Risk Commentary

New website: RiskCommentary.ca

We see a contradiction: increased need for Enterprise Risk Management, while risk managers report low perceived value of their processes. High Quality Risk Assessment addresses uncertainty and helps solve chronic business problems. Join Edward Robertson, successful ERM practitioner, to discover a simple process that delivers clear value.

Is Enterprise Risk Management Dead?

Podcast launch! Is Enterprise Risk Management (ERM) dead? There is a stunning disconnect between the unprecedented need for ERM to be “instilled into the corporate DNA” and lacklustre risk manager survey results. Let’s explore why ERM is broken, and how to fix it.

- Welcome to the Risk Commentary podcast
- Who is this podcast for?
- Mission
- Credentials
- Is ERM Dead? Survey results
- Why is ERM so incredibly convoluted and seemingly complex?

KEY QUOTES
“We are in an unprecedented and evolving landscape unlike anything that we have ever seen historically.” This from the former President of Lloyd’s of London for North America... and yet only 35% of those surveyed have a full Enterprise Risk Management practice.

LINKS
- Book: Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (E.R. 2016)
- Interview with LoriAnn Lowery-Biggers and colleague Sean Murphy by John Czuba of Legal Talk Network.
- The State of Risk Oversight - An Overview of Enterprise Risk Management Practices by AICPA. April 2021.

06-01
13:10

Enterprise Risk Management: Busting Myths - part 1/2

What are common misconceptions that can block success in your Enterprise Risk Management program? Your host Edward Robertson has a list of ERM myths, observed over several years’ experience as practitioner and educator. For each point, we will give you the practical take-away to apply in your risk management program.

- Myth #1: ERM is one thing.
- Myth #2: International standards (ISO 31000; COSO, etc.) give ERM implementation guidance.
- Myth #3: ERM is unproven.
- Myth #4: ERM imposes an unacceptable administrative burden.
- Myth #5: ERM is the purview of audit & finance.
- Myth #6: All the various pre-existing risk disciplines and practices will be replaced by ERM.
- Myth #7: Managers in all verticals can reasonably be asked to conduct risk assessment.

LINKS
- “over 80 risk management frameworks...” Ahmad, Saudah et al. (2014) “Enterprise risk management (ERM) implementation: Some empirical evidence from large Australian companies”
- “30% of time spent in meetings was unproductive...” S. Rogelberg, et al. “Wasted Time and Money in Meetings: Increasing Return on Investment”

06-08
15:41

Enterprise Risk Management: Busting Myths - part 2/2

ERM myths, observed by your host over several years’ experience as practitioner and educator. For each point, we will give you the practical take-away to apply in your risk management program.

- Myth #8: Managers, directors, analysts, CEOs, etc. know how to implement new programs.
- Myth #9: Enterprise Risk Management can best be implemented by using a software application.
- Myth #10: Defining risk tolerance is essential to an ERM program.
- Myth #11: Monitoring compliance constitutes effective ERM.
- Myth #12: Linking corporate strategy to ERM is difficult and complex.
- Myth #13: ERM takes 3-5 years to implement.
- Myth #14: Good ERM predicts the future; it is effective forecasting.

KEY QUOTE
Do not fall prey to the myth that the technology, in and of itself, will inspire acceptance and take-up of the new risk management program.

LINKS / NOTES

Program implementation failure
- Synopsis of various studies.

Technology implementation failure - LinkedIn post
- Scroll down to innovation: successful tech implementation part one

Risk tolerance vs risk appetite - pdf
- Risk & Insurance Management Society: Exploring Risk Appetite and Risk Tolerance

Compliance
- Steering clear of compliance pitfalls © Key Media Pty Ltd. Unattributed, 31 May 2010. Corporate Risk and Insurance. Excerpt:

"The most common pitfall in compliance programs is an overreliance on policies, procedures and systems, according to Ulysses Chioatto, director of SSAMM Management Consulting.

