The Dept of Defence (Australia) assesses capability in 7 categories: Purpose, Environment, Organisation, People, Process, Data, and Material. Below I have used this methodology to lay out the guiding principles for achieving a successful Enterprise Risk Management (ERM) system.
- Purpose: To Increase Shareholder Value . Unfortunately, there is a preponderance of risk practitioners who still view risk management as the objective, process and outcome of risk management. This art-for-art-sake approach hamstrings ERM to an administrative role preventing it achieving its capability as a value adding strategic role. Restructuring current risk practices to be outcome-focused, instead of process- or control-focused, and to have those outcomes tightly coupled to corporate objectives allows for meaningful aggregation over disparate operations and natures of risk. Evaluating the risk outcome in terms of capital, contribution, metric tonnes, or man-days allows for the simple aggregation of a financial, safety and reputational risk into useable value. Conversely, it also allows executives to understand the importance and value of the application of specific risk controls by their impact on business objectives. By linking risk management back to strategic objectives ERM allows targeting of where, what and how resources are deployed to maximise growth in Shareholder Value.
- Environment: Must implement ISO 31000 . Avoiding the perennial arguments of COSO ERM vs ISO 31000, Technical Risk (Financial) vs OpRisk, etc, any Enterprise Risk Management must be what works for you. COSO isn’t ERM but is a framework while ISO 31000 isn’t a framework but is ERM. In the end ISO 31000, as they say about being rich, isn’t everything but sure beats what’s in 2nd place. Any system you implement must adhere to ISO 31000 principles to have any chance of success. If you accept business is subject to the same laws of physics as the rest of the physical world, then you have to accept the 2nd Law of Thermodynamics’ everything tends to a state of disorder. This means, as most senior business people know, unless you actively work on forever developing your business it will fail. i.e. control is not enough and Continuous Improvement is a mitigation strategy.
- Organisation: Maintain an independent Risk Culture to Organisational Culture. Organisational culture and risk culture are very different. (see The “Risk Culture” Myth ) Obviously they will impact each other, but they are characteristically different. Organisational culture relates to a value system (social responsibility, client focused, employee empowerment) where risk culture relates to behavioural system (awareness and practices). A value system will take years to alter but behavioural systems are capable fast adaption given the right leadership. Risk Culture must remain independent of Organisational Culture to be the “objective” and honest evaluation of situations untainted by belief and philosophic views. Decision biases are the greatest threat to effective decision making and predominantly arise from entrenched belief systems and philosophic views. An organisational Culture embodying customer, employee and community values are vital to the pursuit of the corporate mission and vision. The enthusiasm and direction it engenders in both good and bad times, along with common/shared objectives are the driving force of business success. But without the counter balance of an independent Risk Culture this enthusiasm has the ability to drive the business right off a cliff. The graveyard of corporate collapses is strewn with the results of misguided good intentions.
- People: Be Employee Oriented. Culture and operational performance are driven by staff attitude. Ensuring specific employee attitudes and practices will make or break all the other good work above. Their buy-in is critical i.e. employees must adopt the system as an endemic part of their job. So how do you achieve this elusive end? Anyone involved with change management will tell you that to change a person’s behaviour, the person must see a personal benefit. So stop drawing flow charts and setting rules. Get out and talk to HR. Better yet, skip HR and talk directly to your staff. (see The Secret to Successful Compliance Management? It’s Not the System)
- Process: Fit-for-Purpose. Integrate multiple frameworks . A true enterprise risk management system must allow the coexistence of multiple risk frameworks within the one system and allow for horizontally aggregations as well as the traditional vertical consolidation, even between risks of different natures. Trying to have a single management framework for an entire enterprise is ensuring mediocrity not best practice. Finance doesn’t use a LIFO system for accounting, and production doesn’t use a market forces method for requirements planning. In benchmark best practice, all management systems model the real world environments in which they operate. But they still have to report back to a common framework of corporate objectives. Just as an enterprise resource planning (ERP) system is an integrated set of different modules for different parts of the business, enterprise risk management has to allow each of the different parts of the business to evolve its own risk models applicable to the business environment for that part of the business. This doesn’t preclude the ability to consolidate or interrelate risks. It just needs a smarter method of doing it than purely summation. Under an enterprise risk management system, contrary to what most believe, I see strategic risks not as another type of risk but as the umbrella over the top of the other types of risk. Strategic risks are directly related to business strategies and therefore business objectives.
- Data: Is for Decision Making not Predicting the Future. Risk management cannot predict the future! Enterprise risk management (ERM) is a coordinated linking of all organisation risks into a single model so everyone is aware of the effect immediately. Business can be every bit as chaotic as the weather. Like the weather, although we can’t predict the future, we can prepare for the possible outcomes. Since Risk is defined as the level of uncertainty, the purpose of risk management is to assist in planning for the future. A good ERM lets you quickly respond to opportunities by cross-referencing information from plans, histories and resources. It puts that information at operational management’s fingertips. When it encompasses monitoring of Key Risk Indicators (KRI) showing the effect of influences and drivers on strategic objectives, it allows management to react to threats and opportunities as they occur instead of in a post-mortem review. When alternative scenarios have to be included with board submissions, decisions move from reliance on individuals to monitor-able outcomes.
- Material: Acknowledge. Uncertainty is uncertain and models aren’t fact. Like the servant behind a triumphant Roman General whispering, “You’re just a man”, sometime, when looking at models, I think we need someone whispering “it’s just a scenario”. Business can be more “chaotic” (see Chaos Theory & C-Level Disillusionment With Risk Management) than weather due to fickle “human nature”. History is not always a predictor for the future and models still rely on subjective inputs. Having said that, models still have a key role in indicating the direction of risk events and possible options, and should be looked on as assisting informed decision making. Forget the 5×5 “Risk Matrix”, current best practice tools include Scenario Analysis, Causal Network, Bayesian Inferences, Environmental Scanning, and Watch-list dashboards.
In summary, when developing your ERM keep it practical, make it outcome focused, use as an aid to decision making, promote staff benefits, and forget the old “Risk Matrix”.
Published previously. Used by permission of author.
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd.
Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organizations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture for how enterprise risk management should look in the 21st century.