… volume and complexity of risks … increasing extensively …
2020 The State of Risk Oversight, NCS
… less than 20% of organizations view their risk management process as providing important strategic advantage …
2020 The State of Risk Oversight, NCS
I look at the these two NYS Poole messages with a lot of optimism. On one hand, the risk landscape is evolving. Hence, the management of new risks is a challenge and provides ample opportunity for ERM-professionals to deploy our skills.
Secondly, there is much more work to do in providing real strategic value to all stakeholders. This is a call to all of us to demonstrate the real value by embracing the forward-looking, strategic aspects of good ERM.
ERM has a bright future!
ISO 31000 – the ERM Gold Standard?
I’ve written and podcasted (see the embedded YouTube video) about ISO’s approach to ERM previously. In this post I’ll add more depth to my views and some practical considerations.
31000:2018 what is it?
ISO has updated its Risk Management framework in 2018. Subsequently, many institutions and practitioners have provided explanations and comments to the update.
In a nutshell, the ISO framework is
comprehensive, yet concise and understandable
free of guff and lingo
applicable to any organisation and industry
ISO 31000 places great emphasis on senior management involvement, the iterative aspect of good ERM and its strategic value!
I’m a fan of ISO 31000. Having said that, a few points need to be added:
The document states several times that risk management needs to be “comprehensive”. However, the actual term “enterprise risk management” is not used. Whilst this is not a big deal per se, I would have preferred if they would have used the “e” word – at least occasionally.
The standard is comprehensive and quite easy to understand from a structure, flow and vocabulary perspective. However, there is very little practical guidance as to the actual “how to”. ISO leaves that to the community. Maybe I should publish an “ISO 31000 – How To for Dummies” guide. In other words, if an organisation is new to ERM, this ISO document will likely not be of much help.
Having said that, the ISO guide is an extremely helpful tool to ensure one’s ERM-approach is really covering all pertinent aspects.
Another little niggle I have, is the omission of board of directors’ responsibility. The document clearly refers to “leadership by top management”. However, top management is not necessarily equivalent to a board of directors. Maybe I am nit-picking here, but this aspect is important. Good risk culture starts at the very top (not just the top) of any organisation.
It’s great that the standard makes explicit reference to “connectivity between risks”. Hence, one of the major pitfalls of silo-ed risk management is addressed.
Lastly, I wish ISO would have been a bit more explicit with regards to the “velocity of change” in the risk landscape. Having said that, they do explicitly mention “emerging risks”.
The ISO standard is a great checklist providing all the necessary ingredients to good ERM.
Megrow Consulting has completed several ERM-mandates in recent years. We contributed to relevant text books and know the standards (ISO and others) well. Most importantly, we have worked with customers through the big picture risk landscape all the way down to the tiniest minutia.
I have blogged about the roll-out of the COSO ERM update back in 2017. In 2018, ISO updated their well-known risk management standard, too. Since then, I’ve spent considerable time studying and using both standards. Hence, I now feel comfortable and confident to share my opinion about those two well-known ERM frameworks. In other words, bienvenu to the COSO vs ISO battle.
Specifically, my comments pertain to the ISO 31000:2018 standard and the “COSO Enterprise Risk Management, Integrating with Strategy and Performance – June 2017” edition. The latter being quite a “mouth-full”.
In this post I set the scene for my considerations and share some high-level, more general comments about each of the standards. The following instalments will contain more detailed elaborations and considerations.
Admittedly, I am an erstwhile COSO-fan who voluntarily turned more into an ISO supporter over the past few years. Over the course of this article I outline why I have changed my preference.
If you prefer to listen the audio version of this blogpost, click on the image below.
standards – why do we need standards?
The world is beautifully diverse, every company is different, and jurisdictions and regulations vary across the globe. Hence, why do practitioners need risk management standards in the first place?
Very strong arguments must be made in favour of standards:
activities and outcomes of ERM-work undertaken by different companies and in different locations are easily comparable on a like for like basis
standards set a common tone
standards set a baseline, i.e. no more need to explain the basics
practitioners and consumers of their work can focus on the outcomes and not the underlying methodology – particularly important for Board of Directors
and there always is the “best practice” argument and defence
Which standard ?
Risk management standards are commonplace for a long time. Auditing bodies, ISO, COSO, the IRM, RIMS, AS/NZS 4360 and many other institutions have issued and are updating RM-manuals and standards. For this series of podcasts, I will focus on the most recent releases of the ISO and the COSO standards, respectively.
