Ask the Experts

 

How can the Agency ERM process and Risk Appetite Principles be used to assist in mitigating strategic (long-term) risks resulting from COVID-19?

Posted By AFERM, Monday, April 27, 2020
Updated: Saturday, November 2, 2024

Question asked by Frank Clark

AFERM EXPERTS SAY...

COVID-19 is a classic black swan event.  Black swan events, as defined by Nassim Taleb, cannot be prevented and can be prepared for only by emphasizing agency antifragility. The COVID-19 pandemic is a realized issue with the emphasis on solving the immediate problems. However, an agency’s objectives and strategies may be influenced in the medium-to-long-term.

ERM processes should include recurring opportunities to survey current conditions and future assumptions and adjust objectives and strategies as appropriate.  The COVID-19 pandemic is certainly one of those opportunities.  Once adjustments are put into place, an agency can examine known uncertainties and their treatment plans.  They can also explore new uncertainties that could impact the revised objectives and strategies.   Risk appetite statements and thresholds should also be reviewed, as what was once considered to be important may not be as important now.  Agencies should examine existing uncertainties in the light of new understanding.  Impact assessments may change and may no longer meet the adjusted appetite thresholds.  New uncertainties that emerge from the altered future landscape must be examined against the updated risk appetite.

 

What are some of the top challenges facing agencies in integrating the OMB A-123 ERM framework with strategic objectives and decision-making processes?

Posted By AFERM, Tuesday, March 31, 2020
Updated: Saturday, November 2, 2024

AFERM EXPERTS SAY...

The greatest challenge to most organizations is overcoming cultural inertia, or reactions to cultural change.  Organizations don’t change quickly or easily, and the practices prescribed by OMB A-123 introduce fundamental changes to organizations’ processes for decision-making and setting strategic objectives.  Cultural change is often difficult, regardless of the need or reasons.  Success takes time, leadership and management commitment and buy-in at all levels, clear and relevant objectives, and continuous and consistent communication.

We’d love to hear more of the specific challenges you may be facing within your organization.  Please join the discussion by posting a comment below.

 

What methods can agencies use to identify risks that are not already realized problems?

Posted By AFERM, Tuesday, January 21, 2020
Updated: Saturday, November 2, 2024

Question asked by Anonymous

AFERM EXPERTS SAY...

Realized problems are by definition issues, also known as deviations from expectations.  The events and conditions that caused the concern have already occurred and are usually referred to in the past tense.  By comparison, unrealized problems, also known as risks, are usually referred to in the future tense or as “what if” questions.  The key to distinguishing unrealized risks from realized risks is to look at where they are in time and how they are described.  In summary, when an issue is identified in past tense it is typically a realized problem, while an issue identified in future tense, or as a “what if” statement, represents a potential threat or opportunity.

 

How does the application of ERM differ in making risk mitigation decisions vs. routine decision making?

Posted By AFERM, Tuesday, January 21, 2020
Updated: Saturday, November 2, 2024

Question asked by Anonymous

AFERM EXPERTS SAY...

Decision making is seldom routine.  At its core, ERM is the same as risk management activities conducted at lower levels within an organization.  The differences lie in the objectives and the uncertainties that impact them.  The objectives at an ERM level are different in that the plans are more strategic than tactical, so it follows that the uncertainties are typically broader in nature, requiring varied responses.  The decision-making process itself involves similar steps but will apply different decision criteria and engage varied levels of stakeholders within an organization.

 

Private businesses often balance between company profit and insolvency risk. Is it necessary to perform similar analysis as part of a public sector ERM program, and how would that analysis differ?

Posted By AFERM, Monday, July 22, 2019
Updated: Sunday, November 24, 2024

Question asked by Anonymous

AFERM EXPERTS SAY...

In the government there is no profit metric or insolvency risk.  However, there are costs associated with responding to uncertainties and benefits resulting from those efforts.  For government entities the balancing act occurs between response costs and the benefits received from the results.

