Time to get into my recommended ERM process! Let’s start with practical definitions of Enterprise Risk Management and High Quality Risk Assessment. These definitions are rooted in the international standards (ISO 31000, COSO, AS/NZ 4360) but are not copied: they reflect a precise method finely honed over years with clients.
In prior episodes, I devoted time to critique what I take to be some of the misconceptions in the field of Enterprise Risk Management. I explained, at least in part, what may have caused them, and highlighted the extraordinary need for good risk management that faces us today, even though difficulties in implementation, linking to strategy and proving value are still persisting.
With that as background, let’s start to look into my recommended ERM process. We won’t have time to discuss the whole implementation, of course, but we can begin with some practical and descriptive definitions.
Do listeners/readers want just the definitions, or should I discuss the rationale behind them?
I think it’s important to tell you the “why”, the rationale, as our preferred approach to ERM is a conscious one, without accepting advice uncritically…
Definitions: rationale and approach
– rationale for creating my own definitions
– does a risk management technique reach ultimate truth?
Definition 1. Enterprise Risk Management
“A distributed practice of High Quality Risk Assessment applied to strategy and operations, in all domains, in support of aligned corporate goals and values.” (Robertson 2016, p.13)
What is the significance of the elements in the definition?…
Must risk sub-disciplines or sub-frameworks use High Quality Risk Assessment?…
The points that I’m insisting on really are points pertinent to quality, rather than additional administrative burden.
Definition 2. High Quality Risk Assessment.
“The comprehensive identification and analysis of phenomena that could prevent the achievement of objectives, or compromise associated values, of a researched and planned program, followed by a principled response.” (Robertson 2016, p.11)
How to operationalize this practice, as indicated by the elements in the definition?…
Significance of High Quality Risk Assessment process
This is the essential practice in an ERM regime. Start with this, because if you don’t get this right, there’s really no point to continuing with ERM…
When the High Quality Risk Assessment Process is finely honed it starts to enable incisive analysis of complex problems.
Summary: what have we accomplished today? We considered:
1. a working definition of Enterprise Risk Management
2. the risk ID and assessment method called High Quality Risk Assessment
3. the necessity to develop and refine your risk ID and assessment process
4. the planning practice
In our next podcast episode, we will look closely at how to conduct High Quality Risk Assessment, and why the details of the process are so important to guarantee the quality — to make the magic happen — in your risk identification and assessment process.
“One key message here is: do not fall into the trap of trying to lead a risk ID session, much less implement an entire ERM program, where goals and objectives are poorly defined.” (Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation p.32)
Robertson, E. (2016). Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation.
[edited for clarity]
Welcome to the Risk Commentary Podcast. This is Episode 4 – Enterprise Risk Management: Definition and Core Practice.
Well, in prior episodes I devoted time to offer some critique of what I take to be some misconceptions in the field of Enterprise Risk Management and I explained, at least in part, what may have caused some of these myths or misconceptions to arise. And at the same time I highlighted the extraordinary need for good risk management that still is with us today, even though there are difficulties in implementation: i.e., difficulties in linking the risk practice to strategy and in proving the actual value of the risk management process. These are all persisting, according to the evidence in the surveys.
So with that much as background we can start to look into the Enterprise Risk Management process — at least the one that I recommend. We won’t be describing in detail how to actually do the whole thing in this podcast episode — that’s too much material. But what we can do is start with an introductory piece on the definitions that I recommend, and this will give us a good foundation.
[01:53] Right away, I have a dilemma in the narrative, and that is to decide whether to launch straight into the definitions and present them, sort of for you to accept at face value, or to actually explain the rationale, the “why” of how I got there. I think it’s important to do a bit of that because we want to take an approach to ERM that is really deliberate, mindful or conscious. We don’t want to simply accept some formula that’s given, by me or anyone else. Now, at the same time I recognize that there are different learning styles and some don’t care too much about the rationale — they just want to go straight to what they think is going to work. And that’s fine, so that’s the reason why I’ve got show notes with timestamps. So you’re able to jump to the areas in the subject matter that are of most interest to you.
[02:43] All right, so I’ll start with a bit of the background for those who are interested. The first question likely is: ‘Why did I create my own definitions?’ ‘Why do I have to reinvent the wheel?’ Because you might say: ‘Aren’t the definitions and the methods (that are) described in the standards good enough?’ ‘Aren’t they really comprehensive and built on a whole body of experience by professionals?’ and so on.
I did talk about this before, but just let me reiterate here: the whole idea of recreating my own definitions is to address the fact that the standards really do not give detailed advice on how to conduct risk identification and assessment, nor do they give advice on how to implement a new management practice and roll it out across and through the organization.
I think it’s possible that those deficiencies, if it’s even fair to call them that, might be responsible for the fact that many managers in many different verticals, different industries, who tried to implement risk methods were simply not able to do it in a way that delivered results that were really convincing for them.
So the definitions that I present do not, of course, tell the whole story of how to implement Enterprise Risk Management. But the definitions contain a series of elements that reflect a precise method, which can be elaborated.