ISO and COSO – A High Level View
Both standards are well known and respected globally. In the same breath, the two guides desperately needed an update. ISO brushed-up after nine years: they released the most recent version in 2018. COSO on the other hand, took 13 years to update. Their most modern publication now dates to 2017.
At first glance, the ISO standard got more comprehensive in its coverage whilst shrinking in size. This was achieved by moving certain parts to other standards and focusing more on principles and high-level frameworks.
In stark contrast, the COSO document is impressive in length, the executive summary already covers 16 pages. The most eye-popping change is the abandonment of the famous COSO cube. COSO developed something akin to a triple helix to describe their view of ERM.
At this stage of the “COSO vs ISO smack down”, the score is even.
The first thing I noticed when reading through the ISO 3100:2018 is the lack of the word “enterprise” almost throughout the document. Has ISO gone back to the bad old days of silo-risk management? I don’t understand this apparent lack of the “E”-word. Having said that, the ISO standard goes to great length and detail referring to the enterprise and its entity, so there is nothing to worry, it seems.
I have a great liking for fluff-free written and spoken communication. ISO scores VERY big in this department. Simple, short sentences. Very little lingo & if there is specific vocabulary, then it gets explained separately in ISO 73.
ISO updated its definition of “risk” to a more modern meaning. They now give attention to the up-side and the downside of risk (FINALLY). Their previous focus on classical hazard risk, which by default knows only down-side, was a serious detractor to use ISO in a strategic and entrepreneurial context. I emphasise that proper management of hazard risk is very important, but ERM is so much more than that. The 2018 update emphasises more on strategic aspects of risk. In addition, it repeatedly calls the board of directors and senior management to duty.
ISO 31000:2018 focuses on principles and guidelines for ALL risks faced by any entity. On the flipside, the ISO document is rather generic and provides very little, detailed guidance for practitioners. That is a fair point of critique, however basic principles are – by the very nature of the term – generally applicable. The customisation to an industry, company-size and other idiosyncrasies is best left to the practitioners. In addition, regulators, trade bodies and other stakeholders often prescribe certain ERM standards, so the localisation is taken care of by other institutions.
When I set out as a full-time ERM-pro, I was immediately drawn to COSO. The main attraction was the strong link to business, opportunity risk and strategy. Almost like love at first sight.
My miss-perception that ISO is all about sequential processes that provide no entrepreneurial freedom and dictate compliant business almost how to sharpen their pencils added even more oil into the fire. Going through an ISO 9000 certification many many moons ago didn’t help either.
the “TRIPLE HELIX”
COSO abandoned their famous “cube” and developed something akin to a triple helix. The new shape is supposed to be as comprehensive as possible and depict the entire value chain. I give COSO a lot of credit for having the courage to defect one of their key “trademarks”. Having said that, the new triple helix appears to be too much of a good thing. It reminds me of the myriad of physicists who try to develop the unified “world formula”. This endeavour is a great thing. However, how many people will truly understand it and how practical is it?
The new COSO framework has the dimensions of a study textbook. Kudos for being that comprehensive. The illustrations look contemporary. However, I have a strong preference for a shorter and crisper version, something like the “core” ERM-approach. The more elaborate considerations, together with examples could have been published in a separate “book”.
COSO’s approach is very comprehensive. New risks, such as the ongoing development of technology and the ever-increasing connection between risks take an important spot in their framework. Furthermore, I like the ongoing emphasis that ERM is linked to strategy and performance. And lastly, COSO published a separate document delving into practical examples. Sadly, this compendium comes at an extra cost.
I give COSO a lot of credit for their (attention dear listeners: guff alert!!) reach-out to stakeholders through various channels. The authors and publishers released a comprehensive Podcast series, e-distributed brochures and set-up a YouTube channel.
Having said that, the executive summary that reaches almost 20 pages (with all due respect and consideration that COSO needs to give to various stakeholders) is a detractor. Depending on the format you choose, the COSO executive summary is about half the length of the entire ISO 31000 standard.
COSO vs ISO: THE VERDICT
After round one of the COSO vs ISO smack-down my score is as follows: taking conciseness, guff-free language and strong focus on general principles and guidelines into account, my verdict after round one is clear: “GAME and SET for ISO”. Bear in mind though, the match isn’t over yet!
