In the previous 3 posts, I described the agenda I use for the “Enterprise Risk Management-Developing and Implementing” workshop, to get participants to work through their own risk management challenges. I also reported on requests expressed in online course feedback. Many want case studies.

In the earliest days of implementing ERM in the BC Provincial Government, I remember saying to the Deputy Minister of Finance that, notwithstanding our own innovative risk financing programs, we couldn’t find sufficient examples of the new enterprise-wide approach. He responded by saying that we would have to create our own examples.

I often explain to groups in risk identification sessions that I am not the content expert. Rather, I am experimenting, in partnership with them, with a process that allows the people who really know the risks – the subject matter experts, program staff, managers and executive – to identify them comprehensively and articulate them properly. It is an experiment, because each business setting has its own unique requirements — adjustments to the process — that cannot be known in advance. We are going to, in effect, create our own example.

I feel that anyone who is capable of setting out an agenda and chairing a meeting amongst his or her peers is capable of carrying out trial risk ID sessions. Notice, though, at a certain point, you can no longer rely on case studies: you must offer your own interpretation of your particular risk management context.

Risk Management Context

Context is king. You have to think through the headings in the context paper to define the business. And it is natural to have trouble defining goals and objectives – we have all been there – because working in an organization has complications. For example, contradictory legacy practices must be sorted out, and unclear direction must be resolved, before you can set out coherent goals for the organization. Then, planned objectives themselves must be intended action, not mere hyperbole. For example, the goal of “the best billing system in the business” would be better described by listing the intended steps to achieve it.

Only when the context is properly defined can you undertake any meaningful risk identification. I would say that 80% of my work with agencies consists in clarifying the context. Once that is done, the remaining 20% – the actual risk assessment – goes smoothly and proceeds logically.

Logic Leads to Creativity

Logic dictates that the threats discussed must not be vague phrases – they must be directly tied to planned goals and objectives. In other words, the discussion will be both meaningful and comprehensive when it traces through a consistent and detailed context. This will prevent people from trying to address broad strategic matters and operational details in the same session. It will prevent them from haphazardly throwing in threats like earthquake or flood, when these things require their own (business continuity and emergency planning) context and analysis.

When I am not the content expert, it gives me an advantage. I have a license to be logical; i.e., to ask candid questions about inconsistencies and contradictions. If you are leading the process within your own business unit, try inviting some constructive criticism from outside the department. This can drive a stagnant plan forward.

A critical approach leads to creativity. When scrutinizing the corporate context, you could discover a planning gap – possibly the necessity to re-evaluate and reformulate corporate goals. Risk assessment can then, at a minimum, support the achievement of said goals. We can also aim to identify opportunity and reach a higher level of result: new sources of revenue, added value, and innovative contributions to the industry or profession.

I urge you, therefore, to read case studies, not to copy them slavishly, but to inspire an original approach to create your own risk management examples.

[article updated 13 October 2012]

