
3 minutes: risk appetite

Risk Appetite in a Nutshell

This micro post focuses on “risk appetite” and its relationship to risk bearing capacity, capital efficiency and the corresponding safety margins.

a glass well used

I use a glass to illustrate the total risk bearing capacity of an organization. In a first step, we set the total capacity of this glass to hold liquid as the organization’s maximum risk bearing capacity. The Board and Management need to have a solid, quantitative view of this capacity. For simplicity’s sake, we omit considerations of buying a second glass or putting the glass into a second, larger container.

a glass to illustrate risk bearing capacity
the appetite

In a second step, senior management and the board decide how far up they want to fill the glass. In other words, how much risk will the organization take? Theoretically, anything between empty and full is a go.

must have a risk appetite definition….
the glass is full
very efficient and rather risky…

On the other hand, filling the glass up to the top is very efficient. However, several stakeholders, such as shareholders, credit rating agencies and/or regulators, might take the view that the firm should leave some buffer, just in case anything causes turbulence in the liquid in the glass. Hence, organizations would under most circumstances leave some capacity unused.

the glass is empty
very very safe, likely rather inefficient

Having said that, if the glass is (almost) empty, then the company is not taking any risks. Hence, the organization is excessively risk averse and/or dormant. In other words, capacity (i.e. capital) usage is very low. This, over the long term, is inefficient.

flexibility
you gotta move it move it…

The beauty of this concept is its flexibility. Should the business environment be very favorable, companies can decide to “fill up” the glass, i.e. increase revenue. Vice versa, if the environment is challenging, the glass remains less filled. Efficient capital management would then ask for a smaller glass – that is a topic for another blog.

Thank you very much for reading this post. Enjoy what you are doing and stay safe. For any questions pertaining to Enterprise Risk Management, please contact Megrow over LinkedIn or Twitter or the coordinates on the contact page.



we do risk register

More than 1000 views of our “how to make a risk register” post on LinkedIn!

Reto Brosi, MD of Megrow

A few weeks back, we released a tutorial-style article/blog post on LinkedIn and have already got over 1000 views! Some readers have asked us to build on the post and add more ‘practical’ content to it.

So here we go

we are doing risk register

Proudly presenting: episode 7 of the Megrow podcast – we are doing risk register

Keen to know more? Contact Megrow via the social media and contact buttons at the bottom of the page.


the risk register

a key building block of efficient and effective enterprise risk management

synopsis

This post describes how to structure and populate a good risk register. I will describe the key components, how they interlink and the recommended information requirements.

the risk register – what is it?

When you internet-search the term “risk register”, plenty of examples and tutorials will turn up. Often, these samples are very well presented, easy to comprehend and relatively simple to adapt to your organisation’s specific circumstances. Having said that, on closer inspection many of them don’t pass muster even for the smallest and minimally complex organisations.

The image below represents a sample of what you will find with an internet search:

an example of an incomplete risk register
sample of a risk register found on the www

The example

  • has a clear structure
  • outlines a risk of possibly losing key employees
  • assigns a medium impact to it
  • allocates responsibility to the HR department
  • and leaves room for more risks

So you might wonder what is missing. After all, a risk is identified, its potential impact is being considered, and somebody is assigned to the risk. All sounds good, or doesn’t it?

The good news is that risk identification has taken place in this imaginary organisation. Furthermore, all three statements shown in this example are valid statements. However, they need to be brought into proper context and quantified. Additionally, some key ingredients need to be added. Hence, it is highly likely that this organisation needs to upgrade the register to reap the benefits of good ERM.

The risk of “losing key staff” – as shown in the table above – is a real issue for many organisations. However, the statement needs context and explanation.

  • what does “key” really mean?
  • how does the “medium” fit into the strategy/priorities of the organisation? In other words, what would “low” or “high” signify?
  • and finally, what is the duty of the HR-department?

The model risk register

Let’s leave this example aside and move on to the build-up of a comprehensive, clear and more tangible risk register. What does a good risk register look like? I focus on content and the key building blocks. IT-considerations and data analytics are the subject of a different conversation.

High Level Structure

six building blocks of a good risk register

The header describes the risk at a sufficient level of detail. I call this the “ID” block.

Right underneath the ID-block we draw three vertical blocks. They encompass quantification, risk treatment undertakings and the respective outcomes. This is the “quant/mod” block.

In the blocks at the bottom we record and store important additional information, such as follow-up actions and access rights. I call one of them the “add-on” block and the other one the “gov” block.

Building Blocks

“ID” block

risk identification building block

Key components are:

  1. A unique risk identification. This can be a number or an alphanumeric code; you can decide to use existing internal codes or just a plain integer. Both approaches have advantages and disadvantages.
  2. classification: risks need to be grouped following a pre-determined nomenclature and structure. You can use your own one or you can follow the guidance of the respective regulatory body or any other system that is suitable. It is important to cover ALL activities that your company is undertaking! The classification should span 2-3 levels for easy grouping and identification. Going back to our example, level 1 could be “operational risk”; level 2 “human resource risks” and level 3 “staff”.
  3. description: provide a basic description of the risk in free text form.
  4. impact: qualitative comments pertaining to expected impact should the risk materialise.
  5. And importantly, who is responsible for managing this risk.

“quant & mod” blocks

quant block 1

The block on the very left displays estimates of likelihood and corresponding severity should the risk under consideration materialise. These values – as the name implies – should be numeric. Best practice and knowledge must be applied when determining them. Preferably, a solid probabilistic model is used. Alternatively, deterministic scenarios might be used or past experience is taken as a reference.

Generic statements like “often” or “expensive” are easy to come up with. However, they are very vague. Hence, try to use quantitative statements as often as possible.

Having said that, it is crucial to be cognisant of, and explicitly note, the uncertainties associated with any projections (regardless of method) made in this section.

