Enterprise Risk Management Tools & Templates – pdf/print/ebook

ERM Tools & Templates – 2nd edition

[UPDATE] Enterprise Risk Management Tools and Templates is now available on Amazon, in both print and ebook formats. In this companion volume to the main text Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation, I give 17 tools and templates in full colour, 8.5” x 11” size.

Demand is especially strong for a sample risk register, properly formulated risk statements, and an environmental scan template.


Table of Contents

01. ERM and Core Risk Management Process
02. ERM – Organizational Preparedness
03. Complete Organizational Planning Process
04. Governance, Risk and Compliance (GRC)

05. Environmental Scan
06. Stakeholder Analysis
07. Context Paper
08. Risk ID and Assessment Session – Agenda

09. Risk Register
10. Enterprise Risk Categories
11. Risk Statements

12. Probability-Severity or Likelihood-Consequence
13. Heat Map

14. Risk Tolerance
15. Risk Management Plan: Report to the Board

16. Weighted Multi-Criteria Selection Tool
17. ERM Maturity Matrix based on Carnegie-Mellon method

The document will take the form of text, spreadsheets and diagrams, and be accompanied by explanatory notes — it aims to answer needs among risk managers.

[UPDATE: 2nd EDITION EXPANDED TO 17 ITEMS – 07 October 2016]


Special Case Studies in Risk Management: Online Course

The new Risk and Insurance Management Society online course I promised earlier this year is now up and running. It is called Special Case Studies in Risk Management. In this course, I give full length presentations on important aspects of running Enterprise Risk Management.

This online course offers fresh perspectives on the risk manager’s role in implementing and applying risk methods in organizational settings. Detailed investigation and case studies will allow participants to hone their skills.

There are two key objectives: One is to alleviate the frustration that comes with having theoretical knowledge while being unsure how to implement. The second is to add to one’s repertoire of risk methods to address different situations. This course continues our mission to provide professional development online courses to risk managers who must think outside of the conventions and take on an enterprise role, whether in the public or private sector.

Benefits: become the process leader to accomplish the following:

  • prepare for emerging risks;
  • test the organization’s long-term strategy and resilience;
  • expand and enrich the planning discussion;
  • create a successful ERM implementation plan;
  • understand and apply change management and motivation principles;
  • apply attention to detail in the risk matrix/risk register;
  • maintain the quality and rigor of the risk ID/assessment process;
  • craft innovative win-win contract terms in major projects;
  • use model solutions to select the best policy option, implement multiple risk assessments, and resolve contradictory stakeholder agendas.

Who Should take this Course?

  • chief risk officers and risk managers
  • analysts and program leads responsible for conducting risk assessment
  • strategic and program planners
  • those charged with establishing or improving the ERM program
  • public and private sectors (principles are transferable)


Program Outline
The program is presented in 5 modules; the course takes 10-15 hours to complete. Each module consists of:

  1. introductory video;
  2. narrated slide presentation in two parts;
  3. case study article illustrating the principles, with audio/pdf commentary;
  4. tool/template download to help you apply the concepts;
  5. online multiple choice test.

Includes a master references file. Materials are made available in pdf and mp3 formats.

Module 1: Future Scenarios Planning
Gives risk managers a method to help them identify emerging risks, and prepare for the advent of low-frequency/catastrophic impact events – Black Swan risks. Walks through a city agency’s planning example. Future scenarios planning is a highly imaginative, yet structured methodology to identify significant risk in the long view.

Scenarios project a range of possible outcomes and enable people to think about the future in different ways.
~P. le Roux, case study article

Module 2: How to Overcome ERM Resistance
Change initiatives crucial to organizational success fail 70% of the time (Miller, 2002, Journal of Change Management). Risk managers’ common difficulties include: where to start a risk assessment of the organization, and how to overcome ERM implementation challenges at operational level. Understand the bureaucratic side vs. the realistic side of your ERM program. Seize upon the factors that motivate people to ensure the take-up and sustainability of the ERM program. Detailed 40-minute narrated presentation.

