Economic Crisis: Why ERM Did Not Fail

Risk management controls: not implemented — or rather, subverted

We are continuing to experience economic turmoil. After the first severe and generalized wave of economic upheaval originating in the US recession, many in risk management circles were speaking of “the failure of Enterprise Risk Management”. First, let’s not characterize what happened in those terms, because failure depends upon one’s point of view; the failure was not universal. The people responsible for what Galbraith called the “seemingly imaginative, currently lucrative, and eventually disastrous innovation in financial structures” did not fail.  (He was writing back at the time prior to the October 1987 crash, about parallels to 1929 — but might just as well have been referring to collateralized debt obligations – CDOs).

Enterprise Risk Management Manifesto

Enterprise Risk Management is now finding its place in creating strategic value.

Traditionally confined to either loss control in the realm of commercial insurance, or financial controls and audit, enterprise risk management has now taken an evolutionary step to encompass the entire spectrum of strategic and operational risk.

Risk has gained, in recent years, a high profile in the public mind, as waves of corporate malfeasance, natural disaster, security threats and economic meltdown have rocked the foundations of organizations in all sectors, and created profound distrust among stakeholders. ERM implementation is now proving its value as conventional risk management duties expand to embrace strategic planning and innovation.

Enterprise Risk Management Tools & Templates – pdf/print/ebook

ERM Tools & Templates – 2nd edition

[UPDATE] Enterprise Risk Management Tools and Templates is now available on Amazon, in both print and ebook formats. In this companion volume to the main text Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation, I give 17 tools and templates in full colour, 8.5” x 11” size.

Demand is especially strong for a sample risk register, properly formulated risk statements, and an environmental scan template.


Table of Contents

01. ERM and Core Risk Management Process
02. ERM – Organizational Preparedness
03. Complete Organizational Planning Process
04. Governance, Risk and Compliance (GRC)

05. Environmental Scan
06. Stakeholder Analysis
07. Context Paper
08. Risk ID and Assessment Session – Agenda

09. Risk Register
10. Enterprise Risk Categories
11. Risk Statements

12. Probability-Severity or Likelihood-Consequence
13. Heat Map

14. Risk Tolerance
15. Risk Management Plan: Report to the Board

16. Weighted Multi-Criteria Selection Tool
17. ERM Maturity Matrix based on Carnegie-Mellon method

The document will take the form of text, spreadsheets and diagrams, and be accompanied by explanatory notes — it aims to answer needs among risk managers.

[UPDATE: 2nd EDITION EXPANDED TO 17 ITEMS – 07 October 2016]


Managing Program Implementation

2011-06-29 / How to Implement ERM / 0 Comments

The implementation gap (rev 15 Jul 2017)
Managers in all business domains have had experience with program design and implementation, project implementation, and change initiatives. This could apply to a new practice, work process, or regulatory compliance exercise. The challenges in public policy implementation are similar. In fact, whether in business or in government, these efforts encounter high failure rates. For example, failed software application roll-outs are a common experience.

Program failure rates are alarmingly high, as are levels of waste in software application roll-outs that collapse or underdeliver.  It is safe to say that more time and attention are paid to the software features themselves, program and policy design (or the creation of a new business initiative, or government policy) than to a specific plan for execution. Implementation seems secondary in importance to plan formulation.

Once plans are set or software selected, should not the implementation among staff, stakeholders, or other intended beneficiaries itself be planned and subjected to risk assessment? The literature points to many sources of program failure and success. I have accurately predicted software debacles in government, and have also facilitated long-lived successes. In other words, the principles of program success and change management are known, but not commonly used.

An article by Travis L. Russ – “Communicating Change: A Review and Critical Analysis of Programmatic and Participatory Implementation Approaches” (Journal of Change Management, 8:3–4, 199–211, September–December 2008) – caught my attention. He calls two broad approaches of change initiatives ‘programmatic’ and ‘participatory’. I have also divided implementation into what I call the ‘formalistic’ vs. ‘the real work’ aspects, with parallels to Russ’s conception.

