Last year I read an article that said today’s risk managers are tomorrow’s CEO’s. I was intrigued and wanted to advance my career. This is my story with Carnegie Mellon University’s Chief Risk Officer (CRO) program.
The Carnegie-Mellon Chief Risk Officer (CRO) course is timely. Having attended the inaugural CRO course, some observations and thoughts might be of interest. First off, the curriculum, faculty, advisers, and facilities are all first rate.
And, the amount of material provided to digest is significant. If you want to learn the nuances of creating a likelihood scale for the occurrence of adverse events, different building materials resistance to fire, earthquake scales (it is not just Richter you know), project schedule assessment or a Prouty Matrix, then this is not the course for you. But, if you want to learn the concerns of senior executives and boards of directors and their language, this course will provide the knowledge and skills to effectively communicate risks at these levels.
It just might be a path to a C-level suite
Risk management has taken on more prominence in the last several years. Developing expertise in risk management techniques, enterprise risk management (ERM) frameworks and implementation may help prepare for a promising future career choice. Risk is everywhere, healthcare, aviation, financial, project, insurance, pick your area. The challenge is learning the fundamentals while at the same time begin positioning for a role that has enterprise impact. Placement and access as some might say. Along the way one has to be familiar with change management and organizational culture, not exactly a hard science field. And if you aim for a CRO position, the language and focus is different than that of risks a project or program manager are concerned with. Instead of technical, interface, scope change, schedule, and cost risks, the focus shifts to enterprise level concerns and reporting upward where concerns include enterprise sustainability, reputation, and achievement of strategy and business objectives.
The certificate is designed around a combination of five days of in class lecture, six live virtual modules, in person work sessions, and a team practicum presentation. Ten topic areas are covered in the course: Role of the CRO/Building a Risk Program; Leadership and Team Building; Building a Risk Program; Coordination among lines of defense; Operational and Enterprise Resilience Management; CRO Role in Cyber Risk Management; Business Execution; Risk Tools and Techniques; Risk Assessment and Measurements; and Risk as a Competitive Advantage.
CMU STRUCTURE
Knowledge gained during the course is applied in a Practicum (project) by small teams of three to four people. Of the teams in my course, most selected topics outside of their professional expertise, for example, retail and entertainment businesses. Teams researched not only the business sector for existing and emerging risks, but also the business they chose. Most large companies have an extensive internet presence, and publicly traded companies are required to file Security Exchange Commission reports such as 8-K, 10-K, and 10-Q, making the research task manageable. For example, the retail sector has seen numerous bankruptcies and the presence of Amazon is pervasive. Circuit City, Radio Shack, Sports Authority, Claire, and Toys R Us are examples of long standing businesses that have succumbed to changes in the market. These are just a few examples. The list is lengthy, however. Competing in the retail sector is fraught with risk.
While risks may be many, deciding on what risks to present to a senior executive council or board of directors is another matter. One of the most valuable aspects of this course was the team’s presentation to a panel composed of distinguished representatives with a broad cross-section of experience not only in business, but also in Enterprise Risk Management.
HOW TO GET STARTED?
While there are a number of frameworks to choose from that may be used for Enterprise Risk Management, including ISO 9001:2015 and ISO 31000:2018. The 2017 version of the COSO ERM Framework released in September 2017 was the obvious choice for three reasons. First, it is the latest available. Second, it is explicitly focused on linking risk to business strategy and objectives with obvious appeal to senior executives and board members. Third, the COSO ERM Framework is the most widely used.
Do I recommend this course?
Yes, if you are interested in ERM, this just might be the course for you. The course provides – exposure to a variety of contemporary topics in Enterprise Risk Management-related areas, a faculty rich with real world experience, a prospective network of students from a cross section of business and government, and access to faculty and staff both during the course and after course completion. CMU provides a “go-to” ERM resource.
WANT EVEN MORE ERM KNOWLEDGE?
Then you might also invest in the Certified Enterprise Risk Manager® (CERM) certificate program “boot camp” developed by Quality Plus Engineering for professionals to learn risk-based problem solving and risk-based decision making tools based on ISO 31K, COSO, IEC, NIST 800, and other risk frameworks. The Bootcamp is based upon and requires 1000 pages of review of the following textbooks that are core to the Bootcamp; Risk Based Thinking, Standard Manual of Risk Based Process Auditing, and ISO 31000 Enterprise Risk Management.
Having the good fortune to have attended a boot camp before the CMU CRO course, I found that the knowledge provided gave me a solid foundation for getting the most out of the CRO course.