In a next step, benchmark the outcome against your organisation’s risk appetite to determine whether any treatment is necessary. This benchmarking is important to ensure that treatment efforts are spent on risks that really matter.

mod block

The middle block describes the chosen treatment actions in detail; furthermore, treatment costs are elaborated on.

quant block 2

The block to the right contains similar information to the one on the very left. However, all values and conclusions are recorded AFTER the mitigation/treatment efforts have taken place. Again, scale the values against the risk appetite. Furthermore, compare the outcomes to the actual cost of treatment. And lastly, note the effectiveness and efficiency of the treatment.

These latter points are crucial. One needs to determine and decide whether the treatment(s) achieve their objectives and what the cost/benefit of the treatment is. For instance, if the treatment of a certain risk costs “1.25” to cure a non-recurring impact of “1”, then it is likely not worth the effort!

In our example we would have specified what we mean by “key staff”. Henceforth, it will be easier to assign a probability and an impact should that individual or team leave. As a mitigant, you can think about development opportunities, flexible work arrangements, incentives and other measures.

Certainly, the “ID” and the “quant/mod” blocks are the most challenging and interesting components of the risk register. Populating those blocks often leads to in-depth discussions and sometimes heated arguments amongst all the contributors. But it’s always interesting and often fun to travel this segment of the ERM-journey. Having said that, a risk register without the remaining two blocks is almost like a house without a basement! Hence, I strongly recommend completing the bottom two blocks as well.

“add-on” block

You need to determine how often you will review each entry. Some risks change very rapidly. Take Cyber, where the risk landscape evolves constantly. Hence, Cyber-related risks need to be reviewed very frequently. At the other end of the spectrum, certain operational risks (under most circumstances) evolve much slower. Hence, your organisation can review these less frequently.

The second component of the add-on block concerns additional classifications. Whilst we have grouped risks already in the “ID” block, it is advisable to do some more classification at this stage. It is highly recommended to classify or rank risks according to impact on strategy and materiality. Importantly, you should generate a “top 10” list of the risks that really, really matter to your organisation. I borrow a term from a global consulting company: McKinsey make explicit reference to “the company’s big bets”.

senior mgmt and the BoD focus their attention on the organisation’s KEY risks.

And last but absolutely not least: you need to establish linkages between individual risks should they correlate. This is key, even if the correlation at first sight appears marginal only.

“gov” block
the governance building block

And finally, some important “housekeeping” matters complete the register:

  1. assign an “owner” of the entire risk register. This person/function is the overall owner of the risk register. Note though, that the owner of the register is (in most cases) different from the risk owner!
  2. state the author of the current register (in smaller organisations, this might be the same person/function as the “owner”)
  3. add a version number, and a date(s) for upcoming general revisions
  4. make reference to the register’s exact storage location
    AND, crucially
  5. determine “access rights” and “confidentiality”; the challenge is to find the right balance between being transparent and inclusive, whilst keeping some key strategic matters confidential. For instance, in the case of a key strategic risk, most information, especially the treatment and the impact, might be kept strictly confidential.

the gist of it

In this blogpost, I describe the set-up and design of a functional and comprehensive risk register. Six interlinked core components make up a complete register. If you have questions, kindly contact us via the social media buttons below.

XIV/IV/MMXX


ISO 31000 and ERM

… volume and complexity of risks … increasing extensively …

2020 The State of Risk Oversight, NCS

less than 20% of organizations view their risk management process as providing important strategic advantage

2020 The State of Risk Oversight, NCS

I look at these two NCS Poole messages with a lot of optimism. On the one hand, the risk landscape is evolving. Hence, the management of new risks is a challenge and provides ample opportunity for ERM-professionals to deploy our skills.

Secondly, there is much more work to do in providing real strategic value to all stakeholders. This is a call to all of us to demonstrate the real value by embracing the forward-looking, strategic aspects of good ERM.

ERM has a bright future!

ISO 31000 – the ERM Gold Standard?

I’ve written and podcasted (see the embedded YouTube video) about ISO’s approach to ERM previously. In this post I’ll add more depth to my views and some practical considerations.

31000:2018 what is it?

ISO updated its Risk Management framework in 2018. Subsequently, many institutions and practitioners have provided explanations of and comments on the update.

In a nutshell, the ISO framework is

  • comprehensive, yet concise and understandable
  • contemporary
  • free of guff and lingo
  • applicable to any organisation and industry

ISO 31000 places great emphasis on senior management involvement, the iterative aspect of good ERM and its strategic value!

suggested add-ons

I’m a fan of ISO 31000. Having said that, a few points need to be added:

The document states several times that risk management needs to be “comprehensive”. However, the actual term “enterprise risk management” is not used. Whilst this is not a big deal per se, I would have preferred it if they had used the “e” word – at least occasionally.

The standard is comprehensive and quite easy to understand from a structure, flow and vocabulary perspective. However, there is very little practical guidance as to the actual “how to”. ISO leaves that to the community. Maybe I should publish an “ISO 31000 – How To for Dummies” guide. In other words, if an organisation is new to ERM, this ISO document will likely not be of much help.

Having said that, the ISO guide is an extremely helpful tool to ensure one’s ERM-approach is really covering all pertinent aspects.

Another little niggle I have is the omission of the board of directors’ responsibility. The document clearly refers to “leadership by top management”. However, top management is not necessarily equivalent to a board of directors. Maybe I am nit-picking here, but this aspect is important. Good risk culture starts at the very top (not just the top) of any organisation.

It’s great that the standard makes explicit reference to “connectivity between risks”. Hence, one of the major pitfalls of silo-ed risk management is addressed.

Lastly, I wish ISO had been a bit more explicit with regard to the “velocity of change” in the risk landscape. Having said that, they do explicitly mention “emerging risks”.

and finally

The ISO standard is a great checklist providing all the necessary ingredients to good ERM.

Megrow Consulting has completed several ERM-mandates in recent years. We contributed to relevant text books and know the standards (ISO and others) well. Most importantly, we have worked with customers through the big picture risk landscape all the way down to the tiniest minutia.

