Date: Tue 13 July 2021
Title: Establish Context – Underrated, Misunderstood
By now, we have a great foundation for Enterprise Risk Management: realistic rationale, definitions, and sound planning. Now to begin High Quality Risk Assessment in earnest, we address the classic “Establish the Context” – the most misunderstood and underrated step in the whole risk management process.
At this point in our podcast series we have deconstructed some of the misconceptions in the field; we reiterated the persisting and obvious need for Enterprise Risk Management; and we introduced viable definitions for both ERM and what I take to be its core process, High Quality Risk Assessment.
You probably feel how my working methods trace a fairly tight logic.
Let’s continue that train of thought by considering now the step in High Quality Risk Assessment called Establish the Context.
What do the standards mean by “Establish the Context”? For ERM itself? or for a particular risk assessment?
What is the true significance of “Establish the Context” in an effective ERM program?
Context Paper: Hands-down, the best preparation for risk assessment is: write what I call a Context Paper.
If you compare your results to those of firms that simply use an informal approach, you will find that looking after your planning regime and preparing a context paper will move you light years ahead in conducting risk management.
Summary: What did we cover today?
The true meaning and purpose of Establish the Context.
The headings in what I call the Context Paper, used to prep a risk ID session:
1. Title of the plan under scrutiny
2. Goals and objectives of that plan
3. Corporate values
4. Risk categories
5. Stakeholder analysis
6. Procedural and due diligence points
Process in preparing the context paper.
“Do not introduce as risk things into the risk ID session which should, properly speaking, simply be trends and conditions that are already known — that should have been taken into account in the formulation and design of the plans themselves.”
E. Robertson, Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (2016)
The discussion on Establish the Context begins in Chapter 2.2.
[edited for clarity]
Establish Context – Underrated, Misunderstood
This is episode 7: Establish the Context – The Most Misunderstood and Underrated Step in the Risk Management Process.
Well, if you’re just joining us in the podcast series, I’ll give a quick summary of what we’ve covered so far. We’ve deconstructed some of the misconceptions in the field. We reiterated the persisting need for enterprise risk management. We also introduced viable definitions for both ERM and what I take to be its core process, which I call High Quality Risk Assessment. Unfortunately we couldn’t start right in with risk ID, because we need to take some preparatory steps. An important one, upon which we spent I guess 2 episodes, was to look at the planning regime — making the planning practice of the organization rational, ordered, logical and comprehensive. [This] really irons out many problems at the front end, so that you don’t have to try to solve those problems when conducting risk assessment.
So if you’re following my method of thinking here, it’s really to try to maintain a pretty tight logic, step by step, and introduce rigour into the whole process of enterprise risk management — rather than just doing it off-the-cuff, or in an informal, ad hoc way.
In following that train of thought, let’s take what is usually considered (at least it was in the early standards) to be the first step in enterprise risk management, which is to Establish the Context.
So the first question that arises — the first point of confusion really — is establish the context for what? The standards did not make clear at the outset whether “establish the context” pertains to the whole operation of setting up ERM across the organization, or whether it pertains to just doing a risk assessment on a given topic. And today I believe you’ll read any number of headings in risk management standards that relate to “establish the context” in some form or other.
Well, let me give you my take on this, to try to simplify matters as much as possible. If you take the step of “establish the context” in a broad sense, to pertain to, let’s say, establishing enterprise risk management across the organization as a new management practice, or indeed to inform the planning, that’s why I spent so much time on reviewing, revising and fixing the planning regime. So please refer back to my work on that.
If on the other hand you take the step “establish the context” to pertain to a specific risk assessment, in that case you’re sort of agreeing with me that “establish the context” belongs as a specific step for any particular risk ID and assessment on a particular topic. And I’ll go ahead and show you the exact steps that I take to develop the context.
The purpose in writing a context paper is to inform the participants in a risk ID and assessment exercise of the bounds of the discussion; the scope of the exercise; the assumptions that go into the discussion. And when you do this, it works like magic, because instead of wasting, say, an hour and a half of precious meeting time in sorting out all of these foundational issues, you’ve already solved them up front. And people are very grateful for that. They find that the process has so much more value when they get into the room and really start to discuss risk in earnest.
Well then, you might ask: isn’t writing a context paper a huge burden — something that really adds to the whole workload of doing risk assessment? Actually, you’ll find that it’s a time saving device. It clarifies things in your own mind, as the facilitator, so much that you’ll come to really appreciate it and live by the context paper. The context paper itself, in its form just as a generic format, is only one page. After you fill out the various headings a good context paper need not take more than 1 1/2 or 2 pages. So it’s not the quantity of the information that’s important here; it is the quality.
