CRM-E Canadian ERM Certification

RIMS Fellow - CRM-EThe workshop for CRM-E (enterprise risk management training), which is an adjunct to the Global Risk Institute’s Canadian Risk Manager designation, begins in Canada in Toronto on June 01.

I will be co-facilitating  the 3-day workshop in Toronto with John Bugalla. It is sponsored by RIMS, and is called  Enterprise-Wide Risk Management: Developing and Implementing (the name of the text). The first session will be a little experimental. John says many of the participants in the US version of this course (ARM-E) are not interested in writing the exam; we will have to see what the Canadian participants want to do. I created the content for the online exam for the CRM-E certification, and so I will be able to prepare students on that score.

Once we understand the background and requirements of the participants, we will be able to adjust the finer points of the approach. I have prepared a number of supplementary materials as back-up:

01-Organizational Planning Process
Shows relationship of Corporate identity; Environmental scan; Strategic/operational planning; Future scenarios; Risk assessment; Performance management; Program evaluation.
02-Corporate Governance
Diagram setting out roles & responsibilities of board; executive; audit authorities; risk owners/managers; and stakeholders.
03-Context Paper

Template with headings to establish the scope and assumptions of risk ID and assessment on a given plan, project, or policy.
04-Risk Register

A spreadsheet that accommodates all steps in the risk assessment, mitigation and monitoring process.
05-Risk Categories

A set of generic categories of sources of risk that can be used to facilitate the identification of risk. Also, a set of specialized risk criteria on new program implementation.
06-BCgov-Risk Dictionary
An elaborate set of generic risk categories applicable to organizational planning contexts — very useful for conducting comprehensive risk ID.
07-Likelihood and Consequence Descriptors
Suitable for operational and strategic contexts. Can be used as a preliminary model and modified according to organizational needs.
Links and references to information vital to ERM implementation and risk ID and assessment. For example: Environmental Scan; Risk Scenarios Planning; Compliance Pitfalls.
09-CRM-E Exam Study Guide

The CRM-E online exam consists of multiple choice and 4 short answer (text) questions. The Canadian and US (ARM-E) versions are distinct.
Key points on ERM implementation in the organization, as well as the risk ID and assessment process. Intended to help practitioners understand what is required to successfully implement a risk regime.

The Enterprise-Wide Risk Management: Developing and Implementing workshop is scheduled in Canada for Edmonton, Oct 17-19; and Vancouver, Nov 21-23.

Read More

Special Case Studies in Risk Management: Online Course

case-studies-risk-managementThe new Risk and Insurance Management Society online course I promised earlier this year is now up and running. It is called Special Case Studies in Risk Management.  In this course, I give full length presentations on important aspects of running Enterprise Risk Management.

This online course offers fresh perspectives on the risk manager’s role in implementing and applying risk methods in organizational settings. Detailed investigation and case studies will allow participants to hone their skills.

There are two key objectives: One is to alleviate the frustration that comes with having theoretical knowledge while being unsure how to implement. The second is to add to one’s repertoire of risk methods to address different situations. This course continues our mission to provide professional development online courses to risk managers who must think outside of the conventions and take on an enterprise role, whether in the public or private sector.

Benefits: become the process leader to accomplish the following:

  • prepare for emerging risks;
  • test the organization’s long-term strategy and  resilience;
  • expand and enrich the planning discussion;
  • create a successful ERM implementation plan;
  • understand and apply change management and motivation principles;
  • apply attention to detail in the risk matrix/risk register;
  • maintain the quality and rigor of the risk ID/assessment process
  • craft innovative win-win contract terms in major projects;
  • use model solutions to select the best policy option, implement multiple risk assessments, and resolve contradictory stakeholder agendas.

Who Should take this Course?

  • chief risk officers and risk managers
  • analysts and program leads responsible for conducting risk assessment
  • strategic and program planners
  • those charged with establishing or improving the ERM program
  • public and private sectors (principles are transferable)


Program Outline
The program is presented in 5 modules; the course takes 10-15 hours to complete. Each module consists of:

  1. introductory video;
  2. narrated slide presentation in two parts;
  3. case study article illustrating the principles, with audio/pdf commentary;
  4. tool/template download to help you apply the concepts;
  5. online multiple choice test.

Includes a master references file. Materials are made available in pdf and mp3 formats.

Module 1: Future Scenarios Planning
Gives risk managers a method to help them identify emerging risks, and prepare for the advent of low-frequency/catastrophic impact events – Black Swan risks. Walks through a city agency’s planning example. Future scenarios planning is a highly imaginative, yet structured methodology to identify significant risk in the long view.

Scenarios project a range of possible outcomes and enable people to think about the future in different ways.
~P. le Roux, case study article

Module 2: How to Overcome ERM Resistance
Change initiatives crucial to organizational success fail 70% of the time (Miller, 2002, Journal of Change Management). Risk managers’ common difficulties include: where to start a risk assessment of the organization, and how to overcome ERM implementation challenges at operational level. Understand the bureaucratic side vs. the realistic side of your ERM program. Seize upon the factors that motivate people to ensure the take-up and sustainability of the ERM program. Detailed 40-minute narrated presentation.

Module 3: Review of Risk Registers and Risk Templates
Investigate details of solutions for risk matrix design and usage. Attention to detail to
maintain quality of risk methodology. Review the risk register, risk categories, risk ranking matrix and descriptors, and consequence frameworks. Includes 5 sample template pdf downloads. Case study article discusses pitfalls of compliance.