Making your ERM-journey

efficient and effective

is our key mission.

Reto Brosi, MD of Megrow

THE COSO vs ISO SHOWDOWN

background

I blogged about the roll-out of the COSO ERM update back in 2017. In 2018, ISO updated their well-known risk management standard, too. Since then, I’ve spent considerable time studying and using both standards. Hence, I now feel comfortable and confident to share my opinion about those two well-known ERM frameworks. In other words, bienvenue to the COSO vs ISO battle.

Specifically, my comments pertain to the ISO 31000:2018 standard and the “COSO Enterprise Risk Management, Integrating with Strategy and Performance – June 2017” edition. The latter is quite a “mouthful”.

In this post I set the scene for my considerations and share some high-level, more general comments about each of the standards. The following instalments will contain more detailed elaborations and considerations.

Admittedly, I am an erstwhile COSO-fan who voluntarily turned more into an ISO supporter over the past few years. Over the course of this article I outline why I have changed my preference.

If you prefer to listen to the audio version of this blogpost, click on the image below.

Megrow Podcast, Episode 6

standards – why do we need standards?

The world is beautifully diverse, every company is different, and jurisdictions and regulations vary across the globe. Hence, why do practitioners need risk management standards in the first place?

Very strong arguments can be made in favour of standards:

  • activities and outcomes of ERM-work undertaken by different companies and in different locations are easily comparable on a like for like basis
  • standards set a common tone
  • standards set a baseline, i.e. no more need to explain the basics
  • practitioners and consumers of their work can focus on the outcomes and not the underlying methodology – particularly important for Board of Directors
  • and there always is the “best practice” argument and defence

Which standard?

Risk management standards have been commonplace for a long time. Auditing bodies, ISO, COSO, the IRM, RIMS, AS/NZS 4360 and many other institutions have issued and are updating RM-manuals and standards. For this series of podcasts, I will focus on the most recent releases of the ISO and the COSO standards, respectively.

ISO and COSO – A High Level View

Both standards are well known and respected globally. In the same breath, the two guides desperately needed an update. ISO brushed up after nine years: they released the most recent version in 2018. COSO, on the other hand, took 13 years to update. Their most modern publication now dates to 2017.

At first glance, the ISO standard got more comprehensive in its coverage whilst shrinking in size. This was achieved by moving certain parts to other standards and focusing more on principles and high-level frameworks.

In stark contrast, the COSO document is impressive in length: the executive summary already covers 16 pages. The most eye-popping change is the abandonment of the famous COSO cube. COSO developed something akin to a triple helix to describe their view of ERM.

At this stage of the “COSO vs ISO smack down”, the score is even.

ISO

the “E”

The first thing I noticed when reading through the ISO 31000:2018 is the lack of the word “enterprise” almost throughout the document. Has ISO gone back to the bad old days of silo-risk management? I don’t understand this apparent lack of the “E”-word. Having said that, the ISO standard goes to great length and detail referring to the enterprise and its entity, so there is nothing to worry about, it seems.

the “SPEAK”

I have a great liking for fluff-free written and spoken communication. ISO scores VERY big in this department. Simple, short sentences. Very little lingo & if there is specific vocabulary, then it gets explained separately in ISO 73.

the “CONTENT”

ISO updated its definition of “risk” to a more modern meaning. They now give attention to the up-side and the downside of risk (FINALLY). Their previous focus on classical hazard risk, which by default knows only down-side, was a serious deterrent to using ISO in a strategic and entrepreneurial context. I emphasise that proper management of hazard risk is very important, but ERM is so much more than that. The 2018 update places more emphasis on strategic aspects of risk. In addition, it repeatedly calls the board of directors and senior management to duty.

the “APPROACH”

ISO 31000:2018 focuses on principles and guidelines for ALL risks faced by any entity. On the flipside, the ISO document is rather generic and provides very little detailed guidance for practitioners. That is a fair point of critique; however, basic principles are – by the very nature of the term – generally applicable. The customisation to an industry, company-size and other idiosyncrasies is best left to the practitioners. In addition, regulators, trade bodies and other stakeholders often prescribe certain ERM standards, so the localisation is taken care of by other institutions.

COSO

When I set out as a full-time ERM-pro, I was immediately drawn to COSO. The main attraction was the strong link to business, opportunity risk and strategy. Almost like love at first sight. 

My misperception that ISO is all about sequential processes that provide no entrepreneurial freedom and dictate to compliant businesses almost how to sharpen their pencils added even more oil to the fire. Going through an ISO 9000 certification many, many moons ago didn’t help either.

the “TRIPLE HELIX”

COSO abandoned their famous “cube” and developed something akin to a triple helix. The new shape is supposed to be as comprehensive as possible and depict the entire value chain. I give COSO a lot of credit for having the courage to abandon one of their key “trademarks”. Having said that, the new triple helix appears to be too much of a good thing. It reminds me of the myriad of physicists who try to develop the unified “world formula”. This endeavour is a great thing. However, how many people will truly understand it and how practical is it?

the “SPEAK”

The new COSO framework has the dimensions of a study textbook. Kudos for being that comprehensive. The illustrations look contemporary. However, I have a strong preference for a shorter and crisper version, something like the “core” ERM-approach. The more elaborate considerations, together with examples could have been published in a separate “book”.

the “CONTENT”

COSO’s approach is very comprehensive. New risks, such as the ongoing development of technology and the ever-increasing connection between risks take an important spot in their framework. Furthermore, I like the ongoing emphasis that ERM is linked to strategy and performance. And lastly, COSO published a separate document delving into practical examples. Sadly, this compendium comes at an extra cost. 

the “APPROACH”

I give COSO a lot of credit for their (attention dear listeners: guff alert!!) reach-out to stakeholders through various channels. The authors and publishers released a comprehensive Podcast series, e-distributed brochures and set up a YouTube channel.

