July 27, 2006
Myth Buster: Risk Management fears and doubts
Risk managers frequently come to me in fear and doubt asking for advice on how to move forward with their Enterprise Risk Management programs. Here is a typical recent inquiry:
"I am researching and reviewing for the best approach for my organization. I have also talked to some consultancy firms. My initial thought is to select a suitable Enterprise Risk Management software package which could guide us through the various stages of risk management and generate different risk reports for different levels of management. However, in the course of my research, I also came across some sources which advised that ERM software should be the last thing to consider in the implementation of risk management. Could you help clarify my doubts and concerns?"
Below are a few of the self-serving myths told by consultants to create fear and doubt in the hearts of risk managers:
Myth: Software is the last thing to consider. The first priority is to get buy-in from the CEO and the senior management team that enterprise risk management is needed, and to establish the mandate and timeline to get this accomplished. After appointing a responsible executive to manage your ERM program, software is next on the list, as the best way to adopt best practices within a sustainable process. Select software that has embedded industry best practices. Best practice frameworks include the Australian Risk Management Standard, COSO ERM, COBIT 4.0, and Standard & Poor's ERM, among others. Make sure you select a software package that requires little or no training. Speak with the software vendor's customers about how easy the software is to use. Consulting proposals greater than 5-10% of the software purchase price are a red flag on ease of use. Note that a consulting-first or consulting-only approach without the software infrastructure is the biggest red flag, as these best practices and methodologies will quickly be forgotten and consultants will have a perpetual source of income training and re-implementing their services.
Myth: Quantitative risk assessment is better than Risk Control Self Assessment. The right answer is that you need both. According to a recent survey by the Global Association of Risk Professionals (GARP), only 12% of companies are using a quantitative-only approach, 29% a qualitative-only approach, while 59% are using both. (You can access a copy of the GARP Survey on my website.)
Enterprise risk management is about bringing together a risk picture from the entire enterprise (credit, market, operational risk, etc.) using a variety of qualitative methods like risk control self-assessment along with complementary quantitative methods. Here are the reasons why:
a) There is insufficient data available to use traditional quantitative methods to quantify operational risk. Risk Control Self Assessment is best suited for this purpose.
b) Coverage is the main issue for Enterprise Risk Management: quantitative methods are 10 times more expensive and at best can be applied to only 10-15% of the risk threats facing an enterprise. The risk control self-assessment approach is proven to help management discover and uncover risk across the entire enterprise. Risk control self-assessments prioritize risk threats and performance opportunities that need follow-up with deeper analysis, including quantitative methods.
The next time a wolf suggests that you not put a perimeter around your hen house, consider the source and the agenda behind the recommendation.
Posted by stevenminsky
July 18, 2006
NYSE CEO speaks out on IT risk, Part II with Opinion Poll
Based on the opinion poll in my last blog post, interest was highest for the question: How to surface common knowledge security issues that management doesn't know about?
You are in good company. At the SIA risk conference I had the opportunity to meet with Richard G. Ketchum, Chief Executive Officer of New York Stock Exchange Regulation. One of the major themes he spoke about was the need for technology assessments to review governance, risk and compliance issues. He commented that the adoption of new technology, combined with changes due to mergers and acquisitions, has left corporate systems frail and patched 3-4 levels below the senior management level, where they are "common knowledge" among operational staff members. He mentioned that these high-risk field issues, however, are frequently not known or understood by leadership and audit committees. He further spoke of the need for best practices to be implemented to identify reporting and control gaps.
When asked about methods to approach this problem, Mr. Ketchum commented “Precision in an imprecise area is dangerous” and suggested looking at the qualitative risk assessment approach of Enterprise Risk Management tools. He further commented that high-risk subjects include processes with deficiencies that have been triaged, areas that are not well connected, and legacy systems. Issues to focus on include operations and control practices.
COBIT 4.0 is just such a set of operational and control best practices that can help in this endeavor. According to ISACA, its publisher, COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Craig Symons at Forrester Research comments that "COBIT 4.0 Is A Strong Governance Platform".
You can download a complimentary copy of the new COBIT 4.0 best practices document on my website. I also recommend reading my article on risk maturity models, "The Elephant at the Enterprise Risk Management Party", to best understand how to use the COBIT 4.0 framework.
My next blog post will address the number two voted issue in the opinion poll of my last blog post: "How to draw the line between acceptable and unacceptable risks?"
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Identification • Risk Maturity Model
July 11, 2006
Hot New Risk Management Trends & Opinion Poll Part I
Judging from the SIA’s 2nd Annual Risk Management Conference for financial services firms, held on June 27th in New York City, the overall maturity of enterprise risk management has definitely moved up one notch in the past year. Uncertainty about how to define enterprise risk management and the debate about the value of risk management have been replaced with more practical concerns about how to best implement a risk management program and how to measure its performance.
For those of you who could not attend, the following are the hot topics to think about: 1) setting of risk tolerance or thresholds, 2) convergence of assessment work within risk, compliance, IT, finance and audit functions, 3) centralization or decentralization of the risk management function, 4) bird flu impact on business continuity, 5) the need for technology audits, and 6) accelerated adoption of Enterprise Risk Management as a business necessity by credit rating agencies.
According to Julian Fry, Global Head of Operational Risk at Merrill Lynch & Co., Inc., who was a panelist at the conference, the top 10 risk management business issues within Financial Services and Investment Management companies are:
1) Proper business practices, 2) Internal fraud, 3) Knowing your client, 4) Transaction execution, 5) Client selection exposure, 6) Business disruption, 7) Product complexity/pricing, 8) Employment practices, 9) Accounting evaluation (SOX), and 10) Back office operations.
You can find downloads for a few of the presentations from the conference at: risk conference presentations for download.
Posted by stevenminsky in Compliance • Enterprise Risk Management • Risk Identification
July 06, 2006
Opinion Poll: What keeps you up at night?
Fear or Opportunity? How will you respond?
Risk management: a fresh view of current events
Bird Flu: A Y2K technology-fix déjà vu sinkhole, or an opportunity to enable a more flexible virtual workforce?
Terrorism: A security nightmare, or an opportunity to improve controls that should be in place anyway?
Global warming: A disaster waiting to happen, or a wake-up call for conserving energy and reducing costs?
Your next job promotion: Do you feel stuck in a game of musical chairs where events control you or are you proactively leveraging risk management to meet your performance objectives and advance your career?
Posted by stevenminsky in Risk Identification