A cursory glance over all the convictions and enforceable undertakings by ASIC in the past five years highlights this overreliance on policies, procedures and systems by financial services providers in their compliance programs, said Chioatto, with little to no work on people – or to put it another way, the company’s culture.

Both internal and external auditors as well as compliance and risk officers pore over documents, flowcharts, plans and reports from computer risk and compliance applications, yet breach registers are overflowing, or worse still, completely empty."

06-15
18:46

Enterprise Risk Management: Definition and Core Practice

Time to get into the ERM process! Let’s start with definitions that reflect a precise method.

- *Definitions: rationale and approach
  1. Enterprise Risk Management
  2. High Quality Risk Assessment
- Significance of High Quality Risk Assessment process
- Summary

KEY QUOTE
“One key message here is: do not fall into the trap of trying to lead a risk ID session, much less implement an entire ERM program, where goals and objectives are poorly defined.” (Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation p.32)

LINKS
- *My definition of ERM shows a clear process, whose results were praised by the BC Auditor General. See blog post of Enterprise Risk Management example: 5-part case study of ERM implementation, Camosun College.
- E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016)

06-22
18:36

Is Your Strategic Planning Really Any Good?

The all-important risk identification process: High Quality Risk Assessment. The first step is actually to fix the organization’s planning practice!

- Six steps in High Quality Risk Assessment
- Investigate and fix the planning practice.
- The intuitive, informal approach -- does it work?
- The importance of the planning language.
- Properly formulated goals.
- Properly informed goals.
- The crucial point in the development trajectory of organizations.
- Conclusion: we need proper planning and management systems in order to mature.
- Complete planning practice
  - Strategic identity; internal analysis
  - Looking outward; external analysis
  - Vision
  - Gap analysis
  - Formulation of goals and objectives
- Beneficial psychological effects of engaging staff in planning process.
- Summary

KEY QUOTE
“Why do so many strategic plans end up on the shelf? It’s curious, given that strategic planning is among the most popular of management tools.” (Robertson, 2019, p. iv)

LINKS
- E. Robertson Strategic Planning: Process, Templates and Effective Implementation (2019)

06-29
17:17

Strategic Planning - Best Practices

Foundation for ERM: you must have the best organizational planning practice you can muster.

- Recap: 3 basic steps in strategic planning process
  - internal
  - environmental scan
  - goal formulation
- Three types of planning
  - internal organization
  - strategic
  - operational
- Broader schema
  - to try to relate planning and management practices (Agile, Lean, ERP, etc.) see Robertson Strategic Planning
  - review to see where you might make changes
- Is strategic planning dead?
  - Mintzberg’s article “The Rise and Fall of Strategic Planning”
  - strategic planning is popular; yet somehow mysterious and ineffective (kinda sounds like ERM!)
  - his true complaint: not predictive; focused on quantitative targets; not participatory
- Recommended practices in strategic planning:
  - an iterative process; participatory, involving dialogue and exchange
  - well-informed by detection of trends, conditions and emergent issues
  - helps promote an integrated culture
- Note on the use of academic studies
- Conclusions: significance of good strategic planning:
  - research and discussion
  - common understanding that is developed
  - resulting meaningful action
- Is it too much to ask that risk managers look at planning?
- Summary

KEY QUOTE
“Traditional planning fails to take into account the creative processes and discoveries that generate breakthroughs.” (article ~ Wall, S. and Wall, S.R.)

LINKS
- Aldehayyat J & Anchor J (2010) “Strategic Planning Implementation and Creation of Value in the Firm”
- Wall, S. & Wall, S R (1995) “The Evolution (Not the Death) of Strategy”
- E. Robertson Strategic Planning: Process, Templates and Effective Implementation (2019)

07-06
12:24

Establish Context - Underrated, Misunderstood

“Establish the Context” - the most misunderstood and underrated step in the whole risk management process.

- Recap of topics so far
- Establish the Context
- What do the standards mean by “Establish the Context”?
- What are the elements and true significance of “Establish the Context”?

