Posted By AFERM,
Monday, April 1, 2019
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
One way to generate more active involvement in Enterprise Risk Management (ERM) is to make sure your stakeholders truly have “skin in the game.” As in any human activity, people get involved and stay involved with ERM efforts and practices when they can see personal benefit from the involvement.
People generally perceive benefit in two ways. Some will only see benefit in saving their skins, and such individuals tend to concentrate on threats. Others will see benefit in improving their game and will tend to focus on opportunities. It has been my experience that people with an opportunistic mindset tend to be more engaged than people focused on self-preservation; however, either set of individuals will have personal reasons for being involved and active.
Now, it turns out the amount of skin anyone in the enterprise may have depends on their role in the game. The enterprise defines those roles, either directly and specifically or not, by how enterprise goals and objectives translate to individual strategies and plans. The enterprise also defines how the individuals play the game by the culture it creates and nurtures. A culture that promotes continual improvement, encourages taking appropriate risks, and exercises appropriate accountability and rewards innovation will foster opportunistic thinking. A culture that focuses on maintaining the status quo, on punishing failure, on protection rather than promotion, and does not have clearly defined goals and objectives will foster risk intolerance.
Where does the risk management come in? Remember, the reason for risk management, whether practiced at the enterprise or individual level, is to improve the likelihood of successfully meeting or exceeding our goals and objectives. When an enterprise’s goals, objectives, strategies, and plans are translated to individual stakeholders and they accept their role, they will have something to lose and will embrace risk management practices.
To build a more effective ERM community, consider the following:
- At the top, clearly define enterprise goals and objectives with strategies and plans to achieve those goals
- Actively and regularly scrutinize the enterprise’s goals, objectives, strategies, and plans for the purpose of making them better
- Delegate the strategies and plans to the stakeholders and make it clear that the enterprise expects them to adapt their delegated strategies and plans into supporting plans of their own
- Promote a culture that encourages people to identify and spend more resources on opportunities and fewer resources on threats.
Posted By AFERM,
Monday, March 4, 2019
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
This is really two different questions. Emerging risks, by definition, represent uncertainties caused by evolving current or near-term events and conditions. Because they are near-term, we can easily recognize changes in current events and conditions that have the potential to impact objectives and plans.
To use one of the four dimensions of risk impact, emerging risks have high urgency. The changes and their potential impacts are either happening now or will happen soon. For example, consider the stock market. Stock prices change continuously, driven in large part by investors’ perceptions of the impacts of immediate changes in market conditions. Changing conditions can have an almost immediate impact on stock prices. By comparison, risks with a long horizon have low urgency, so they are not likely to impact objectives until well into the future. Objectives with far horizons involve events and conditions far away from present day, and they generally have lower likelihoods.
International Electrotechnical Commission (IEC)/International Organization for Standardization (ISO) 31010 “Risk management–Risk assessment techniques” (2009) includes several risk identification techniques applicable to forecasting near-term or emerging risks. These include Checklists, Business Impact Analysis, and Cause and Effect Analysis. These and several others are particularly useful for identifying near-term or emerging risks because they can take advantage of our knowledge of current events and conditions.
Other ISO 31010 risk identification techniques are useful for longer-range objectives and uncertainties. These include Brainstorming, Delphi, Structured What-If (SWIFT), and Scenario Analysis, among others. They depend less on current knowledge than on our ability to imagine the future and assess its impacts.
Posted By AFERM,
Monday, January 7, 2019
Updated: Monday, November 25, 2024
Question asked by Anonymous
AFERM EXPERTS SAY...
It is important to establish a common definition of risk culture. The Risk Management Society (RMA) defines risk culture as “the set of encouraged and acceptable behaviors, discussions, decisions and attitudes towards taking and managing risk within an institution.” In my opinion, this definition appropriately focuses on attitudes and behaviors as the driving force behind organizational culture because it is ultimately the people, and not the processes and procedures, that determine ERM program success. A useful model to think about with respect to promoting culture is the Attitude-Behavior-Culture (A-B-C) model where culture derives from repeated behaviors, behavior is influenced by attitude, and attitude is influenced by culture. (Hillson, 2013) https://www.pmi.org/learning/library/understanding-risk-culture-management-5922
Culture change efforts can focus on shaping attitudes and reinforcing the desired behaviors associated with the desired risk culture. Considering strategies in relation to the A-B-C model, knowledge and understanding are key to shaping attitude. There are several approaches that an agency can consider, including frequent communications, specific training on the ERM program, using ERM as a common thread woven throughout agency-provided training, and providing other learning forums. Strategies to address the behavior component could include setting expectations and reinforcing the desired risk management behaviors. Creating clearly defined risk appetite statements for employees allows them to apply the statements to the decisions they make within their assigned responsibilities. Adding a risk management core competency or performance goal to performance appraisals can be useful. Additionally, having clearly defined and enforced risk management policies and processes that guide behavioral expectations, along with recognizing and rewarding the desired behaviors, are significant ways to establish and reinforce how the agency expects its employees to behave, individually and collectively. The final culture component of the A-B-C model can be addressed through periodically assessing the risk culture of the organization and by setting the right tone at the top, and through an effective and transparent risk governance process. These aspects are the most important according to Hillson, and the results of a 2013 study conducted by RMA. www.rmahq.org/WorkArea/DownloadAsset.aspx?id=5452
It is important to remember that changing culture is very much an evolutionary endeavor and not a revolutionary one. It is one of the most difficult leadership challenges; it takes considerable effort and time, and progress is difficult to measure.