Having said that, the executive summary that reaches almost 20 pages (with all due respect and consideration that COSO needs to give to various stakeholders) is a detractor. Depending on the format you choose, the COSO executive summary is about half the length of the entire ISO 31000 standard.

COSO vs ISO: THE VERDICT

After round one of the COSO vs ISO smack-down, taking conciseness, guff-free language and the strong focus on general principles and guidelines into account, my verdict is clear: “GAME and SET for ISO”. Bear in mind, though, that the match isn’t over yet!

Stay tuned for upcoming editions of the Megrow blog, in which I will take this COSO vs ISO contest into the next rounds. In the meantime, if you have questions about ERM or would like an outside-in view of your current or planned ERM-efforts, kindly contact me via the links at the bottom of the page.


Megrow Podcast: Episode 5

“The Making Of”

Several listeners have asked me to talk about the technicalities of podcasting. This blogpost summarises my approach to preparing, recording, editing and publishing the Megrow podcast. As a general rule, I strive to combine a decent quality outcome with the use of relatively modest hard- and software. Note though: many roads lead to Rome!

This blogpost is the (almost) verbatim script of the recently released Megrow Podcast Episode 5. If you prefer listening to it, click on this link or the image just below. Otherwise enjoy the reading.

GEAR

You do NOT need to spend thousands of dollars on high-tech equipment or rent a professional studio to record a podcast at decent quality. However, some good equipment is needed to produce professional podcasts. Nothing worse than high quality content that loses its impact due to poor recording and shoddy processing!

A decent quality microphone is the single most important investment to make. Almost any external microphone is better than the built-in microphones in your laptop / tablet / PC / mobile phone.

I purchased a Yeti Blue, for around USD 130, because

  • all the reviews I read attested to the Yeti’s very good sound quality
  • the price, whilst not cheap, felt reasonable
  • it connects via USB to any computer
  • no additional hardware, like sound mixers, needed
  • simple plug-in and record, no need to install apps or software
  • both the microphone and the stand feel very robust
  • the microphone can be adjusted for solo podcasting or interview-type conversations
  • and, I do like the design and the colors
The Yeti microphone is ideal for podcasting
the YETI microphone..

The detailed technical description of the microphone and the color choice is available on the Yeti website. The Yeti is NOT a light-weight!

I also invested 20 USD into a pop-screen. When buying one, make sure it is big enough to cover the entire microphone. Make sure the lock comes with mounting clamps or screws to fix the screen on your mic or the table/stand that you put your recording gear on.

the pop blocker screen
recording studio set-up

recorder

Both iOS and W10 have built-in voice recorders. They work perfectly well for podcasting purposes.

Important: regardless of the device/app you use, make sure it can record at a sampling rate of at least 44.1 kHz. Most apps have a “setting” or “preference” option where you can adjust audio quality to “maximum” or whatever the terminology of your preferred OS is. 44.1 kHz records sound at excellent quality whilst keeping the audio files at a manageable size.

One thing to note: when using a good quality microphone at 44.1 kHz settings, be absolutely sure that you record in a quiet environment to avoid picking up background noise. Our brains are excellent at filtering out low level noise emanating from air conditioners or cooling fans of computers. However, a good microphone will register fan noise, which will distort your recording. Hence be wary of “silent” noise when recording.

One additional point to note, especially when your recording device runs a different OS than your post-processing device(s): you need to record your audio in a format that the “receiving” OS and software can open and process.

software

Once you have recorded your ramblings, you may want to do some post-processing to enhance the messaging of your podcast.

Depending on the operating system you use, different options (at no extra cost) are available for editing your recordings. I mostly edit on a W10 machine using DaVinci Resolve 16 from Blackmagic. This editor is extremely feature rich, requires a journey along a steep learning curve and is available as a free download from the Blackmagic website. I use DaVinci because I grew reasonably familiar with it during the early days of my personal YouTube channel.

On the side: iMovie on your Mac will do the job just as nicely. 

A voice-only editor is insufficient for me, because I add images, titles, lay-over text, video snippets and music to the voice recording.

PROCESS

content creation

Thus far, I’ve had a smooth journey in terms of finding content. I do a lot of Enterprise Risk Management consulting work, hence ERM is a given topic. Let’s hope the creative vibes stay with me for a long time!

I could easily record an entire podcast episode without preparation. However, I prefer to script each episode at a great level of detail. Putting my thoughts on paper (aka MS Word) forces some discipline into my thought process. In addition, a script eases content management and instills more focus on the actual delivery. Reading off a script also makes recording quite straightforward.

And lastly, I release an accompanying blogpost on the Megrow website concomitantly with the podcast. The blog is a very close copy of the actual podcast script, so very little work is needed to cover two communication channels in one go.

Episodes usually last for about 10 minutes. I believe that 10 minutes provide enough time to get some detailed content across without “hand-cuffing” listeners for too long.

quality control

Once I have an almost final version of the script, I choose the “read-aloud” function in MS Word for proofing. Listening to the computer voice whilst following the text is such an efficient way of spotting mistakes and errors. Additionally, I also record the time needed for MS Word to read the entire text – just to make sure I stay within the ten-minute target duration.

I’m obviously not a native English-speaker, so spell- and grammar check is a given.

the studio

Once I’m OK with the script, I set up the recording hardware. Mostly, I just put the laptop on top of a cardboard box, place the microphone next to it and fit the pop-blocker in front of the Yeti. It might not look very professional, but this set-up is fast and practical. For best sound quality, the Yeti needs to stand vertically and you need to talk into the microphone from the front.

