CERM Bootcamp Lessons Learned

We just ended our first Certified Enterprise Risk Manager(R) Bootcamp in Seattle.  Five days of risk bonding, sharing of risk information, and risk learnings.  It was a great success.

We had a number of lessons learned:

Enterprise Risk Management (ERM) is reshaping many industries, including pharma, electric power, water, and food.  These industries are developing ERM standards.  The challenge is that many of these standards have not been deployed or adopted.

Adoption of ERM is still early in most companies.  Publicly held companies often have mature ERM as part of their internal control over financial reporting programs to comply with Sarbanes Oxley and other regulations.  The operational ERM programs are still in their infancy.

Material risks are more often in operations, technology, and IT.  Engineering, IT, quality, supply management, and other operational professionals need to learn and implement risk management in their areas.

Tell us about your ERM experiences.  Are they the same as our lessons learned?

Morphing Professions – Greg Hutchins

Our firm – Quality + Engineering – provides professional engineering, forensics, and risk management.  In the last two months, we’ve been contacted to:

1.  Manage outsourced quality operations.
2.  Reframe a much smaller quality group into a risk management group.
3.  Do a combination of the above.


#9 – ERM INTEGRATED FRAMEWORK FOR AUDITORS – GREG HUTCHINS

Today’s quality auditors need to move from detection to analytical auditing.  Quality auditors need to know how to evaluate internal and external controls that manage enterprise risks that result from changing competitive environments, shifting customer requirements, restructuring for growth, and managing the supply chain.

ERM controls, commonly called internal controls, are now the hallmark of good corporate governance because they offer the following benefits:

  • Promote operational efficiency and effectiveness.
  • Manage surprises.
  • Ensure reliability of financial statements.
  • Ensure compliance with regulations and laws.

Quality auditors must be able to evaluate the effectiveness of an enterprise risk management system consisting of the following eight interrelated components:

  • Internal environment.
  • Objective setting.
  • Event identification.
  • Risk assessment.
  • Risk response.
  • Control activities.
  • Information and communication.
  • Monitoring.[i]

Internal Environment
The control environment is basically the culture of the organization. The environment establishes the ethic of the organization. Senior management sets the ‘tone at the top,’ which permeates the organization; guides, role models, and reinforces behaviors; and influences the control ethic of all stakeholders. The control environment is the foundation of all elements of the control system.

The control environment includes:

  • Core values.
  • Oversight by the board of directors.
  • Credibility of the board of directors and senior management.
  • Integrity of the organization.
  • Ethical values.
  • Senior management’s operating style and philosophy.
  • Management deployment of authority and responsibility.

Objective Setting
In quality land, we are very familiar with how quality strategies, plans, tactics, and objectives are deployed down the organization. In much the same way, risk strategies, plans, tactics, and objectives are developed and deployed.  Mission critical business objectives have associated risks in terms of not being able to identify, mitigate, and manage these risks.  Risk events are occurrences that can prevent deployment of risk strategies, plans, tactics, and objectives.

Event Identification
The second law of thermodynamics says that entropy, chaos, and risk tend to increase.  This is the natural state of physical systems as well as organizational systems.  Senior management and key process stakeholders must be able to separate the ‘critical few’ variables or events from the ‘insignificant many’ variables or events.  The critical few variables are those that have significant risks.

Events can be identified based on:

  • Historical analysis.
  • Process analysis.
  • Interviews with critical stakeholders and subject matter experts.
  • Upper and lower limit real time triggers.

Risk Assessment
Risk is the key filter for senior management decision-making. An organization faces risk from many sources, from within and outside the organization.  How it identifies, monitors, controls, mitigates, and ultimately manages overall risk determines how successful and profitable it will be.

All organizations have mission-critical strategies, objectives, tactics, and plans, which are deployed down the organization and into the supply chain. One definition of risk is the ability to meet these objectives consistently. In other words, the ability to assess and ultimately manage risks reflects on the ability of an organization to meet its business objectives.

Risk assessment includes:

  • Determining critical business objectives.
  • Identifying risks that impact the ability to meet objectives.
  • Developing a system to manage the risks.
  • Developing mechanisms for managing change.

Risk Response
The risk response is based on the likelihood and magnitude of the event.  High dollar, health/safety/environment exposure, or few internal controls require higher levels of assurance and control.  A cost-benefit decision is then made based on these and other criteria to bring risk within the tolerance or acceptance range of the organization.

