Enterprise Risk Management Tools & Templates – pdf/print/ebook

ERM Tools & Templates – 2nd edition

[UPDATE] Enterprise Risk Management Tools and Templates is now available on Amazon, in both print and ebook formats. In this companion volume to the main text Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation, I give 17 tools and templates in full colour, 8.5” x 11” size.

Demand is especially strong for a sample risk register, properly formulated risk statements, and an environmental scan template.


Table of Contents

01. ERM and Core Risk Management Process
02. ERM – Organizational Preparedness
03. Complete Organizational Planning Process
04. Governance, Risk and Compliance (GRC)

05. Environmental Scan
06. Stakeholder Analysis
07. Context Paper
08. Risk ID and Assessment Session – Agenda

09. Risk Register
10. Enterprise Risk Categories
11. Risk Statements

12. Probability-Severity or Likelihood-Consequence
13. Heat Map

14. Risk Tolerance
15. Risk Management Plan: Report to the Board

16. Weighted Multi-Criteria Selection Tool
17. ERM Maturity Matrix based on Carnegie-Mellon method

The document will take the form of text, spreadsheets and diagrams, and be accompanied by explanatory notes — it aims to answer needs among risk managers.

[UPDATE: 2nd EDITION EXPANDED TO 17 ITEMS – 07 October 2016]


How to do Risk Assessment – Using Risk Categories

2010-06-03 / How to do Risk Assessment / 2 Comments

Risk Categories: Strategic and Operational

A client sent me a question today, which I quote with permission:

I’ve been tasked to go over the strategic (corporate) risk register done by the exec… The question I have is, there are 14 separate risk categories, while the operating depts. have been using 4.  Is it worthwhile to keep them consistent, or would it make sense in any universe to use different ones for strategic vs. operating risks?

I definitely want to cut the number of categories down from 14 to 4 or 5; please advise if this makes sense also.

Here is the short answer: there is no strict rule about whether operational and strategic risk assessment can use the same risk categories. Nor is there a prescription about the number of categories you must use. Rather, you would make those decisions based on how you need to manage your information. First, you work to identify risk using categories; then, the categories work for you to manage the results. Let me explain.

Risk Categories: Generic and Specialized

Aside from the question of scope (operational/strategic), risk categories fall into two classes: generic and specialized. The generic risk categories are the familiar ones that apply to any organization; here’s a partial list drawn from the Guidelines for Managing Risk in the Western Australia Public Sector:

  • economic
  • socio-political
  • national and international events
  • personnel/human behaviour
  • financial/market

Specialized risk categories are the ones that belong to a specific vertical (industry, profession, field or practice). They are categories of analysis that subject matter experts can bring to the table. Project risk categories are a good example – especially useful if they are arranged by project stage. Here is just a sample of risk categories that would be relevant to the analysis of, for example, an IT implementation initiative:

  • process and system training
  • process compliance and user acceptance
  • security and privacy
  • release management

How to Use Risk Categories

Use risk categories in two stages; there’s a kind of shifting gears in the way you use them.

Stage 1: Peruse risk categories and consider each one to identify risk and create risk statements. As facilitator of the risk ID session, you present all of the risk categories that you can get your hands on (that are relevant), and that you have time to cover.

Get the session participants to consider the whole list, so that you “map” each individual viewpoint against each of the categories. It’s unlikely you’ll have time to do this line-by-line: send out the lists ahead of time, and then do a walk-through at the session. The idea is to use the risk categories to inspire people’s thinking and jog their work-related memories, so that they can formulate risk statements about the project at hand.

Stage 2: Once you have completed your risk ID, you may have a list of, say, 30 to 50 risks within a specific context. Now that you and the group have worked so hard to delve into each of the categories, you have to decide: how do you want categories to work for you?

Are they an administrative tool? You will likely want to sort on the material by department, business unit, risk owner, or by project stage. You might therefore need to create new categories or spreadsheet columns, and re-categorize certain risks. For example: something originally identified under the rubric of “Financial” may belong more properly under “HR” or “Marketing”, depending upon who is looking after mitigation. You could invent a code or category to coordinate mitigation, such as a communication plan to address 30% of the risks identified across various departments.

Are categories an analytical tool? It makes sense to arrange categories to reflect the perceived source of the risk – good for analyzing the strategic view of things. You might be able to discern where the most critical risks are coming from, or what function they are affecting, and draw useful conclusions. You can imagine the richness of the analysis if your department heads agree to categorize (accurately, with consistent criteria) an aggregated 250 risks across the organization in several columns.

There is no end to the nature and number of categories, nor a minimum. It all depends upon the number of risks, the complexity of your risk information, and what you want to get out of it. Sorting by categories helps you manage mitigation, as well as to interpret the risk profile and write your report.
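One way to model the two stages in a spreadsheet-like register, as an added example that is not part of the original post: each risk keeps the category that surfaced it in Stage 1, then gains administrative columns (owner, project stage) and a cross-cutting mitigation code in Stage 2, so the same list can be counted by source for the analytical view or by owner for the administrative view. The risks, scores, owners and stage names are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Risk:
    rid: str
    statement: str
    source: str                 # Stage 1: category that surfaced the risk
    score: int                  # constructed likelihood x consequence, 1..25
    owner: str = "unassigned"   # Stage 2: who looks after mitigation
    stage: str = "unassigned"   # Stage 2: project stage
    codes: set = field(default_factory=set)  # Stage 2: mitigation codes

def build_register():
    """Constructed sample risks from a hypothetical IT implementation."""
    return [
        Risk("R01", "Users reject the new workflow", "process compliance and user acceptance", 16),
        Risk("R02", "Contractor rates exceed budget", "financial/market", 12),
        Risk("R03", "Trainers unavailable at go-live", "personnel/human behaviour", 9),
        Risk("R04", "Customer data exposed during migration", "security and privacy", 20),
        Risk("R05", "Release slips past fiscal year end", "release management", 15),
        Risk("R06", "Turnover in the project team", "personnel/human behaviour", 10),
    ]

def assign_admin_columns(register, owners, stages):
    """Stage 2: fill administrative columns from lookup tables (rid -> value)."""
    for r in register:
        r.owner = owners.get(r.rid, r.owner)
        r.stage = stages.get(r.rid, r.stage)
    return register

def tag_mitigation(register, code, rids):
    """Attach a cross-cutting mitigation code (e.g. a communication plan)."""
    for r in register:
        if r.rid in rids:
            r.codes.add(code)
    return register

def count_by(register, column):
    """Administrative view: number of risks under each value of a column."""
    return Counter(getattr(r, column) for r in register)

def critical_sources(register, threshold):
    """Analytical view: source categories holding risks scored >= threshold."""
    return Counter(r.source for r in register if r.score >= threshold)

def coverage(register, code):
    """Share of the register addressed by one mitigation code."""
    return sum(code in r.codes for r in register) / len(register)
```

A risk surfaced under "financial/market" in Stage 1 (R02) can be owned by HR in Stage 2 without losing its original source, which is what lets both views coexist in one register.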

You work to extract the risks from categories. Then you make the categories work for you.