Hillson, D. (2013). The A-B-C of risk culture: how to be risk-mature. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute.
Posted By AFERM,
Tuesday, November 6, 2018
Updated: Monday, November 25, 2024
Question asked by Anonymous
AFERM EXPERTS SAY...
One of the benefits of aligning ERM with agency strategy is developing information that strengthens the agency’s strategic review process. Recognizing a root cause and identifying outcomes or impacts of the key risk events that can inhibit or enable realizing the strategic goals and objectives of the agency provide greater insights into what actions, resources, and authorities may be needed. Explicitly discussing the risks to strategic objectives and the consequences of the risks, if they manifest, presents an objective argument that supports the actions taken to achieve results and demonstrates that the agency has a thorough understanding of the issues and key challenges to accomplishing its goals.
Posted By AFERM,
Tuesday, October 23, 2018
Updated: Monday, November 25, 2024
Question asked by Anonymous
AFERM EXPERTS SAY...
As with most questions of discretion and management choice, the appropriate course of action is dependent upon considerations beyond residual risk rating or exceeding the agency’s established risk tolerance boundaries or risk appetite level. ERM informs the resource allocation and internal decision-making processes and should not necessarily trigger the focus of resources in any one direction. There may be a range of other factors that agency leaders must consider when deciding where and how to address key risks. For example, the risk may stem from entirely external factors beyond the control of the agency and may require extensive deliberation and negotiation before an acceptable course of action to influence these factors is set and resources focused to respond. There may be broader political considerations that motivate leaders to elect to apply resources to one risk over another. The decision of where to focus may also be influenced by the resources at hand. It may be the better decision to apply existing resources to one risk over another because the agency has those resources available but needs to attain the resources needed to address another risk. Finally, the actions available to the agency may have already been exhausted, and nothing else can be done to reduce the likelihood or minimize the impact if the event materializes, but the residual risk still exceeds the established risk appetite level. Simply monitoring leading key risk indicators may be the only option.
Posted By AFERM,
Thursday, September 20, 2018
Updated: Monday, November 25, 2024
Question asked by Gary Fouts
Additional Details
I'm creating a communications plan for the agency I support as a contractor (FEMA-FIMA). I wanted to hear the depth and breadth of other comms plans supporting ERM. Thanks.
AFERM EXPERTS SAY...
Formal communication programs are crucial for organizations striving to achieve their objectives. One way to approach communications strategies for an Enterprise Risk Management (ERM) program is through discussion of vertical and horizontal communications. Although a very simplistic model in principle, the discussion can prove beneficial. A communication plan facilitates information transfer between the bottom and top levels, as well as every level within the organization and across stakeholder pools on horizontal platforms. Simply put, a communication program can support communication up and down (support to leadership) and side to side (stakeholder to stakeholder or office to office), as evidenced by the examples provided below.
The first example addresses not just information direction, but also information flow. This can be compared to a water spring, where information flows point to point from the bottom level of an organization through the layers to the top for decision-making, and then it is dispersed throughout the organization. In this model, each organization at the bottom primarily transmits its information to update the top levels of the organization where decisions are made, and then risk responses and their corollary effect spread across the organization. The primary purpose of this communication program is to provide necessary information to “leadership” for quick and conclusive decision-making.
Other organizations, however, require a more complex model that is multi-directional simultaneously. Unlike a water spring, which is more unidirectional and cyclical, the information flow effect for this example resembles airport terminal traffic. In this model, each terminal or department within the organization is responsible for transmitting and receiving risk information from every other node. This can be compared to airport terminal traffic, where individuals use escalators, elevators, moving platforms, and stairs to move to and from any terminal in the airport. The primary purpose of this type of communication model is to provide transparency and information symmetry across the organization.
The key to an effective communication program is choosing the right communication model for a particular agency, depending on where the organization is in its ERM maturity curve. In addition, it is important to remember that as an agency matures and changes, the communication program will most likely need to evolve as well.
