Let’s look at your investment in education. If you graduated from high school, you spent about twelve years in a structured, organized, and managed school program. Excluding homework and travel to and from school, your in-class time may have consumed 2,100 to 2,200 days or about 10,800 to 11,000 hours of your life. If you have a four-year university or college degree, you may have spent another 36 to 45 months in school. Add to your school time the hours of your life spent in other training and education programs for specialized work-related certifications, licenses, and professional recognitions, and four things become evident.
#9 – ERM INTEGRATED FRAMEWORK FOR AUDITORS – GREG HUTCHINS
Today’s quality auditors need to move from detection to analytical auditing. Quality auditors need to know how to evaluate internal and external controls that manage enterprise risks that result from changing competitive environments, shifting customer requirements, restructuring for growth, and managing the supply chain.
ERM controls, commonly called internal controls, are now the hallmark of good corporate governance because they offer the following benefits:
- Promote operational efficiency and effectiveness.
- Manage surprises.
- Ensure reliability of financial statements.
- Ensure compliance with regulations and laws.
Quality auditors must be able to evaluate the effectiveness of enterprise risk management, consisting of the following eight interrelated components:
- Internal environment.
- Objective setting.
- Event identification.
- Risk assessment.
- Risk response.
- Control activities.
- Information and communication.
- Monitoring.[i]
Internal Environment
The control environment is basically the culture of the organization. The environment establishes the ethic of the organization. Senior management sets the ‘tone at the top,’ which permeates the organization; guides, role models, and reinforces behaviors; and influences the control ethic of all stakeholders. The control environment is the foundation of all elements of the control system.
The control environment includes:
- Core values.
- Oversight by the board of directors.
- Credibility of the board of directors and senior management.
- Integrity of the organization.
- Ethical values.
- Senior management’s operating style and philosophy.
- Management deployment of authority and responsibility.
Objective Setting
In quality land, we are very familiar with how quality strategies, plans, tactics, and objectives are deployed down the organization. In much the same way, risk strategies, plans, tactics, and objectives are developed and deployed. Mission-critical business objectives have associated risks in terms of not being able to identify, mitigate, and manage these risks. Risk events are occurrences that can prevent deployment of risk strategies, plans, tactics, and objectives.
Event Identification
The second law of thermodynamics says that entropy, chaos, and risk tend to increase. This is the natural state of physical systems as well as organizational systems. Senior management and key process stakeholders must be able to separate the ‘critical few’ variables or events from the ‘insignificant many’ variables or events. The critical few variables are those that have significant risks.
Events can be identified based on:
- Historical analysis.
- Process analysis.
- Interviews with critical stakeholders and subject matter experts.
- Upper and lower limit real time triggers.
Risk Assessment
Risk is the key filter for senior management decision-making. An organization faces risk from many sources, both within and outside the organization. How it identifies, monitors, controls, mitigates, and ultimately manages overall risk determines how successful and profitable it will be.
All organizations have mission-critical strategies, objectives, tactics, and plans, which are deployed down the organization and into the supply chain. One definition of risk is the ability to meet these objectives consistently. In other words, the ability to assess and ultimately manage risks reflects on the ability of an organization to meet its business objectives.
Risk assessment includes:
- Determining critical business objectives.
- Identifying risks that impact the ability to meet objectives.
- Developing a system to manage the risks.
- Developing mechanisms for managing change.
Risk Response
The risk response is based on the likelihood and magnitude of the event. High dollar, health/safety/environment exposure, or few internal controls require higher levels of assurance and control. A cost-benefit decision is then made based on these and other criteria to bring risk within the tolerance or acceptance range of the organization.
Risk response usually involves one or a mixture of the following:
- Risk reduction
- Risk sharing
- Risk avoidance
- Risk acceptance
Control Activities
All organizations today face uncertainty and risks. The solution is to develop internal controls that mitigate uncertainty and manage risk. These controls are:
“…any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events which have occurred), or directive (to cause or encourage a desirable event to occur).”[ii]
Control activities occur throughout the organization and into the supply chain. There are basically two types of controls: 1. soft controls and 2. hard controls. Soft controls deal with the messages and reinforcers that the board of directors and senior management want to communicate. This is sometimes called ‘tone at the top.’ Hard controls include policies, procedures, and work instructions that detail how management directives and work are carried out. These help ensure that the necessary actions are anticipated and taken to address the risks of not meeting an organization’s objectives.
Information and Communication
Reliable data and accurate information are required to control processes and activities. Without them, there is no control. So critical control information must be identified, captured, and communicated to the right parties so it’s relevant for informed decision making and external reporting. The information must also be in a form and timeframe so process owners can meet their responsibilities.