Formalistic or programmatic implementation
The formalistic aspect or bureaucratic side of program implementation consists of promotion, advertisements of anticipated benefits (promises), rhetoric, persuasion, and directives, and all associated documentation. Russ, focusing on communication in particular, characterizes this ‘programmatic’ approach as a: “downward cascade of information about the change, such as the transmission of new policies/procedures, knowledge or facts about the change process, and directives for how the change should be implemented” (p.200). If such directives were well-informed, then the situation is tolerable. But often they are not. A typical example of this is the executive ‘kick-off’ speech, where the exec gives the change initiative official blessing, but does not participate in working out the practice of the new program.

The real work or participatory approach to implementation
By contrast, the real work aspect of change is the trial and proof of the intended change mechanism itself – whether (as in most of my posts) it has to do with risk management, or indeed with a new management practice, quality regime, training program, or marketing project. The real work means that pilot groups, in cooperation with the change facilitator, must explore the new practice and experiment with it. Russ seems to concur: “participatory approaches invite input, using involving and empowering methods to gain the insights of various stakeholders to shape the change programme and not merely to ‘receive it’” (p.204).


Enterprise Risk Management Critique

2010-12-21 / How to Implement ERM / 1 Comment

It is useful for risk managers to recognize a divide in the literature. Some tacitly accept ERM pretty much as the standards and guidelines describe it; others take ERM to be a social construct – something that does not really exist as it presents itself. This is an important distinction because there is no way to understand and evaluate ERM without taking a critical view.

Enterprise Risk Management is conceptualized in a critical way by Michael Power in his book Organized Uncertainty: Designing a World of Risk Management (Toronto: Oxford University Press, 2007). Standard functions for audit at one time were to check compliance and probity. Power argues that, now, internal control has been reconstituted as risk management. A central thesis in this book is that the idea of risk has taken over as an organizing principle.

We are all familiar with “change fatigue” – and the fact that Enterprise Risk Management has been viewed as just another “flavour of the month”. Many implementations have gotten stuck, complaints of red tape are common, and many are still reporting poor ability to identify and assess risk. The puzzle, as Michael Power points out, is “the continuing co-existence of local critique and world-level conformity” (p.197).

ERM has evidently persisted, even through “the failure of ERM” to predict the economic crisis. Is it because practitioners find that ERM works to create and preserve value? Or, is it because the values that ERM represents are necessary as a sort of exercise in legitimacy? Compliance and risk governance, from Power’s perspective, make up a “moral economy” (p.192).

Power calls into question another mainstay of ERM: “Reputation has come to be a modality of organizational governance but is not itself uniquely governed by any specific interest group or expertise.”(p.185). I’m not sure about the last part of that sentence, because public relations and brand are what some people live for. But obsession with reputation risk – as a program objective – occurs, whether in the private sector, or in government where civil servants should be managing their programs and not politicians’ PR. Power points out that this focus on reputation has now transformed it into a “first order” risk, rather than a downstream consequence.

Many people in government have asked me: what about opportunity? Opportunity is indeed part of the rhetoric, but you will scarcely find it supported with methodology in guidelines and standards. Power’s assessment: “ERM, which celebrates the entrepreneurial spirit of risk taking, may paradoxically lead to an exacerbation of control” (p.199).

I have seen enterprise risk management implemented without an excess of red tape; I have seen it fulfill, at least in part, its mandate. Practitioners, in taking a critical view, might assess whether or not their ERM programs are taking on characteristics they had not intended.

[Revised 12 Sep 2011]


The Economist Risk Intelligence Report

2010-12-09 / How to Implement ERM / 0 Comments

Risk management surveys
The Economist Intelligence Unit has released a report entitled “Fall guys: Risk management in the front line”. It is based on a survey of banking and insurance executives both within and outside the risk function, supplemented by interviews with other risk experts.