Module 3: Review of Risk Registers and Risk Templates
Investigate details of solutions for risk matrix design and usage. Attention to detail to maintain quality of risk methodology. Review the risk register, risk categories, risk ranking matrix and descriptors, and consequence frameworks. Includes 5 sample template pdf downloads. Case study article discusses pitfalls of compliance.

Module 4: Creative Contracts Case Study
This is a non-legalistic study of contract risk management. Walk through a detailed case study of a major project in the health care sector. Presenting a novel solution in the realm of public-private partnerships, the story tells of replicable methods to allocate risk appropriately, craft unique provisions in uncharted territory – and paper the deal. Supplementary articles present both sides of the P3 issue.

Module 5: Complex Contexts
Risk assessments never follow neat patterns. Gives participants practice in interpreting and mapping out the administrative mess, even to begin a risk ID. Uses models abstracted from real life situations in order to: repair defects in planning; select the best policy option; resolve contradictory agendas; harmonize multiple delivery channels, etc. Detailed presentation of 6+ complex contexts and their solutions.


Strategic Risk Assessment-3/6

2010-07-27 / How to do Risk Assessment

This is a series on the risk manager’s role in strategic planning. The model for risk context described in posts 1/6 and 2/6 – Strategic Identity – needs to be complemented by research. In this post I describe Environmental Scan as a preparatory step in strategic risk assessment.

The Black Swan author Nassim Taleb’s lamentation is that we suffer from an illusion that the world is comprehensible. Granted, we can’t know everything – but that admission is no substitute for trying.

Research in pursuit of strategic resilience is often of a general nature: a PEST (Political, Economic, Social and Technology) summary; or a précis of economic trends and forecasts. Generalized research is not really sufficient to inform strategic risk assessment.

Environmental Scan

What is an environmental scan?  It is research oriented towards 1. the internal setting; 2. the task environment; and 3. global conditions.

This means turning attention first to an internal review of the firm – precisely to identify the unique assets and competencies mentioned in the last post, as well as “hidden assets” in the form of intangibles and abstract qualities. Many of these might escape a cursory review, but actually be of value – for example, the past experience of employees, or a unique position in the market or supply chain.

The second area is the “task environment” which is the domain of all the firm’s various interactions and stakeholder relations. The third area is the macro or global scene, but is still specific in the sense that you pay attention to developments in your field, and compare cross-jurisdictional practices.

Environmental Scan Template

Comprehensive environmental scan templates and resources are provided in the online course Creating Value: Risk Manager as Innovator. These templates contain:

1. Environmental Scan practice: The who, what, when, and how of a complete environmental scan research process for the organization, integrated with planning.

2. Internal Scan: Listing of 14 internal elements to review as scan targets, in the categories of Assets: e.g., Hidden, Under-Recognized, Not Counted in Financial Statements; Facilities; Processes; People.

3. Task Environment: Plan to conduct scan of stakeholder and firm interactions (see diagram). Stakeholders identified in 6 general categories. Review of Obligations, Dependencies, Interactions, Deliverables.

[Diagram: Strategic Risk Assessment – Stakeholder Analysis]

4. Macro/Sector Scan. Macro and Sector trends set out in many classes and categories.

Methodology: The environmental scan templates aim to identify and assess opportunities for innovation at 5 levels of improvement, from compliance to changing business practice.

Environmental scan is therefore a targeted effort, first, to take stock of the organization itself, then to investigate the trends, interests and motivations of stakeholders. Finally, it gives you sufficient preparation to be able to enter into the strategic discussion and identify crucial risks – and opportunities – in industry developments, social trends, geo-politics, technological innovation, and market shifts.

With the risk context defined authoritatively through Strategic Identity and informed by environmental scan, the risk manager has an excellent basis on which to lead group sessions. Risk manager as facilitator is the subject of the next post.


Complex Risk Contexts-Pt2

2010-07-08 / How to do Risk Assessment

Here is a diagram — my Complex Risk Contexts Schema. In Complex Risk Contexts – Part 1, I introduced the idea of muddled risk contexts that can make it difficult even to begin to conduct effective risk assessment. The first one was planning problems.