The Making Of: a simple, highly mobile and flexible recording studio set-up
the recording studio

I record each episode in chapters. Recording in slices makes the process much easier. When I stumble over my own words, I can simply discard the current chapter and re-record it. In addition, bite-sized audio slices also speed up my editing workflow.

editing

My editing process is relatively straightforward:

  • set the editor – DaVinci Resolve in my case – to 1920×1080 Full HD resolution. This is currently the best choice when considering file size and quality
  • match quality setting of the audio track in your editing software to the high-quality settings used for voice recording
  • add opening screen, the intro and the outro from my templates stock. The intro and outro form the boundaries of the podcast in the editing software’s story line
  • mark chapters in the podcast with distinct titles for easy navigation
  • add images, URLs and video snippets when needed
  • preview the episode a few times for final quality control
  • export the project at full HD and upload to YouTube

going live

Recorded and edited, how will the world find your podcast and listen to it?

The state-of-the-art publishing process encompasses publication on one of the well-known Podcast feeders, such as Apple Podcasts or “Podcast Addict” for Android (to name just two). I was initially considering going down that route as well, but after a bit of thinking and tinkering, I decided to simply publish the Megrow podcast on YouTube. 

YouTube has a very distinctive set of advantages:

  • it is a very well-known, easily accessible and omnipresent platform
  • tagging and onwards distribution/linking to other Social Media channels is easy
  • I’m familiar with the platform
  • listeners can subscribe to my channel and post comments
  • show notes can be added easily
  • device and platform independent, only needs a browser

My current method of reaching out to my audience is a five-pronged approach:

  • post on YouTube
  • announce the Episode on my Megrow Twitter account
  • put the link on Megrow’s LinkedIn page
  • post link on “my” LinkedIn page
  • publish the (almost) verbatim podcast on the Megrow website as a blogpost.

OUTRO

I hope my thoughts will be helpful to some of you who are current or aspiring podcasters! Thank you very much for reading this blogpost. Other blogposts are here. You can contact me via the buttons at the bottom of the page.

Categories
Other

Megrow Podcast Episode 4

the intro

Thank you for reading the (almost) verbatim script of the recently released Megrow Podcast Episode 4. If you prefer listening to it, click on this link or the image just below. Otherwise enjoy the reading.

there should be a Megrow logo here…. probably a bug in the Gutenberg plug-in…

This episode, the fourth one I’m releasing in 2019, is a little different from my previous ramblings. My favorite topic, ERM, is taking a breather for now. Instead, I will share some of the experiences I made setting up and running Megrow. Hopefully, my thoughts are helpful to others who are in a similar situation prior to a start-up journey or any other career move.

the why and the how

Often, I get asked “how and why did you choose to leave the corporate world and embark on this journey”? Before setting up Megrow, I went through a high-level, structured thought process designed to help me in answering the “what’s next” question. I wholeheartedly recommend this approach to anybody who is looking to make any career move. 

This thought-process is about answering three related, yet different questions pertaining to your skills, your preferences and perceived opportunities. If there is overlap between answers, I consider the manifestation of this overlap as an attractive career move. 

the three circles

  1. First, think about what you are really good at. This can be any combination of hard and soft skills.
  2. Second, reflect on your professional passion, in colloquial terms “what gets you out of bed in the morning”.
  3. Third, you need to be very clear whether the intersection of your skills and passion has a “market” now and is likely to have a “market” in the future. I use the term “market” in the very widest sense of the word in this context. This can be anything from entrepreneurship to arts to charity work.

The intersection of the three circles – or more specifically the answers to the questions – is a very good starting point to plan.

the three circles model

I came up with this three-realms-idea, when I helped a charity to guide young students along their journey. It is somewhat linked (but NOT a copy) to the well-known Japanese method of “Ikigai”. Ikigai is more complex and philosophical than my simple three circles method. 

Whilst I find this approach very intuitive and extremely helpful, it is crucial to be open-minded for new ideas and opportunities that lie outside of the three realms. Sometimes a good opportunity comes along, hence it is important to stay alert and curious all the while. After all, outcomes matter, not processes.

In my case, I am very passionate about Enterprise Risk Management, because it is a greatly undervalued strategic tool; secondly there is a current and future market for it and most humbly, I also think I acquired hard and soft skills necessary to support customers along their ERM-journey.

I’ll share a few examples from my Megrow journey where the three circles overlap well; and other cases where there was not even a touch point, let alone an overlap.

the perception

Often, people ask or challenge me about the benefits of entrepreneurial freedom. More casually put, “life must be wonderful without a boss”. This is the single, biggest misconception about a micro enterprise. I do agree that processes are lean and mean, and Megrow is nimble and efficient. I do have entrepreneurial freedom to manage my time and yes, nobody can “commandeer” me around. However, the pressure and expectation are of a totally different nature when running your own company. As a micro-entrepreneur I am acting in splendid isolation or in “intellectual loneliness”.

I realized this risk of being an eremite very early on and started building a network of like-minded professionals who are in similar situations. I’m grateful to Acacia Ltd in Hong Kong, AKR Zell Consulting and Covolve Pte Ltd in Singapore, Qalybrate in Malaysia and Dr. Bessant in Manila for being such great sparring and business partners over the years! We really do help each other as peers, idea reviewers, we share practicalities, sometimes act as mutual IT-helpdesks and much, much more.

“you are doing your current best and you keep improving”.

my self-mantra

the emotions

The most gratifying experience is direct, positive feedback from a client. Believe me, it doesn’t get better than this.

Clients have told me that my work or what I’ve delivered together with Megrow’s partners has made a tangible impact on their bottom line, has solved some of their communication challenges, has opened new sources of revenue or has driven their strategic thinking. This feedback is so valuable, especially since I use “outcomes matter” as a tagline very often. In other words, there were moments of grandiose joy and reasons to celebrate lavishly!

Having said that, there have been difficult and challenging periods.

For instance, at one moment in the not too distant past, my name card stock was gravitating towards zero. Despite ongoing and numerous sales efforts, not a single new mandate was in sight. At that stage, I was pondering for a very brief moment whether I really needed to print another stack of name cards or just let it all hit “zero”. Of course, I did print a new box of name cards, but still…

the challenges

How do I deal with these challenges? I’d like to share a few points that certainly have helped me over the years.

