an improved business plan." (Robertson p.36)
LINKS
Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates
Blog post - How to Write Risk Statements
E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016)
New website = riskcommentary.ca
Looking carefully at conventional advice, we discover why risk ID can be ineffectual.
Confusion entrained by the supposed risk ID methods set out in conventional literature.
· interviews and surveys, questionnaires
· audits, physical inspection
· brainstorming
· networking with peers, industry groups
· judgemental - speculative, conjectural, intuitive
· history, failure analysis
· examination of personal experience or past agency experience
· incident, accident and injury investigation
· scenario analysis
· decision trees
· SWOT analysis
· flow charting, system design review
· work breakdown structure
Conclusions
Procedures in this list can certainly inspire the search for risk, but are problematic for various reasons.
By contrast High Quality Risk Assessment is specified to identify uncertainty in relation to goals.
KEY QUOTE
“Such a multiplicity of [risk ID] methods might entrain confusion about the object of the exercise.” (Robertson, p.42)
LINKS
Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates
E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016)
New website = RiskCommentary.ca
Context for risk assessment could mean projects, contracts, administrative workflows, technical processes, etc.
Summary of the series to date.
High Quality Risk Assessment.
Establish the Context.
Context Paper - The purpose is twofold:
- to create a highly useful aid to facilitation; and
- to create a testament to due diligence.
Trap of trying to identify risk in business settings where goals are poorly formulated.
What if we don't have hierarchical “goals” and “objectives”?
Examples of Special Contexts
a. budgets
b. formal projects (project management)
c. contracts
d. workflows: administrative procedures or technical processes
e. performance management regimes
f. specialized disciplines
Alternative contexts must still somehow express goals or intended actions that are clear.
Summary
KEY QUOTE
“The ERM champion must scrutinize the planning and even coach managers to adopt a complete planning practice... As a consequence, the risk information ultimately developed will make clear sense.” (Robertson, p.31)
LINKS
Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates
E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016). The discussion on Establish Context begins in Chapter 2.2.
New website = RiskCommentary.ca
“Establish the Context” - the most misunderstood and underrated step in the whole risk management process.
Recap of topics so far
Establish the Context
What do the standards mean by “Establish the Context”?
What are the elements and true significance of “Establish the Context”?
The headings in what I call the Context Paper, used to prep a risk ID session:
1. Title of the plan under scrutiny
2. Goals and objectives of that plan
3. Corporate values
4. Risk categories
5. Stakeholder analysis
6. Procedural and due diligence points (constraints)
7. Deliverable
KEY QUOTE
“Do not introduce as risk things into the risk ID session which should, properly speaking, simply be trends and conditions that are already known -- that should have been taken into account in the formulation and design of the plans themselves.”
LINKS
E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016)
The discussion on Establish Context begins in Chapter 2.2.
Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates
New website = RiskCommentary.ca
Foundation for ERM: you must have the best organizational planning practice you can muster.
Recap: 3 basic steps in strategic planning process
Three types of planning
Broader schema
Is strategic planning dead?
Recommended practices in strategic planning:
Note on the use of academic studies
Conclusions: significance of good strategic planning:
Is it too much to ask that risk managers look at planning?
Summary
KEY QUOTE
“Traditional planning fails to take into account the creative processes and discoveries that generate breakthroughs.” (article by Wall, S. and Wall, S.R.)
LINKS
Aldehayyat J & Anchor J (2010) “Strategic Planning Implementation and Creation of Value in the Firm”
Wall, S. & Wall, S R (1995) “The Evolution (Not the Death) of Strategy”
E. Robertson Strategic Planning: Process, Templates and Effective Implementation (2019)
New website = RiskCommentary.ca
The all-important risk identification process: High Quality Risk Assessment. The first step is actually to fix the organization’s planning practice!
Six steps in High Quality Risk Assessment
Investigate and fix the planning practice.
Complete planning practice
Summary
KEY QUOTE
“Why do so many strategic plans end up on the shelf? It’s curious, given that strategic planning is among the most popular of management tools.” (Robertson, 2019, p. iv)
LINKS
E. Robertson Strategic Planning: Process, Templates and Effective Implementation (2019)
New website = RiskCommentary.ca
Time to get into the ERM process! Let’s start with definitions that reflect a precise method.