I think many risk managers would be able to write their own lists. Then how interesting it would be to compare our risk context statements and find out just how common our difficult business situations happen to be! I have posted here a summary of complex risk contexts. Let’s look at two more.

Multiple Assessments – Delicate Risk Context

Field risk assessments must often be repeated many times. Loss control inspections come to mind. But it could occur in social services, engineering or marketing. The problem is: how do you get consistency in such reports when they are conducted by field personnel with varying viewpoints? If the work has any degree of sensitivity, and demands a delicate balance of criteria, then general guidelines or policy will not answer.

I worked with a forestry team overseeing such risk assessments for tree sites across the province that were both a public hazard and a conservation refuge. The fate of these trees, determined by contractors, was not being decided with sufficient due diligence. The answer turned out to be a sort of auditable assessment tool, with refinements to balance contradictory criteria.

How to Choose the Optimal Solution?

One of the features of a mature Enterprise Risk Management system is that significant business investments, programs and initiatives are the result of a risk-based decision-making process.

Often a risk-based decision is required to select one of many possible solutions, whether a project, software application, or other sizable investment. It is not very thorough to just compare checklists of features. Conversely, you cannot conduct a High Quality Risk Assessment (link to online course) on each and every option. Even if you could, how can you compare the risk profiles when the trade-offs keep shifting from one case to the next?

I developed a solution to select the best risk financing option for a major Canadian federal crown corporation. It involves, indeed, a comparison of features of the various solutions. But it adds value by incorporating a comprehensive risk identification process. The team reviewed opportunity cost and mitigated the risk of foregoing the other candidate solutions. (It worked. They eventually decided on going with a captive.)

Those interested in seeing a fuller discussion of complex risk contexts may be interested in a new Risk & Insurance Management Society online course, currently in development – Special Case Studies in Risk Management. There are five more complex contexts discussed, with solutions and examples. The other modules within this course include Risk Scenarios Planning and Creative Contracts.

In the meantime I have posted here a summary of the complex risk context models – maybe they will inspire you to add your own.


Complex Risk Contexts-Pt1

2010-07-06 / How to do Risk Assessment

In a previous post Common Mistakes in the Risk Context Statement I described one of the situations most often encountered when trying to establish context — the lack of coherent planning. If the working team does not have plans or (what is perhaps more common) confuses planning terms, it is really impossible to set up the context and identify risk in a meaningful way.

I think we have all been there: where we tend to state department or business goals in vague or undefined terms that sound good on the surface, but are not verifiable or tangible. I could say the company aims to achieve “best-in-class service”, or the “highest degree of professionalism” or “impeccable accountability”, but these, at best, are part of a vision statement, and do not constitute goals in the sense of tangible deliverables.

Risk context can present a whole variety of challenges that need to be recognized and solved. I believe the reason many joint projects fail, or let’s say, the reason many risk ID sessions with the slightest degree of complexity go around in circles, is because the facilitator does not recognize traps. I’ve seen many meetings begin with tons of goodwill, but participants disperse in a despondent mood because they were not able to establish common ground.

It all has to do with setting the risk context properly. And rarely does the context consist of a single set of ordered goals and objectives, conceived with crystal clarity. I made notes on what I call complex contexts, and created a diagram and a solution for each one – I’ve probably hit on typical situations that others might find useful.

The first situation is the one described above. Is there a planning regime? Are departments required to set out business goals, with some kind of performance management, that are aligned with corporate strategy? Is there a commonly understood and applied planning language? If so, you are miles ahead, because risk management cannot substitute for good planning.

The other complex risk contexts have to do with multiple risk assessments in the field (technical, social or health care); selecting the best of many possible solutions (e.g., short-listed IT applications); or reconciling two diametrically opposed parties in a common project. In the next post, I will discuss them in more detail, along with a pdf summary of the complex context models.


Common Mistakes in the Risk Context Statement

2010-05-27 / How to do Risk Assessment

Has everyone had enough of risk context yet? According to Google, I see that a grand total of 58 persons on the planet searched for “risk context statement” last month. OK, this post goes out to you 58!