The headings in what I call the Context Paper, used to prep a risk ID session:
1. Title of the plan under scrutiny
2. Goals and objectives of that plan
3. Corporate values
4. Risk categories
5. Stakeholder analysis
6. Procedural and due diligence points (constraints)
7. Deliverable

KEY QUOTE
“Do not introduce as risk things into the risk ID session which should, properly speaking, simply be trends and conditions that are already known -- that should have been taken into account in the formulation and design of the plans themselves.”

LINKS
- E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016). The discussion on Establish Context begins in Chapter 2.2.
- Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates

07-13
17:54

How to Establish Context

Context for risk assessment could mean projects, contracts, administrative workflows, technical processes, etc.

- Summary of the series to date.
- High Quality Risk Assessment.
- Establish the Context.
- Context Paper - The purpose is twofold:
  - to create a highly useful aid to facilitation; and
  - to create a testament to due diligence.
- Trap of trying to identify risk in business settings where goals are poorly formulated.
- What if we don't have hierarchical “goals” and “objectives”?
- Examples of Special Contexts
  a. budgets
  b. formal projects (project management)
  c. contracts
  d. workflows: administrative procedures or technical processes
  e. performance management regimes
  f. specialized disciplines
- Alternative contexts must still somehow express goals or intended actions that are clear.
- Summary

KEY QUOTE
“The ERM champion must scrutinize the planning and even coach managers to adopt a complete planning practice... As a consequence, the risk information ultimately developed will make clear sense.” (Robertson, p.31)

LINKS
- Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates
- E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016). The discussion on Establish Context begins in Chapter 2.2.

07-20
16:19

Why is Risk ID All Over the Map?

Looking carefully at conventional advice, we discover why risk ID can be ineffectual.

Confusion entrained by the supposed risk ID methods set out in conventional literature.
- interviews and surveys, questionnaires
- audits, physical inspection
- brainstorming
- networking with peers, industry groups
- judgemental - speculative, conjectural, intuitive
- history, failure analysis
- examination of personal experience or past agency experience
- incident, accident and injury investigation
- scenario analysis
- decision trees
- SWOT analysis
- flow charting, system design review
- work breakdown structure

Conclusions
- Procedures in this list can certainly inspire the search for risk, but are problematic for various reasons.
- By contrast High Quality Risk Assessment is specified to identify uncertainty in relation to goals.
  - High Quality Risk Assessment definition (Ep. 004)
  - procedural grounding in proper planning (Ep. 005, 006)
  - preparation of the Context Paper for the risk ID session (Ep. 007, 008).

KEY QUOTE
“Such a multiplicity of [risk ID] methods might entrain confusion about the object of the exercise.” (Robertson, p.42)

LINKS
- Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates
- E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016)

07-27
18:45

How to do Risk Identification

The process of risk identification itself. We can do so with confidence, because all of the procedural and conceptual elements we need are finally in place.

- Recap
- High Quality Risk Assessment:
  - Preferred method: round-table of experts
  - Prepared session: agenda, context paper and facilitation aids
  - Risk formulation rules - see blog post.
  - Points in facilitation
- Review: conceptual and procedural foundation

Notice that in our preparatory work, we have:
- proper concept and definition of risk ID and assessment (Ep. 004)
- procedural grounding in proper planning (Ep. 005, 006)
- procedural refinement in the creation of a Context Paper for the risk ID session (Ep. 007, 008)
- avoided pitfalls entrained by some of the conventional risk ID advice (Ep. 009).

The question arises once more: is all of this too much work?

