Table of Contents

01. ERM and Core Risk Management Process
02. ERM – Organizational Preparedness
03. Complete Organizational Planning Process
04. Governance, Risk and Compliance (GRC)

05. Environmental Scan
06. Stakeholder Analysis
07. Context Paper
08. Risk ID and Assessment Session – Agenda

09. Risk Register
10. Enterprise Risk Categories
11. Risk Statements

12. Probability-Severity or Likelihood-Consequence
13. Heat Map

14. Risk Tolerance
15. Risk Management Plan: Report to the Board

16. Weighted Multi-Criteria Selection Tool
17. ERM Maturity Matrix based on Carnegie-Mellon method

The document will take the form of text, spreadsheets and diagrams, and be accompanied by explanatory notes — it aims to answer needs among risk managers.

[UPDATE: 2nd EDITION EXPANDED TO 17 ITEMS – 07 October 2016]

The Economist Risk Intelligence Report

Managing innovation
The Economist Intelligence Unit has released a report entitled “Fall guys: Risk management in the front line”. It is based on a survey of banking and insurance executives both within and outside the risk function, supplemented by interviews with other risk experts.

The report paints a picture, on one hand, of an increased appreciation for risk managers, many of whom have acquired more authority within improved risk governance structures. This is a response to the economic crisis. On the other hand, respondents who believe their firms are effective in detecting emerging risks are still in the minority (35% – p.3 para.7). This same discrepancy – the risk function’s high importance but low perceived effectiveness – appears in previous risk management surveys (see the summary in this online introductory presentation).

Risk managers’ role
I found it encouraging that, according to this new report, risk managers wish to broaden their role by being “constructive”, “enabling”, and assisting managers to “achieve their business objectives” (p.4 para.2). Helping risk managers do just that is pretty much my whole mission in ERM! But relatively few firms even have risk managers participating in important business and strategic decision-making (p.4 para.1). The authors lament:

…there continues to be a perception among some senior managers that it is a support function staffed with narrowly focused specialists, such as business continuity planners, insurance buyers, or health and safety officers. Risk managers can find it difficult to break out of this mould and convince senior-level management that they have a contribution to make… (p.7 para.4).

This leads to the question: how can risk managers who aspire to support strategic planning and opportunity analysis move into that space? The authors regret a “cultural barrier”, and say it is a matter of better communication. But risk managers must prove they can actually help identify key business implementation risks, and can steward the innovation process, before they can be invited to fulfill those planning roles.

Risks and opportunity management: effective methods
They will not prove their value in planning by relying on the formalistic and bureaucratic aspects of the ERM program (PR, kick-off speeches, disseminating policy, etc.). Rather, they must demonstrate effective processes. They must facilitate sessions dedicated to the analysis and mitigation of critical risks, and to the identification of opportunities for innovation, in any context required by the internal client.

Risk managers must aggregate information for the board – but can they deliver insightful risk information that serves as a sound basis for strategic decision-making?

Risk managers must address long-term strategy and emerging risks. But do they know how to conduct a future scenario planning process? (See the report p.9 for a discussion of how the Lego senior director for strategic risk management uses risk scenarios.)

Risk managers must help identify opportunities. The authors report: “The average company’s risk register contains only threats, not opportunities” (p.8). My response is: should we really expect opportunities to show up within a risk register? To identify opportunities systematically, and subsequently develop them into sound business propositions and implement innovation — this all requires dedicated techniques. Risk managers are well-positioned to lead this process.

Conclusion: Managing innovation and opportunity is done incrementally
Risk managers who are aspiring to expand their roles can start with small pilot projects, even as experiments. I wrote a description of collaborative risk assessment in business (“No risk in collaboration”) in the September 2010 edition of Canadian Underwriter. You must have a sound process for identifying risks comprehensively as a basis. Principles of engendering and managing innovation are closely related. If you can help one client solve a critical business problem and meet objectives, then the next department will come knocking on your door.

