We just released the most recent episode of the Megrow podcast. Two cyber experts shared their views about cyber with us. Their focus is on risk management and how insurance plays a vital part in the mitigation of this ever-evolving topic. Listen in and enjoy!
Should the embed shown above not work, you can access the recording via this link.
Stay tuned for the next episode and please subscribe to our channel!
Proud to share that Megrow just completed five years of successful Interim Management and Risk Consulting.
a big thank you to all our clients and partners!
it has been a “great five years”
Most sincerely, we appreciate that you are and hopefully will be supporting a small, professional and independent business!
Noteworthily, it is great to have partners along the journey. Veromont in Switzerland, Acacia in Hong Kong, Dennis Bessant in Manila, Qalybrate in Malaysia and Covolve in Singapore.
Interim Management and Risk Consulting complemented by tailor-made Training are the core services of Megrow. These three pillars will remain essential to what we do.
our track-record as successful “C-suiters” is at your service for interim management assignments
You need an interim C-suite executive to lead a transition or a special project? Reto Brosi and his partners have a significant track record of getting the right things done well.
we make your ERM-journey efficient and effective
Struggling to see the value in ERM and frustrated with slow progress and high costs? Our main goal is to make your ERM-journey efficient and effective. We produce tangible, measurable outcomes with and for you.
we coach and train risk management and reinsurance
Clients have repeatedly engaged us for trainings and workshops. Our training and coaching sessions combine solid knowledge with practical experience. We pride ourselves in adapting our training modules to your specific needs. Whatever we take out of our “drawers”, we adapt it to your circumstances and your specific training needs.
We have published a short podcast to celebrate Megrow’s anniversary. Click below to listen and watch. Thank you for leaving a “like” and some comments.
We podcast about ERM and other topics. Occasionally, we have guests on the show as well!
Please, subscribe to our channel. You can access contents from almost any internet-capable device at your own leisure time.
Just published the most recent episode of the Megrow podcast. I thoroughly enjoyed the conversation with Andreas Zell, the founder and owner of AKR Zell Consulting in Singapore. Specifically, we spoke about the future of the actuarial profession in Asia and how ILS can help to close the insurance protection gap.
Thanks for listening, stay safe and please subscribe to this podcast and stay tuned for the next episode.
You got all the intent, ambition and ERM-skills lined up in your company: and still you are struggling to get much further than the first few hundred meters of the proverbial ERM-marathon?
If that sounds familiar to your mental ears, then read on. In this post, I guide you over some of the well-known ERM-mountains to make your ERM-voyage more effective and efficient.
This blogpost is the third installment of Megrow’s new “3 minutes ERM” series, which we publish on YouTube, LinkedIn and on this site.
miss-perceptions and patchy communication often stall good ERM-efforts
Over the past years I came across a number of perceptions about ERM. As the word implies, perceptions are an individual’s or a group’s impressions, thoughts, preference and views. Hence, it is important that ERM practitioners are aware of these perceptions and deal with them empathetically and professionally.
A random sample of perceptions:
(if you prefer a broader source of information, just google “useless enterprise risk management” and you will not be surprised)
etc etc etc … you get the point
Regardless how much real and/or perceived truth lies in these statements, perceptions amongst stakeholders do exist and we must deal with them early, best in an anticipatory manner. As practitioners we have both the opportunity and the mandate to deal with these views professionally.
I hope you find my ponderings useful for your day-to-day work. The specialists within Megrow’s network possess a wide variety of skills to successfully and efficiently navigate ERM hurdles. You can contact us via the buttons below.
Enjoy whatever you are doing, stay safe, please connect with Megrow over LinkedIn and/or Twitter.
.. the Risk Champion of an organization must be a super-hero ..
Not quite, but close enough….
Actually, a strong risk leader has a capability that many superheroes lack: the CRO can deploy different key skills at different levels at different time points! The “standard” comic superheroine and -hero often comfortably dwell within the realms of their existing superpowers.
I have written about the base-line skill of a good risk leader in a number of previous posts. In this blog, I share my thoughts how a successful risk leader deploys different skills at different levels of impact and intensity during different stages of an organization’s ERM-journey. I refer to these skills as the “adjustable skill set”.
Risk maturity frameworks are an excellent tool to illustrate many aspects of ERM. Below is a condensed summary of the risk maturity concept.
I use the simplified framework as the baseline of my considerations. Specifically, the framework describes the x-axis of all the charts that I’m sharing in this post.
