Risk Management & ERM: The Basics
In this piece, I am going to walk through the essentials of risk management process, and I will discuss how each is then elevated to an Enterprise Risk Management (ERM) competency.
The ISO 31000 Risk Management Process Framework provides the best illustration of this iterative cycle that serves as the foundation for most risk management practices, and thus it is intuitive to most management and leadership teams despite the likely use of different nomenclature.
Context simply means that we must understand the scope and assumptions for what we are attempting to risk-manage, and Identification calls for a brainstorming of all possible risks within that scope.
Analysis determines what the potential impact of an identified key risk is to the organization in terms that are meaningful (loss of revenue for example).
Evaluation determines where that risk exposure fits within the larger context of the entire organization.
Treatment determines options for handling the exposure, as well as identifying any residual risk.
As with any best practice, this process is iterative lending to the ongoing communication, monitoring, re-evaluation (and re-prioritization) of risks over time and as the business changes. I will briefly delve into each of these topics to point out some of the key success factors and pitfalls encountered when moving from theory to reality.
ERM - Context
Establishing the context is all about planning, and may well be the most overlooked and misunderstood component of risk management, either as a function or a discipline. Context for a risk management process means identifying the scope, goals, outcomes and resources required for thing (process, department, business venture, etc.) being evaluated. This is not unlike any other project where ‘planning the work and working the plan’ is the battle cry.
As risks across an organization are fluid, so are the risk processes that are used – this is what gives flexibility to the program – but because Context defines the 6Ws for the program, these variable processes are also complimentary.
Now, context for ERM happens at a higher level, where an understanding of both internal and external forces at play within an organization (think Strengths, Weaknesses, Opportunities, Threats) is combined with strategic vision and objectives to define the organization’s Risk Appetite and Capacity. With this knowledge, we begin crafting a program that targets mission-critical elements of the organization, aligning time, energy and resource to the issues that matter most.
Understanding Risk Capacity to define a clear Risk Appetite statement is not only foundation for ERM, but for strategic planning itself. Risk, Appetite, and Capacity statements ensure that strategy and risk are balanced, that objectives are properly prioritized, and set the tone for cascading management processes.
ERM - Risk Identification
Risk Management begins with the identification all sources of risk, areas of impacts, events and their causes and potential consequences to generate a comprehensive list for Risk Analysis and Evaluation (which is where the measuring comes in). From a traditional functional perspective, this is generally equated with safety hazard evaluation of systems, processes and environments.
From an ERM perspective, the focus is broader, and includes events that might create, enhance, prevent, degrade, accelerate or delay the achievement of strategic objectives, as well as assessing the risk of not pursuing opportunity. Risks not under the control of the organization are identified along with those that are, and include cumulative as well as cascading effects.
Types of Risk
The types of risks an organization deals with can be categorized within four main buckets which may be expanded when relevant. Under this traditional model, risks are managed in a silo fashion, and risk management as a function focuses only on hazard loss with a directive to mitigate negative impact from those activities most commonly driving such losses.
It is pertinent to note here that the functional responsibility for managing risk does not change with the implementation of an ERM discipline. Rather, ERM processes lay the foundation to systematically capture, measure and report risk within each functional area.
Recall that ERM is not a function, but a strategic business discipline.
Division heads and operational subject matter experts (SMEs) are the best source for understanding and managing risk within their respective areas – ERM gives them a vehicle to communicate both problems and solutions in a common language that is easier to digest and respond to at an executive level. The role of the Risk Manager is to assist with the risk identification process, focusing on the capture of relevant data from SMEs.
Pitfall: ERM should not remove ownership of risk management responsibility from functional areas – risk managers own the process, not the risk.
ERM - Risk Analysis
Risk analysis involves developing an understanding of the risk, including the sources, impact, likelihood and other relevant attributes. When we talk about traditional hazard loss risk, we are concerned with both Probability and Impact (or Severity). These measures can be quantitative, qualitative or a combination of both depending on the type of risk assessed as well as the program maturity of the organization.
This analysis is generally underpinned by a calculation that determines Probability and Impact on an axis across various categories – for instance, an employee injury may impact operations (downtime & claim costs), reputation, and regulatory fines. Here we are looking to develop a systematic process for capturing and measuring potential impact of identified risks.
This results in a common vocabulary that, in conjunction with guidance from Risk Appetite and Tolerance statements, allows for a timely and more measured conversation about risk to occur.
Understand that a determination of “high risk” with no Context means everything and nothing all at the same time because every brain in the conversation will come to a different conclusion.
Pitfall: Overly complicated risk registers and calculations can easily derail the program.
Focus on Risk Tolerance guidance and build a process that is fit-for-purpose as well as appropriate for current organizational maturity. The first couple of years an entity may use all qualitative measures (high, medium, low) and then gradually begin incorporating more quantifiable elements. This is perfectly fine – as the discipline matures, the program and tools will naturally evolve on their own.
ERM - Risk Evaluation
As Risk Assessment identifies exposures and potential impacts, now Risk Evaluation looks specifically at how they play out within the organization with the specific purpose of determining which risks need treatment and the priority for treatment implementation.