Summary statement of your expected result:

As required in our definition of High Quality Risk Assessment (Ep. 4), we have to identify risk:
- that is consistently conceived among participants as uncertainty connected with goals
- in direct association to intended actions (goals/objectives) that are researched and substantiated
- in relation to defined corporate values which govern behaviour of staff and employees
- comprehensively, considering all possible relevant sources of risk
- as efficiently as possible, being mindful of the constraints in using people’s time
- rigorously, so as not to gather information based on vague and disparate ideas of risk
- within a context using defined assumptions that are documented and so contribute to due diligence
- in such a way as to effectively aggregate qualitative and semi-quantitative information

So, there we have a summary description of all the prerequisites and elements of an effective risk identification exercise.

In the next episode, we can continue our work in the round table session by assessing the risks, once they are identified and formulated.

KEY QUOTE
The deliverable for a risk ID and assessment session: "A comprehensive list of risks, arranged in several categories of analysis, with criticality rankings and mitigation measures, arrived at by consensus, to inform an improved business plan." (Robertson p.36)

LINKS
- Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates
- Blog post - How to Write Risk Statements
- E. Robertson Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016)

08-03
17:27

How to Facilitate High Quality Risk Assessment

High Quality Risk Assessment implies comprehensive risk identification and a sensible assessment using four key criteria. I share a generic methodology developed and refined over years with clients.

- Review of the advantages of round table method
- Risk identification - finer points of risk formulation
- Facilitation - finer points of facilitation
- LIFT: Listen; Interpret; Formulate; Test
- Risk assessment - four aspects
- Summary

KEY QUOTE
Definition of High Quality Risk Assessment: “The comprehensive identification and analysis of phenomena that could prevent the achievement of objectives, or compromise associated values, of a researched and planned program, followed by a principled response.” (Solving the ERM Puzzle, p.11)

LINKS
- Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates
- (Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
- RIMS document, pdf download: Exploring Risk Appetite and Risk Tolerance

08-10
19:11

Risk Register and Breakthrough Mitigation

High Quality Risk Assessment: What is the true significance of the risk register you’ve built so carefully? How does it lead to dramatic, breakthrough risk mitigation?

- Facilitating risk assessment
- Risk register - the full significance
- What have we accomplished so far?
- Quality infused at each step
- Result: revelations in the perception of the risk profile
- Breakthrough Risk Mitigation
  - mitigation action that is truly “breakthrough” and dramatic
  - expert participants sorting on risk information
  - novel interpretation of risk profile: identify fundamental risks
  - evidence-based decisions
- Creativity and innovation
  - introducing imaginative and unorthodox solutions
  - taking it offline as special project
  - do not short-change this part of the process
- How is the risk register used going forward?
  - transformed from a static snapshot to a dynamic management tool
- Summary

KEY QUOTE
“Poorly understood chronic problems often have to do with the nebulous and difficult questions of communications and working relationships...” (Robertson, p.58, Section 2.5 Risk Mitigation and Review)

LINKS
- Do you need a risk matrix (risk register) or other templates for risk assessment? Enterprise Risk Management Tools and Templates
- (E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation

08-17
16:13

Who is the Risk Champion?

Enterprise risk management implementation: Who is the champion?

Edited for length.

- Significance of the Enterprise Risk Management champion
- Who actually is leading this work? What are the requisite qualifications and background? Is any special training needed?
- Background and qualities
- Functions
- Principles of program success (discussed in full E15): A few success factors and their relation to ERM
- Summary of traits of ERM champion

KEY QUOTE
“the ERM champion’s success in instituting ERM will not hinge on the degree of authority leveraged. The reason is that willing participation in genuine Enterprise Risk Management... is not a response to formal authority. It is an outcome of seeing the value of the new process.” (Robertson 2016, Solving the ERM Puzzle, p.24)

LINKS
- Edited transcripts: The ERM Minimalist available at Books and Courses. Works well with Play Books (read aloud function) and Apple Books.
- (E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation

08-24
15:36

ERM Implementation: Minimal Footprint

How can we roll out Enterprise Risk Management with a minimal footprint?

Edited for length.

