Manage Tomorrow's Surprises Today

Cruise Ship Accident due to Preventable Operational Risk

2012-01-16T17:49:40Z

The Costa Concordia, a Carnival Cruise Line owned ship, ran aground resulting in at least 6 deaths. This is a 4,000-passenger, 115,000 -ton cruise mega-ship, with the latest and greatest technology, as it is just 5 years old. As an Enterprise Risk Management (ERM) professional, my forecast is that we will learn over the next six weeks that this is not the first near miss for the Costa Cruises organization, nor the first questionable judgment call by one of their ship's captains. My bet is that one of the thousands of crew management have reported issues in the past and that other Carnival ships have faced similar operational risks in the past several years. The problem is each one of these issues in its silo is a one-off near miss and perhaps in isolation is not worth escalating to senior management that sets policy. Put them together however, and you see a grave systemic pattern that is likely to result in disaster that would have been preventable had the systemic pattern been detected and managed as a whole rather than as one-off incidents.

To be effective, Enterprise Risk Management must be pushed out to the front-line business process activity level where decisions are made 12and information must aggregate up across silos and levels to be understood by senior management. Few organizations have their ERM programs functioning at the business process activity level. Typically, organizations interview the top management about their "risk worries" and boil things down to the "top ten risks". Unfortunately, these top ten risks are disconnected from the everyday operating controls at the business process activity level, so these "top ten risks" continue to be unresolved. GRC programs are no better, as they focus on heavily silo'd compliance, such as SOX, IT, and Internal Audit, and also do not link risk to operating controls and business metrics at the business process activity level.

The fact is that operational risk is all around us, typically most prevalent in the organization's area of core competence. In the last year, I have blogged about oil discovery firm's failure to manage drilling risks, leading banks' failure to manage investment risks, power companies' failure to manage power risks and manufacturers' failure to manage product quality risks. I have heard risk managers say their bosses give the same answers too many times, "It won't happen to us," or, "Although enterprise risk management is a priority, we are not ready to take our ERM program to the business process level." Since 89% of ERM and GRC programs fail to adequately manage operational risk at the business process activity level, this dangerous game of not moving their ERM and GRC programs forward to detect and manage operational risk at the front line activity level is not only fraud, but also a form of "Russian roulette" with real consequences.

Due to SEC requirements passed in February 2010, the once wide-spread practice of, "Don't write it down," is no longer viable. Boards of directors are now liable for not having their risk management programs reach the front line business process activity level. Now, both management and their boards of directors are liable for what they don't know, but should have known. If you are a publically traded company or you are a supplier to a publically traded company, evaluate your risk management effectiveness with these five competencies:

1)      Name all your front line business processes
2)      Conduct a risk assessment in each of these business processes
3)      Connect mitigation/control activities to each of the key risks in these business processes
4)      Connect your business metrics for each process to these mitigation activities
5)      Connect your front line activity risks to your business performance management strategic objectives

These are five of twenty five requirements outlined in this complimentary risk management maturity test available on-line: www.rims.org/rmm. If you do not score above a "managed level" of risk management maturity, it means your organization is failing to achieve these five simple steps in a material manner at the front line activity level, where it matters the most. The Costa Concordia accident was preventable, and so are the risks at your organization.

How to measure your Enterprise Risk Management effectiveness

2012-01-04T11:30:00Z

I am often asked for insight on business measures or KPIs for ERM programs to track overall progress and effectiveness.

The key question for risk managers is: how do I measure the value ERM is delivering to my organization?

The following are examples of measures that will quantify and measure the value your ERM program is providing:

Number of systemic risks identified

Systemic risk identification will detect areas of upstream and downstream dependencies throughout your organization, such as when one area of the organization is unknowingly causing strain on other areas. Additionally, this method could also identify areas that would benefit from centralized controls so the extra work of maintaining separate activity level controls is eliminated, increasing organizational efficiency.

Percentage of process areas involved in risk assessments

ERM is cross-functional in nature and cannot be done in silos. A business is the sum of its parts. The same is true of risk. A risk event in one functional area also affects other functional areas within the business. Process owners own the risk; risk managers own the completeness, timeliness, and accuracy of the risk information. The more process owners involved in risk assessments, the more accurate and forward-looking the information collected will be, both of which are hugely valuable to the organization.

