You got all the intent, ambition and ERM-skills lined up in your company: and still you are struggling to get much further than the first few hundred meters of the proverbial ERM-marathon?
If that sounds familiar to your mental ears, then read on. In this post, I guide you over some of the well-known ERM-mountains to make your ERM-voyage more effective and efficient.
This blogpost is the third installment of Megrow’s new “3 minutes ERM” series, which we publish on YouTube, LinkedIn and on this site.
Over the past years I came across a number of perceptions about ERM. As the word implies, perceptions are an individual’s or a group’s impressions, thoughts, preference and views. Hence, it is important that ERM practitioners are aware of these perceptions and deal with them empathetically and professionally.
A random sample of perceptions:
(if you prefer a broader source of information, just google “useless enterprise risk management” and you will not be surprised)
risk management is about managing downside – where is the link to strategy?
a purely internal activity
does not generate sales
only the regulator and/or stock exchange care
red/amber/green plots do not really say anything meaningful
it’s all about filling up spreadsheets for the drawer
another exercise to feed off probabilistic black boxes
etc etc etc … you get the point
Regardless how much real and/or perceived truth lies in these statements, perceptions amongst stakeholders do exist and we must deal with them early, best in an anticipatory manner. As practitioners we have both the opportunity and the mandate to deal with these views professionally.
how to manage?
firstly, transparency and clarity about the expected tangible benefits of good ERM are key
secondly, be cognizant that different stakeholders have different expectations towards the outcome and manage these expectations
thirdly, the output of our work needs to match generally accepted quality standards
furthermore, customize presentation of results to meet different stakeholder’s interest, knowledge, and commitment to ERM
and last but not least, communicate the results of the ERM-related work to show the link of risk management to strategy, business plans and performance.
I hope you find my ponderings useful for your day-to-day work. The specialists within Megrow’s network possess a wide variety of skills to successfully and efficiently navigate ERM hurdles. You can contact us via the buttons below.
Enjoy whatever you are doing, stay safe, please connect with Megrow over LinkedIn and/or Twitter.
Actually, a strong risk leader has a capability that many superheroes lack: the CRO can deploy different key skills at different levels at different time points! The “standard” comic superheroine and -hero often comfortably dwell within the realms of their existing superpowers.
I have written about the base-line skill of a good risk leader in a number of previous posts. In this blog, I share my thoughts how a successful risk leader deploys different skills at different levels of impact and intensity during different stages of an organization’s ERM-journey. I refer to these skills as the “adjustable skill set”.
Risk maturity frameworks are an excellent tool to illustrate many aspects of ERM. Below is a condensed summary of the risk maturity concept.
I use the simplified framework as the baseline of my considerations. Specifically, the framework describes the x-axis of all the charts that I’m sharing in this post.
In case you are interested in more detail about risk frameworks, type “risk maturity framework” into the search window of your browser. You will end up on the sites of RIMS or AON / Wharton or Hopkins and many others.
I focus on those CRO skills that are needed at different levels for different stages of an organization’s ERM-journey. They complement the base-line skills such as the understanding of the value chain the organization operates along. I have written about some of the baseline skills in a previous post.
influencer: drive change when needed
architect: design the right framework
executor: get the right things done well
innovator: seek the new at the right time
During early stages of risk maturity risk leaders often need to influence and convince all stakeholders that an improved ERM and resilience approach is beneficial to the organization. Hence, the change agent or “influencer” is a key CRO skill at this stage.
The importance will diminish somewhat once the machine is up and running (level 2 and 3). However, once the organization aspires to progress towards level 4, another “thrust” of change can propel the organization forward accordingly.
A good ERM set-up is appropriate and adequate to the organization’s current and foreseeable circumstances and complexity. Hence, architecting is a crucial skill at the onset of an ERM-journey. Especially during stage 1, significant efforts go into “architecting” the right approach and pathway. This will successfully pave the way for level 2 and 3. The curve does not drop to zero, since the framework will evolve to support changes in strategy, advances in methodology and other circumstances.
ERM-methods are no secrets (ISO sells it for app CHF 100). Peer reviews, google-able tips and tricks are abundant and external service providers can supply certain parts of the framework. However, once the organization wishes to become a true, recognized leader, then innovation skills are a must. The innovative, sometimes disruptive mindset of a risk leader is in high demand the higher up an organization is and desires to be on the risk maturity ladder.
Once an organization’s ERM effort is out of the starting blocks, execution is key to generate an efficient and effective risk management output. The risk leader must quickly initiate and complete transition from “agreed concept” to “flawless implementation”. Good execution remains key throughout the entire journey.
Certain CRO skills, such as understanding ERM methodology, support the entire journey. In addition, strong risk leaders, deploy other traits at different levels of impact depending on the status quo of the organization’s risk maturity. Ultimately, the strong risk leaders know when to deploy which skill at which level!
I hope you find my ponderings useful for your day-to-day work. The specialists within Megrow’s network possess a wide variety of skills to make your ERM-journey efficient and effective. Contact details below. Enjoy whatever you are doing, stay safe, please connect with Megrow over LinkedIn and/or Twitter.