In case you are interested in more detail about risk frameworks, type “risk maturity framework” into the search window of your browser. You will end up on the sites of RIMS or AON / Wharton or Hopkins and many others.
I focus on those CRO skills that are needed at different levels for different stages of an organization’s ERM-journey. They complement the base-line skills such as the understanding of the value chain the organization operates along. I have written about some of the baseline skills in a previous post.
During early stages of risk maturity risk leaders often need to influence and convince all stakeholders that an improved ERM and resilience approach is beneficial to the organization. Hence, the change agent or “influencer” is a key CRO skill at this stage.
The importance will diminish somewhat once the machine is up and running (level 2 and 3). However, once the organization aspires to progress towards level 4, another “thrust” of change can propel the organization forward accordingly.
A good ERM set-up is appropriate and adequate to the organization’s current and foreseeable circumstances and complexity. Hence, architecting is a crucial skill at the onset of an ERM-journey. Especially during stage 1, significant efforts go into “architecting” the right approach and pathway. This will successfully pave the way for level 2 and 3. The curve does not drop to zero, since the framework will evolve to support changes in strategy, advances in methodology and other circumstances.
ERM-methods are no secrets (ISO sells it for app CHF 100). Peer reviews, google-able tips and tricks are abundant and external service providers can supply certain parts of the framework. However, once the organization wishes to become a true, recognized leader, then innovation skills are a must. The innovative, sometimes disruptive mindset of a risk leader is in high demand the higher up an organization is and desires to be on the risk maturity ladder.
Once an organization’s ERM effort is out of the starting blocks, execution is key to generate an efficient and effective risk management output. The risk leader must quickly initiate and complete transition from “agreed concept” to “flawless implementation”. Good execution remains key throughout the entire journey.
Certain CRO skills, such as understanding ERM methodology, support the entire journey. In addition, strong risk leaders, deploy other traits at different levels of impact depending on the status quo of the organization’s risk maturity. Ultimately, the strong risk leaders know when to deploy which skill at which level!
I hope you find my ponderings useful for your day-to-day work. The specialists within Megrow’s network possess a wide variety of skills to make your ERM-journey efficient and effective. Contact details below.
Enjoy whatever you are doing, stay safe, please connect with Megrow over LinkedIn and/or Twitter.
This micro post focuses on “risk appetite” and its relations to risk bearing capacity, capital efficiency and the corresponding safety margins.
I use a glass to illustrate the total risk bearing capacity of an organization. In a first step, we set the total capacity of this glass to hold liquid as the organization’s maximum risk bearing capacity. The Board and Management need to have a solid, quantitative view of this capacity. For simplicity’s sake, we omit considerations of buying a second glass or putting the glass into the second larger container.
In a second step senior management and the board decide how far up they want to fill the glass. In other words, how much risk will the organization take. Theoretically, anything between empty and full is a go.
On the other hand, filling the glass up the top is very efficient. However, several stakeholders, such as shareholders, credit rating agencies and/or regulators might take a view that the firm should leave some buffer. Just in case anything causes turbulences to the liquid in the glass. Hence, organizations would under most circumstances leave some capacity unused.
Having said that, if the glass is (almost) empty, then the company is not taking any risks. Hence, the organization is excessively risk averse and/or dormant. In other words, capacity (i.e. capital) usage is very low. This, over the long term, is inefficient.
The beauty about this concept is its flexibility. Should the business environment be very favorable, companies can decide to “fill up” the glass, ie increase revenue. Vice versa, if the environment is challenging, the glass remains less filled. Efficient capital management would then ask for a smaller glass – that is a topic of another blog.
Thank you very much for reading this post. Enjoy what you are doing and stay safe. For any questions pertaining to Enterprise Risk Management, please contact Megrow over LinkedIn or Twitter or the coordinates on the contact page.
PS: an audio/video edition of this blog:
> 1000 views of our “how to make a risk register” post on LinkedIn!
Reto Brosi, MD of Megrow
A few weeks back, we released a tutorial-style article/blog post on LinkedIn and got over a 1000 views already! Some readers have asked to build on the post and add more ‘practical’ content to it.
So here we go
Proudly presenting: episode 7 of the Megrow podcast – we are doing risk register
Keen to know more? Contact Megrow via the social media and contact buttons at the bottom of the page.
a key building block of efficient and effective enterprise risk management
This post describes how to structure and populate a good risk register. I will describe the key components, how they interlink and the recommended information requirements.