Percentage of key risks mitigated

Having a sense of your overall risk coverage is important; however, it is not nearly as valuable as knowing the coverage of your organization's key risks. Because all risk assessment should be conducted on standardized criteria, you can determine a uniform tolerance, or cut level, throughout the organization based on the resulting assessment indexes. This will help you to prioritize resources to the risks that need stronger coverage, rather than wasting resources on risks that will have no major impact on your organization. This gap analysis with a tolerance level will also help you to identify emerging risks as they rise out of tolerance and it becomes clear that some mitigation activities in place are no longer sufficient.

Percentage of key risks monitored

Most organizations have no understanding of how the business measures that they rely on daily are tied to their risks. If a risk or activity changes, organizations have no way of knowing how, and if, these changes will affect their metrics. Through risk assessments and linking risks to activities, organizations can start prioritizing what activities need to be monitored. Regular risk assessments enable organizations to detect increased threat levels and identify new emerging risks before they materialize and bring business metrics out of tolerance.

Learn more on how to measure risk management effectiveness.

The Importance of Linking Risks to Business Measures

2011-12-05T12:00:26Z

The number of business measures within organizations is typically growing. Measures are often added on a reaction basis to loss events that have already occurred. Wouldn't it be valuable to be able to focus on forward looking measures? In most organizations, these preventative, proactive measures are indistinguishable when grouped with reactive measures, because the metrics do not formally tie back to any commitments or risks.

What if a risk or activity changes? Organizations have no way of knowing how and if these changes will affect their metrics. Risk Assessments and linking risks to activities allows organizations to start prioritizing what activities need to be monitored. Through regular quarterly, or even annual, risk assessments, organizations can detect increased threat levels and identify new emerging risks before they materialize and bring your business metrics out of tolerance.

Measures are important because you cannot improve what you cannot measure, however this large number of unconnected goals is problematic because:

Measurement fatigue - staff may simply ignore many measures because of a lack of time to assess them.
Measure obsolescence - in a changing environment there is no effective way of knowing when measures no longer apply.
Lack of prioritization - picking the measures to focus on is likely to be on an ad hoc basis and upon the whim of current staff.
Lack of continuity - changes in the organization or the development of new lines of business may result in new measures while existing measures may be more effective.
Lack of coordination - often measures apply to multiple risks or commitments across functional lines. The inability to formally tie measures to risk or commitments does not promote inter-functional coordination resulting in business silos and duplication of effort.
Wasted resources - The amount of resource available to accomplish business goals and to mitigate risk is finite. Staff will often continue to manage to obsolete or unimportant measures rather than aligning with current imperatives.
Resistance to change - A difficulty to apply past experience to a changing business environment resulting in a tendency to "reinvent the wheel".

Much of the necessary information exists in organizations today; the missing piece is formalizing these critical connections. LogicManager™ has functionality to identify risks and commitments; assess them based upon likelihood, impact and assurance; evaluate whether action is needed; devise mitigation or business building activities if needed, specify and record measurements to track effectiveness, and finally formalize the connection between all of these activities.

Connecting the measurements to the mitigation activities and business initiative data and then back to the underlying risk and commitments will provide the following benefits:

Explicit prioritization of measures based upon a risk/reward index and a dashboard presentation on the heat map dashboard in LogicManager.
Real-time trending of measures on an ongoing basis with measure consolidation used to direct management attention to problem (out of tolerance) conditions.
Allow for rational elimination of measures that have low priority or non-existing connections to risks or business initiatives.
Facilitate new business initiative business measurements prioritized upon risk or business commitments.
More effective use of scarce resources.

The key is working with the functional managers to make the connections. The immediate benefit will be to identify measures that are not connected to any risk or initiative and to determine if they should be eliminated. Then, once the connections are made, use the management tools in LogicManager on an ongoing basis to improve utilization of business measures within your organization.

Watch 4 minute video to learn how to link risks to business measures.

Landmark Risk Management Study to be Updated

2011-11-07T13:00:00Z

Last week, at RIMS ERM Conference 2011, we announced that LogicManager and RIMS (The Risk and Insurance Management Society) have selected Queens University Management School (QUM) to update the landmark 2008 study that quantified a direct, positive relationship between the maturity of an organization's risk management framework and its business performance. Read the full press release here.

