Enterprise Risk Management and Board of Directors

What is the role of the Board of Directors with regard to Enterprise Risk Management? I recently addressed the Board members of Island Health, our local health authority, to answer this question.

The Board has already been given advice by the Healthcare Insurance Reciprocal of Canada. HIROC characterizes health authorities as “high reliability” organizations, meaning that any particular failure can have much larger catastrophic effects.

I suggested the following Board duties:

  1. to review the rigour, quality and efficacy of the enterprise risk management regime itself;
  2. to review the content, i.e., results of the risk assessment process, as applied to strategic plans – the risks that were identified; the mitigation plans created;
  3. to ask critical questions regarding any element of the risk management practice, make suggestions, advise and guide the executive.

Similar to audit, the Board must maintain its independence. Unlike audit, which uses specific criteria and checks for compliance, each Board member formulates questions and criticism by drawing upon his or her unique individual background and expertise.

Eventually, the risk culture should mature so that a common understanding is developed among management, staff, and the board itself of how corporate values and risk ownership are understood and applied.


Requests for Risk Management Case Studies

Online Risk Management Course – Requests for Case Studies

In the previous post, I mentioned that many online and on-site course participants have requested specific advice on managing risks in one or another domain; for example (to repeat):

Specific insurance coverages
First party claims
Operational risk
Risk management in the energy field
Marketing risks
Property and casualty insurance

I have been able to answer certain requests with online course materials and blog posts.


Feedback from ERM Sessions – Online

Online Risk Management Course – Assessment

The online risk management courses I offer through the Risk and Insurance Management Society include How to Conduct High Quality Risk Assessment, which, in the first two years of its running, got an approval rating (“would recommend this course to others”) of 88%. Some of the positive feedback stating “the most beneficial aspects” is as follows:


How to Define Risk Tolerance: 3 Mini Case Studies

2010-07-01 / Risk Tolerance

Following on the idea given in the previous post, What is Risk Tolerance?, that performance measures will necessarily be of different types and qualities, we can conclude that a risk tolerance assessment for a given context will have various measures, too.

This assumes that the risk tolerance statement is not construed purely in financial terms, and that Enterprise Risk Management contemplates many forms of tolerance, risk in all domains, not just in capital management.

The tolerance for risk will have to be determined within the specific work context. It will be defined in relation to the goals of the organization, and to its particular system of ethics, professional codes, business rules, and quality standards – in a word, its values.

It will not necessarily be something categorically measured, a discrete number. It might, on the other hand, have various obtainable measures associated with it, as indicators that require monitoring. I believe that in many organizations, risk tolerance must be the subject of a continual dialogue between management and staff, in order to ensure a reasonably consistent interpretation of and adherence to it.

What that means in practice is that the risk manager will not find a universal formula for risk tolerance, but may well have quality standards, statutory requirements, regulatory guidelines, or stakeholder interests that help shape it.

Example 1. If I am a mechanical engineer requiring a certain carbon content or grain structure in the steel that enters the plant to manufacture a critical part, I have to determine my degree of tolerance – risk will play out in different ways, and so will mitigation costs, depending on whether I rely on the supplier’s assurances, third-party reports, or an in-house 100% inspection.

Example 2. A social services organization, such as a child welfare agency, or a counselling or psychiatric care facility, will have “zero tolerance” for certain things involving patient safety. Yet, staff will have to make judgments as to whether the safeguards in any particular situation are sufficient to permit attention to be diverted elsewhere – to clients at risk who might otherwise go unattended.

Example 3. Imagine an IT firm that is doing well and sees potential in branching out into a new area of cyber security. Managers do not have clear agreement on the criteria for success, or on guidelines for making incremental choices, as they build the new operation. The firm’s tolerance for risk (or risk appetite) for this specific venture needs definition beyond a simple percentage.

Each of these examples shows that Enterprise Risk Management cannot rely solely on the notion of risk tolerance as a discrete number, a percentage of capital at risk. ERM allows for the design of risk tolerance for contexts of different scope and activity in different disciplines.

This is just where the risk manager can offer to lead a thorough risk identification and assessment session. In each of the examples above, managers and staff will be glad to participate in a structured discussion of risk, and contribute to suggestions for risk mitigation, because the results will help them to make critical decisions in their daily work.