Principles-based approach
- value proposition (cost-benefit analysis) - principle: no big capital outlays; practitioners prove method through trials
- execution - principle: gradual, organic growth, not command and control
- risk ID methods - principle: rigorous definitions and procedure; integrate with existing practice
- policy, standard and governance - principle: minimal paperwork
- benefits - principle: ascertain first direct short effects then later higher order outcomes

Summary: How do we maintain a minimal footprint in the implementation?

KEY QUOTE
“Program managers of new initiatives are under pressure to show results, and it is easy (but risky) to communicate promises rather than demonstrate the work. Focus on a low-key approach that relies on evidence of benefits.” (Solving the ERM Puzzle... p.75)

LINKS
- Edited transcripts: The ERM Minimalist available at Books and Courses. Works well with Play Books (read aloud function) and Apple Books.
- (E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation

08-31
11:31

Principles of Successful ERM Implementation

How to implement an Enterprise Risk Management regime that is readily accepted and endures? Answer: by mastering the principles of program success, which will set you apart as an administrator.

Edited for length.

Employ proven success factors for program implementation shown in studies.
1. clear goals and objectives - how to formulate them?
2. senior executive support - how to secure meaningful exec support?
3. staff buy-in, the age-old problem - how to get take-up? is software the answer?
4. program adequacy - how does bad ERM design scuttle the program?
5. adequate resources - how to support people’s efforts
6. program champion - significant role for organizational change
7. incremental implementation - avoid common fail in a monolithic imposition

Value add: How to compile more risk criteria specifically for your business.

Summary
[see unedited transcript for full discussion]

Use all these principles as Risk Categories in your next risk ID session.

KEY QUOTE
“Master the principles of program success that have already been studied, and really apply to all administrative programs, all management initiatives -- not just ERM.”

LINKS
- Edited transcripts: The ERM Minimalist available at Books and Courses. Works well with Play Books (read aloud function) and Apple Books.
- (E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
- Program implementation -- failure and success factors: please see the resources I listed in Episode 3.

09-07
13:43

Fixing Common ERM Challenges

ERM mid-life crisis: how to rejuvenate and validate the program.

- The curious juxtaposition of need vs poor take-up.
- Steps in analyzing and fixing poor take-up in ERM programs.
- Several specific fixes for improving the compelling nature of risk information.
- What about “opportunity”? Ref: Innovation.
- What about other risk management sub-disciplines?
- Return to first principles in planning and HQRA.
- Review again the principles of program success (Ep 15).

KEY QUOTE
“The result [of High Quality Risk Assessment] is a body of risk information that is fresh and revelatory, leading to problem solving. When that happens at your risk ID session, it is unmistakable. People see the logic of the method and acknowledge that it is working.”

LINKS
- Free introductory course: Innovation: How Can My Organization Get Started?
- (E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation

09-14
15:27

Is Financial Risk Management Equivalent to ERM?

ERM, for some, consists solely of Financial Risk Management. Is this sound? We offer commentary on quantitative modelling and its place in Enterprise Risk Management.

- Quantitative methods examples
- Chief limitations of quantitative models
- Proprietary internal risk rating systems
- Forecasts and probability estimates
- 2008-2009: crisis in risk management methods?
- Strategy and market risks scuttle the company
- Recommendations
- Quotes from the financial experts
- What constitutes due diligence?
- What is the worldview informing the faith in quantitative models?
- Summary

KEY QUOTES
“...a new kind of blindness: the one induced by new technology and elaborate quantitative models.” (B. Voyles) Voyles and other financial experts mentioned quoted in Robertson, p.98

“...much more is being underwritten, correlated, and contemplated [by major insurers] than the traditional hazard risks.” Interview with LoriAnn Lowery-Biggers and Sean Murphy by John Czuba; see EP01.

LINKS
- Blog post: Economic Crisis: Why ERM Did Not Fail
- E. Robertson 2016 Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation

09-21
15:58

Due Diligence, Risk ID for Major Projects

[Re-edited for clarity.]

Due diligence is not the same as risk assessment; they are complementary.