This post describes how to structure and populate a good risk register. I will describe the key components, how they interlink and the recommended information requirements.
the risk register – what is it?
When you internet-search the term “risk register”, plenty of examples and tutorials will yield. Often, these samples are very well presented, easy to comprehend and relatively simple to adapt to your organisation’s specific circumstances. Having said that, at closer inspection many of them don’t pass muster even for the smallest and minimally complex organisations.
The image below represents a sample of what you will find with an internet search:
has a clear structure
outlines a risk of possibly loosing key employees
assigns a medium impact to it
allocates responsibility to the HR department
and leaves room for more risks
So you might wonder what is missing. After all, a risk is identified, its potential impact is being considered, and somebody is assigned to the risk. All sounds good, or doesn’t it?
The good news is that risk identification has taken place in this imaginary organisation. Furthermore, all three statements shown in this example are valid statements. However, they need to be brought into proper context and quantified. Additionally, some key ingredients need to be added. Hence, it is highly likely that this organisation needs to upgrade the register to reap the benefits of good ERM.
The risk of “loosing key staff” – as shown in the table above – is a real issue for many organisations. However, the statement needs context and explanation.
what does “key” really mean?
how does the “medium” fit into the strategy/priorities of the organisation. In other words, what would “low” or “high” signify?
and finally, what is the duty of the HR-department?
The model risk register
Let’s leave this example aside and move on to the build-up of a comprehensive, clear and more tangible risk register. How does a good risk register look like? I focus on content and the key building blocks. IT-considerations and data analytics are the subject of a different conversation.
High Level Structure
The header describes the risk at sufficient level of detail. I call this the “ID” block.
Right underneath the ID-block we draw three vertical blocks. They encompass quantification, risk treatment undertakings and the respective outcomes. This is the “quant/mod” block.
In the blocks at the bottom we record and store important additional information, such as follow-up actions and access rights. I call one of them the “add-on” block and the other one the “gov” block.
Key components are:
A unique risk identification. This can be a number or an alphanumeric code; you can decide to use existing internal codes or just a plain integer. Both approaches have advantages and disadvantages.
classification: risks need to be grouped following a pre-determined nomenclature and structure. You can use your own one or you can follow the guidance of the respective regulatory body or any other system that is suitable. Important is to cover ALL activities that your company is undertaking! The classification should span 2-3 levels for easy grouping and identification. Going back to our example, level 1 could be “operational risk”; level 2 “human resource risks” and level 3 “staff”.
description: provide a basic description of the risk in free text form.
impact: qualitative comments pertaining to expected impact should the risk materialise.
And importantly, who is responsible for managing this risk.
“quant & mod” blocks
quant block 1
The block on the very left displays estimates of likelihood and corresponding severity should the risk under consideration materialise. These values – as the name implies – should be numeric. Best practice and knowledge must be applied when determining them. Preferably, a solid probabilistic model is used. Alternatively, deterministic scenarios might be used or past experience is taken as a reference.
Generic statements like “often” or “expensive” are easy to come up with. However, they are very vague. Hence, try to use quantitative statements as often as possible.
Having said that, it is crucial to be cognisant and explicitly note uncertainties associated with any projections (regardless of method) made in this section.
In a next step, benchmark the outcome against your organisation’s risk appetite to determine whether any treatment is necessary. This benchmarking is important to ensure that treatment efforts are spent on risks that really matter.
The middle block describes the chosen treatment actions in detail; furthermore, treatment costs are elaborated on.
quant block 2
The block to the right contains similar information as the one on the very left. However, all values and conclusions are recorded POST the mitigation/treatment efforts have taken place. Again, scale the values against the risk appetite. Furthermore, compare the outcomes to the actual cost of treatment. And lastly, note the the effectiveness and efficiency of the treatment.
These latter points are crucial. One needs to determine and decide whether the treatment(s) achieve their objectives and what the cost/benefit of the treatment is. For instance, if the treatment of a certain risk costs “1.25” to cure a non-recurring impact of “1”, then it is likely not worth the effort!
In our example we would have specified what we mean by “key staff”. Henceforth, it will be easier to assign a probability and an impact should that individual or team leave. As a mitigant, you can think about development opportunities, flexible work arrangements, incentives and other measures.
Certainly, the “ID” and the “quant/mod” blocks are the most challenging and interesting components of the risk register. Populating those blocks often leads to in-depth discussions and sometimes heated arguments amongst all the contributors. But it’s always interesting and often fun to travel this segment of the ERM-journey. Having said that, a risk register without the remaining two blocks is almost like a house without basement! Hence, I strongly recommend completing the bottom two blocks as well.
You need to determine how often you will review each entry. Some risks change very rapidly. Take Cyber, where the risk landscape evolves constantly. Hence, Cyber-related risks need to be reviewed very frequently. At the other end of the spectrum, certain operational risks (under most circumstances) evolve much slower. Hence, your organisation can review these less frequently.