  • first, never never never stop the marketing and the networking.
  • second, spread the marketing wider than the target client base; often, an indirect recommendation or source of information is most valuable.
  • third, it is OK to chill occasionally, but keeping a good professional routine combined with a balanced lifestyle is such a great baseline! Mens sana in corpore sano – the old Romans knew that already.
  • fourth, occasionally re-do the skills – preference – market thinking process. Especially in times of great innovation, a certain skill can lose its edge rapidly. Or another skill becomes a rare commodity overnight. Think of film cameras or radiologists. I emphasize the “occasionally”, because if you feel the need to reevaluate your three circles several times a day, something isn’t right with at least one of them.
  • And last, but not least: reflect on your value proposition: is it really unique what and how you are delivering? You might have the greatest product or service on a stand-alone basis, but if somebody offers your service or product as (a free) part of another package, then the market simply isn’t there and, in all likelihood, will not return.

d.i.y. or ?

If you start out and remain a micro enterprise, you have to decide and regularly reevaluate what you will do yourself and what is best outsourced. I probably could do most “internal” tasks, such as accounting, statutory reporting, data management, compliance and logistics myself. However, how efficient is this “solo” approach? And secondly, will I achieve the best outcome if I really do – or try to learn how to do – all these things myself?

I’ll pick three examples to share my experience, the thought process behind my decision and the outcomes.

the logo

passion: yes; skills: NO; market: yes --> outsource

Almost every time I give a name card to somebody, I note from their facial expression and subsequent comments how much they like the Megrow logo. I think it is a stroke of genius. Did I design the logo? I wish I could create an item of such beauty – but no chance. The three-circle model that I described a few minutes back, led me very quickly to the conclusion that designing a logo is NOT something I should try to do myself or aspire to learn.

The detailed self-assessment reads as follows: 

  • I really love creating visual things; hence circle No. 1 gets a tick mark
  • Secondly, there definitely is a market for well-designed logos. In other words, two boxes are ticked already.
  • However, do I have the skills to design a logo or could I acquire them within a meaningful time frame: the straightforward answer is “NO”. I realized the latter a long time ago, so I didn’t even bother thinking about designing a logo myself.

Luckily, my partner JC is very good with colors, shapes and designs, so all credit to her for designing this beauty of a logo. If you are interested in the history and “making of” the logo, head over to the “about” page.

In conclusion, the logo-design is a clear case, where a do-it-yourself approach would not have resulted in anything meaningful.

www

passion: yes; skills: yes; market: yes --> DIY

The Megrow website initially served a compliance purpose. I wanted potential clients to get background information about Megrow and myself. Furthermore, all stakeholders who visit the site should get the impression, that a real business, run by a professional, drives the content. 

When I launched the website a few years ago, I wanted to have more and better content than just “what we do” and “about us”. Driven by this urge, back in 2015 I overdid it with the content. Hence, the web-page became bloated with duplicated and triplicated content. Over time, I have reduced the number of pages and most new content flows into the “blog” section, keeping the other pages stable. The “width” and “breadth” of the site feels very appropriate now.

The list of required features for the website was and remains straightforward: a light design that scales well on different devices, operating systems and browsers; standard fonts and colors; easy to manage, with security taken care of; support for “pages” and a platform for regular “blogging”; and the basic social media buttons must be there. Lastly, the platform needs to be coding-free with WYSIWYG-style editing.

After a bit of trying and tinkering, I settled with the official WordPress theme in 2017 and its subsequent updates. I switched over to the controversial Gutenberg editor halfway through 2019, because I find it intuitive and easy to use. Very soon, I might consider migrating the layout to the official 2020 WordPress theme.

more on www

A few years into being webmaster and content creator, I feel comfortable making the following recommendations:

  • as long as your web-presence consists of a few static pages plus a blog, there really, really is NO need to invest in expensive web-design, plug-ins and other customisation.
  • get a proprietary URL for your company.
  • leave no stone “un”turned in finding a good class host; speed, reliability, security and service are of paramount importance no matter how big or small the business is. I chose Axac Pte in Singapore, because they have flawlessly hosted my personal website for 15 years. Their service is excellent, I have never had a security issue, back-ups are available, and support is as fast as I need it.

As a side note: if you are a WordPress user, there are meet-ups of the local WordPress community in most bigger cities, highly recommended events to network and learn. I got many an inspiration from such meetups.

must do better

passion: yes; skills: ?; market: yes --> outsource

The final example is a great learning out of an old-school marketing approach. Together with a partner company of Megrow, I spent a lot of time, using modernist templates, to compile a content-rich, hard-copy brochure outlining the “things we do”. We invested significant time and other resources on it, had our fun and our discontent, got it printed on high quality paper and distributed quite a few. Initially, we were quite elated with the outcome. Clients “took” the leaflets and stashed them away.

megrow brochure
the front page of the flyer

More recently, however, each time I pick up a copy in my office and look at it, my enthusiasm to take it to a client meeting gravitates closer to zero, to a point where I don’t use the brochures anymore. There should be much more “ooommmpf” in the leaflet. The more I think about it, the more obvious it gets: we should have outsourced the design and layout. Hence, if I ever decide that Megrow needs a hard-copy brochure again, I will spend money on the design. A lesson learnt!

the journey continues

What are the plans for Megrow heading into year five and further? I’m closing this blog by going back to the “three circles” approach that I described earlier in the podcast.

ERM will remain a core offering of Megrow, because all three circles get a “tick” mark.

Secondly, I have rediscovered my passion for teaching and coaching; Asia remains knowledge hungry (allow me the generalization for now) and I have honed my teaching and coaching skills. Hopefully, knowledge and experience sharing will become a slightly stronger leg to stand on going forward.

And lastly, my track record as an executive, particularly in generating growth and positive results, is another valuable asset to Megrow’s clients in the form of strategy advice or an interim mandate as a C-level executive.

Hopefully, you got some helpful information for your own journey out of this blog-post.