The next point has to do with the nature of a management technique, and to recognize that a management tool is not the way to ultimate truth. We don’t pretend that risk management and its results present anything absolute. It’s simply a rational tool that we’ve constructed to impose some kind of order on chaotic reality. So our method uses logic and a defined procedure. But within that structure we can accommodate both quantitative and qualitative information, as well as relatively objective information — that is, data and hard numbers and so on — as well as a well informed subjective judgment or professional memory, all with the recognition that we’re trying to be as comprehensive and diligent as possible within the constraints that are imposed upon us.
The next point about my method is that it is principles-based. In other words, I’m not categorical or dogmatic about how something has to be done, although I may insist on a certain principle. So, for example, there’s the principle of being comprehensive. We have to be comprehensive in our risk ID, otherwise it’s not really Enterprise Risk Management.
And I’ve got a way to be comprehensive. But if you can present another way to be comprehensive that’s more effective in your working situation, then I’m all for it.
Now my last point about my approach to definitions is that I characterize it as authoritative, in the sense that they’re grounded in an important definition in the international standards. The three standards, COSO, ISO 31000 and AS/NZ 4360 overlap in one important aspect, and that is in their definition of risk. They all take risk to be the uncertainty that is associated with goals and objectives. And that is precisely where we start. And that’s how I ground my definitions and my approach.
[05:56] So here’s a quick summary of my rationale and approach to definitions:
– First of all, our own definitions are needed because the standards simply don’t give sufficient detailed advice, either in the sense of doing risk ID and assessment, or rolling out such a practice.
– We’re recognizing that this is a management technique that doesn’t pretend to reach ultimate truth. It is simply a rational tool that we’re using to impose some kind of order on chaotic reality, so that we can reach relatively correct decisions.
– While I might insist on certain principles, such as being comprehensive, in the risk ID, I’m not dogmatic on actually how to get there.
– Finally I say my approach is authoritative, insofar as it agrees with the definition of risk that is given in three of the prominent international standards.
[06:45] So with the discussion of rationale out of the way, let’s proceed straight to my definition for Enterprise Risk Management, and it is as follows:
“The distributed practice of High Quality Risk Assessment applied to strategy and operations in all domains in support of aligned corporate goals and values.”
So that’s the definition that I crafted and published in my book Solving the Enterprise Risk Management Puzzle.
Let me now explain how the parts of the definition actually reflect the different elements of your method to roll out Enterprise Risk Management.
The first point is that it’s a distributed practice. That means that we’re expecting everyone who’s responsible for managing any program area to be responsible for the risk that is incurred in that program area. While we might have a Chief Risk Officer or a similar function in the organization, we can’t expect that office to understand, be aware of and control or mitigate all of the risk. That’s simply an unfair expectation. Rather, the function of the Chief Risk Officer or similar function… is to enable the methods to be applied across all of the various department areas. [editor’s note: i.e., to enable staff to adopt the methods]
The next element in the definition is High Quality Risk Assessment. So I call this “high quality” risk assessment in order to differentiate it from an ill-defined, unstructured, or sort of informal discussion of risk that people might engage in, when they first entertain the idea of instituting risk management in their business or organization, and they’re actually non-experts. So there’s no blame in this whatsoever. We can’t expect people who are not experts in risk ID, who really haven’t had a chance to investigate the question, to see right away that there’s really more to risk ID than meets the eye. It took us a while to figure it out. And George Head, one of the luminaries in the field, said risk identification is as much art as it is a science [paraphrase].
So the question that arises: ‘Is everyone expected to use this new process?’ And I did mention with regard to sub-frameworks or sub-disciplines that a uniformity of methods is not needed. In other words, we’re going to accept the fact that, let’s say, the IT security folks have their categories of risk analysis and that they’re doing well in identifying risk in their domain. Or that could be the same with environmental audit, or health and safety, and so on. I do stand by that point, but in order to subsume these various practices under ERM we have to make sure that they’re aligning with corporate goals, strategic aim and values.
At the same time, there’s another qualification that I did not mention before. It’s often the case that an existing risk management practice will really appreciate and benefit from the High Quality Risk Assessment process that we [develop and] deliver. Why? Because it’s highly rigorous and gives results. So they might wish to consider it.
The next element in the definition is strategy and operations. In other words, we can’t really call it ERM if we’re not applying risk methods to both strategy and operations. Now that doesn’t mean that we can’t start with some operational area to do trials and to experiment with our risk ID process to make sure that it’s working all right, before we roll it out to other department areas, or even before we try to apply it to strategy.
As we go along, you’ll see that I really favor an incremental approach to implementation.
The next element is all domains. And that means, of course, that we can’t limit our risk assessment to, let’s say, what is insurable risk, or simply financial risk, or hazard risk. No, we are responsible for covering the entire spectrum of all risk categories, all risk areas.
The next element in the definition is aligned goals and objectives which implies, first of all, that there is some kind of planning regime; and secondly, that the plans arrived at are all oriented [to] and supporting the same strategic aim and the same corporate identity.
Next you’ll see that we include in the definition corporate values. I think values have been misunderstood, in the sense that they’re taken to be more or less platitudes that might appear in the glossy annual report at year end. But it’s important to take values seriously, because they can be sources of risk — and sources of actual economic value, and a differentiator for the organization in the marketplace.