Take our example above regarding an employee injury; for the average company the impact may primarily be claim costs, but for a heavily regulated organization (think nuclear or remediation) that same injury could also spur high impact regulatory fines and adverse media affecting the organization’s reputation.
In this stage, we are acknowledging all risks, but weighting them by relevance for the specific entity. Second, we look at risks from a consolidated perspective to identify those that show up in more than one area and/or that have the potential to increase impact across functional areas through a domino effect.
Finally, we consider prioritization of risk by functional area, as well as for the whole entity. Since a high risk in one area may, in the grand scheme of things, be a low risk to the organization, or conversely something considered low risk may not be at all when its discovered that it exists across several functional areas, this exercise improves resource allocation in addressing “game-over” problems or simply low-hanging fruit as top priorities.
Pitfall: Analysis paralysis.
Many a program starts going sideways at this point and a couple of things generally happen. Small, everyday risks are considered low risk (due to low impact) despite high frequency and desensitization obscures the fact that they are nickel-and-diming the company to death. Second, big hairy scary exposures are deemed low risk due to low probability, or are considered unmanageable and thus summarily dismissed.
So here is where we point you back to the section on Context and Risk Tolerance because that will address much of this problem before it even starts (yes, you should go back and read it again right now). Then, we will continue with a quick side tour to discuss Control-Based ERM.
ERM - Risk treatment
Once identified, traditional risk management calls for dealing with (or Treating) risk exposures in four ways, Avoidance, Reduction, Transfer or Acceptance. The choice of which to use is not always clear, and depends on an understanding of impact, cost and effectiveness.
Once a determination is made on how an exposure will be treated, the anticipated effectiveness of that solution will be factored back in to the Risk Evaluation to determine the residual risk that remains and to calculate a new risk score. It should be noted that other than total Avoidance, no risk can be 100% mitigated, and some may require more than one technique or solution.
Consider a company mitigating construction project risk by:
Reduction through project size
Transfer through subcontractor indemnity and bonding, and
Transfer through its own Builder’s Risk Insurance program.
Key Success Factor: Be creative! Many exposures are best tackled with a multi-faceted approach, and not every risk can or should be insured away.
ERM - Communication & Consultation
To make the risk identification, evaluation and treatment discussions relevant, operationally viable and realistic, subject matter experts across the organization must be engaged in the process for both consultation and validation (what we call gut-checking).
As indicated earlier, the risk manager will become the program expert whose main mission is to assist operational SMEs with the process within the framework established by the entity, as well as to help identify when there is an information or input gap on more strategic due diligence projects.
If it is not obvious at this point, successful ERM requires a willingness to create and maintain communication channels within the organization, and leaders will need to be mindful of spotting managers who block and hoard information from their teams rather than compile, synthesize and communicate it up the chain.
Pitfall: Excluding Internal Risk Management from Due Diligence efforts.
Every leader knows that their success comes from their team, and the concept of open communication to allow information to bubble up is nothing new. However, when strategic moves and opportunities are presented at the top, deep and holistic internal vetting is often overlooked.
Opportunities are evaluated first and foremost on a risk/reward basis tied to return on investment, market expansion, revenue generation, etc. There is a lot of legal this and market analysis with graphs and projections and computations galore. I am not dismissing any of that critical and relevant work.
The gap I am talking about is typically in post phase – implementation/merger/acquisition – when suddenly your internal SMEs must quickly digest, adapt and manage this fabulous new thing. What happens when the product you launched is going like hotcakes but the sales team doesn’t have the manpower keep up; or your repair team cannot troubleshoot the new piece of equipment customers are clamoring for because their test units aren’t compatible; or the contract is inked for a near-belly up company (which you got a great deal on!) but then your surety suddenly terminates because your risk now exceeds their appetite?
Sure, these things can usually be fixed, but it will be expensive and distracting. Allowing your internal team in only after the “go” decision has been made is a bit like closing the barn door after the horses are off and running. In addition to the inefficiency, this oversight leaves your operational SMEs and Risk Manager feeling underutilized and their skills unappreciated; they begin losing confidence in the process and ERM begins sliding downhill. There are a multitude of ways to get the requisite operational input you need, yet still keep the secret squirrels secret, and it’s worth the extra effort on the front end to avoid post-go decision pitfalls.
ERM - Monitoring & Review
The final component of the ISO 31000 Risk Management Framework is monitoring and review. This is also a cyclical process that delivers continuous improvement within the program. As the business or environment changes, existing risk issues will be reviewed through the process and treatments changed or adjusted based on need. New issues will arise from the review of others, and occasionally fixes don’t fix and need to be reimagined.
Over time, the documentation collected will be invaluable because something magical happens when write stuff down. A division manager considering a vendor for a job can determine if they’ve had bad performance with the company some distant time in the past, training new staff at every level is easier and more efficient, and project stumbles can be assessed through lessons learned to be avoided in the future.
Hopefully, this brief primer has somewhat de-mystified the risk management process, and has illuminated the fact that risk management is already part of the fabric of your organization. Taking that capability and evolving it into a more standardized and formalized process that breaks across functional silos with guidance provided by the C-Suite (and Board if relevant) will move you into an ERM competency.