[940 words, first published 2012/11/13]
So far in this series of posts, we have seen the genesis of the ERM program in the decision by the Board of Governors; the project team’s review of background materials; and the decision to begin with a trial risk assessment applied to the strategic plan. Now we consider how ERM was developed and rolled out to the rest of the organization.
DEVELOPMENT OF ERM PRACTICE
Conclusions Drawn from Initial Risk Review
The trial risk assessment of the strategic plan yielded a risk register addressing all the main strategic objectives. The plans for mitigation developed by the executive were, for example, to adjust program investment levels; create broad-reaching communications campaigns; and address certain stakeholder concerns. These risk treatments turned out to be relatively familiar administrative actions, except that they were fresh initiatives, targeting sources of possible program failure, that were missed in the original planning. The group held their usual far-ranging collegial discussions, but, in a facilitated session, identified risks in a systematic review, using the context paper and tracing through several categories of risk. The executive team’s confidence in the quality of the resulting analysis led them to recommend the method to be the rolled out.
Follow Up Risk Identification and Assessment Sessions
Sessions were subsequently held department by department, until all 20 business unit level risk assessments were eventually completed. The two-person team (the CFO and the project manager) instituted a train-the-trainer approach to transfer skills to department managers. The aim was to apply risk methods within business units’ regularly scheduled planning and management meetings. These follow-up sessions served as a further proving ground for experimentation with risk assessment, since the working culture varied through different parts of the same organization.
With each trial, the implementation team gave guidance and advice. Their main concern was to steer members of the college toward consistent criteria for risk assessment. They emphasized the significance of threats to the delivery of program goals and objectives. As the team collected the results of business units’ efforts, they were able to identify themes emerging in the aggregate body of risk information. The roll-out process took roughly 18 months.
Challenges to Successful Implementation
The team anticipated difficulty in getting take-up within the academic departments. This did not actually materialize, because the deans, who took the lead, appreciated that risk assessment was actually focused on departmental academic goals. Some initial push-back was probably based on a perception of risk management as the imposition of a bureaucratic compliance requirement, having little connection with planned activities.
The chief difficulty was actually to stay the course. They needed to secure the participation of each administrative unit and academic department in turn; to encourage them to temporarily keep competing priorities in check; and gradually to establish the baseline risk profile for the whole organization. Time spent on individual attention to departments, including detailed review of risk registers and follow-up interviews, was necessary, as mentioned, to communicate a consistent idea of risk and ensure the value and relevance of the initiative. Some departments tried to use the exercise to submit a lengthy “wish list” and get more resources. This necessitated some negotiation to get participants to re-cast the analysis to make it more strategic in character. Through feedback and dialogue, the risk culture developed in such a way as to keep minor matters out of the risk register, and to align risk assessment with planned strategic direction.
Risk Management Policy
The enterprise risk management program, renamed College-wide Risk Management, became summarized in a 4-page policy document on the college web site. It sets out generic rationale for ERM and guidelines for its integration into college management, including roles and responsibilities; reporting frequency; definitions; the risk management process; and references.
Risk Management Tools and Templates
In the last post, the implementation team’s alteration of risk terminology was mentioned. Through incremental roll-out, revisions and slight alterations were negotiated to eventually develop a set of tools and templates that reflected the management requirements of the organization, while keeping the core process intact. These tools and templates – each a single sheet – are listed on the college web site as policy sub-items, as follows:
Risk Analysis Session Guidelines. Similar to what we have called the context paper, this document sets the scope and procedural rules for an individual risk assessment.
Risk Analysis Worksheet. Gives rules on proper formulation of risk statements.
Risk Categories. Lists the sources of risk to be considered by session participants to inspire their thinking about what the risks might be in a given context. Encourages a thorough review in many categories specific to the college management culture.
Risk Register. A spreadsheet to list individual risk items, rank them, and give summary indications of how they are managed.
Risk Analysis Measurement Tool. A likelihood and consequence schema. Note the three unique categories of consequence developed by the college to track their business.
Risk Treatment Action Plan. Requires noting the responsible person, deadline and funds required.
Risk Profile Template. Permits an aggregate view of risks, arranged by category, with colour coding indicating the level of risk.
In sum, the ERM implementation team pursued the integration of ERM into the management practice only after an initial trial risk assessment at the strategic level. They used a train-the-trainer approach, instituted over time, department by department. Considerable effort by the two-person team was expended, following a defined project plan, to exchange ideas with department leaders, arrive at a common understanding of risk, discover the value of risk identification, and decide on the best configuration of tools and templates. Finally, the entire policy and tool/template set were concisely written and posted on the college public access web site.