Date: Tue 12 Oct 2021
Title: Final Episode: The C-Suite Considers ERM
What are likely the key questions of senior executive in considering the adoption or remediation of enterprise risk management? We ask these questions and give summary answers, giving an overview of this podcast — over 5 hours of concentrated audio information to guide the successful roll-out of ERM. Support continues from me in the form of books, courses and consulting.
The key questions entertained at the level of the C-suite with regard to ERM are likely these three, to which I give an answer in summary:
a. What exactly is ERM?
Due to uneven development in the field, the definition has to be selected from among many, or created. I offer a carefully crafted definition of ERM, which relies on what I call High Quality Risk Assessment.
b. Is there a verifiable value proposition?
Yes. An incremental, low-risk and trial implementation will yield results, successively:
(1) with respect to clarity of the strategic identity and aims of the organization;
(2) by supporting execution on goals and objectives;
(3) by analyzing and solving business problems.
c. How can it be integrated, quickly and efficiently, with existing planning and management?
(1) establishing a sound planning regime, and
(2) using the principles of successful program implementation.
An elaboration on these answers is given over the course of the podcast series.
1. Enterprise Risk Management is not forecasting, not is it governed by probability estimates; rather, identifying risk acknowledges and brings to light the uncertainty inherent in plans which typically remains on the subconscious level.
2. Preparedness in the form of Business Continuity and Emergency Planning can be considered the cornerstone of an ERM program.
3. ERM has developed in such a way that there is a multiplicity of definitions and interpretations.
4. The planning regime itself is all-important. The benefits of preparatory work in defining what I call Strategic Identity are many.
5. Survey results show little confidence in the quality and utility of the results of risk assessment: in all likelihood, this is due to a methods deficit.
6. This leads us to value, as the core practice in ERM, what I call High Quality Risk Assessment.
7. The second main pillar of a successful program is to be acutely aware of a body of knowledge addressing generic program success. This seems to be little-appreciated in the management world.
8. The titles and job descriptions of those managing risk is varied. Rather than focus on formal training, we suggest certain competencies for the Risk Champion.
9. Managers responsible for ERM often have trouble with conceptual hurdles.
Here are some leading questions:
– Is it possible to define, monetarily quantify and insure an organization’s risk appetite and justifiably call that ERM?
– Is risk tolerance an appropriate notion outside of the world of investing?
– Do quantitative models capture risk in a way that is comprehensive, accurate, and forward-looking?
– Do financial risk management techniques constitute complete ERM?
– Is due diligence meaningfully differentiated from risk management, and does it have a defined and consistent methodology?
– Does everyone agree on the definition of, and how to manage, “opportunity”?
10. The use of scenario analysis: a. for specific circumstances; b. for future resilience.
11. Final words and thanks.
Thank you for your attention — anyone wanting support materials can go to RiskCommentary.com.
”Enterprise Risk Management holds the promise of capturing the entire spectrum of risk across the organization. This book answers the need for a generic ERM methodology, proven by experience in the field, in both public and private sectors.” (Robertson 2016 back cover)
BOOKS, COURSES, and CONSULTING CONTACT
[edited for clarity]
This is the final episode in the podcast series: The C-Suite Considers Enterprise Risk Management.
What are likely the key questions of senior executive considering either the adoption or even remediation of enterprise risk management in the organization? Well, we formulate these questions and then give summary answers. Then I’ll proceed with a series of points to give an overview of the entire podcast series, which consists of over five hours of concentrated audio information to guide the successful rollout of enterprise risk management. Support will continue from me in the form of books, courses, and consulting.
If I were in a leadership position of an organization of any size considering enterprise risk management, the first thing that I would want to know is what exactly is enterprise risk management — what is the definition?
Secondly I would ask: Is there a verifiable value proposition?
Then I would ask. How can it be integrated quickly and efficiently within existing planning and management?
So I’ll try to give brief answers to these questions right now, with the understanding that the elaboration on these answers really is found within the content of the entire podcast series.
On the first question of definition, anyone who’s looked into this question will find that there’s actually a multiplicity of definitions and practices, which makes it a little bit bewildering. I give an extended discussion of that in Episode 4. But here is my definition… the thing that sets it apart in my mind is that it’s a crafted definition that has specific elements, deliberately chosen and reflected in a defined practice. Here’s the definition that I gave on page 13 of my book: “Enterprise risk management is a distributed practice of High Quality Risk Assessment applied to strategy and operations, in all domains, in support of aligned corporate goals and values.”
[02:40] This immediately begs the question: What is High Quality Risk Assessment? I call it “high quality” risk assessment to differentiate it from ad hoc, informal, uninformed practices — which I think have plagued the industry. High quality risk assessment runs as follows: “The comprehensive identification and analysis of phenomena that could prevent the achievement of objectives, or compromise associated values, of a researched and planned program, followed by a principled response.”
The second question we wanted to consider is this: Is there verifiable value proposition? The answer is yes. The value of high quality risk assessment can be discerned in three successive stages, and these are encountered in a trial, incremental implementation — which is low risk, and allows the chance for feedback a
a. The first result is with regard to the plans of the organization: the improved clarity and quality of formulation of the strategic identity of the organization and its aims.
b. In a second stage, it’s the verification of the support of execution on goals and objectives that is given by enterprise risk management (specifically by high-quality risk assessment).
c. In the third stage, the value is seen in the in-depth analysis and solution of chronic business problems.
The third question which the C-Suite is likely to be asking is: How can enterprise risk management be integrated quickly and efficiently within the existing planning and management regime?
The industry standard, back in the day, was that enterprise risk management takes between three to five years to implement. I’ve been able to do it in much less time than that in different kinds of organizations.