How to do Risk Assessment-Risk Statements

How to Write a Risk Statement

I would say there are five rules to writing a risk statement:

  1. Write a complete sentence, consisting of a cause and effect.
  2. Link the two clauses by a phrase such as “leads to”; “causing”; “results in” (without using conditional terms like “might”; “may”; “could”).
  3. State the cause as an event, or as a set of conditions.
  4. State the effect upon the program goal, objective, or value criterion under consideration.
  5. Identify and state the risk that lies as far upstream as is practical to manage in the chain of cause and effect.

Risk Statement Examples

Context A:
Manufacturing process, using a critical fabricated aluminum part sourced from a supplier which has just been bought out.
Risk statement:

Changes to management of supplier X leads to faulty weld, heat treat and QA of our special-order welded 6061-T6 aluminum part.

Context B:
Private school language program, expecting a foreign student contingent from a country where political unrest is imminent.
Risk statement:

Communication ties severed with institutional contact Mr. X within next 3 weeks results in inability to arrange permissions, visas and travel for September cohort.

Context C:
Custom web security firm plans to set up a new office in Hong Kong. They are inexperienced in international business and are getting help to apply for a business license.
Risk statement:

Professional services Co. XYZ prepares deficient business license application, causing delay to planned September launch.

Explanation of Risk Statements

Notice that the statements could easily have read, for example, in Context A: “Customers injured” (characterizing this as a product liability issue); or in Context B: “September students don’t show up”; and in Context C: “Office opens late.” But the offhand, short keyword approach to risk ID doesn’t serve you very well.

I identified causal events as far upstream, so to speak, as I could, in the hope of taking action to prevent the risk before it even matures.

So in Context A, I didn’t focus on the end product failing, nor on the faulty part entering our plant. I focused on the supplier’s new management somehow compromising the weld, heat treat and QA process. Can we take steps to guarantee that process?

In Context B, it was the communications drop that was going to cause our risk to manifest. Therefore, could we look at back-up communications channels?

In Context C, there is still time to do due diligence on firm XYZ and explore options, and so build extra assurance that the Hong Kong business license application will succeed.

At the same time, by describing the effect on our plan, I have made it possible to think more clearly of alternatives to the plan and post-event mitigation (contingencies).

You can imagine a risk register of, say, 50 risks on a critical initiative. If they are all just vague keyword phrases, then their assessment and associated treatment plans will be just as vague. But if the risk statements are complete, time-specific, directly targeted to goals, and indicate upstream opportunities for prevention and mitigation – then you will have a tightly defined risk profile that you can act on.

Risk Statements vs Risk Categories

I’m creating the first draft of the exam for an upcoming Enterprise Risk Management certification, and in the text they are using, the idea of writing a cogent risk statement is not addressed. But I think it is relevant: recent years’ risk management surveys show that people have little confidence in the effectiveness of their risk methodology.

There is a distinction between a risk category and a risk statement. Many people identify risks with two-word phrases: “reputation risk”; “construction risk”, and so on. These are not risk statements, they are general rubrics within which you must specify the risk. I’ve heard of consultants presenting lists of risk categories as if they represented the sum total of identified risks. The trouble with that is, while a two-word phrase is fast and easy to say, the threat that it denotes in relation to your organization is unsaid.

Now, lists of risk categories derived from loss history in a given industry (often sourced from brokers) are undoubtedly useful in helping you identify relevant risks – but you have to use them correctly. They are a substitute neither for a comprehensive risk identification exercise, nor for writing complete risk statements.

A complete risk statement, whether or not inspired by or derived from a risk category, is formulated in direct association with a task, goal, objective or value criterion in your business or organizational plan. In the context of Enterprise Risk Management, the concept of risk goes beyond potential loss due to exposure of assets to hazards. ISO 31000 defines risk as the “effect of uncertainty on objectives”. The older AS/NZS 4360 says: “the chance of something happening that will have an impact on objectives”.