Stay tuned for upcoming editions of the Megrow blog, in which I will take this COSO vs ISO contest into the next rounds. In the meantime, if you have questions about ERM or would like an outside-in-view at your current or planned ERM-efforts, kindly contact me via the links at the bottom of the page.
I’m very pleased to announce the release of Episode 1 and Episode 2 of
the Megrow Podcast.
The Podcast is hosted on Megrow’s YouTube channel. I aptly named it the “Asia Risk and Opportunity Podcast” or “AROC” for short.
Episode one is a general, introductory episode explaining the why / what / how:
Episode two dives right into the core matter of Enterprise Risk Management: what are the benefits to business?. I use CyberRisk as an example to demonstrate the tangible outcomes of good Enterprise Risk Management. “Tangible” in this context clearly refers to dollars and cents.
I’ve been thinking for quite some time about which channels are best suited to share my thoughts about ERM. Obviously, this blog is my first choice, followed by LinkedIn and then Twitter. These three avenues all have their benefits and particularities. But I always felt something was missing. After quite some pondering, I decided to try a Podcast to complement my current channels.
looking for contributors
This podcast is fully open to anybody who is looking for a channel to share ideas and views about risks and opportunities. However, I have two border conditions: first, the message must be of practical value and secondly, a distinctive focus on matters in and across Asia is sought. Ironically, I broke my second rule with Episode 2 already, so next time I need to do better.
I’m planning to release a few episodes over the course of 2019.
However, neither do I want to stress nor limit myself by an overly specific
target. If I find sufficient speakers, I might release an episode every 2
weeks, otherwise there will be just a handful in 2019.
The beauty of this podcast lies in its flexibility with regards to
length and looks. It can be a 60 seconds video or a 30 minutes conversation –
and anything in between.
Hence, if you are passionate about a risk-relevant topic with a
distinctive Asia-relevant touch to it: please please stand-up and get in touch
with me. Recording and editing isn’t a big anymore. Let us have a chat soon!
I’m constantly praising the tangible business benefits of good ERM. A number of blogposts here and on other social media are testimony to this. Until a few month ago, I felt like the proverbial “lonely prophet”. A lot of ERM-related publications had a distinctive retro- / crisis-touch to it and nobody appeared to pay much attention to the strategic aspects of it.
Then things changed. First, COSO issued a compendium of “real business cases” in 2018, which was great. However, I was rather disappointed that this compendium required extra subscription, instead of providing it together with the release of the revised framework.
And now, academia is following suit. The NC State Poole College of Management released a study titled “The Value Proposition for ERM: From Intangible to Tangible”. When I spotted to article, I was elated to see the increased focus on the tangible benefits of ERM! Finally, I’m no longer the sole preacher in the desert.
The document is available here. They provide an executive summary, which really is a summary. Secondly, it is well written and concise. And most importantly, they cite a number of tangible, real life cases.
Two points stand out from that work:
the link between ERM and strategy. ERM is a forward-looking tool.
the identification of emerging risks and converting them into opportunities (vs only looking at the downside).
btw: the NC state university website is valuable resource for ERM matters in general. Suggest you head over and spend some time there.
COSO released a significant update of its well-known ERM-framework in late 2017. An executive summary is accessible on their website. The ERM community, especially the “COSO-istas” most eagerly awaited the update. Additionally, the wider stakeholder community was excited to see how the new framework will benefit businesses. I’m a fan of COSO because their approach is forward looking and tries to integrate strategy and performance with Enterprise Risk Management.
So far so good.
who is the target?
Once I started reading the executive summary, a few questions came to my mind. First, who is the target audience? Second, how many ERM-sceptics can this update convince? And lastly, where are the increased, practical benefits of this version versus its predecessors? I’ve shared some of my supportive and critical views about the new framework in a few blogposts.
Lo and behold, pwc, one of the key contributors to the revision, published a blog reflecting on the “so what” question one year after the update. I really like the open and candid views in that blogpost. Hurdles, miss-conceptions, prejudices, resistance to change… not surprisingly, it’s all there. My advice: “NEVER EVER GIVE UP”. Having said that, it is no surprise to me that “take up” of the new framework probably isn’t where the authors envisaged it.
Talking to practitioners and clients across Asia, I noticed that the new framework needs significantly more marketing. It appears not to be known (almost) at all. Out of the many people I spoke to, only ONE (yes 1) appears to have read the new framework.