Due Diligence and High Quality Risk Assessment: how could they be used?
1. Quote: the hope for a less quantified, more qualified and thoughtful approach.
2. Due diligence definition vs risk assessment.
3. Order of operations:
   a. select using matrix with criteria;
   b. conduct risk assessment.
4. Maturity matrix definition.
5. Thought experiment: due diligence for investment project using maturity matrix.
6. Maturity matrix (semi-quantitative analysis) with categories:
   - firm
   - management team
   - business model
   - deal structure
7. After d.d. scoring, do risk assessment.
8. This proposed method would help the management team.
9. “High returns = high risk”. Is it strictly accurate?
10. Application of Due Diligence and High Quality Risk Assessment in stages of major projects.

Summary

KEY QUOTE
“The practice of due diligence has evolved into SOX checklists... Best practice awards are given to the weightiest presentations (by the pound) and third party vendors are predominantly selling ‘perfect solutions’ for enterprise risk management that will seriously impede your ability to conduct business.” (L. Burke Files, Due Diligence for the Financial Professional, 2010, p.6)

LINKS
- Robertson, E. Enterprise Risk Management Tools and Templates, 2016. p. 35 - Enterprise Risk Management maturity matrix, based on Carnegie-Mellon methodology.
- Mark C. Paulk, Bill Curtis (CAST Research Labs), Mary Beth Chrissis, Charlie Weber: Capability Maturity Model for Software (Version 1.1). The original article whose methodology has been borrowed and applied to many aspects of business.

09-28
14:58

Opportunity and Innovation

What is the “upside” of risk? Does ERM manage opportunity meaningfully? It leads to a structured innovation program that risk managers can lead with confidence.

1. Opportunity - origin of the idea in ERM
2. Opportunity - how can we make sense of the idea?
3. Opportunity - as innovation
4. Innovation
   a. an established discipline
   b. within the grasp of the risk manager; an expanded role
5. Innovation - Free Online Introductory Course
6. Innovation - Paid Course

Summary

KEY QUOTE
“...risk managers can borrow from the practice of innovation and use a structured method to seek out, evaluate, greenhouse and develop new ideas” (Robertson 2016 p.112)

LINKS
- Risk Commentary podcast books and courses.
- (E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
- Technology implementation - 3-part discussion, LinkedIn audio posts: innovation - successful tech implementation

10-06
14:52

The C-Suite Considers ERM

What are the key questions of senior executives in considering the adoption or remediation of enterprise risk management? Answers to these questions form an overview to guide the successful roll-out of ERM.

Key questions entertained by the C-suite with regard to ERM likely include these three:

a. What exactly is ERM?
   Due to uneven development in the field, definitions are many. I offer a carefully crafted definition.
b. Is there a verifiable value proposition?
   Get clarity on strategic identity and aims; support execution of goals and objectives; analyze and solve business problems.
c. How can it be integrated, quickly and efficiently, with existing planning and management?
   Establish sound planning, and use the principles of successful program implementation.

An elaboration on these answers is given over the course of the podcast series.

Main points:
1. Enterprise Risk Management is rational planning.
2. Business Continuity and Emergency Planning.
3. A multiplicity of definitions.
4. The planning regime.
5. Survey results.
6. High Quality Risk Assessment.
7. Principles of program success.
8. Titles and job descriptions.
9. Conceptual hurdles.
10. Scenario analysis and Future Scenarios Planning.
11. Prove the value of Enterprise Risk Management.

KEY QUOTE
“Enterprise Risk Management holds the promise of capturing the entire spectrum of risk across the organization. This book answers the need for a generic ERM methodology, proven by experience in the field, in both public and private sectors.” (Robertson 2016 back cover)

LINKS
- (E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation
- Blog posts addressing risk tolerance:
  - Risk Tolerance: Non-Finance Examples
  - Making Sense of Risk Tolerance, Risk Appetite

10-12
13:03