The report paints a picture, on one hand, of an increased appreciation for risk managers, where many have acquired more authority within improved risk governance structures. This is a response to the economic crisis. On the other hand, respondents who believe their firms are effective in detecting emerging risks are still in the minority (35% – p.3 para.7). This same discrepancy – the risk function’s high importance but low perceived effectiveness – appears in previous risk management surveys (see summary in this online introductory presentation).

Risk managers’ role
I found it encouraging that, according to this new report, risk managers wish to broaden their role by being “constructive”, “enabling”, and assisting managers to “achieve their business objectives” (p.4 para.2). Helping risk managers do just that is pretty much my whole mission in ERM! But relatively few firms even have risk managers participating in important business and strategic decision-making (p.4 para.1). The authors lament:

…there continues to be a perception among some senior managers that it is a support function staffed with narrowly focused specialists, such as business continuity planners, insurance buyers, or health and safety officers. Risk managers can find it difficult to break out of this mould and convince senior-level management that they have a contribution to make… (p.7 para.4).

This leads to the question: how can risk managers who aspire to support strategic planning and opportunity analysis move into that space? The authors regret a “cultural barrier”, and say it is a matter of better communication. But risk managers must prove they can actually help identify key business implementation risks, and can steward the innovation process, before they can be invited to fulfill those planning roles.

Risks and opportunity management: effective methods
They will not prove their value in planning by relying on the formalistic and bureaucratic aspects of the ERM program (PR, kick-off speeches, disseminating policy, etc.). Rather, they must demonstrate effective processes.  They must facilitate sessions dedicated to the analysis and mitigation of critical risks, and the identification of opportunities for innovation — in any context required by the internal client.

Risk managers must aggregate information for the board – but can they deliver insightful risk information that serves as a sound basis for strategic decision-making?

Risk managers must address long-term strategy and emerging risks. But do they know how to conduct a future scenario planning process? (See the report p.9 for a discussion of how the Lego senior director for strategic risk management uses risk scenarios.)

Risk managers must help identify opportunities. The authors report: “The average company’s risk register contains only threats, not opportunities” (p.8). My response is: should we really expect opportunities to show up within a risk register? To identify opportunities systematically, and subsequently develop them into sound business propositions and implement innovation — this all requires dedicated techniques. Risk managers are well-positioned to lead this process.

Conclusion: Managing innovation and opportunity is done incrementally
Risk managers who are aspiring to expand their roles can start with small pilot projects, even as experiments. I wrote a description of collaborative risk assessment in business (“No risk in collaboration”) in the September 2010 edition of Canadian Underwriter. You must have a sound process for identifying risks comprehensively as a basis. Principles of engendering and managing innovation are closely related. If you can help one client solve a critical business problem and meet objectives, then the next department will come knocking on your door.


ERM – Tool for Implementation

2010-06-24 / How to Implement ERM / 0 Comments

In the previous post ERM Implementation – Platitudes? I drew a distinction between the bureaucratic or formalistic side and the practical value side of any program or initiative. I thought I would post an ERM pdf – Implementation Tool focusing on just this aspect of enterprise risk management implementation. It is a diagnostic tool containing criteria that you will be able to apply to your organization.

Avoid confusion: people should recognize enterprise risk management as distinct from enterprise resource management. For example, resource management at NetSuite, a cloud computing technology leader, is an application offered to help ensure the efficient allocation of resources within the organization. The roll-out of cloud computing applications is discussed in the online course Managing IT/Cyber Risk. [Disclosure: ERTechnical receives an affiliate fee for NetSuite link.]

Here is a preview of some of the elements from each of the two sides of ERM methodology, with editorial comments in each category:


Selection of Risk Management Standard:
[Select an appropriate risk management standard in order to give uniformity to language and definitions. The standards more or less converge on similar concepts and order of steps. However, it will require interpretation in order to make it meaningful in the context of your work. You can’t rely on it as an implementation guide as it stands.]

Documented Corporate Policy:
[This is the outline of the application of the standard to your organization. The danger here is that it is much too long, with too much extraneous theory and especially advice that has been written in advance of practical trials.]