Risk response usually involves one or a mixture of the following:

  • Risk reduction
  • Risk sharing
  • Risk avoidance
  • Risk acceptance

Control Activities
All organizations today face uncertainty and risks.  The solution is to develop internal controls that mitigate uncertainty and manage risk.  These controls are:

“…any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events which have occurred), or directive (to cause or encourage a desirable event to occur).”[ii]

Control activities occur throughout the organization and into the supply chain. There are basically two types of controls: soft controls and hard controls.  Soft controls deal with the messages and reinforcers that the board of directors and senior management want to communicate. This is sometimes called ‘tone at the top.’ Hard controls include policies, procedures, and work instructions that detail how management directives and work are carried out. These help ensure that the necessary actions are anticipated and taken to address the risks of not meeting an organization’s objectives.

Information and Communication
Reliable data and accurate information are required to control processes and activities. Without them, there is no control. So critical control information must be identified, captured, and communicated to the right parties so it’s relevant for informed decision making and external reporting. The information must also be in a form and timeframe so process owners can meet their responsibilities.

Information should be captured based on critical needs of the organization. Risk points are identified throughout the organizational value chain and externally into the supply chain. Communication is also reported externally to customers, suppliers, regulators, and shareholders. Risk points become organizational points of control. Information from these points, nodes, or areas may be communicated up, across, and down the organization.

Monitoring
Once processes are stable, capable, and improving, these processes must be monitored.  Monitoring may mean first party assessments; real time monitoring; second party evaluations such as internal auditing; or third party audits such as by regulatory authorities.

Monitoring ensures critical system, process, and product performance improves over time. Management should apply the Pareto principle (80/20 rule) to critical risk-control points within the organization.  The scope and frequency of monitoring depends on the evaluation of the control effectiveness to manage critical risks. Then, control deficiencies are reported to process owners, senior management, or the board of directors depending on the risk, materiality, or exposure to the organization.[iii]

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com

WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security.  His current books, available on all platforms, are shown below:


[i] COSO Enterprise Risk Management Framework (draft), 2003.

[ii] Source: IIA Redbook

[iii] “Executive Summary of the Integrated Framework,” www.COSO.com, p. 3, 2003.

#5 – INTEGRATED ERM AND CYBERSECURITY – PETER MALPASS – TECHNOLOGY@RISK

Under the Sarbanes-Oxley Act, publicly traded corporations must apply appropriate methods to ensure controls over the organization, one of which is enterprise risk management (ERM). The Federal Information Security Management Act (FISMA) states that federal government agencies must comply with the guidance and standards of the National Institute of Standards and Technology (NIST) in its Special Publication 800 (SP800-nn) series for Information System Security (ISS), also known as cybersecurity. Commercial firms are well served by adopting that guidance too. Cybersecurity, as a sub-discipline of Information Technology (IT), has had problems communicating with middle management and executives. In December 2010, NIST published a second draft of its guidance, “Integrated Enterprise-Wide Risk Management” (NIST SP800-39), that works with its rapidly evolving cybersecurity special publication series to try to bridge that gap.

Background
In the hierarchy of problem solving methods, Bob Charette[1] described the differences between risks and problems and between risk management (RM) and problem management (problem solving) very clearly.

  • Risk – a future event or situation with a realistic likelihood of occurring and an unfavorable consequence or impact on the successful accomplishment of well-defined goals if it occurs
  • Problem – a condition or obstacle which makes it difficult to achieve a desired goal, objective or purpose
  • Risk Management is an organized, systematic decision-support process that identifies, assesses or analyzes, and effectively mitigates or eliminates risks in order to achieve objectives. (PMBoK). RM concerns managing the potential future effects of current decisions, and tries to eliminate the root causes of risk
  • Problem Management deals with managing the current effects of past decisions, and in so doing creates new risks

The differences between problem and risk management are primarily in time frame, control span, and information domain: problem management has a short time frame, tight controls, and needs only narrow information. Risk management has a long time frame, loose controls, and wide information needs. Indeed problem management is a subset of risk management. Charette[1] points out that lack of time, control, or information often is the root cause of risks, and that lack of risk management mostly leads to more severe and repetitious instances of problems. The management of risk is the management of change and of the choices that come with change.

Risk Management
RM methods exist in many domains. The NIST (security) risk management cycle[2] is in Figure 1. It also is a form of action inquiry (frame, advocate, illustrate, inquire), a technique from high-capability organizational transformation[3]. The initial step is framing the context in which to identify risks and defining them. This can be organizational context or individual risk context. Risk owners may be assigned in this step or the next. Risk assessment involves identifying the likelihood and impact or consequences of the risk becoming a problem, but also a) the indicators and their threshold values when the risk mitigation should be activated, and b) the priorities to address the risks. Risk mitigation is what one chooses to do to reduce the likelihood or impact of the risk if its indicator threshold is exceeded. Risk monitoring tracks the risks and status of mitigations and activates mitigations as indicated.