In many applications of the context paper that I have seen, people start with just the procedural issues. In other words: What was the meeting about? When was it held? Where was it held? Who was invited? Who showed up? What were the constraints imposed? Sometimes they’ll [i.e., higher management will] say: you can’t discuss this or that. And [to record that] just forms part of good due diligence.
The first real heading in the context paper is #1 title of the topic under discussion.
Now that might sound elementary. But it’s really necessary to state this specifically. What is the subject of the risk assessment? And if you don’t do that, then it gives people license to start identifying risks that are outside scope. People will ignore the project at hand, and start to identify risk that pertains to, let’s say, the national economy, or global politics, or… you name it. If you list specifically the topic as the first heading, then it gives you the tool you need as facilitator to draw people back in, to start to identify risk specifically with regard to goals and objectives.
So now there comes an important point, a conceptual point, because you might object: “You know, the national economy, various international trends, and so on, might have a real effect upon our local plan, so they need to be discussed.” Well, here’s my answer to that. That’s precisely why I insist on looking at the planning regime. If your plans have not already taken into account what the national trends are; what the industry is doing; what the various stakeholder concerns are… then the plans are already incurring risk and are poorly informed. So you have to go back and fix the planning.
Don’t bring those sorts of questions into the risk ID. The risk identification has to do with uncertainty pertaining to the intended actions to execute on the formulated goals and objectives. So by insisting on the proper substantiation, the research into and formulation of plans, we’re precluding this notion of identifying risk in a vague way.
Saying: oh interest rates might change; or demographic patterns might change; or government regulations might change… What characterizes all these risks is that they’re systemic in nature. They’re things over which typically you don’t have any control, but, for that very reason must be taken account of when you formulate and design your plans.
If it’s something important enough where you need to contemplate an entire scenario of response, well then, that would take a scenario analysis — and that’s something different again. But right now, it’s important simply to conceptualize that we don’t want to identify risk in a vague way. We don’t want a vague sort of general rehash of already understood and known issues [e.g., interest rates, demographic patterns, etc. that should already have been the subject of an environmental scan to inform plans].
I can tell you that this conceptual point is missed by so many, and yet this is exactly what introduces the rigor and structure in our planning and risk management process.
Well, you might disagree with me here, and say: “No Edward, this is exactly where we need to do risk assessment, because often in our plans we miss some national trends, or economic indicators, or background facts about stakeholders” and so on and so forth. Well, that’s fine, if that’s the way you want to do it — but I think there’s two risks: First of all, you run the risk of having to reformulate, in a major way, your plans, because you’ve identified some systemic risk that simply scuttles the whole concept of your plan. Second, you miss the opportunity to capture and manage those risks which affect your day to day operations and your ability to execute on the goals and objectives — and this is where the value really comes in.
So my conclusion on this point is the following: Do not introduce as risk things into the risk ID session which should, properly speaking, simply be trends and conditions that are already known, that should already have been taken into account in the formulation and design of the plans themselves. Well I’m getting ahead of myself, because I’m talking about how to actually conceptualize and formulate a risk. But let’s continue with this subject of the context paper and how to write one properly.
After the first heading of the title of the subject of the risk assessment, our next heading is #2 goals and objectives. Now here again there’s a misconception that often enters. People will sometimes list the goals and objectives of the risk management program — of the entire ERM initiative in this context paper. That’s not what we’re after. What we’re after is the goals and objectives of the plans under consideration.
Okay, so first of all we have to make sure that our planning language is consistent. We know what the definitions of goals and objectives are, and how they relate to one another. And as I say, this has already been taken care of at the planning stage. So then you’re probably asking: What — do we have to state again the goals and objectives of the plan itself in this context paper. And I’m saying you have to either state them — copy and paste them if they’re brief enough [to make this] practical — or simply put a reference to the original planning document.
Why is that? It’s because we want the participants to be able to trace through, step-by-step, each particular goal and objective or intended action, for the purpose of identifying risk.
So to repeat: in the context paper itself, you need not repeat all of the goals and objectives. If it’s practical to do so you can do a short paragraph; or you can copy and paste them over from the original document or, otherwise, you simply make a reference to the original planning document (which will be part of the set of papers that people have before them when conducting the session).
All right, well so far, by virtue of the context paper, people know exactly what the topic of the discussion is, and what the underlying or reference document is [along with its goals and objectives].
The next heading in the context paper is #3 values. In other words, what are the guiding principles that people should keep in mind for the behaviour of people in the organization, when they [i.e., the risk analysts] are assessing risk with respect to the goals and objectives in this plan?
Now here, the values may not be stated explicitly in the plans under consideration. You might have to go back to corporate documents to recall, to refresh people’s memories, about what the values of the organization are, what the principles are for behaviour and interaction and so on. The reason this is so important is because values are often sort of “glossed over”. They seem to appear in the annual report as propaganda items, but actually could be true sources of economic value. They can be true differentiators, to set you apart in the marketplace, and they can be sources of liability… and so on.