Investigation and Trials of Risk Identification Methods at the Operational Level:
[These criteria are at the heart of the matter. An effective risk ID and assessment process, both at the strategic and operational level, is essential to successful enterprise risk management. This will ensure value and engaged participation. These points are covered in detail in the risk management online training course: How to Conduct High Quality Risk Assessment.]

Risk ID Methods Developed to Target Specific Work Functions:
[It is unlikely that a rigid and uniform risk methodology will work across all departments. Involving staff to develop and refine the methods, while observing compatibility across the organization, is a good way to make risk ID useful to them.]

The last part of the ERM tool is the assessment: to compare the formal and practical sides. The idea is not to discard the formal aspects altogether, but to determine whether they are being used excessively. Perhaps you agree that it is better to lead with the second list: the practical work elements.

Rather than lead with too many formal aspects, you can develop them incrementally to support the proven practical work. This results in higher utility, sustainability and credibility of your ERM framework implementation.

Those wishing to study further the principles of program implementation, as applied to ERM, may be interested in a new Risk & Insurance Management Society online course to be launched later this year. It is called Special Case Studies in Risk Management. It includes a module called Overcoming ERM Resistance, with a 40-minute presentation, case study, and a more elaborate implementation tool with 24 criteria. I will post an announcement.


ERM Implementation – Platitudes?

2010-06-22 / How to Implement ERM / 0 Comments

ERM Process Misconceptions

If you have been charged with implementing Enterprise Risk Management, I’m sure that you are familiar with promotions and pronouncements that run along these lines:

  • We want to embed ERM in the organization and get everyone to think about risk.
  • Employees must be risk-optimizing in their business decisions.
  • All employees are risk owners.
  • The focus of ERM is our assets and resources, and their exposures to risk.
  • The key to successful ERM is a robust communications plan.
  • The ERM program will reduce uncertainty and reduce volatility, improve our credit standing, and demonstrate compliance to the Board. This will translate into shareholder value.

Do these statements sound familiar? On the face of it, they sound like a wonderful plan for a mature risk culture. The trouble is, they don’t tell us how to achieve these benefits.

First, a caution. One of the statements reads:

>>The focus of ERM is our assets and resources, and their exposures to risk.

No. The focus of your ERM program is your organization’s goals and objectives – which flow from the strategic direction and values. The enterprise risk management definition is based on the concept of risk as the “effect of uncertainty on objectives” (ISO) or “the chance of something happening that will have an impact on objectives” (AS/NZS 4360).

In the order of things, mission, vision, and strategic direction are actually paramount. Furthermore, behavioural guidelines for public agencies or private companies – code of ethics, business rules, professional creeds, etc. – are elements of the organization that have economic value. They are definitely at risk, susceptible to analysis, and require risk mitigation. They are merely supported by assets and resources, which are of secondary consideration.

ERM Methodology: Focus on Bureaucracy or Value?

How to actually achieve ERM benefits is probably what concerns you most if you are in charge of implementing ERM. What is your approach?

I believe that all programs and initiatives, in any field, whether in a private sector firm or government, have their bureaucratic or formalistic side, and the practical value side.

The bureaucratic side consists of the promotional pronouncements like the ones above, describing the virtues, promises and supposed benefits of the new program. It is also in the policy. If this side is relied on too much – that is, if there is no genuine substance to the new program – then what you will see is mere lip service and avoidance; or compliance with pro forma templates and check-lists. It ultimately fails.

I recommend putting the practical value side first. Focus on a minimalist approach to enterprise risk management implementation: seek practical value; prove the core ERM methodology – that is, effective risk ID and assessment. This is at the heart of the organizational change you are seeking.

You might say: you can’t lead with the technical side: if you create a brilliant solution, but fail to communicate it, it’s a failed program. But I would much rather err on the side of unadvertised value than on the side of promoted fluff.  It’s much better – and less risk – to build incrementally upon a firm foundation. A risk ID and assessment method that solves business problems sells itself.
