Enterprise Risk Management and Board of Directors

What is the role of the Board of Directors with regard to Enterprise Risk Management? I recently addressed the Board members of Island Health, our local health authority, to answer this question.

The Board has already been given advice by the Healthcare Insurance Reciprocal of Canada. HIROC characterizes health authorities as “high reliability” organizations, meaning that any particular failure can have much larger catastrophic effects.

I suggested the following Board duties:

  1. to review the rigour, quality and efficacy of the enterprise risk management regime itself;
  2. to review the content, i.e., results of the risk assessment process, as applied to strategic plans – the risks that were identified; the mitigation plans created;
  3. to ask critical questions regarding any element of the risk management practice, make suggestions, advise and guide the executive.

Similar to audit, the Board must maintain its independence. Unlike audit, which uses specific criteria and checks for compliance, each Board member formulates questions and criticism by drawing upon his or her unique individual background and expertise.

Eventually, the risk culture should mature so that a common understanding is developed among management, staff, and the board itself of how corporate values and risk ownership are understood and applied.

Reprint – Risk Analysis for Tough Issues

The Economist’s risk management study in 2010 found that there is a continuing perception of risk management as: “…support function staffed with narrowly focused specialists, such as business continuity planners, insurance buyers, or health and safety officers…” (Fall guys – risk management in the front line). Then Forbes/Deloitte reported in 2012 that a significant sector of corporate employees are “unaware of what they need to do concerning risk”. (Aftershock: adjusting to the new world of risk management).

Back in December 2006 I published an article with Risk Management Magazine. It is relevant to the question of broadening the risk manager’s role to bring risk assessment to strategic planning and policy. I wouldn’t change a word of it today.

Create Your Own Risk Management Examples

Experimenting with the Risk Management Process

In the previous three posts, I described the agenda I use for the “Enterprise Risk Management-Developing and Implementing” workshop, to get participants to work through their own risk management challenges. I also reported on requests expressed in online course feedback. Many want case studies.

In the earliest days of implementing ERM in BC Provincial Government, I remember saying to the Deputy Minister of Finance that, notwithstanding our own innovative risk financing programs, we couldn’t find sufficient examples of the new enterprise-wide approach. He responded by saying that we would have to create our own examples.

Feedback from ERM Sessions – Online

Online Risk Management Course – Assessment

The online risk management courses I offer through the Risk and Insurance Management Society include How to Conduct High Quality Risk Assessment, which, in the first two years of its running, got an approval rating (“would recommend this course to others”) of 88%. Some of the positive feedback stating “the most beneficial aspects” is as follows:

Enterprise Risk Management Manifesto

Enterprise Risk Management is now finding its place in creating strategic value.

Traditionally confined to either loss control in the realm of commercial insurance, or financial controls and audit, enterprise risk management has now taken an evolutionary step to encompass the entire spectrum of strategic and operational risk.

Risk has gained, in recent years, a high profile in the public mind, as waves of corporate malfeasance, natural disaster, security threats and economic meltdown have rocked the foundations of organizations in all sectors, and created profound distrust among stakeholders. ERM implementation is now proving its value as conventional risk management duties expand to embrace strategic planning and innovation.

Canadian Federal Government Risk Management

2011-09-12 / Public Sector ERM

Conference showcases progress in ERM

During the past three years, I have presented at the Public Sector Risk Management conference put on by Infonex in Ottawa. The topics of my presentation were:

January 2011 – “Risk Assessment Best Practices: Examples from Provincial Government”
February 2010 – “How Risk Management Can Lead Innovation”
February 2009 – “Principles-based Enterprise Risk Management” (keynote address).

The original 2009 session set the stage for subsequent years:

Treasury Board Secretariat representatives Greg Kenney (now Senior Director, Investment Planning and Project Management) and Nisa Tummon (now Director, Risk Management) explained the refreshed and revitalized role of TBS Center of Excellence on Risk Management. They support all Canadian Federal Government departments in training and developing best practices in Integrated Risk Management, or Enterprise Risk Management (both terms are actually used).

ERM for Municipal Government Services

2011-09-12 / Public Sector ERM

Rapid ERM Implementation

In April 2009 I had some interesting work with the Alberta Urban Municipalities Association (AUMA-AMSC) in Edmonton. This diverse organization has a twin mandate – both advocacy and services – for local governments. The task was to get Enterprise Risk Management up and running.
Ken Baker, Controller, was project lead. He asked that we start with a plenary session, not to cover the theory of ERM, but rather to explain what it would mean in practice. In my presentation I focused on a few key messages before we began work:

a) Risk management is not a substitute for environmental scan and planning. Substantially known trends and conditions are not risks, they are facts. The risk is that the plans to meet them will be, for one reason or another, unsuccessful.

b) Established disciplines within the purview of risk management should not be mixed up in the same exercise. Each has its own nuances and categories of analysis. For example, IM/IT security and Business Continuity/Emergency Planning are two distinct things – even though they need to be coordinated in an overall ERM framework.

c) Scope, organizational boundaries, level (strategic vs. operational), time frame and stakeholder and client group analysis – all these need definition in a context paper for any given risk assessment. If not, assumptions on all those items keep invisibly shifting in the minds of participants – whether you are conducting interviews or a round table session. Failure to properly establish context always leads to mushy (that seems to be the best word for it) risk information.

After having checked context papers, mostly done by email as pre-work before I arrived on site, I led risk ID sessions with each working group. The content was varied and challenging, including benefits services, claims management, an energy (electricity and natural gas commodities) aggregation program, and IT systems. My role, after clarifying working principles, was to facilitate sessions – which means demonstrating the process and transferring capacity. Ken posted documents and templates on a SharePoint site, and coordinated the successive work of departments.


CEO John McGowan reported in the internal staff newsletter Between the Lines, April edition:

“the Directors of the first four participating departments were tasked with identifying the details of their operations in a context paper. This was followed by individual departmental sessions with the teams where a facilitator helped each group identify its own risks… According to one participant this had a ‘cathartic effect’ and left the teams with a new positive impression that ERM would assist them in the quality of decision-making, not create extra work.”

Next Steps

In later talks with Ken, we did some analysis and interpretation of the aggregate results. Those “cathartic” departmental sessions actually came together to paint a clear picture of critical aspects of the AUMA-AMSC operational risk profile. Ken has said that the next logical step is to conduct a strategic risk assessment at the board/exec level.

This shows that you can start at the operational level and implement ERM rapidly and with a minimum of bureaucratic overlay – the essential point is to prove and validate the core risk assessment methodology. I would recommend also conducting future scenarios planning at the strategic level to cover extreme conditions on critical business factors.

[Revised. Originally published 07 May 2010]

UPDATE: Ken Baker has subsequently become ERM Program Manager at City of Edmonton.