Information should be captured based on critical needs of the organization. Risk points are identified throughout the organizational value chain and externally into the supply chain. Communication is also reported externally to customers, suppliers, regulators, and shareholders. Risk points become organizational points of control. Information from these points, nodes, or areas may be communicated up, across and down the organization.
Monitoring
Once processes are stable, capable, and improving, these processes must be monitored. Monitoring may mean first party assessments; real time monitoring; second party evaluations such as internal auditing; or third party audits such as by regulatory authorities.
Monitoring ensures critical system, process, and product performance improves over time. Management should Pareto (80 – 20 rule) critical risk-control points within the organization. The scope and frequency of monitoring depend on the evaluation of the control effectiveness to manage critical risks. Then, control deficiencies are reported to process owners, senior management, or the board of directors depending on the risk, materiality, or exposure to the organization.[iii]
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security.
[i] COSO Enterprise Risk Management Framework (draft), 2003.
[ii] Source: IIA Redbook
[iii] “Executive Summary of the Integrated Framework,” www.COSO.com, p. 3, 2003.
When You’re in the Box, You Can’t See the Box
It’s a Bird … It’s a Plane … No, It’s a Meteor Attack
I saw the meteor crash into Russia yesterday. I heard and felt the sonic boom from the YouTube videos. It was hugely scary.
If the Soviets had seen this 20 years or more ago, they would probably have thought it was a preemptive nuclear strike. The Soviets would have retaliated and that would have been the end of the world as we know it.
Could this be the beginning of a new type of space warfare against incoming huge meteors? Speculation. Not really. A few years ago, there was a movie made on this very topic. A huge meteor was going to hit the planet. A strike force was sent up to destroy the comet, which they did successfully.
It’s strange how otherworldly risk events, such as meteors, can take our focus away from the day-to-day concerns.
#3 – WHY INVEST IN YOUR ENVIRONMENTAL HANDPRINT? – JON BIEMER – ENVIRONMENT@RISK
There is a huge risk associated with exclusively focusing on the damage we do to our environment – our footprint. The world knows that glaciers are melting, that the average temperature is rising, and that it would take eight planets’ worth of resources if everyone consumed as much as the American middle class. But Katrinas, Gulf Oil Spills and Fukushima Daiichis generally do not change our personal behavior. With our current mindset we probably will not do enough to turn things around, no matter how much we recycle or how many Priuses we buy.
Better ways to practice our values are needed. The environmental handprint represents one such paradigm shift.
Simply stated, the environmental handprint is the good you do for the world. Here are a few examples: Exploring nature with a child, so she can grow up to care about it. Improving the quality of wind generation. Requiring a five-cent pass-through charge on paper bags in grocery stores. Promoting organic food labeling. Writing a book such as Sand County Almanac by Aldo Leopold, inspiration for the Wilderness Act. Making compact fluorescent lighting user friendly. Inventing and commercializing and buying LED lighting. Planting a tree.
Can you feel the positive energy exuding from these efforts, large and small? Can you see the leverage in working with children? Can you celebrate how some efforts keep on giving long after you and I are done?
Here are five reasons why focusing on one’s environmental handprint is a lower risk strategy than focusing on one’s footprint:
- Creativity, idealism, love, profit, and play are more powerful motivators than guilt, admonitions and fear. Have you noticed how fundraisers are accompanied by entertainment? The only bad news that motivates most of us happens in our back yard.
- A positive feedback loop tends to amplify while negative feedback tends to dampen. Good energy from creating good things feeds upon itself. Profit provides incentive and capital for further innovation.
- Handprinting plays on America’s strength. With founding principles like Liberty and Self Reliance, we have become better capitalists than stewards.
- You can magnify your own impact by influencing others. By designing a more efficient aircraft engine, an engineer (and associated managers, investors and technicians) reduces the CO2 releases of an entire industry. By writing this article I hope to motivate you.
- The impact of your handprint is theoretically unlimited. You can surpass the inevitable damage you do – your footprint. In 1993 I helped organize a conference focusing on industrial energy efficiency. It has continued biennially ever since.
Financial advisors often say, “Sure there is risk in investing in the stock market. But there is also risk in not investing in the market.” The market outperforms inflation in the long run, even when you take into account recessions and the Great Depression.
Let us invest our time, money and energy improving our environmental handprint. Our collective returns, our legacy, will be commensurate with our effort.
Disclaimer: Your personal returns may vary.
BIO: As a project manager with Quality + Engineering and principal of Creating Sustainability, Jon Biemer focuses on Organizational Development. He and his wife live in Portland, Oregon without owning a car. Mr. Biemer is a Certified Enterprise Risk Manager and a registered Professional Mechanical Engineer.