The second component of the add-on block are considerations are about additional classifications. Whilst we have grouped risks already in the “ID” block, it is advisable to do some more classification at this stage. Highly recommended is to classify or rank risks according to impact on strategy and materiality. Importantly, you should generate a “top 10” list of the risks that really really matter to your organisation. I borrow a term from a global consulting company: McKinsey make explicit reference to “the company’s big bets”.
And last but absolutely not least: you need to establish linkages between individual risks should they correlate. This is key, even if the correlation at first sight appears marginal only.
And finally, some important “housekeeping” matters complete the register:
assign an “owner” of the entire risk register. This person/function is the overall owner of the risk register. Note though, that the owner of the register is (in most cases) different from the risk owner!
state the author of the current register (in smaller organisations, this might be the same person/function as the “owner)
add a version number, and a date(s) for upcoming general revisions
make reference to the register’s exact storage location AND, crucially
determine “access rights” and “confidentiality”; the challenge is to find the right balance between being transparent and inclusive, whilst keeping some key strategic matters confidential. For instance, in the case of a key strategic risk, most information, especially the treatment and the impact, might be kept strictly confidential.
the gist of it
In this blogpost, I describe the set-up and design of a functional and comprehensive risk register. Six interlinked core components make up a complete register. If you have questions, kindly contact us via the social media buttons below.
I’m very pleased to announce the release of Episode 1 and Episode 2 of
the Megrow Podcast.
The Podcast is hosted on Megrow’s YouTube channel. I aptly named it the “Asia Risk and Opportunity Podcast” or “AROC” for short.
Episode one is a general, introductory episode explaining the why / what / how:
Episode two dives right into the core matter of Enterprise Risk Management: what are the benefits to business?. I use CyberRisk as an example to demonstrate the tangible outcomes of good Enterprise Risk Management. “Tangible” in this context clearly refers to dollars and cents.
I’ve been thinking for quite some time about which channels are best suited to share my thoughts about ERM. Obviously, this blog is my first choice, followed by LinkedIn and then Twitter. These three avenues all have their benefits and particularities. But I always felt something was missing. After quite some pondering, I decided to try a Podcast to complement my current channels.
looking for contributors
This podcast is fully open to anybody who is looking for a channel to share ideas and views about risks and opportunities. However, I have two border conditions: first, the message must be of practical value and secondly, a distinctive focus on matters in and across Asia is sought. Ironically, I broke my second rule with Episode 2 already, so next time I need to do better.
I’m planning to release a few episodes over the course of 2019.
However, neither do I want to stress nor limit myself by an overly specific
target. If I find sufficient speakers, I might release an episode every 2
weeks, otherwise there will be just a handful in 2019.
The beauty of this podcast lies in its flexibility with regards to
length and looks. It can be a 60 seconds video or a 30 minutes conversation –
and anything in between.
Hence, if you are passionate about a risk-relevant topic with a
distinctive Asia-relevant touch to it: please please stand-up and get in touch
with me. Recording and editing isn’t a big anymore. Let us have a chat soon!
Clients often ask me, “what skills should our CRO have”? The answer is very easy and very difficult at the same time. Ideally, the person is a decathlete and holds the world record in each discipline of a decathlon. I chose decathlon over e.g. triathlon, because the CRO really, really needs a very broad skill set! Naturally, such a superhuman doesn’t exist – so what is the practical answer then?
CRO the decathlete
I came up with this picture to describe the CRO’s skill set; this somewhat simplified description has served me well over the years. I will describe it quadrant by quadrant.
Let’s start at the bottom left-hand side. The satellite and the atomic structure depict well, how a CRO should be able to see the “big picture” like a satellite and at the same time should have a view for small items that matter.
The bottom right hand side. Often, good ERM requires a view outside of the box, that’s the reason for the rocket heading up in the drawing. At the same time, the basic tool set of e.g. risk mapping comes in very handy over and over again. The sun and the exclamation mark represent leadership skills and grit, two essential ingredients to get a good ERM framework up and running.
The upper right hand side. It’s all about communication skills. Internal, external, to peers, to the board of directors, to other C-suite members and any colleague(s) within the organization.
And last but not least, the decathlete. Domain knowledge in a few areas is necessary and being “conversant” at least in a few others is very helpful!
superhumans don’t exist – here is the practical approach
A single person might have all the skills shown in the picture above. But this is a rare, fortunate occasion. Mostly, aspiring / incumbent CROs might posses a fair number of the skills, but not all of them.
So how to close that gap? IMHO, nothing beats hands-on growth and development. Megrow Consulting has helped many CROs along their journeys, done onboarding of risk officers and worked with board of directors to define the necessary skill sets for “their” CRO.
The hands-on coaching as described above is best combined with solid knowledge of the methods and procedures. For instance, RIMS or COSO provide ample literature, seminars and e-learning to cover the basics and beyond.
Keen to know how I can support your CRO?
Contact me under email@example.com or via the social media listed at the bottom of the page.