I have a few suggestions
The effort to summarise the entire approach into a picture is a great endeavour. However, this double-triple helix (*) needs to be simplified and made more tangible. Only then, business leaders will buy into it. In plain simple English: the current depiction is too complicated.
Nothing beats tangible, $$$-denominated examples. Concepts and frameworks are great, but ultimately businesses will only buy into it, once they see tangible top and bottom line benefits. Preferably, these benefits are palpable within the coming quarter or two. Dear reader: I “hear” you screaming that ERM is a long-term strategic undertaking,,,, but after all,,,,, sales and results drive a business.
I’m also cognisant that a special compendium with “real life” cases has been released. However, why do we need to buy and read even another document to convince us that the first document (the framework) is a good thing? Somehow counter-intuitive..
Whenever I speak or write about ERM, I make a point to emphasise the tangible benefits of good ERM for the business. The benefits come in various shapes and forms:
better understanding of new risks can be transformed into new business
better ERM contributes to positive credit rating evaluation, which will lower capital costs and open doors to new business as well
properly managed Cyber exposures protect the downside and can lead to new business opportunities, too
good ERM will lower compliance costKeen to know more? Contact Megrow via the “buttons” at the bottom of the site and stay tuned for new blogs on www.megrow.asia
(*) the picture is used with permission from COSO as stated on their website.
I’ve shared some technical and practical considerations about ERM in a few previous blogposts. This episode addresses the most important topic: “ERM done – so what”. Whenever I talk about Enterprise Risk Management, I emphasize on its tangible benefits. ERM is about managing downside and creating opportunity.
The picture below displays a wide, although not complete, stakeholder landscape and the tangible benefits of good ERM. The regulatory, governance and credit rating agency related values are clear. Furthermore, an optimal alignment of risk appetite and capital possibly supports increased risk taking. So far, all so good.
IMHO Cyber Risk is one of the best cases in point to illustrate practical benefits of ERM; two aspects:
Firstly, the defensive angle: companies must prepare to deal with Cyber attacks as an “entirety”, silos don’t work. This is relatively new category of risk(s), hence it requires some subject matter expertise and a very diligent look “across” the entire organization. Megrow has done Cyber risk mapping with clients (and for its own good – just to state the obvious). I will not dwell on that here. However, if you are interested in good Cyber-webinars, I highly recommend FireEye.com – excellent!
Secondly, the opportunity angle. Let’s assume an insurer covers small and medium sized enterprises. Very many of these clients could and should do more to identify and manage Cyber risks. Buying Cyber insurance is only one mitigating factor. How can the insurer provide additional value and services for this type of risk? The principles of Cyber Risk management are rather universal. In other words, if an insurer has a good grip on its own Cyber risk landscape, this knowledge can become part of its service offering to insureds. This works exactly the same way as traditional loss prevention services that insurers offer their customers. Any sales person of that insurance company will be more than pleased to have an additional service ace in his/her sleeve!
In other words, we killed two birds with one ERM-stone. Thorough ERM helps this insurer manage potential downside risk of Cyber and enhances the company’s value proposition to its customers. It doesn’t get much better than this!
In an earlier blogpost I wrote about setting risk appetite for insurance companies under the evolving Hong Kong ERM framework. My focus is on firms that develop their own ERM-framework.
In this blogpost, I “continue” the journey to building an ERM-framework and ponder about risk mapping. Whilst occasionally making reference to Hong Kong, most of the scribble is applicable to every insurer who wants to take its nascent ERM-framework to a next level.
I will share my thoughts about some key steps, write about challenges and, of course, how Megrow Consulting can support your ERM-journey. And most importantly, I keep advertising ERM as a strategic tool to support your business and not to paralyze it.
I like doing risk mapping! However, there is a significant risk (hahaha pun intended…) of getting lost along the journey when engaging an entire company in a comprehensive risk mapping exercise.
Plenty of competent bodies, such as COSO, describe risk mapping at great length and detail, hence I will not dwell on the methodology here. Instead, I share a number of practical aspects, pitfalls, successes and other considerations here.
When I lead or coach risk mapping work, I prefer to do it in small groups and over several iterations. Depending on the circumstances, some initial “ice breaking” might be needed. Generally speaking though, insurance practitioners LOVE to talk about risk, so there is little to worry about. That is good news! Having said that, there are a few points to bear in mind.