In previous posts we’ve covered the reasons why you need to establish context (if you contemplate conducting a risk assessment) and the elements of a risk context statement. I can share with you now some of the common pitfalls I have encountered over the course of preparing and facilitating many risk ID sessions in a variety of organizational settings:

1. Lack of Planning: Hands down, the most common pitfall in writing context is trying to make up for poor planning. You feel you have to take an educated guess at what the project team plans to do, because the organization in question does not really have a mature planning practice and associated terminology. The idea of individual tasks, objectives, broader goals – and the future vision and mission these are all serving – are not clearly conceived and documented. I have seen this in both public and private settings.

Now, there is no need to drown in paper, but I feel there must be an ordered documentation of what the organization (or department) in question intends to accomplish, how they want to go about it, and how they like to conduct business. Then you have a basis for discussing risk. If you have a project management culture, then this is likely solved.

2. Lack of Rich Context: The next pitfall is to conceive of the context (and so its associated risks) very narrowly or superficially; it reads like a bit of vague background. Rather, context should be a detailed map that lets you discover all types of risk.

I’m convinced the risk context statement can address any conceivable project, on any scale, in any content area. You can identify risk in all of these:

  • work breakdown structure in a conventional project document;
  • administrative procedure;
  • industrial process;
  • technical workflow or materials handling operation on the plant floor;
  • new product launch;
  • implementation of a new HR policy;
  • execution of a strategic plan over the course of three years;
  • plans for a marketing campaign;
  • terms of a complex service contract;
  • implementation of a new IT system;
  • creation of a social services agency;

…and so on, ad infinitum. So “establish the context” applies to virtually any strategic or operational plan.

Now, this means that you can present that context in just about any format you can imagine; e.g.,

  • point form notes;
  • hierarchical ordered lists of tasks;
  • critical path diagrams;
  • flow charts;
  • conceptual diagrams;
  • spreadsheets;
  • drawings/sketches;
  • photographs;
  • inspection tours;
  • working models;
  • audio/video recordings, etc.

Let your risk ID session participants scrutinize a rich and detailed risk context!

3. No Values. Another pitfall is to gloss over values. Risk assessments commonly ignore ethical and procedural guidelines, including professional codes – and yet these are assets at risk, and a source of competitive advantage. If they are included, they should go beyond a few “motherhood and apple pie” statements copied from the annual report (sorry). For example, I’ve led sessions where medical personnel have listed in point form their entire professional code in the context paper; subsequently, we reviewed each item for potential risk in the project at hand – an excellent approach!

4. Underestimated Stakeholders. They should at least be identified, and assessed with regard to their views and expectations. Then you will be able to determine what the risks are in relation to your program goals. One strategy far too under-utilized is to include certain stakeholders, constituents or program beneficiaries – somehow – in the risk assessment process itself. This is a distinct improvement on ordinary consultation that adds to the credibility of your risk management program. For example, I’ve seen government project teams invite industry reps and subject matter consultants to help identify risk in major public policy drafts. Result: a risk-adjusted implementation plan for a controversial policy that everyone agreed to. Another option is to conduct first a closed-door session (often preferred), but then share results with stakeholders to allow them to add comments.

5. Procedural Pitfalls:

a. Do not permit risks themselves to be listed in the context paper, because you are likely to forget to include them in the risk register.

b. Don’t forget to document any constraint or limitation that has been imposed on your risk ID and assessment process, including no-shows. This is simply to make clear the conditions under which you conducted the risk analysis and drew conclusions.

c. Don’t forget to state and draw attention to the intended deliverable (item 9 in our risk assessment template – Establish the Context). This is a technique used in facilitation to ensure that participants understand what they must produce by the end of the session. It could read something like this: “Comprehensive list of risks associated with implementation of project X, identified and assessed by consensus of round table members, with corresponding summary plans for risk mitigation.”

Final note: it’s not about quantity, it’s about quality. The context paper need not be longer than a few pages. As long as it is authoritative, this work at the front end of the risk process is well worthwhile.