Module 4 Creative Contracts Case Study
This is a non-legalistic study of contract risk management. Walk through a detailed case study of a major project in the health care sector. Presenting a novel solution in the realm of public-private partnerships, the story tells of replicable methods to allocate risk appropriately, craft unique provisions in uncharted territory – and paper the deal. Supplementary articles present both sides of the P3 issue.

Module 5 Complex Contexts
Risk assessments never follow neat patterns. Gives participants practice in interpreting and mapping out the administrative mess, even to begin a risk ID. Uses models abstracted from real life situations in order to: repair defects in planning; select the best policy option; resolve contradictory agendas; harmonize multiple delivery channels, etc. Detailed presentation of 6+ complex contexts and their solutions.

Read More

Risk Register-Risk Log Examples-Pt2

2010-07-15 / How to do Risk Assessment / 0 Comments

In the last post Part 1 we began a review of some sample risk registers which are publicly available and excerpted in this Risk Register-Risk Log Examples pdf.

The third risk register example, like the second, seems quite good as a practical tool. It does have a column beside the Likelihood and Consequence to calculate the resultant risk ranking (‘risk grade’ as they call it). I’m not sure about how they’re using risk category; also, there’s nothing on tolerance or controls.

But what jumps out at me is how they are using the Describe Risk column (circled). In the first item I count at least 5 issues that could be separate risk statements. That would be better, otherwise you don’t know what you’re assessing. If you compiled a list of 50 risks in a similar discursive manner, you would have a lot of text impossible either to rank accurately, or effectively manage.

In this case, where they are talking about developing courses overseas, some analysis offline might let them formulate precise risk statements addressing upstream causes. Then they could devise mitigation plans to engage with the foreign university and help ensure the viability of the offshore activity. But the concept of risk implied here is not one focused on objectives; but rather the traditional one of exposure to assets.

Back to our review of sample risk registers. The last one has the sixth column labeled Contingency/Action. There is a difference, and it’s helpful to sort out all the various ways to respond to risk. For example, people often characterize risk financing as a transfer of risk – it’s not.

In any case, these finer distinctions are not indicated in this particular risk register. Nor (like two of the others) does it have columns for controls, tolerance, and the valuation and allocation of residual risks,  which you would need in a project management risk register.

In conclusion, this review of sample risk registers shows that risk managers need to pay attention to detail in two ways:

a. Number of Columns. The number of columns will generally indicate the depth of analysis and must correspond to the business requirements. Too few columns will give you just lists of general information, without incisive analysis to support decision-making, or ways to track progress on mitigation.

b. Column Labels. Column headings are telling, and the examples discussed revealed some confusion in the interpretation of terms. Your choice of headings should reflect a clear idea of the risk process.

The new Risk & Insurance Management Society online course Special Case Studies in Risk Management contains a fuller discussion of the risk register, its associated ERM tools and templates, and the implications for selecting ERM software. We provide a comprehensive risk register for project management and discuss each of the 17 columns of analysis in detail.

Read More

Risk Register-Risk Log Examples-Pt1

2010-07-13 / How to do Risk Assessment / 2 Comments

In the discourse on enterprise risk management, probably one of the least discussed issues is the risk register or risk log. What is a risk register? Information regarding the ID, assessment and mitigation of risk must somehow be recorded and managed in a sort of matrix – but how should it be done?

This entails questions about the appropriate number of columns; the right headings; the right order; and the terminology used. You must create or borrow an adjunct Likelihood and Consequence schema, and decide how the project risk log fits into a business intelligence regime. What is the technology, and what are the rules to report and escalate risks?

Of course the approach to risk information management will depend on the nature of the business. There is no single design; an IT risk register will have criteria not found in a generic project management risk register.

In the pdf posted here Risk Register-Risk Log Examples I’ve got excerpts, with sources cited, from four risk register templates. If we go through them in some detail, it could be useful to help you design the features you need to build a consistent approach.

In the first one, there are four columns. Evidently they’re talking about a construction site. The first column is called Risk Category, listing “existing structure” and “site conditions”. To my mind, those aren’t really risk categories; they are just parts of the (physical) context. Instead, if we called “site” context element A,  and “structure” context element B, then we could apply to both of them many risk categories, that is, sources of risk; e.g., approvals; physical condition; weather hazards; safety and security; etc. Hate to be picky, but I think risk categories (abstract realms of risk) and context (whatever it is you are studying) are confused here.

In this same risk log template, the second and third columns (circled) are “Description” and “Consequence”.  It’s not worthwhile splitting those into two separate columns. You can see that there’s content duplication in two cells in the second row. Although some people like to list several consequences for one risk; I prefer to have one line item identifying the root cause, if possible. This first risk register template is more like a facsimile than a working example.

The second example, by contrast, is more practical. Although not as elaborate as a full blown project management risk log, you could do a lot worse than this risk register to concisely note, date, assess and manage your risks. Purists will not like the word ‘hazard’ equated with the word ‘risk’ in the third column. Notice the column circled; they call action “new controls” whereas we would normally call that treatment or mitigation. This risk register does not permit much analysis, though – not even a ranking of the risks.

So far, then, we can see that there is a lot of variation not just in the design, but in how the terminology is used.

In the next post, we’ll finish the review of sample risk registers and discuss implications for the design of a risk register template for your organization.

Read More