When you internet-search the term “risk register”, plenty of examples and tutorials will yield. Often, these samples are very well presented, easy to comprehend and relatively simple to adapt to your organisation’s specific circumstances. Having said that, at closer inspection many of them don’t pass muster even for the smallest and minimally complex organisations.
The image below represents a sample of what you will find with an internet search:
The example
So you might wonder what is missing. After all, a risk is identified, its potential impact is being considered, and somebody is assigned to the risk. All sounds good, or doesn’t it?
The good news is that risk identification has taken place in this imaginary organisation. Furthermore, all three statements shown in this example are valid statements. However, they need to be brought into proper context and quantified. Additionally, some key ingredients need to be added. Hence, it is highly likely that this organisation needs to upgrade the register to reap the benefits of good ERM.
The risk of “loosing key staff” – as shown in the table above – is a real issue for many organisations. However, the statement needs context and explanation.
Let’s leave this example aside and move on to the build-up of a comprehensive, clear and more tangible risk register. How does a good risk register look like? I focus on content and the key building blocks. IT-considerations and data analytics are the subject of a different conversation.
| The header describes the risk at sufficient level of detail. I call this the “ID” block. |
| Right underneath the ID-block we draw three vertical blocks. They encompass quantification, risk treatment undertakings and the respective outcomes. This is the “quant/mod” block. |
| In the blocks at the bottom we record and store important additional information, such as follow-up actions and access rights. I call one of them the “add-on” block and the other one the “gov” block. |
Key components are:
| “quant & mod” blocks |  |
The block on the very left displays estimates of likelihood and corresponding severity should the risk under consideration materialise. These values – as the name implies – should be numeric. Best practice and knowledge must be applied when determining them. Preferably, a solid probabilistic model is used. Alternatively, deterministic scenarios might be used or past experience is taken as a reference.
Generic statements like “often” or “expensive” are easy to come up with. However, they are very vague. Hence, try to use quantitative statements as often as possible.
Having said that, it is crucial to be cognisant and explicitly note uncertainties associated with any projections (regardless of method) made in this section.
In a next step, benchmark the outcome against your organisation’s risk appetite to determine whether any treatment is necessary. This benchmarking is important to ensure that treatment efforts are spent on risks that really matter.
The middle block describes the chosen treatment actions in detail; furthermore, treatment costs are elaborated on.
The block to the right contains similar information as the one on the very left. However, all values and conclusions are recorded POST the mitigation/treatment efforts have taken place. Again, scale the values against the risk appetite. Furthermore, compare the outcomes to the actual cost of treatment. And lastly, note the the effectiveness and efficiency of the treatment.
These latter points are crucial. One needs to determine and decide whether the treatment(s) achieve their objectives and what the cost/benefit of the treatment is. For instance, if the treatment of a certain risk costs “1.25” to cure a non-recurring impact of “1”, then it is likely not worth the effort!
In our example we would have specified what we mean by “key staff”. Henceforth, it will be easier to assign a probability and an impact should that individual or team leave. As a mitigant, you can think about development opportunities, flexible work arrangements, incentives and other measures.
Certainly, the “ID” and the “quant/mod” blocks are the most challenging and interesting components of the risk register. Populating those blocks often leads to in-depth discussions and sometimes heated arguments amongst all the contributors. But it’s always interesting and often fun to travel this segment of the ERM-journey. Having said that, a risk register without the remaining two blocks is almost like a house without basement! Hence, I strongly recommend completing the bottom two blocks as well.
You need to determine how often you will review each entry. Some risks change very rapidly. Take Cyber, where the risk landscape evolves constantly. Hence, Cyber-related risks need to be reviewed very frequently. At the other end of the spectrum, certain operational risks (under most circumstances) evolve much slower. Hence, your organisation can review these less frequently.
The second component of the add-on block are considerations are about additional classifications. Whilst we have grouped risks already in the “ID” block, it is advisable to do some more classification at this stage. Highly recommended is to classify or rank risks according to impact on strategy and materiality. Importantly, you should generate a “top 10” list of the risks that really really matter to your organisation. I borrow a term from a global consulting company: McKinsey make explicit reference to “the company’s big bets”.
senior mgmt and the BoD focus their attention on the organisation’s KEY risks.