When an uncertainty has the potential for positive or direct impact, measuring the benefit received is straightforward and can occur after the fact.  However, when an uncertainty has the potential for negative impact, measuring the benefits received becomes more challenging.  This results from measuring an outcome that, if the response effort is successful, does not occur.

In both situations the business case for responding to a particular uncertainty hinges on the organization’s ability to estimate response costs against the benefits received.  As such, an organization’s confidence in those estimates becomes vital to the decision making process.

 

The benefits of ERM are often difficult to quantify. Are there measures or common practices to convey the value of ERM in more quantifiable terms?

Posted By AFERM, Tuesday, July 9, 2019
Updated: Sunday, November 24, 2024

Question asked by Anonymous

AFERM EXPERTS SAY...

Quantifying value of any kind is dependent upon what is being measured.  For example, risk management measures the impact of uncertainty against an organization’s objectives, so the unit of measurement depends upon those objectives.  For cost or price-related objectives a common metric is money.  For schedule-related objectives it is typically a unit of time.  Metrics will vary for performance-related objectives based on key performance parameters or requirements.  Like all useful measures, those parameters should be SMART – that is, Specific, Measurable, Attainable, Realistic and Time-bound.  The Project Management Institute article “Quantifying Risk: Measuring the Invisible” describes several methods aligned with cost, schedule, and technical objectives.

Beyond that traditional risk management triad, the ability to quantify ERM value depends on whether the objectives can be quantified.  For example, objectives related to staffing in an enterprise can be quantified by head counts or staff hours.  Government compliance-related objectives can be quantified by number or severity of audit findings.

Other objective categories, such as reputation or safety, can be a little more difficult to measure.  Fortunately, even when an objective defies static quantification, its change can still be measurable.  Survey results, while not so meaningful taken individually, can provide a measure of an enterprise’s reputation over time.  A count of incident reports on any given day may not be a meaningful measure of safety, but when tracked over time can support objectives to improve such a critical factor of business success.

In short, quantifying objectives is a critical step in defining the terms needed to convey the value of an organization’s risk management efforts.  In closing, Albert Einstein reportedly once wrote on a blackboard: “Not everything that counts can be counted, and not everything that can be counted counts.”

 

What information would be helpful for a young adult with a finance degree and specialization in insurance/risk management?

Posted By AFERM, Tuesday, June 11, 2019
Updated: Sunday, November 24, 2024

Full question: I am a recent college graduate and am trying to gain more information on the world of risk management. What information would be helpful for a young adult with a finance degree and specialization in insurance/risk management? I have been reading up on ERM frameworks and am currently working in a claims role. There is extensive information out there and I have no idea where to look.

Question asked by Chris Harley

AFERM EXPERTS SAY...

At the most fundamental level, risk is defined by the International Organization for Standardization (ISO), which says risk is the impact of uncertainty on objectives.  There are three important pieces to that definition, in order of need: objectives, uncertainties, and impacts.

Understanding risk begins with objectives and the plans put in place to attain them. Stemming from those plans are the uncertainties in executing those plans.  Uncertainties have the potential to impact the plans and subsequently the ability to achieve your objectives.

It is important to note that you can’t manage uncertainties themselves, but you can manage how you respond to them.  That is where risk management comes in.  Risk management is a collection of practices that can help you identify uncertainties, prioritize objectives and plans to identify which uncertainties to address, and determine the appropriate response or non-response.

The particular practices used will vary depending on the enterprise and its objectives.  For example, the homeowner’s ‘enterprise’ objectives may include minimizing catastrophic loss from a wide range of uncertainties.   As such, taking out homeowner’s insurance is a contingency response to those risks.  Conversely, an insurance company’s objectives would include profitability and growth.  Risk Management practices may include demographic analysis, damage assessment techniques, and probability simulations.  Responses may include insurance for the insurance company, also called reinsurance.