Figure 1: NIST Risk Management Framework[2]

Risk Management can be done at many organizational levels. Traditionally Enterprise Risk Management (ERM) has been in the domain of finance or actuarial science. As Greg Hutchins[4] says, “Would you trust me, an engineer, to audit your books? Then why would you trust a CPA to audit your technical processes?” An enterprise needs both financial and technical risk management at appropriate levels, but it has to be affordable and cost-effective.

“Integrated Enterprise Risk Management” provides a detailed description of how three tiers of risk management can integrate to provide an appropriate context for cybersecurity as the lowest tier RM mechanism as in Figure 2. The focus of SP800-39 is on inter-tier deliverables rather than methods at each level.

There is a spectrum of ways to define risks during the framing step, from simple brainstorming (open) through model-based approaches to checklists (closed). Which method is appropriate varies as to situation, the organization’s risk culture and appetite, and its governance mechanisms, as well as the different techniques available at different organizational levels. Figure 3 provides the primary focus of each tier. Charette[1] notes that the lower the organizational level, the more bounded the risk set, and so checklists are more appropriate, but they are almost never all of the risks that should be defined in framing risk. RM is about managing change, so static checklists can’t provide good risk identification for long.

Figure 2: Multi-tiered Enterprise Risk Management[2]

©1993, Robert Charette

Figure 3: Risk Approaches by Organizational Tier[1]

The risk framing and identification techniques used in Tier 1 range from traditional strategic planning: Political, Economic, Social, Technology / Strengths, Weaknesses, Opportunities, Threats (PEST/SWOT) brainstorm analyses (open) through model-based approaches such as COSO[5] brainstorming to checklists generated from trade journal and economic factor lists and financial ERM methods. Tier 2 techniques range from brainstorming à la Force-Field Analysis[6] (open) through an appropriate Business Value Model-based brainstorm to discipline-specific or functional checklists such as Westerman’s “IT Risk Management” checklists.[7] Tier 3 methods run from simple brainstorms to risk-area-based brainstorms (Office of Management and Budget’s Circular A-11, Exhibit 300, 2005 list of 19 risk areas in which all investment programs had to identify risks), to checklists (the NIST SP800-53A 400+ security controls that might be required of an information system).

The COSO[5] model for Tier 1 is shown graphically in Figure 4. The risk management process is the eight rows, while the four bands across the top are the areas in which to brainstorm risks at organizational (and supply chain) tiers.

Copyright 2004-2011. Committee of Sponsoring Organizations of the Treadway Commission (COSO).  All rights reserved.  Used with permission.

Figure 4: COSO[5] ERM Framework as Model for Brainstorming Risks

An example of how to initiate a Tier 2 business value model-based brainstorm is shown in Figure 5. The core, value-production process is in the center with support areas (probably multiple processes each) at the top and a risk or how to find risks noted. References for how to do the rest of the above methods are in the appendix. For examples send an email to the author.

© John Wiley & Sons, Inc. 1998

This material is reproduced with permission of John Wiley & Sons, Inc.

Figure 5: Value-Shop Model Basis for an IT Organization Risk Generation Exercise[8]

There is no canned approach yet to integrate RM across tiers. The best approach is from Russell Ackoff[9] where he describes how to establish interlocking governance boards across levels. That is, one member from boards below or above or both is on a governance board presenting and carrying back results of the other board’s dialog and decisions. NIST SP800-39 describes the roles and responsibilities of each tier and the way each provides input and feedback to the others.

Managing Change to RM
With respect to adoption of RM, in 1993 Charette[1] was concerned that RM would follow the trajectory of Total Quality Management (TQM) as a bottom-up method that would not become a stable executive behavior. His thesis was that without executive and middle management understanding of the difference between risk management and problem solving, RM would become bureaucratic and then disappear from its own weight. The newest change management methods are from the Leadership Development Framework (LDF) and the Action Inquiry method[3]. Leaders may be at one of seven stages (see Figure 6). The leader, usually a manager, sets the culture of the group s/he manages to his or her stage given enough time. Thus how you work with a group tends to depend on how you would work with its leader. Depending on the level, there are mechanisms to use to engage them in change.

For leaders / groups of stage 5 and up (15% of people), there is usually not a problem in being heard and having the idea of RM reviewed and prioritized among other opportunities to be pursued. For a leader or group at stage 4 (30%), one has to raise the RM idea and sell it, but the leader will not dismiss it immediately. A good business case[10] will be sufficient to get RM in the set of opportunities to pursue.