You can find further discussion, with examples of good and poor risk statements, in the prior version of the ERM Guideline I wrote for the BC government (section 2.3.2, page 20). You can email me if you want to see this – the current version doesn’t have it.

In this series on risk methodology, so far I’ve covered:

How to do Risk Assessment-Establish the Context–Part 1
How to do Risk Assessment-Establish the Context–Part 2
Pitfalls in Writing the Risk Context
Using Risk Categories


How to do Risk Assessment-Using Risk Categories

Risk Categories: Strategic and Operational

A client sent me a question today, which I quote with permission:

I’ve been tasked to go over the strategic (corporate) risk register done by the exec… The question I have is, there are 14 separate risk categories, while the operating depts. have been using 4. Is it worthwhile to keep them consistent, or would it make sense in any universe to use different ones for strategic vs. operating risks?

I definitely want to cut the number of categories down from 14 to 4 or 5; please advise if this makes sense also.

Here is the short answer: there is no strict rule about whether operational and strategic risk assessment can use the same risk categories. Nor is there a prescription about the number of categories you must use. Rather, you would make those decisions based on how you need to manage your information. First, you work to identify risk using categories; then, the categories work for you to manage the results. Let me explain.

Risk Categories: Generic and Specialized

Aside from the question of scope (operational/strategic), risk categories fall into two classes: generic and specialized. The generic risk categories are the familiar ones that apply to any organization; here’s a partial list drawn from the Guidelines for Managing Risk in the Western Australia Public Sector:

  • economic
  • socio-political
  • national and international events
  • personnel/human behaviour
  • financial/market

Specialized risk categories are the ones that belong to a specific vertical (industry, profession, field or practice). They are categories of analysis that subject matter experts can bring to the table. Project risk categories are a good example – especially useful if they are arranged by project stage. Here is just a sample of risk categories that would be relevant to the analysis of, for example, an IT implementation initiative:

  • process and system training
  • process compliance and user acceptance
  • security and privacy
  • release management

How to Use Risk Categories

Use risk categories in two stages; there’s a kind of shifting gears in the way you use them.

Stage 1: Peruse the risk categories and consider each one to identify risks and create risk statements. As facilitator of the risk ID session, you present all of the relevant risk categories that you can get your hands on and that you have time to cover.

Get the session participants to consider the whole list, so that you “map” each individual viewpoint against each of the categories. It’s unlikely you’ll have time to do this line-by-line: send out the lists ahead of time, and then do a walk-through at the session. The idea is to use the risk categories to inspire people’s thinking and jog their work-related memories, so that they can formulate risk statements about the project at hand.

Stage 2: Once you have completed your risk ID, you may have a list of, say, 30 to 50 risks within a specific context. Now that you and the group have worked so hard to delve into each of the categories, you have to decide: how do you want categories to work for you?

Are they an administrative tool? You will likely want to sort on the material by department, business unit, risk owner, or by project stage. You might therefore need to create new categories or spreadsheet columns, and re-categorize certain risks. For example: something originally identified under the rubric of “Financial” may belong more properly under “HR” or “Marketing”, depending upon who is looking after mitigation. You could invent a code or category to coordinate mitigation, such as a communication plan to address 30% of the risks identified across various departments.

Are categories an analytical tool? It makes sense to arrange categories to reflect the perceived source of the risk – good for analyzing the strategic view of things. You might be able to discern where the most critical risks are coming from, or what function they are affecting, and draw useful conclusions. You can imagine the richness of the analysis if your department heads agree to categorize (accurately, with consistent criteria) an aggregated 250 risks across the organization in several columns.

There is no limit to the nature and number of categories, nor a minimum. It all depends upon the number of risks, the complexity of your risk information, and what you want to get out of it. Sorting by categories helps you manage mitigation, as well as interpret the risk profile and write your report.

You work to extract the risks from categories. Then you make the categories work for you.