The 2011 update will gather data just as the 2008 study did, using real organization's data compared against the best practices outlined in the RIMS Risk Maturity Model (RMM), co-authored by LogicManager and RIMS. Click here to see these best practices in action.

The 2008 study was the first time that risk managers gained real evidence that they could show their VPs, Executives, and even Boards of Directors that risk management has a powerful, direct effect on business performance. Further, with the help of the RMM's accompanying step-by-step practitioners guide, risk managers gain a roadmap detailing how to develop ERM programs that effectively achieve the strategic goals that drive business performance. This next update will provide the same evidence and guidance using more recent risk information.

The updated study will be conducted by Queens University Management School. Mark Farrell, Actuarial Science & Risk Management Teaching Fellow, Queens University Management School states, "We sought out RIMS and LogicManager to update the analysis, as the RMM is the premier source for risk maturity information, as it has by far the largest and most proven collection of real data that has stood the test of time."

Since its creation in 2006, the RMM has been used by over 1500 industry leading organizations to assess the strengths and weaknesses of their risk management programs and build action plans for improvement. In addition to gaining invaluable ERM insight about organizational risks, companies that complete the RMM assessment will receive a complimentary copy of the updated RMM research report.

Recently, the RMM was spotlighted at the inaugural RIMS ERM Conference 2011 last week in San Diego. The conference featured presentations highlighting the attributes of the RMM and its ability to help companies advance their ERM programs. I was chosen to facilitate roundtable discussions on the RMM and how organizations can link risk to business performance through ERM.

To see how you can link risks to your organization's business performance, click here.

]]>

What Cantaloupe and Citigroup Have in Common

2011-10-26T12:00:00Z

Two stories in the news recently have caught my eye: one involving a listeria outbreak caused by tainted cantaloupe, and the other involving Citigroup losing $285 million for defrauding investors.

In the cantaloupe story, a nationwide listeria outbreak was traced to a packing facility in Colorado operated by Jensen Farms. According to The New York Times, government investigators said workers accidentally carried bacteria into the facility and hard-to-sanitize machinery created an environment in which the bacteria could grow and thrive. (Jensen Farms has voluntarily recalled its cantaloupe).

In the Citigroup story, the Securities and Exchange Commission (SEC) settled a civil suit against the banking giant totaling over a quarter billion dollars for failing to tell investors of the role of their investments or that it had made bets that the investments would fall in value. These charges have continued since we identified it first in 2009 and saw it happen to Goldman Sachs in 2010.

So what do cantaloupe and Citigroup have in common?

Both Jensen Farms and Citigroup were in compliance, yet failed to have proper risk- management practices in place.

The packing facility that caused the outbreak was audited two days prior to the outbreak and received a passing grade of 96 out of 100, according to company officials, so their facility was in compliance. However, despite the passing grade, the conditions causing the outbreak were still present.

In Citigroup's case, the investments themselves were in compliance with regulations; however, it was the lack of risk disclosure that resulted in a loss of $285 million and a tarnished reputation.

The lesson to be learned from both of these cases is that just being in compliance is simply not enough. Organizations must additionally be able to fully manage risks across all business functions and through every material level as well as see their connection to business performance.

The first step in seeing across silos and levels and seeing the link to business performance is evolving your organization's risk taxonomy. Your taxonomy is the framework that manages the relationships between risks, activities, and goals and defines your organization's standards, assumptions, and terminology.

Click here to see an example of taxonomy in action

5 Steps for Better Risk Assessments

2011-10-21T12:00:00Z

Risk managers are charged with ensuring transparency, alignment, and forward looking views throughout the organization. The way this is achieved is through risk assessments.

Successful enterprise risk assessments can be a powerful tool for board and management level strategic decision making by connecting business activities to goals and identifying the risks that threaten to derail these strategic objectives. An unsuccessful risk assessment is little more than a form over substance activity that lacks context and actionable results.

So, how do you implement a successful enterprise risk assessment?

The key is being able to compare information across functions and levels while keeping one comprehensive risk picture.