Action Logic | Characteristics | Utility | Frequency
Magician | Generates societal transformations, integrating material, spiritual, and social | Good for leading cultural changes | 1%
Strategist | Generates organizational transformations: uses joint inquiry, care, vulnerability | Effective leader to transform an organization pro-actively | 4%
Individualist | Integrates organizational and personal processes by creating unique ways to close plan-actual gaps | Effective in consulting and new developments | 10%
Achiever | Meets strategic objectives via teams, balancing people needs and results | Good operations manager with desire for action and need to achieve | 30%
Expert | Approaches problems from expertise in logic of a discipline, seeking efficiency | Good contributor | 38%
Diplomat | Nice, avoids open conflict, values-based decisions | Social binder, support for others | 12%
Opportunist | Narcissistic, manipulative, power-seeking | Good when collateral damage isn’t important (emergencies, used car sales) | 5%

Figure 6: Leadership Development Framework Stages

Stage 3 Experts (38%) – engineers are the archetype – tend to be comfortable with the processes that they use and in which they have roles. They also value observations over theory. Describe RM as a process and how it can be embedded as very minor changes in current processes to address requirements of “looking before we leap.” Give stage 3 experts a concrete example of how RM might have helped versus hindsight. The analogy that RM is like looking through the windshield at where you’re going, while quality (process) assurance is like looking out the side windows, and quality control / test is like looking in the rear view mirror may resonate as well.

Stage 2 Diplomats are nice. They appreciate niceness and conformity to espoused organizational values. RM may be something they can support as an organizational value. FAA has a passion for aviation safety (inherently risk-based) or fear of something not nice happening if RM is not tried. Al Cole at CIA once said that government managers, especially executives have three motivations. The first is to get into the good old boys (and girls) club. This may not be in the organization but outside. Pressure may be made to exist via the phenomenon of management fads. Second, and three times higher motivation than getting into “the club,” is fear of being accused of not being a team player. To use this motivation, someone must have adopted RM and others should be talking about it. Third and the most powerful motivator of all is to show the manager or executive how s/he can say, “Aren’t I wonderful?” for helping you. All of these reflect stage 2 Diplomat thinking.

Finally, a stage 1 Opportunist may be sold that riding the RM train will bring him/her fairly instant gratification and rewards. However, they are not good at any kind of input or feedback, so it may be better to find another manager or group rather than take the risk of trying to sell RM to a narcissist. Send an exciting (but short) article about how RM saved an organization or caused it to excel.

The FAA adage is also true for all of the above. “If you want anything to change you have to build a coalition, and if you invite anyone to the table, you have to have some quid pro quo, even if it’s only your own time and effort, which it always will include.”

Summary
Risk Management is likely to be an excellent island of stability in the current sea of change. Unlike a lot of other changes, some of the techniques, such as Force Field Analysis, can be performed and show value to the participants in as little as 20 minutes for tactical or even middle management decisions about the future. As with other methods, it is better if the whole organization adopts its use within a short period, and the culture changes too. Integrated ERM is a new concept, but without its adoption, the other RM types are less likely to deliver maximum value or to be sustained.

Previously published in IEEE USA Today’s Engineer

References for methods:

  • Brainstorming – http://en.wikipedia.org/wiki/Brainstorming
  • PEST analysis – http://en.wikipedia.org/wiki/PEST_analysis
  • SWOT analysis – http://en.wikipedia.org/wiki/SWOT_analysis
  • Force field analysis – http://en.wikipedia.org/wiki/Force_field_analysis
  • COSO ERM – http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf


[1] Bob Charette, “Fundamentals of Risk Management,” SEI 2nd Symposium on Risk, 1993.
[2] NIST, “Integrated Enterprise-Wide Risk Management,” www.nist.gov, Gaithersburg, MD, 12/2010.
[3] David Rooke & Bill Torbert, “Seven Transformations of Leadership,” HBR, Cambridge, MA, 4/2005.
[4] Greg Hutchins, personal communication on Value Added Auditing, 21 Mar 2005.
[7] G. Westerman & R. Hunter, “IT Risk: Turning Business Threats into Competitive Advantage,” Harvard Business School Press, Cambridge, MA, 2007.
[8] C. Stabell & O. Fjelstad, “Configuring Value for Competitive Advantage: On Chains, Shops, and Networks,” Strategic Management Journal, 19, pp. 419-437 (1998).
[9] Russell Ackoff, “The Circular Organization: an update,” The Academy of Management Executive, 3(1), pp. 11-16 (1989).
[10] Email pgmalpass@hotmail.com