Firstly, we need to ensure that the involved teams cover risks across ALL major business activities. In my experience, operational risk often tends to rank highest in terms of risk “count”. Your risk officer or an experienced third party will need to moderate the mapping efforts to bring balance to the risk universe of your company. Secondly, we also need to ensure that the thinking is current and prospective, looking into the back mirror is important, but only looking backward will not get us very far. Thirdly, quantification efforts need to consistent across the entire risk catalogue, otherwise we compare the proverbial apples with oranges.
Last but not least, probably the hardest step on the mapping journey is prioritization of risks. One “must have item” is a list containing the few, all important strategic and key operational risks. Senior management and the directors will give all their TLC to that all-important set of risks. Yes, every risk is important, but depending on expected frequency and impact, it is handled at the appropriate level of the company! No CEO or board risk committee member wants to look at a risk register with 5000 entries, trust me on this one!
local and global perspective
Good risk mapping focuses on what matter most for the current and prospective market environment. Hence, a focus on Hong Kong (in our example) certainly makes sense. However, other risks, such as “Cyber” are prime examples where good risk mapping must take a bigger picture, global view. Quantification and mitigation of risks that are outside well-known “home turf” are a challenge. The good news is: there are ways and means to deal with that.
Senior management and the directors will sign off the risk map. Subsequently, the register enters its next phase. The risk officer will need to maintain it! After all, good risk management is all about mitigation of existing risks and detecting new risks (and opportunities). An important caveat, enlarging the risk register four times a year by adding new considerations isn’t best practice. Ideally, some risks should disappear from the list over time, otherwise the list will get bloated to an extend that nobody can distinguish the chaff from the wheat any longer.
Stay tuned for more blogposts about ERM in Hong Kong here @megrow.asia !
ERM for Insurers in Hong Kong – the Journey has Started
This series of blogposts ponders about the ERM in Hong Kong as it unfolds for Hong Kong based insurers. I chose Hong Kong for a number of reasons. First, the Insurance Authority (“IA”) launched the ERM process over the course of 2017/2018, so the implementation is in full swing. Second, Megrow has been fortunate to do quite a bit of ERM-related consulting work for companies in Hong Kong. And finally, the Hong Kong approach is a good example of a measured, gradual implementation of ERM, so it might serve well for both practical and theoretical considerations.
I will share my thoughts about some key steps, write about challenges and, of course, how Megrow Consulting can support your ERM-journey.
And most importantly, I keep advertising for ERM as a strategic tool to support your business and not to paralyze it.
All Set to Go?
Hong Kong’s IA has released draft ERM-guidelines for industry consultation. The document is comprehensive and doesn’t contain any surprises per se. However, a myriad of cogwheels needs to fall in place to make ERM work and add value to your company. Definitely, you have some well-established risk management practices already in your company and most certainly, ‘your’ board of directors has its own ideas about risk as well.
How to put this all together in an efficient and effective manner? Certainly, an experienced third party will make your journey efficient and effective. And: you can keep your focus on running your business.
step 1 – the tone from the top
In 2017 Hong Kong IA mandated insurers to establish a board risk committee and assign a risk officer function to a suitably qualified staff. Starting at the top was the right thing to do. Insurers have completed this step over the course of 2017 and early 2018 already. Time to move on.
step 2 – risk appetite
Now with the risk officer and the risk committee in place, what is the next step? In line with the philosophy of “starting from the top”, ideally companies move their attention to comprehensive risk appetite definitions and the implementation thereof. That is exactly what the proposed ERM guidelines suggest doing next on the Hong Kong ERM journey.
what is risk appetite?
I like to use the famous half-full glass analogy to describe my preferred definition of risk appetite.
The capacity of the glass represents the total maximum net risk – across all business activities – your company can bear with the current capital, reinsurance and other hedging mechanisms in place.
Simply, the glass cannot hold more water than its volume. (let’s omit surface tension and other considerations here, it’s not a science class….).
This capacity is largely given by the available capital and regulatory constraints, such as minimum solvency levels. This “capacity” is relatively stable.
How much water you actually decide to pour into the glass is almost entirely the company’s decision. If you overfill, the company will have challenges. If you leave it (almost) empty, then you are not making use of the capital that shareholders gave you. In other words, how full you want the glass to be is your specific risk appetite setting. The great thing is that the water level can vary over time, i.e. companies have some entrepreneurial freedom to accept more or less risk (as long as it doesn’t overflow).
how to set risk appetite?