Therefore we want to make sure values are brought to the fore as risk criteria in any particular risk assessment.
The next item in the context paper that we want to list as a heading is #4 risk categories. Now this is a procedural item. It means: what are the categories of risk that you as facilitator are going to bring to the table in order to inform people’s consideration of risk?
For example the classic categories of risk that people are used to considering are: the PEST, or PESTLE, which means political, economic, social, technological and so forth. Now you might have generic categories of risk to bring to the table for people’s consideration. But at the time you will also want to bring to the table what I call specialized categories of risk. So let’s say, for example, you’re doing a risk assessment on IT Security risk. Well, right there the IT security folks will have a series of risk categories and considerations that they want to run through, and you can work with them offline, before the session, to make sure that those categories of risk are properly listed in your context paper. [Then] people are able to consider them, and suggest what the risks are pertaining to each category.
#5 stakeholder analysis. Well you might have done a stakeholder analysis as part of your general planning, your strategic planning exercise. On the other hand there may be no stakeholder analysis that is extant to inform the risk ID exercise on a given topic.
So right there, it could be a question of deficient plans. If you don’t have a set of goals and objectives, and an appended stakeholder analysis to characterize the concerns, requirements, motivations and so on of your stakeholder group, then you know, it has to go back to the planning to fix that.
For the purpose of the context paper, what we want to do is list the conclusions, the major points, from the stakeholder analysis, so that we can use them as a point of departure for identifying risk.
Speaking of stakeholder input, it’s actually possible and even desirable (if it’s feasible) to have stakeholder reps participate in your risk ID. That gives the whole process so much more credibility and [makes it] so much better informed.
Now I’m repeating myself, because I said at the very beginning we want to put in the procedural elements, that is: who was invited? who attended? etc. You can also do that down in [section #6 constraints, procedural elements] as I’m suggesting right now.
Make sure that you put in any instructions from senior management. The reason we want to do that is so that you have a record, so you can go back, and you’ve got documentary proof [i.e., of imposed constraints and limitations to the risk process].
Moving on now to the context paper heading #7 deliverable. Well, this again is a procedural ploy on the part of the facilitator. It might sound, you know, perfectly obvious that you want to have a full risk register as the deliverable. But, you know, what you want to do is set that out explicitly in the context paper. Why do you want to do that? It’s because you need to have something to point to, to say to people: “Look, this is exactly what we’re aiming to complete today.”
Now you might only have, let’s say, 1 1/2 hours, or at the best maybe 3 hours with a group of senior executives. You’re not going to get these people around the table again to consider this issue! Therefore you need to keep them focused on completing this exercise, [i.e.] filling out, to the best of their ability, the risk register — and in order to do that it really helps to set out the deliverable explicitly as a topic heading in the context paper.
Now here I’ve got a sentence that you can use under the topic heading #7 deliverable: “A comprehensive list of risks, arranged in several categories of analysis, with criticality rankings and mitigation measures, arrived at by consensus, to inform an improved business plan” (or policy or program or whatever it is).
So those are the headings in the context paper that I recommend, which you can change or add to, according to the needs of your business situation.
I wanted to make a few comments about the process. You, as chief risk officer or risk champion or facilitator, are going to be working, most likely, with a program lead: someone who’s a subject matter expert in the area where you’re conducting risk assessment. This is the person who has been leading a staff to create the plan. So you can work together to make sure that the context paper is properly filled out, in all of its various headings. Then, as a point of procedure, shop that paper around as a draft to all the intended participants of the risk ID session. The reason for doing that is to get people’s feedback, to make sure that they understand exactly what each of the elements is in the context paper: to make sure that the planning language is commonly understood; that the definition of a risk is commonly understood, and so on. [Note: glossary of terms can form part of the context paper.]
Let’s go over the main points that we discussed today by way of summary.
We talked about Establish the Context and how that is one of the most misunderstood and really undervalued parts of the risk management process, because, if you get it right, it can solve so many problems up front.
We talked about preparing a context paper for every risk ID and assessment exercise on any given topic.
The headings in that paper should be:
#1 topic (the plan under discussion)
#2 goals and objectives (of that plan)
#3 values of the corporate entity
#4 risk categories that you intend to bring to the table
[#5 stakeholder analysis]
#6 procedural and due diligence elements [also constraints] such as the list of attendees and list of those invited to the session
#7 deliverable of the risk ID session itself.
Finally, we discussed the process involved in preparing and actually vetting the context paper.
Now, there’s more that enters into the discussion of context. And I’m going to cover that in the next episode. But so far I think, if you follow my recommendations to:
a. fix up the planning, and to
b. prepare a context paper
… and you compare that to another organization, that is similar, and trying to do risk management in a rather informal or imprecise way, you’ll find that you are light years ahead.