[11:30] I hope that that gives you a good sense of my approach to Enterprise Risk Management, encapsulated in that definition. I essentially just want a really good risk assessment process, but I want that to be applied universally, to strategy and operations, across the organization in all domains. And I want to make sure that the whole planning regime is properly aligned. And if that’s not too much to ask, then we’ve got a system of ERM!
Honestly, I don’t think it’s really overly complex or overly burdensome. The points that I’m insisting on are really points of quality, not points that significantly add to the work volume.
Now, as I indicated in the previous episode on busting myths, I think that the concern about the administrative burden can be answered by the fact that the High Quality Risk Assessment really introduces efficiency into the management process.
[12:27] So let me give you the definition of High Quality Risk Assessment which I intended to give you as the second definition that I crafted to support our ERM initiative…
“The comprehensive identification and analysis of phenomena that could prevent the achievement of objectives, or compromise associated values, of a researched and planned program, followed by a principled response.”
Now again if we take the elements of the definition, we’re going to get a good sense of how to operationalize this practice.
The first element in the definition is comprehensive. As I indicated before, it’s an important principle in Enterprise Risk Management. We can’t limit the identification of risk to simply what is insurable risk, or hazard risk or financial risk. No, we have to actually cast the net wide, and capture risk in all domains, in all the various categories of risk that we can possibly bring to the table.
So once we identify the phenomena that could introduce some sort of uncertainty or hindrance to our intended goals and objectives — in other words, the risks themselves — we can analyze them. By that, I mean subject them to four “lenses”; that is, four views [or criteria], in order to arrive at a decision about each one. And I’ll get into exactly what those four lenses are all about.
Next in the definition you see that I have reiterated both the ideas of objectives and the associated values.
The next element in the definition — and this is important; I think this is really missing from much of the discourse — is researched and planned program. That means that if the corporate goals are simply residing in one person’s head, we can’t take that too seriously. Why? Because it’s [the goals are] not open to scrutiny and discussion. Nor is there any guarantee that they were arrived at through a process of actually systematically investigating: what the emerging issues are; what the environment is all about; what the competition is doing; what other jurisdictions are doing, and so on.
So why all of this close scrutiny of the planning regime? Well let me read you one paragraph, by way of warning:
“One key message here is: do not fall into the trap of trying to lead a risk ID session, much less implement an entire ERM program, where goals and objectives are poorly defined. Do not become embroiled in conducting risk assessment for groups who have not done their research and created coherent plans. Any discussion of risk without adequate preparation will end up going around in circles because the target for identifying risk keeps changing in people’s minds. This confusion will reflect poorly on the risk ID process and will damage (your own) the facilitator’s credibility. The principle is that risk management cannot substitute for proper planning.” [Robertson 2016, p.32]
Finally in the definition we have: followed by a principled response. What I mean by that is to follow the stages indicated in the risk management process, in order to have a consistent response (to each risk).
[15:45] Well, now that we’ve covered the definitions of Enterprise Risk Management and High Quality Risk Assessment that I propose, I want to finish today’s episode with a discussion of High Quality Risk Assessment, and its significance.
I characterized High Quality Risk Assessment as being the core practice, really the essential practice in an Enterprise Risk Management regime. And it’s the thing that you should start with. If you don’t get this right, then there’s almost no point in continuing with trying to implement an ERM program.
That might sound harsh, but that’s the reality, because the risk ID and assessment process really has to inspire in the participants some sort of special insight that they had not perceived before. If that happens, then things really start to take off.
By contrast, if the risk ID and assessment process is simply a bland rehash of issues that people are already aware of, then the value of the whole thing in the minds of the participants is going to diminish, and eventually the program will just fall by the wayside.
Just to recap, let’s be clear: When you experiment with your risk ID and assessment process, what you’re aiming for is some sort of an “aha moment” where people say: ‘Okay, now I really understand — I really have true insight into our risk profile, which I didn’t have before.’ Not only that, but (people think) this is helping us really clarify our goals, clarify how we operationalize our values. It can lead us to realize how we can solve a chronic business problem, how we can improve our relationship with a major stakeholder — things of that nature.
And when that starts to happen, you’ll know because people from across the organization will be calling you, saying ‘We’ve got something really important, and we hear you’ve got a good process. Can you come and help us?’
[17:28] So by way of summary, let’s review what we’ve accomplished today.
– We’ve actually established a definition of Enterprise Risk Management — a working definition that tells us it’s the distributed practice of High Quality Risk Assessment.
– We characterized High Quality Risk Assessment as the core practice in ERM, which is so important to experiment with and develop, until you and your team are satisfied that this process really inspires new insights into the risk profile.
– It’s really necessary to take a look at the planning practice in the organization and make sure that it’s of high quality so that we can begin risk assessment on a sound footing.
In our next episode we’ll take a closer look at High Quality Risk Assessment: how to conduct it, and why the details of that process are so important to get right, to guarantee the quality and make the magic happen in your risk ID and assessment process. So until the next episode, thank you for listening.