The answer to the question of integration and the existing management regime is as follows. First, there has to be a sound planning practice. You can’t identify risk in an environment where you haven’t got properly formulated and substantiated goals and objectives.
The second part of the answer has to do with addressing the question of successful implementation. We see that in ERM (as well as in programs in general, in management endeavors) under- delivery and failure is quite common. The answer is to actually observe the principles of successful programs, which are covered in a whole literature on this topic. I summarize them and apply them to ERM.
[05:15] Now that we’ve given those preliminary questions and answers, I’ll go ahead with a summary of main points of the whole podcast series.
1. Enterprise risk management essentially comes from the world view of rational planning. The idea is to have faith that we can impose some sort of ordered intention upon a seemingly chaotic reality. In essence, I don’t believe ERM is forecasting, nor is it governed by probability estimates. I think the essence of it is to identify risk — that is to acknowledge and bring to light the uncertainty that is inherent in plans.
These uncertainties typically remain on the subconscious level. They remain floating around in the back of one’s mind, but this practice actually captures and manages these uncertainties in a deliberate way.
2. Preparedness, in the form of Business Continuity and Emergency Planning can be considered to be the cornerstone of an Enterprise Risk Management program. It doesn’t make too much sense to try to manage risk, unless you’ve actually taken care of business by establishing emergency planning and business continuity in your organization — and that is a separate discipline, with its own training, certification, and practices. It is closely related to risk assessment, and I’ve collaborated on many of these projects, but again it it’s a specific endeavor and project to establish BCEP within your organization.
3. ERM has developed in such a way that there’s a multiplicity of definitions, interpretations and practices. Now we’ve already covered this today. Let me just repeat: the definitions and methods that are presented here are the result of successful experimentation. They constitute a generic approach, adaptable to any organizational culture where you have planned goals and objectives.
[07:20] 4. The planning regime itself is all important. The benefits of preparatory work in defining what I call strategic identity are many. People start to work as a team towards a commonly understood aim. You start to get a clear definition of the essential and unique identifying features of the organization. This in turn gives a sound basis for actual coherent plans — and then risk assessment.
5. Survey results among ERM practitioners have shown little confidence in the quality and utility of the results of risk assessment. Now, in all likelihood, this is due to what I call a methods deficit — the widespread use of random, informal, ad hoc approaches to risk identification.
The results of this sort of practice are a mishmash of familiar issues, with little utility, and this explains why the first risk assessment often just sits on a shelf.
6. The value of the core practice of enterprise risk management — what I call High Quality Risk Assessment: it’s the first of two main pillars in a successful ERM program. The results of high quality risk assessment (if it’s done right) are so compelling as to motivate widespread support. Instead of a dry and sort of punitive checklist exercise, enterprise risk management starts to reveal its true value as a way to nail uncertainty, to break down and solve business problems.
[08:59] 7. The second main pillar of a successful program is to be acutely aware of a body of knowledge addressing generic program success. There seems to be little appreciation in the management world of these principles. Yet, ignoring these principles of successful program implementation continues to be at the root of a lot of failure and under-delivery in management initiatives, in all disciplines (notably in technology).
Note also that the international standards governing enterprise risk management give little advice on this point.
8. The titles and job descriptions of those managing risk are quite varied. Rather than focus on formal training, I suggest a series of competencies which are appropriate for the Risk Champion.
9. Managers responsible for enterprise risk management often have trouble with conceptual hurdles which come from traditional practices, and other related disciplines, notably in finance, investment and insurance.
Here are some “leading” questions:
[10:01] a. Is it possible to define, monetarily quantify and insure an organization’s risk appetite and justifiably call that enterprise risk management?
I realize that is the approach to enterprise risk management that is taken by many. Yet I would challenge that, because I don’t feel that it captures the entire practice.
b. Is risk tolerance an appropriate notion outside of the world of investing?
I’ve had so many questions from clients and students who say: how can we even conceptualize risk tolerance and apply it to our organization? I have two blog posts addressing this topic specifically. [see show notes]
Another one of these leading questions from the world of finance:
c. Do quantitative models capture risk in a way that is comprehensive, accurate and forward-looking?
d. Do financial risk management techniques constitute complete enterprise risk management?
I have a whole podcast episode  dedicated to that question. And similarly:
e. Is due diligence meaningfully differentiated from risk management? and
f. Does it have a defined and consistent methodology?
These are important questions that I find are rarely answered in the discourse on enterprise risk management. The last of these questions is:
g. Does everyone agree on the definition of, and how to manage, opportunity?
That’s an extended discussion itself [see Episode 19].
10. Scenario Analysis. This is one major topic that I did not address at length in any of the podcast episodes. So I will say a few words about it now. Scenario analysis is very similar to high quality risk assessment, except that you’re focusing on one set of circumstances in order to develop all the various possibilities and contingencies that would obtain in that set of circumstances. This is typically seen, for example, in Business Continuity and Emergency Planning, where you do an “all hazards” risk assessment.
Another important aspect of scenario analysis is the methodology of future scenarios. This is the only technique that I’ve seen that entertains the idea of looking at emerging and far future risk. It gives you a reasonable and plausible way to develop future situations, and use those to test the resilience of your current strategic plans. [Note: see book Chapter 4.4]
[12:40] My final point today is to encourage risk managers to strive to define your aims, and quickly prove the value of enterprise risk management. It is a practice which will bring scrutiny to the uncertainty inherent in plans, in all domains. My methods, keep in mind, are perfectly compatible with existing risk sub-disciplines, whether in finance, or health and safety, or insurance portfolio management, for example. These methods are very likely to gain support and confidence of staff simply because they help staff to attain their deliverables and solve recurring business problems.
Thank you very much for your attention to these podcast episodes! Anyone wanting support materials can go to RiskCommentary.com.