Two challenges arise for management and the board. First, how full is the glass with the current business and second, how full (or empty…) do we want it to be going forward? In other words, is the glass big enough to support the company’s expansion strategy? The forward-looking angle is very important: that is the linkage of good ERM with strategy!
How to go about determining the “level of water” in the glass? All companies have risk appetite statements readily available. However, these statements might sometimes be insular and sometimes not of recent date. For instance, the investment department might use a different language to describe risk compared to the underwriting department. The true value of risk appetite definitions emerges, once the statements are quantified, comparable and the statements link risk taking to capital.
Ultimately, the best way of going about it to use a capital model, which allocates capital in a consistent way to the main business activities of the company. However, a few years will pass before RBC is mature enough in Hong Kong. So, what is an interim solution for Hong Kong based insurers?
purchase a third-party capital model (I won’t advertise for free here…)
and/or you develop your own capital model
and/or you find an interim, discrete solution and implement HK-RBC capital model along the way.
Every company is unique; hence it is difficult to make general recommendations. A practical view on risk appetite definitions: if you have a credit rating, using the rating agency’s capital model is certainly a way to go. If not, then taking the route via an interim solution would be my preference.
Megrow is well-positioned to support you through the decision-making process and the subsequent development and implementation of the chosen path. We follow industry-standard good ERM-practice, always ensuring that our work is efficient and of practical use. The wheel has been invented, so we focus on other things!
If you would like to know more about putting ERM in place contact me via the buttons shown below and stay tuned for more blogposts about ERM in Hong Kong and elsewhere.
Over previous months, I wrote much about the new COSO ERM framework . Actually, in the middle of 2018 the new framework isn’t exactly that new anymore. I’m an absolute convert with regards to linking ERM to strategy and performance. However, the apparent lack of real life, tangible cases left a sourish taste in an otherwise good meal. So, I kept bickering about it over a number of blogposts, Tweets and G+ posts.
I understand the confidentiality and resource constraints the authors faced. However, it always felt incomplete. A few month back, pwc, one of the key contributors to the framework update, reached out to the community for feedback. Needless to say, I completed the survey most diligently. I’m sure my and other practitioner’s feedback helped!
And lo and behold, a new podcast episode is out. The pwc team announces a case compendium. Can’t wait to see the cases – well done!
Clients often ask me, “what skills should our CRO have”? The answer is very easy and very difficult at the same time. Ideally, the person is a decathlete and holds the world record in each discipline of a decathlon. I chose decathlon over e.g. triathlon, because the CRO really, really needs a very broad skill set! Naturally, such a superhuman doesn’t exist – so what is the practical answer then?
CRO the decathlete
I came up with this picture to describe the CRO’s skill set; this somewhat simplified description has served me well over the years. I will describe it quadrant by quadrant.
Let’s start at the bottom left-hand side. The satellite and the atomic structure depict well, how a CRO should be able to see the “big picture” like a satellite and at the same time should have a view for small items that matter.
The bottom right hand side. Often, good ERM requires a view outside of the box, that’s the reason for the rocket heading up in the drawing. At the same time, the basic tool set of e.g. risk mapping comes in very handy over and over again. The sun and the exclamation mark represent leadership skills and grit, two essential ingredients to get a good ERM framework up and running.
The upper right hand side. It’s all about communication skills. Internal, external, to peers, to the board of directors, to other C-suite members and any colleague(s) within the organization.
And last but not least, the decathlete. Domain knowledge in a few areas is necessary and being “conversant” at least in a few others is very helpful!
superhumans don’t exist – here is the practical approach
A single person might have all the skills shown in the picture above. But this is a rare, fortunate occasion. Mostly, aspiring / incumbent CROs might posses a fair number of the skills, but not all of them.
So how to close that gap? IMHO, nothing beats hands-on growth and development. Megrow Consulting has helped many CROs along their journeys, done onboarding of risk officers and worked with board of directors to define the necessary skill sets for “their” CRO.
The hands-on coaching as described above is best combined with solid knowledge of the methods and procedures. For instance, RIMS or COSO provide ample literature, seminars and e-learning to cover the basics and beyond.
Keen to know how I can support your CRO?
Contact me under firstname.lastname@example.org or via the social media listed at the bottom of the page.