The final report, based on a fully developed risk profile and agreed mitigation, could serve as a guideline, offering measures where possible, as well as practical indicators and advice. The engineer might then use that risk report to justify the cost of doing 100% inspection – or instead discover that it’s not necessary. The field staff in social services will feel as though their concerns have been heard, they have had a chance to discuss the ambiguities and contradictions encountered in the field, and they now have better guidelines to help them in difficult situations. The managers in the IT firm will have documented consensus on the new venture risks, and an agreed blueprint for proceeding.

Risk ID and assessment can therefore help establish a common understanding of the organization’s tolerance for risk, its possible measures and indicators, and steps to ensure adherence to it in practice.


What is Risk Tolerance?

2010-06-29 / Risk Tolerance

In the online course feedback, people have asked how to determine risk tolerance in their enterprise risk management framework, as well as a risk appetite definition. ERM has inherited a collection of terms from the world of financial risk management – risk tolerance and risk appetite are two – and people have difficulty making sense of them when applying risk methods to the wide variety of working contexts that ERM comprehends. Let’s review first the conventional connotation of risk tolerance.

Risk Tolerance and Risk Appetite in Finance
Risk tolerance in personal finance is of course the degree of willingness to accept risk of loss in an investment portfolio (in anticipation of correspondingly higher degrees of return). An individual will fill out one of those questionnaires to acquire a rating, such as low, medium or high, and then select investments, perhaps on the basis of the measure of historical volatility (beta risk).

In corporate finance, the firm might publicize a statement indicating a general stance or attitude regarding the degree of risk it will usually take on. A “required rate of return”, set by policy, is a risk-adjusted percentage return on capital, used as a guideline to evaluate project proposals. It therefore indicates a degree of risk tolerance. We characterized risk tolerance in a previous post as the degree of variability or volatility that the organization’s capital structure can support.

A few accounting firms’ white papers on risk tolerance (just Google it) discuss the closely related terms “risk appetite” and “risk capacity”, and agree that various stakeholders will have different appetites for risk: an investor wants to see a return, while policyholders or rating agencies want to see the risk of default minimized. Risk tolerance might be defined as exactly how much capital the firm wants to risk.

But I think the question for many enterprise risk managers is: how does all this translate into risk tolerance, not strictly in financial terms, but for the strategic and operational objectives in my manufacturing facility / university / software firm / health services organization / etc.? The finance definitions are not suited.

Performance Measures
I’m going to digress, but it’s relevant. This reminds me of when I was giving my final report for the master’s program in public administration. My project involved developing performance measures for electronic service delivery – specifically, electronic payment options for a banking/cash management branch. There was a suite of payment programs, each in a different stage of maturity and serving different clients.

Now, here’s the point: the performance measures for these programs necessarily were of many different types and qualities. They ran the gamut from reliable calculations of savings-per-transaction, with year-over-year percentage changes in take-up and acceptance by clients, to mere indicator data showing simple numbers of transactions completed, to anecdotal reporting and narrative for those programs having no data. In other words, you have to assess the validity and relevance of quantitative measures, and recognize the value of qualitative analysis.

At the end of my presentation, my advisor asked me what the chances were of attaining a universal language of accountability and reporting. (He would express frustration about board members unable to read financial statements.) I thought then and still do that we should not force a universal language, because it will be reductionist. It seems to me that we are steeped in a culture of measurement (it tells us categorically, if you can’t measure it, you can’t manage it) and specifically of financial measurement. In ERM, risk is, indeed, often construed purely as quantitative financial risk management, but even the finance experts warn against this:

“CEOs discovered too late that they had traded their old-fashioned blind spots for a new kind of blindness: one induced by the comfort of new technology and elaborate quantitative models […] With such disasters [Société Générale’s US$7B rogue trading loss] as a backdrop, many risk management experts say it’s time for companies to revisit the fundamentals.” ~Bennett Voyles, April 2008

“[With] too much dependence on the math, you lose sight of the dynamics… that the world really moves, and that it’s a complex system.” ~Peter Bernstein, Jan 2008, interviewed by McKinsey

In my next post, I will tie it all together and suggest an approach to defining risk tolerance in any context.