*Definitions: rationale and approach
1. Enterprise Risk Management
2. High Quality Risk Assessment
Significance of High Quality Risk Assessment process
Summary
KEY QUOTE
“One key message here is: do not fall into the trap of trying to lead a risk ID session, much less implement an entire ERM program, where goals and objectives are poorly defined.” (Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation p.32)
LINKS
*My definition of ERM shows a clear process, whose results were praised by the BC Auditor General. See blog post of Enterprise Risk Management example: 5-part case study of ERM implementation, Camosun College.
E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016)
New website = RiskCommentary.ca
ERM myths, observed by your host over several years’ experience as practitioner and educator. For each point, we will give you the practical take-away to apply in your risk management program.
Myth #8: Managers, directors, analysts, CEOs, etc. know how to implement new programs.
Myth #9: Enterprise Risk Management can best be implemented by using a software application.
Myth #10: Defining risk tolerance is essential to an ERM program.
Myth #11: Monitoring compliance constitutes effective ERM.
Myth #12: Linking corporate strategy to ERM is difficult and complex.
Myth #13: ERM takes 3-5 years to implement.
Myth #14: Good ERM predicts the future; it is effective forecasting.
KEY QUOTE
Do not fall prey to the myth that the technology, in and of itself, will inspire acceptance and take-up of the new risk management program.
LINKS / NOTES
Program implementation failure
Synopsis of various studies.
Technology implementation failure - LinkedIn post
Scroll down to innovation: successful tech implementation part one
Risk tolerance vs risk appetite - pdf
Risk & Insurance Management Society: Exploring Risk Appetite and Risk Tolerance
Compliance
Steering clear of compliance pitfalls © Key Media Pty Ltd.
Unattributed, 31 May 2010. Corporate Risk and Insurance. Excerpt:
"The most common pitfall in compliance programs is an overreliance on policies, procedures and systems, according to Ulysses Chioatto, director of SSAMM Management Consulting.
A cursory glance over all the convictions and enforceable undertakings by ASIC in the past five years highlights this overreliance on policies, procedures and systems by financial services providers in their compliance programs, said Chioatto, with little to no work on people – or to put it another way, the company’s culture.
Both internal and external auditors as well as compliance and risk officers pore over documents, flowcharts, plans and reports from computer risk and compliance applications, yet breach registers are overflowing, or worse still, completely empty."
New website = RiskCommentary.ca
What are common misconceptions that can block success in your Enterprise Risk Management program? Your host Edward Robertson has a list of ERM myths, observed over several years’ experience as practitioner and educator. For each point, we will give you the practical take-away to apply in your risk management program.
Myth #1: ERM is one thing.
Myth #2: International standards (ISO 31000; COSO, etc.) give ERM implementation guidance.
Myth #3: ERM is unproven.
Myth #4: ERM imposes an unacceptable administrative burden.
Myth #5: ERM is the purview of audit & finance.
Myth #6: All the various pre-existing risk disciplines and practices will be replaced by ERM.
Myth #7: Managers in all verticals can reasonably be asked to conduct risk assessment.
LINKS
“over 80 risk management frameworks...”
Ahmad, Saudah et al. (2014) “Enterprise risk management (ERM) implementation: Some empirical evidence from large Australian companies”
“30% of time spent in meetings was unproductive...”
S. Rogelberg, et al. “Wasted Time and Money in Meetings: Increasing Return on Investment”
New website = RiskCommentary.ca
Podcast launch! Is Enterprise Risk Management (ERM) dead? There is a stunning disconnect between the unprecedented need for ERM to be “instilled into the corporate DNA” and lacklustre risk manager survey results. Let’s explore why ERM is broken, and how to fix it.
Welcome to the Risk Commentary podcast
Who is this podcast for?
Mission
Credentials
Is ERM Dead?
Survey results
Why is ERM so incredibly convoluted and seemingly complex?
KEY QUOTES
“We are in an unprecedented and evolving landscape unlike anything that we have ever seen historically.” This from the former President of Lloyd’s of London for North America... and yet only 35% of those surveyed have a full Enterprise Risk Management practice.
LINKS
Book: Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (E.R. 2016)
Interview with LoriAnn Lowery-Biggers and colleague Sean Murphy by John Czuba of Legal Talk Network.
The State of Risk Oversight - An Overview of Enterprise Risk Management Practices by AICPA. April 2021.