You can contact me via social media, LinkedIn and Email. The respective buttons are at the bottom of the page. Thank you for reading.



Categories
Other

Happy Birthday Megrow!

Heading Into Year 5

Megrow Consulting has turned four. A big “THANK YOU” to all clients, business partners, advisers, service providers and supporters for another fruitful year! Time really flies. Sometimes it is hard to believe that Megrow now is in its fifth year of operation.

I am also quite humbled by the high click-rates my “Happy Birthday Megrow” post got on LinkedIn. Close to 2000 views after approximately 1 week!

Looking Back

I’m grateful to some of Megrow’s past and current customers who allow me to display their logos on our site. Head over to the client section of the site to get an impression of our past and current customers. Most notably, the list keeps getting longer every year.

The work my partners and I have done over the past year has slightly shifted in nature compared to the previous period. ERM did remain a key activity and service. Teaching activities and a significant interim mandate as the Chief Executive of a Lloyd’s of London entity in Singapore complement the 2018/2019 palmares.

High Level Analytics of Megrow's current and past portfolio. Happy Birthday Megrow!
Happy Birthday Megrow! Diversification has improved

ERM remains an important pillar of Megrow’s deliveries. However, the past year has seen a wider diversification of mandates, notably teaching and interim management services grew significantly.

Reto Brosi, founder of Megrow Pte Ltd

The analytics above are the result of a straightforward approach, i.e. I simply counted the number of contracts per category. More accurately, I should have used “hours spent” or “outcomes”. However, for the purpose of a high level view on how the portfolio is developing, this simplified approach is good enough.

The Podcast

I launched the Megrow Podcast in early 2019 and have thus far published three episodes. A podcast, or more precisely a VLOG on YouTube, is a good complement to the other marketing and branding activities that I undertake. You can access the latest episode via the embedded link below.

Episode 3 of the Megrow Podcast, October 2019

The podcast is slowly getting traction, and I’m happy with that. Episode 4 is scripted and ready for recording. Furthermore, ideas for a few more releases are ready. Stay tuned! However, all my “shout-outs” for interviews and guest contributors haven’t borne fruit yet. Maybe I need to advertise the podcast a bit more, emphasizing the high “click” rate the podcast gets on LinkedIn.

if you would like to appear on the Megrow podcast, contact me via the links at the bottom of the page!

If you like the contents, please subscribe to the channel to stay current with the latest episode.

Looking Forward

Business School teaching and common sense indicate that Megrow is at a stage of either “scale up” or “pack up”. Needless to say, the “scale up” challenge is what keeps me awake at night. From a more transactional perspective, both risk management and teaching are future-proof activities. Naturally, the contents and modes of delivery will evolve. Hence, I need and will “stay modern” in these aspects.

The more challenging consideration, however, is the question “how to scale up a micro-enterprise”? Some early successes are emerging, but I’m not yet “at peace” with a more strategic and scalable approach. I’m sure the Happy Birthday Megrow! blog post in a year’s time will have interesting news to share.
In the meantime, stay tuned for updates on this blog and on Megrow’s YouTube channel.



Categories
Other

Megrow Podcast: Episode 3

Episode 3 of the Megrow Podcast is live! It focuses on the tangible benefits that good ERM brings to a company. If you would like to listen to the video podcast, click the embedded link below. However, if you would like to read the (almost) verbatim script, just scroll down and enjoy.

The Script of Episode 3

Megrow Podcast Episode 3 picks up the topic trail where episode two ended. Back in episode 2, I touched on the importance of making ERM a tangible benefit to any business. In this episode I will elaborate substantially more on this topic and, most importantly, share some examples to illustrate my point.

the evolution of the benefit slides

I start with a slide that has been a core part of Megrow’s marketing materials since almost day 1 of the company. When I show this slide to colleagues and clients, the reactions are always very positive.

all stakeholders benefit from good enterprise risk management

Everybody seems to see the message of “benefits to business” right away. Naturally, some people tell me that the look of the slide is borderline childish and inappropriate for business. However, the many spontaneous, “eyes wide-open” positive reactions I got and keep getting from different audiences convince me that it is a good slide. Hence, it keeps its important spot in many of my presentations.


Having said that, as I kept acquiring and completing more mandates, I felt the need to give the slide a good second look and decided to overhaul it: more focus and a slightly more polished look. So, here is the new version of the slide:

Good ERM improves results!

The diverse, colorful head image is the best representation of the variety of stakeholders that benefit from good ERM. For the updated version, I reduced the number of “benefits boxes”. Furthermore, I significantly enlarged the “improved results”. The “improved results” text box now sits right below the image – simply to give it the importance it deserves!

On to the real topic now: I will focus on a few, very tangible benefits of good Enterprise Risk Management.

ERM and Credit Rating

I start with the lever that Enterprise Risk Management has on credit rating.

Credit rating is the combination of balance sheet strength analysis and a number of adjustment factors, ERM being a crucial adjustment factor to derive a final credit rating. I refer to AM Best’s credit rating approach, because I’m most familiar with their method. Having said that, all credit rating agencies use similar ways to go about it.

AM Best increase their assessment by one “notch” for a leading ERM-approach and, most importantly, lower their rating by up to 4 “notches” for a nonexistent ERM-approach.

“Minus four notches” – that is very very significant. In other words, it pays off greatly to be at the “good practice level” for ERM. At the other end of the scale it is devastating to have a sub-standard ERM-output.

Higher credit rating means access to additional business, hence higher profits. Furthermore, a higher credit rating also lowers financing cost for a company. In reverse, a lowered credit rating closes some doors to business and makes access to some forms of capital more expensive. Hence, good ERM translates 1:1 to improved profit.

ERM Eases Communication

I’m very grateful to the CEO of a customer who “lifted” me onto the second “benefit” I highlight in this paragraph.