Standardize your Assessments - Activities like vendor management, business continuity, compliance, IT, financial reporting, operations, internal audit, and others are all informal risk assessments. When these assessments are carried out on the same standards and assumptions, defined in a taxonomy, they can be compared and utilized cross-functionally.
Common Root Cause Approach - Risk managers should provide a common root cause risk library to process owners so that when multiple areas chose the same risk, systemic risks as well as upstream and downstream dependencies can easily be identified and mitigated. This method also identifies areas that would benefit from centralized controls so the extra work of maintaining separate activity level controls is eliminated.
Alignment of Activities, Goals and Risks - Risk managers need to tie root cause risks to strategic goals and trace these same risks through the process areas that they affect in order to determine which activities will roll-up to impact organizational objectives. Once these connections are made clear, risk managers are able to prioritize the effectiveness of controls, so that resources and focus are allocated to the issues that will yield the greatest benefit to the organization.
Group Information for Multiple Stakeholders - Because assessments are conducted on the same standards and assumptions and risks are identified at a root cause level from a common library, process owners can do one risk assessment, and the information can be sliced, diced, and aggregated to serve multiple purposes. It will provide a functional insight for the process owner, tie into governance areas like vendor management, and serve a strategic purpose by rolling-up into board level objectives.
Timing and Trends - Risk assessments must be conducted on a regular basis and when approaching business changes, new initiatives, or high risk issues. Being able to view the trends over time gives the organization's static risk profile context and a reference point so that necessary actions can be taken when you start seeing small changes in your risk profile before things get out of tolerance.

Whether your organization's risk management program is new or old, to effectively practice the 5 steps discussed, the first thing an organization must do is evolve its taxonomy.

Watch a 4 minute video on the benefits a common platform powered by a robust taxonomy can provide.
]]>

Takeaways from EGRC Magic Quadrant

2011-08-08T12:00:00Z

Recently, Gartner released its 2011 Magic Quadrant for enterprise governance, risk, and compliance (EGRC) platforms. While the report highlights the top vendors of EGRC, which includes LogicManager, it also identifies some revealing trends within the EGRC marketplace based on reliable consumer feedback. The most notable trend recognized is the shift towards enterprise risk management (ERM) within EGRC platforms. As Gartner states,

"ERM has emerged as the most significant use of EGRC platforms."

It used to be that compliance was by far the leading use of EGRC. Now however, ERM is seen by business leaders as the way to provide their boards of directors with transparency, monitor the achievement of organizational goals, and be proactive on emerging risks. Overall, ERM is now seen as the method to improve business performance.

This trend can be directly attributed to increased regulatory pressures on boards of directors. These new regulations, which came into effect in February 2010, now hold boards of directors personally accountable for risk management oversight of material risks all the way down to the front-line, meaning that boards are given the choice between closing gaps in risk management or disclosing these gaps to the public. Doing neither, is now considered fraud. The "we didn't know about it" defense is no longer valid.

Considering these regulations went into effect in early 2010, it comes as no surprise that ERM became the leading use of EGRC platforms in 2010, and continued to be in 2011. Similarly, this is now the second consecutive year that LogicManager, the leader in ERM solutions, has been represented in the magic quadrant.

So what does this all mean for risk managers?

Action must be taken. In the past it may have been sufficient to only reach senior managers for risk assessments, now however, due to the above regulatory changes, risk managers need to engage the front-line directly with risk assessments.

Risk management reporting has changed, so don't be caught waiting for your board to give direction. The board expects the risk manager to identify and assess risks across all levels and silos of the organization and reveal the gaps in reporting to the front-line. If you continue to report using senior-level assessments only, even if the board seems to be complacent, it won't be long before the board turns to someone else for risk management.

Three metrics to present at your next board meeting:

Engagement at the front-line - Roughly 10% of all employees are front line managers. Do the math for your organization. How many risk assessments has the front-line conducted this year? How many front-line managers do we reach? Show the board how large the gap is and determine how much liability (or gap) they are willing to accept.
Linking risks to processes and goals - Of the front-line managers you're not reaching, how many have assessed risks related to strategic goals this year have gone unreported? The risk manager must be able to make the connections and demonstrate how these risks impact business processes and strategic goals.
Identifying emerging risks - How many emerging risks, that front-line managers are in the position to identify, are going unaddressed? What is the degree of disconnect between the number of unaddressed risks and those that have proven, sufficient mitigation action in place?