How to do Risk Assessment–Establish the Context-Pt2

2010-05-25 / How to do Risk Assessment

In How to do Risk Assessment–Establish the Context Part 1, I gave references to risk context in ERM standards, and described a dual purpose for writing the risk context statement (scope/assumptions and risk ID agenda). Also, I posted a template pdf Risk Assessment Template-Establish Context with some commentary to help you (or the project manager) write a context paper.

Here is a little more detail to help anyone responsible for setting up a rigorous risk identification and assessment process.

First, the philosophy that informs this approach says that risk is relative, and identified in relation to planned goals and values – whether for operational or strategic risk assessment. A valid risk assessment process is logically consistent, reasonably comprehensive, and transparent. Using the context paper helps meet these conditions and leads to high quality results.

You know, the more I think about the context paper, it occurs to me how many conceptual difficulties get sorted out when you do the preparatory work.

The project lead can actually write the draft of the context paper. That means that you, as the risk professional, need only provide guidance. Keep the paper concise; use attachments or references to existing documentation to avoid duplication.

If the plan in question is informed by an environmental scan, so much the better. The scan should paint a picture of fairly well understood and predictable conditions (demographics, industry developments, etc.) that have some effect on the organization’s strategy. Once these are set out in a report, it is easier to discern specific threats and thus compile a strategic risk assessment.

The items in the context paper template – project goals and detailed tasks; professional values; stakeholder interests, etc. – should be considered sources of risk. You should list them carefully because you will review each to identify risks that can impede the success of the project. The context paper will help you trace through the project and ask: “What could stop us from achieving this goal?”; “What could affect our efforts to accomplish this task, with respect to cost, quality, or timeliness?”

The value of leading the session participants through such a list is that you “map” several uniquely informed brains against the key elements of the project. Each round table member will have a different response to the context, and different ideas of risk, which means you increase the chances of identifying all of the most critical risks.

Well, it happens that people sometimes do not like, for political reasons, the risk profile you develop and the conclusions of your risk report. But when you share the context paper and make your scope and assumptions transparent, critics will be hard pressed to fault your method. More often, you will find that uniting a diverse array of opinion around a common context leads to effective solutions. This only adds to the credibility and strategic value of your risk management program.


Risk Assessment Template-Establish Context

2010-05-20 / How to do Risk Assessment

Let’s take a look at the elements of a risk assessment template to Establish Context, which you can use in the first step in the risk ID/assessment process. Keep in mind that this is to establish context for an individual risk identification and assessment exercise on a given topic.

This is a list that has evolved over time, and can be modified to suit the risk context of your organization and line of business:

  1. Organizational Setting; Roles and Responsibilities
    You want to define the organizational unit that is responsible for this particular risk assessment.
  2. Planning/Program Setting and Time Frame
    In other words, what is the process, plan or project under review? There must be some sort of project charter or authoritative documentation.
  3. Goals and Objectives of the Plan/Program under Review
    NB – Not the risk management goals, but rather goals of the project you are scrutinizing for risk. List available work breakdowns.
  4. Environmental Scan: Key Trends and Conditions
    NB – these are not risks; rather, they are largely known. You can state the associated risks during your risk ID session.
  5. Procedural Standards / Organizational and Professional Value Criteria
    Even business rules, ethical guidelines or customer service ideals – whatever guides the behaviour of your organization.
  6. Analysis of Participants / Stakeholders / Agents / Constituents
    The key here is to note their objectives and values – these can easily be sources of risk.
  7. Relevant Risk Categories
    Generic categories of risk, as well as specialized ones that are unique to your business, should be listed in preparation for the risk ID exercise.
  8. Procedural Constraints on Risk ID/Assessment Process
    NB – not constraints of the project; not risks – rather, known constraints of time/resources that will compromise your effort to conduct a comprehensive risk ID.
  9. Deliverable of the Risk ID/Assessment Process.
    Just to clarify to risk ID session participants what they must aim for.

Get the risk context statement reviewed and signed off by the project lead and round table members. The risk identification session itself then goes like clockwork, because you’ve clarified assumptions beforehand.

You can find detailed discussion to accompany the template in these posts:

How to do Risk Assessment-Establish the Context Part 1

How to do Risk Assessment-Establish the Context Part 2

Pitfalls in Writing the Risk Context Paper