My advice is to begin with a fundamental understanding of risk management as the principles are the same for the individual and the enterprise.  The Project Management Institute, the Risk Management Society, the Risk Management Association, the Institute of Risk Management, and of course, AFERM are all excellent sources for getting started.  The AFERM Summit held each year (October 29th and 30th in downtown D.C.) is a great opportunity to network with other risk management professionals.

Thank you for your question, Chris, and good luck in your career!

 

How can ERM help bring value and insight during the strategic planning process?

Posted By AFERM, Friday, May 10, 2019
Updated: Monday, November 25, 2024

Question asked by Anonymous

AFERM EXPERTS SAY...

Broadly, ERM brings value to the strategic planning process in several different ways.  First, the “establishing the context” stage of the ERM process provides understanding of major internal and external considerations that can enable the success of the strategic plan or present significant obstacles to achieving strategic goals and objectives.  Armed with this understanding, the outcome of the strategic planning process can emphasize enablers and work to minimize potential barriers.  A second value contribution stems from how OMB defines risk: “The effect of uncertainty on achievement of objectives.  An effect is a deviation from the desired outcome – which may present positive or negative results” (emphasis added).  Thinking about risk as “uncertainty” vice only as a potential threat helps ERM provide input in strategic planning on potential new opportunities to pursue and increase the value the organization delivers through its programs and activities.  The final value contribution ERM provides to strategic planning is providing the strategic planning team with a detailed understanding of potential impacts to the organization if a key risk event occurs, along with information on the approved risk response plans.  Both of these elements can be used during strategic planning to help structure goals and objectives with a higher probability of success.  This link is to a paper produced by the ERM Initiative at North Carolina State University that provides a couple of case studies on integrating ERM with strategy.

 

How can Chief Risk Officers (CRO) and ERM practitioners support Cyber Risk professionals to integrate existing cyber risk management models into the overall framework?

Posted By AFERM, Monday, April 15, 2019
Updated: Monday, November 25, 2024

AFERM EXPERTS SAY...

Version 1.1 of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, released in July 2018, makes it much easier for CROs and Chief Information Officers (CIO) to align the cybersecurity framework with the agency’s ERM program.  Revised definitions and the introduction of various terms (e.g., risk tolerance) make the NIST framework align more closely with existing ERM terminology and approaches.  Additionally, Version 1.1 explicitly acknowledges that the NIST framework is not intended to be rigidly applied, but instead tailored to the needs and environment of the organization.  As stated on page vi, “The decision about how to apply it is left to the implementing organization.”  The greater compatibility with ERM and the flexibility and encouragement to tailor both risk management efforts to the organization provide the basis for integrating cybersecurity within the broader ERM framework.  Figure 2 on page 12 shows an example of how the NIST framework integrates with overall agency risk management efforts.  The revised framework can be found here.

 

What is the difference between a challenge and a risk?

Posted By AFERM, Tuesday, April 2, 2019
Updated: Monday, November 25, 2024

Question asked by Anonymous

AFERM EXPERTS SAY...

The main difference is that a risk is an event that could possibly occur in the future, while a challenge (often referred to as an issue) is an event that has already occurred.  Thinking about this question as the Office of Management and Budget (OMB) defines risk (uncertainty), there is really no distinction other than the level of confidence you have in assessing the event likelihood (see likelihood scale examples on page 97 in the Playbook), and events that fall under either term can be present on the Enterprise Risk Management (ERM) risk register.  There is a higher level of confidence in assigning a very high likelihood if the event has already occurred than for events with some level of probability of occurring in the future.  It is often easier to assess and evaluate challenges because you can identify the actual causal chains that led to the event, which facilitates identifying root cause(s).  Similarly, with events that have already occurred, it is much easier to identify the actual impact on the organization rather than having to predict what the impact might be.

 
© Copyright 2014-2024 AFERM. All Rights Reserved.
Association for Federal Enterprise Risk Management