Posted By AFERM,
Thursday, September 20, 2018
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
To answer the second question first, risk responses are not internal controls. Industry professionals know that agencies identify risks, develop risk responses, and then implement internal controls. If risk responses are not internal controls, then what is the relationship between the two?
Internal controls ensure that the objective of a risk response is carried out effectively. When comparing risk responses and internal controls to the construction of a building, one could say that the risk response is more of the “blueprint” or “architectural diagram” and the internal control is the “engineered solution.” Internal controls ensure the execution of the risk response. In addition, the relationship between risk responses and internal controls can be one to one, or one to many, and in some rarer circumstances, many to one. One risk response could be affected by one internal control or by several. Multiple risk responses could be affected by one internal control if the risk responses are very similar or if the internal control is complex and multi-faceted.
Now, what happens if an organization already has internal controls, and how is that considered when establishing the likelihood of risk? There are three parts to this process. In part one, “inherent risks” are identified based on risk impact (calculated using probabilities of incidence and severity), assuming a world without controls. In part two, the agency develops a risk response, applies an internal control, and re-measures, which leads to “controlled risk.” In part three, agencies measure the risk impact and/or output over time given the implementation of the control to determine if there is any “residual risk.” As such, internal controls become very important in parts two and three when establishing the likelihood of risk.
Posted By AFERM,
Thursday, September 6, 2018
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
Reporting will vary depending on leadership and how the audience best receives information. However, reporting will likely focus on the accomplishments of the ERM program, particularly as it relates to enabling an agency to effectively manage risk tolerances at the goal and objective levels and risk appetite at the agency level. To accomplish this, agency leadership should view the risk tolerance of each objective and goal as a target measure of performance.
For example, an agency may leverage a risk tolerance scale of 1-10, with an objective risk tolerance determined to be a 4. The goal of the ERM program is to ensure that there is the least amount of deviation of risk associated with that goal from the established threshold. Further, consider a target with 10 rings, where the agency’s targeted risk tolerance is the fourth ring. The agency’s actual results can then be overlaid on the target to view any potential deviation. If the results are actually ranked at 5.5, the agency took on too much risk compared to its threshold; the risk response will need to be adjusted. If the ranking is actually at a 3, the agency expended too much energy reducing the risk and can shift resource use to another focus area. Ultimately, this representation allows for management to understand how well the ERM program is helping the organization in accomplishing its mission, goals, and objectives.
Additional methods used by agencies include storyboard or dashboard-style presentations capturing key risk metrics for a portfolio of risks, or at a more granular level by program or individual risk. This can be facilitated through user-developed applications based on Microsoft Office Suite tools, or through more advanced governance, risk and compliance (GRC) automated solutions that have built-in analytics and reporting capabilities. We have also seen other informative communication strategies where agencies use a newsletter campaign to broadly distribute important updates, useful tips, and planned implementation details to risk stakeholders on a frequent, recurring basis. The goal is to help stakeholders make informed decisions and keep ERM at the forefront through proactive engagement.
Posted By AFERM,
Thursday, September 6, 2018
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
This question touches on an important distinction within ERM program implementation. There is a significant difference between a fully compliant ERM program and a fully capable ERM program. Compliance focuses on the contents of an ERM program, while capability focuses on what an ERM program can achieve.
A fully compliant ERM program can be established in 1-2 years, seeking to institute an Enterprise Risk Board, a governance structure, risk appetite statement, updated Statement of Assurance, risk profile, etc. It is not as easy to build an ERM program that is mature, fully functioning, integrated, and outcome-oriented. In a smaller, less complex agency with leadership buy-in, this could range from 5-7 years. However, in a larger, complex, decentralized agency, it could take 5-10+ years. It is important that agencies not be discouraged by those projections. Effective ERM is meant to be a long-term, evolving endeavor.
Posted By AFERM,
Tuesday, August 7, 2018
Updated: Monday, November 25, 2024
AFERM EXPERTS SAY...
Agency buy-in, especially from senior leadership/executives, is often difficult to achieve, and resistance to new initiatives is common across all levels of the organization. Successfully implementing ERM requires the ERM team to focus on change management in conjunction with developing the program processes, policies, and procedures. It is helpful if there is positive tone and commitment to ERM from the head of the agency and/or deputy. Key change management elements that should be addressed include focusing ERM efforts on strategic goals and objectives; recognizing and celebrating wins; building internal risk management capabilities with ERM champions at various levels; clearly stating the rationale and benefit case for ERM; tailoring the program to fit existing organizational culture and processes, where possible; and encouraging continuous engagement and collaboration. Several specific actions that agencies might consider include incorporating ERM into executive performance plans; explicitly integrating key risks into resource allocation decisions; applying the ERM framework to an issue widely recognized as a problem by most agency executives; and incorporating risk management principles throughout agency training programs, both as a stand-alone effort and integrated into other courses.