During a past mandate, the senior management team of the customer and I spent a lot of time compiling a good “risk appetite statement”. We managed to find a very sensible balance between some quantitative and a few, selective qualitative statements. In other words, we managed to define a tangible, yet flexible enough risk-appetite description. This enables the company to evaluate the up- and downside risks of some major strategic endeavors against its own perception of risk. I was very happy with that outcome.

The icing on the cake: what the CEO shared with me after the company’s next board meeting. According to the CEO, the revised risk appetite statement made the communication with the board so much more tangible, faster, efficient and easier. The bottom line: a significantly more efficient board of directors meeting!

ERM and Cyber

The risk landscape is continuously evolving; most risks are more interconnected and more challenging to mitigate than ever before. The entire realm of Cyber risk is a prime example. Exposures are interlinked, severity and frequency are sometimes difficult to estimate, and a plethora of mitigation efforts are deployed. ERM, with its company-wide, consistent approach to identify and mitigate risk, is the best tool to “up” the defense for a company. It also is best suited to help a company find additional business opportunities in the Cyber realm.

Thank you for reading through the transcript of the Megrow Podcast Episode 3. More episodes are in the making already. Megrow is here to make your ERM-journey fast and efficient. Contact details are at the bottom of the page.



Categories
ERM risk management

CyberRisk: To Insure or To Ensure?

security increasingly takes center stage in the golden age of the internet

Dr. Dennis Bessant, Specialist Advisor to Megrow, wrote this article in June 2019.

the golden age of the internet

Robert K Merton, an American sociologist, popularised “the law of unintended consequences” in the 20th century; it says that actions always have effects that are unanticipated or not intended. What has a visionary social scientist got to do with the technical challenges of CyberRisk that besiege enterprises of the 21st century?
Well, the golden dawn of the internet, the exponential surge of technological change and their benefits have also led to unintended attacks by CyberRisks. The days of a simple malfunction of computer hardware or data damage that needs a quick IT fix are gone. A new vocabulary emerges: malware, LockerGoga ransomware, state sponsored cyberattacks, NotPetya and so on!

to insure – is NOT good enough

When significant new risks emerge there is a rush to seek insurance solutions to transfer the exposure. But Insurance alone is not Enough! Let’s look closer at what is actually happening in global markets today.

The impact of technology through cyber has overtaken conventional insurance all risk (or accidental) contract language. The burden of proof lies with Insurers when such CyberRisk claims occur. Based on recently widely reported controversial landmark disputes, these claims are being denied using the conventional war Exclusion in an attempt to understand the nature of their manifestation. There is a lack of contract certainty for cyber claims as insurers attempt to define the right language for these novel and until recently unexpected events. 

Markets are struggling to find a sound foothold for the language to use in insurance contracts. Reinsurers and their retrocessionaires are also having to come to terms with potential aggregation issues and varying contract language. All this creates an air of uncertainty for enterprises facing such complex risks. Of course there is a desire by the insurance markets to respond given the vast potential premium pool globally. But the first port of call for any enterprise….governmental or corporate….is to do the basics themselves with specialist help rather than seek quick fix risk transfer solutions only to find they are exposing their organisations to tens of millions of dollars in potentially unsettled claims.

In Insurance we trust?

Interestingly, research done by the Mactavish group, published here, reveals that around a third of respondents do NOT think that insurance is the desired solution to their Cyber exposures! Why is that so? Read on…

it is in the contract

Fortunately, attempts to improve the governance of contracts are underway. For example, Mactavish, a well respected adviser in this field in the relatively sophisticated UK market, has suggested the insurance industry eliminate eight ‘flaws’. These ‘flaws’ are prominent in off-the-shelf cyber policies and hence, insurers use them often to deny claims. Insurance is for the unforeseeable. These days, computer and equipment systems, controls, hardware and software are essential components of virtually any enterprise. Critically, the systems intricately link with their human endeavour. Furthermore, their protection is a cost of doing business to Ensure they stay in business. A known and foreseeable necessity is therefore their oversight, governance and control by each enterprise depending on the level of exposure foreseen.

We also need to look at the original question of “CyberRisk: To Insure or To Ensure” from the ensure perspective.

to ensure is better

So what can enterprises do to Ensure CyberRisk is mitigated or reduced without relying solely on the option to Insure? Find tips from the largest global commercial property insurer (FM Global, see below) on where to start and what to do. Think outside the box.

the human factor

Crucially, seventy to eighty percent of cyber deficiencies are human factor related. In other words, the person behind the machine is the weakest link! Awareness and training are vital to reduce risk. Stress testing to ensure business/service continuity and protect customer data is critical. Controls of security, data management, infrastructure oversight and protection will reap huge dividends to Ensure enterprise resilience whilst the insurance industry attempts to wrestle with the complexities of what to Insure in this complex field. The challenge will continue to grow exponentially as local, national, regional and global accumulations and aggregations stack up exacerbated by yet more AI, automation and smart machines! Ensure your enterprise is built to last.

CyberRisk: To Insure or To Ensure

In conclusion, ensurance – in the form of good Cyber hygiene – is a critical component in managing the ever-evolving CyberRisk landscape. In addition, the insurance industry faces significant challenges and opportunities to position itself as a key risk mitigant in the “CyberRisk: To Insure or To Ensure” realm.

references

  • Commercial Risk Europe: Merck Pharma in dispute with insurers over the 2017 NotPetya attack
  • Financial Times: Mondelez sues Zurich in $100mill test for cyber hack insurance; 1,700 servers and 24,000 laptops ‘permanently dysfunctional’
  • The Times UK: Companies at risk as Hiscox rules out DLA Piper’s cyberattack claim
  • Mactavish: Cyber Risk & Insurance Report, November 2018
  • FM Global Insights & Impacts (2018): Cyber Risk: The Answers to Five Big Questions; 5 Questions Every Risk Manager Should Ask; Threats to Physical Security Industrial Controls.
  • images are used under creative commons license

the author

Dr. Dennis Bessant is Specialist Adviser to Megrow. Find out more about him and read some of his recent publications.