And last but absolutely not least: you need to establish linkages between individual risks should they correlate. This is key, even if the correlation at first sight appears marginal only.
And finally, some important “housekeeping” matters complete the register:
In this blogpost, I describe the set-up and design of a functional and comprehensive risk register. Six interlinked core components make up a complete register. If you have questions, kindly contact us via the social media buttons below.
XIV/IV/MMXX
… volume and complexity of risks … increasing extensively …
2020 The State of Risk Oversight, NCS
… less than 20% of organizations view their risk management process as providing important strategic advantage …
2020 The State of Risk Oversight, NCS
I look at the these two NYS Poole messages with a lot of optimism. On one hand, the risk landscape is evolving. Hence, the management of new risks is a challenge and provides ample opportunity for ERM-professionals to deploy our skills.
Secondly, there is much more work to do in providing real strategic value to all stakeholders. This is a call to all of us to demonstrate the real value by embracing the forward-looking, strategic aspects of good ERM.
ERM has a bright future!
I’ve written and podcasted (see the embedded YouTube video) about ISO’s approach to ERM previously. In this post I’ll add more depth to my views and some practical considerations.
ISO has updated its Risk Management framework in 2018. Subsequently, many institutions and practitioners have provided explanations and comments to the update.
In a nutshell, the ISO framework is
ISO 31000 places great emphasis on senior management involvement, the iterative aspect of good ERM and its strategic value!
I’m a fan of ISO 31000. Having said that, a few points need to be added:
The document states several times that risk management needs to be “comprehensive”. However, the actual term “enterprise risk management” is not used. Whilst this is not a big deal per se, I would have preferred if they would have used the “e” word – at least occasionally.
The standard is comprehensive and quite easy to understand from a structure, flow and vocabulary perspective. However, there is very little practical guidance as to the actual “how to”. ISO leaves that to the community. Maybe I should publish an “ISO 31000 – How To for Dummies” guide. In other words, if an organisation is new to ERM, this ISO document will likely not be of much help.
Having said that, the ISO guide is an extremely helpful tool to ensure one’s ERM-approach is really covering all pertinent aspects.
Another little niggle I have, is the omission of board of directors’ responsibility. The document clearly refers to “leadership by top management”. However, top management is not necessarily equivalent to a board of directors. Maybe I am nit-picking here, but this aspect is important. Good risk culture starts at the very top (not just the top) of any organisation.
It’s great that the standard makes explicit reference to “connectivity between risks”. Hence, one of the major pitfalls of silo-ed risk management is addressed.
Lastly, I wish ISO would have been a bit more explicit with regards to the “velocity of change” in the risk landscape. Having said that, they do explicitly mention “emerging risks”.
The ISO standard is a great checklist providing all the necessary ingredients to good ERM.
Megrow Consulting has completed several ERM-mandates in recent years. We contributed to relevant text books and know the standards (ISO and others) well. Most importantly, we have worked with customers through the big picture risk landscape all the way down to the tiniest minutia.
Making your ERM-journey
efficient and effective
is our key mission.
Reto Brosi, MD of Megrow
I have blogged about the roll-out of the COSO ERM update back in 2017. In 2018, ISO updated their well-known risk management standard, too. Since then, I’ve spent considerable time studying and using both standards. Hence, I now feel comfortable and confident to share my opinion about those two well-known ERM frameworks. In other words, bienvenu to the COSO vs ISO battle.
Specifically, my comments pertain to the ISO 31000:2018 standard and the “COSO Enterprise Risk Management, Integrating with Strategy and Performance – June 2017” edition. The latter being quite a “mouth-full”.
In this post I set the scene for my considerations and share some high-level, more general comments about each of the standards. The following instalments will contain more detailed elaborations and considerations.
Admittedly, I am an erstwhile COSO-fan who voluntarily turned more into an ISO supporter over the past few years. Over the course of this article I outline why I have changed my preference.
If you prefer to listen the audio version of this blogpost, click on the image below.
The world is beautifully diverse, every company is different, and jurisdictions and regulations vary across the globe. Hence, why do practitioners need risk management standards in the first place?
Very strong arguments must be made in favour of standards:
Risk management standards are commonplace for a long time. Auditing bodies, ISO, COSO, the IRM, RIMS, AS/NZS 4360 and many other institutions have issued and are updating RM-manuals and standards. For this series of podcasts, I will focus on the most recent releases of the ISO and the COSO standards, respectively.
