#157 – HOW TO START AN ERM INITIATIVE? – INTERVIEW WITH GEARY SIKICH

Tell us a little about yourself and your latest risk engagements?

I have over 30 years of experience in what I will term the broad base of risk management. I have been engaged by over 100 clients nationally and internationally, representing major components of the public and private sectors. I have written four books on crisis management, business continuity, pandemic planning and have published over 380 articles relating to crisis, risk, business continuity, pandemic planning and contingency planning issues.

I have been working with several companies nationally and internationally to develop methodologies to provide alternative analysis of threats, risks, hazards and vulnerabilities. The methodologies provide a baseline for assessment and for development of contingency plans to buffer against risk realization.

What is enterprise risk management (ERM) and why is it becoming more critical in business?

Enterprise risk management is a comprehensive methodology that is employed to identify, quantify and buffer risk within organizations at the strategic, operational and tactical levels. As business and government become more complex and have more “touchpoints” within their spheres of interest, responsibility and influence, they face the potential for catastrophic failures.

Can you give us an example how ERM works and its benefits?

Since risk is not static, the ERM process has to continually identify, assess, and buffer against risk realization. ERM can, in a well-developed and deployed system, provide seamless communications throughout the organization, allowing for alternative analysis and information sharing to reduce risk exposure.

What are the first steps to start an ERM program?

The first steps include, but are not necessarily limited to: 

  • Getting top management buy-in
  • Providing outside and objective evaluation, while being inside and aware
  • Allowing fearless skeptics to express themselves (with finesse) without fear of reprisal
  • Having an array of tools that can be deployed as needed
  • Being willing to hear bad news and act on it
  • Creating a team that can “war game” effectively

Of course you also have to identify opportunities, focus the opportunities, seek solutions, analyze ideas, select top solutions and implement, monitor, control and change as necessary. There is no standard process that organizations have to follow; they have to find out what works for them and embrace the process, internalizing it.

A critical issue that often comes up is determining the appropriate risk management framework to use.  Can you provide us insights on this important question?

I created an assessment tool that is patterned off of the military targeting system known as CARVER. The version that I created is called LMSCARVER™ and is an eight-section format that incorporates the business aspects of assessment, such as work in progress, financial exposure, etc.

How does a company establish a culture of risk-based problem solving and risk-based decision making?

I think that this is one of the biggest challenges for ERM. You have to make ERM a way of doing business and not an adjunct to the business being done. It has to be embedded at all levels and there has to be buy-in regarding the value added by the ERM process. Allow for analysis that is counterintuitive; recognize organizational and individual biases and do not allow them to influence the decision-making regarding risk.

What are the critical issues to consider in sustaining a successful ERM initiative?

A dedicated and funded working group that represents a mix of talent from within the organization is one key to success. This group should be chartered to act independently and their recommendations should be acted upon. This begets a responsibility for the group to provide timely analysis and alternatives that expand the decision makers' thought process. Some concluding thoughts that may prove helpful:

  • We think we can manage risk by predicting extreme events – worst case scenarios are always overshadowed by the next worst case.
  • We are convinced that studying the past will help us manage risk – risk is in the future and it is not static, we do not operate in the same environment as we did in the past.
  • We don’t listen to advice about what we shouldn’t do – there is a need for counterintuitive analysis, alternate analysis and critical thinking.
  • We assume that risk can be measured by standard deviation – we cannot estimate the probability of what is uncertain and/or unknown, it’s simply impossible.
  • We don’t appreciate that what’s mathematically equivalent isn’t psychologically so – the biases of the organization and the individual will almost always overrule the mathematics.
  • We often seek advice from those who have “no skin in the game” – unless I am vested in the process, you have more to lose than I.

What do you see as the future of risk management and enterprise risk management?

In the near future I see risk management as a practice in a state of turmoil. This turmoil is the result of new perspectives clashing with the established, albeit myopic, view of risk management as it has been traditionally practiced. You have new standards, such as ISO 31000, and regulations that are expanding. Additionally, I see C-Suite executives and boards of directors putting more emphasis on expanding the role of risk management. This is due partly to the aforementioned standards and regulations, and because of the increased liability (personal as well as corporate) that these managers face. The cyber threat has really put an emphasis on doing everything that can possibly be done to address this risk and the broad base of risk that is linked to cyber and information systems in general.

In the long term, I see risk management as a C-Suite initiative – a permanent position with input on strategy, operations, continuity, contingency and security planning, etc. I also see more representation on the board of directors, stakeholders' and regulators' agendas and the “Value Chain” touchpoints that the organization has (customers, suppliers, vendors, etc.).

Risk management is being transformed by complexity, uncertainty and velocity – today, and tomorrow, you cannot simply say you have your risks addressed because you have insurance, did a risk assessment or developed plans to address the risks you have identified. Risk is not static; whatever you do to buffer against risk changes the risk, and whatever others do to buffer against the risk further changes your exposure and buffering strategies.

About the Author

Geary W. Sikich is the author of “It Can’t Happen Here: All Hazards Crisis Management Planning” (Tulsa, Oklahoma: PennWell Books, 1993). His second book, “Emergency Management Planning Handbook” (New York: McGraw-Hill, 1995), is available in English and Spanish-language versions. His third book, “Integrated Business Continuity: Maintaining Resilience in Uncertain Times” (PennWell, 2003), is available on www.Amazon.com. His latest book, entitled “Protecting Your Business in a Pandemic: Plans, Tools, and Advice for Maintaining Business Continuity”, is published by Praeger Publishing. Mr. Sikich is the founder and a principal with Logical Management Systems, Corp. (www.logicalmanagement.com), based near Chicago, IL. He has extensive experience in management consulting in a variety of fields. Sikich consults on a regular basis with companies worldwide on business-continuity and crisis management issues. He has a Bachelor of Science degree in criminology from Indiana State University and a Master of Education in counseling and guidance from the University of Texas, El Paso. Geary can be reached at (219) 922-7718.