Both standards are well known and respected globally. In the same breath, the two guides desperately needed an update. ISO brushed-up after nine years: they released the most recent version in 2018. COSO on the other hand, took 13 years to update. Their most modern publication now dates to 2017.
At first glance, the ISO standard got more comprehensive in its coverage whilst shrinking in size. This was achieved by moving certain parts to other standards and focusing more on principles and high-level frameworks.
In stark contrast, the COSO document is impressive in length, the executive summary already covers 16 pages. The most eye-popping change is the abandonment of the famous COSO cube. COSO developed something akin to a triple helix to describe their view of ERM.
At this stage of the “COSO vs ISO smack down”, the score is even.
The first thing I noticed when reading through the ISO 3100:2018 is the lack of the word “enterprise” almost throughout the document. Has ISO gone back to the bad old days of silo-risk management? I don’t understand this apparent lack of the “E”-word. Having said that, the ISO standard goes to great length and detail referring to the enterprise and its entity, so there is nothing to worry, it seems.
I have a great liking for fluff-free written and spoken communication. ISO scores VERY big in this department. Simple, short sentences. Very little lingo & if there is specific vocabulary, then it gets explained separately in ISO 73.
ISO updated its definition of “risk” to a more modern meaning. They now give attention to the up-side and the downside of risk (FINALLY). Their previous focus on classical hazard risk, which by default knows only down-side, was a serious detractor to use ISO in a strategic and entrepreneurial context. I emphasise that proper management of hazard risk is very important, but ERM is so much more than that. The 2018 update emphasises more on strategic aspects of risk. In addition, it repeatedly calls the board of directors and senior management to duty.
ISO 31000:2018 focuses on principles and guidelines for ALL risks faced by any entity. On the flipside, the ISO document is rather generic and provides very little, detailed guidance for practitioners. That is a fair point of critique, however basic principles are – by the very nature of the term – generally applicable. The customisation to an industry, company-size and other idiosyncrasies is best left to the practitioners. In addition, regulators, trade bodies and other stakeholders often prescribe certain ERM standards, so the localisation is taken care of by other institutions.
When I set out as a full-time ERM-pro, I was immediately drawn to COSO. The main attraction was the strong link to business, opportunity risk and strategy. Almost like love at first sight.
My miss-perception that ISO is all about sequential processes that provide no entrepreneurial freedom and dictate compliant business almost how to sharpen their pencils added even more oil into the fire. Going through an ISO 9000 certification many many moons ago didn’t help either.
COSO abandoned their famous “cube” and developed something akin to a triple helix. The new shape is supposed to be as comprehensive as possible and depict the entire value chain. I give COSO a lot of credit for having the courage to defect one of their key “trademarks”. Having said that, the new triple helix appears to be too much of a good thing. It reminds me of the myriad of physicists who try to develop the unified “world formula”. This endeavour is a great thing. However, how many people will truly understand it and how practical is it?
The new COSO framework has the dimensions of a study textbook. Kudos for being that comprehensive. The illustrations look contemporary. However, I have a strong preference for a shorter and crisper version, something like the “core” ERM-approach. The more elaborate considerations, together with examples could have been published in a separate “book”.
COSO’s approach is very comprehensive. New risks, such as the ongoing development of technology and the ever-increasing connection between risks take an important spot in their framework. Furthermore, I like the ongoing emphasis that ERM is linked to strategy and performance. And lastly, COSO published a separate document delving into practical examples. Sadly, this compendium comes at an extra cost.
I give COSO a lot of credit for their (attention dear listeners: guff alert!!) reach-out to stakeholders through various channels. The authors and publishers released a comprehensive Podcast series, e-distributed brochures and set-up a YouTube channel.
Having said that, the executive summary that reaches almost 20 pages (with all due respect and consideration that COSO needs to give to various stakeholders) is a detractor. Depending on the format you choose, the COSO executive summary is about half the length of the entire ISO 31000 standard.
After round one of the COSO vs ISO smack-down my score is as follows: taking conciseness, guff-free language and strong focus on general principles and guidelines into account, my verdict after round one is clear: “GAME and SET for ISO”. Bear in mind though, the match isn’t over yet!
Stay tuned for upcoming editions of the Megrow blog, in which I will take this COSO vs ISO contest into the next rounds. In the meantime, if you have questions about ERM or would like an outside-in-view at your current or planned ERM-efforts, kindly contact me via the links at the bottom of the page.