After presenting these metrics, the next step is showing the board how the gaps in reporting can be filled. Tell them what resources are needed and what decisions need to be made, after all, the board does not want to be charged with fraud and does not want to turn away stockholders by reporting their flaws in risk management.

To learn more on this subject of presenting to the board, please register for LogicManager's upcoming webinar: Presenting Risk Management to the Board.

]]>

What the Board Should Know About Cyber Risk

2011-07-08T12:00:00Z

Recently organizations have been faced with the increasing threat of cyber attacks, whether from external hackers such as lulzsec or from internal attacks such as wikileaks. Your customers' personally identifiable information, organization's intellectual property, and confidential files are all vulnerable to attack.

How vulnerable is your organization to a cyber-attack? What would the consequences of a cyber-attack be on your organization? Your board needs to know.

The consequences of a successful cyber-attack reach far beyond just legal or IT issues. An organization's reputation, customer loyalty, and ultimately strategic goals will suffer as a result deeply affecting the bottom-line.

A prime example is recent the Play Station Network breach earlier this year. The security breach forced Sony to shut down their network for over a month disrupting Sony's revenue, operations, and possibly even future sales. What will ultimately hurt Sony as a result of the breach won't be the legal ramifications or the cost of implementing better IT security. It will be the breach's long-term effects on customer loyalty, reputation, and even market share.

What would be the consequences of a data breach or other cyber-attack be on your organization? Are you prepared for an attack beyond IT resiliency?

With such high-publicity breaches at Sony, Epsilon, Lockheed Martin, and even the U.S. Chamber of Commerce, your board will want to know if your organization faces the same risks. What Should You Present to the Board?

If you're unsure of what information you should report to the board, you can register for our upcoming webinar Presenting ERM to the Board.

Risk Managers: What should you report to the Board?

2011-06-20T14:32:26Z

Boards are under pressure like never before to assure their organization has an effective risk management program. The SEC, through the Proxy Disclosure Enhancements amendment, is holding them personally responsible for risk management.

If your board hasn't already come knocking on your door for a briefing on the effectiveness of risk management, they will be soon. So the $64,000 question remains:

What should you present to the board?

The short answer is the larger picture of risk with a connection directly to the front-line. This is the crux of the problem. As you know, the board makes strategic decisions by viewing your organization from a 35,000-foot perspective. They aren't interested in a list of hundreds of risk indicators, or even the top 10 operational risks.

Your board needs to understand the sources of uncertainty that could impair continuing operations or reaching your organization's strategic goals. The risk is not the event of a lawsuit, but rather the uncertainty that employees are acting appropriately that the board needs to know about. It's not the event of supply chain disruption, but rather the uncertainty of changes in weather patterns. The board needs to understand trends in uncertainty, that is the larger risk picture, on the commitments they have endorsed.

Sounds simple enough, so how do you assemble this information?

You need to take these big picture issues one by one, and connect them to the real people that materially contribute to each issue.

How to connect risks to strategic goals:

1. Choose one of the board's strategic goals.
2. Identify the business processes that contribute to that goal.
3. Assess the sources of risk for each corresponding process.
4. Connect the corresponding risks to that strategic goal.
5. Repeat steps 1 through 4 for each of the board's strategic goals.
6. Report the impact of risk on each strategic goal to the board.

Any one of these steps can be a challenge for risk managers. Find out how ready you are to present to the board, evaluate your risk program with the RIMS Risk Maturity Model Assessment.

You can also learn more about what the board requires by registering for our next webinar: What should you report to the board?

Risk Managers: Why Spreadsheets are Failing You

2011-05-20T14:37:58Z

While spreadsheets are still an excellent tool for data manipulation and one-dimensional analysis, they fall significantly short of delivering the capabilities a risk manager really needs to analyze trends and see the relationships the job entails.

The limitations of spreadsheets are systemic and largely stem from the way they manage data, their inability to easily show relationships, and their general inaccessibility.

Impractical

Risk management is an iterative process that requires collecting a great deal of information to glean the necessary insights. This often results in dozens of spreadsheets and documents each with multiple versions and revisions.

Not only does this impede the process of combining data into a coherent big picture, it also means any changes to data structure becomes a great undertaking. Dependent on spreadsheets, risk managers will spend countless hours validating data, double-checking formulas, and updating values instead of spending that time on much needed evaluation and mitigation.

Relationships

Risk analysis is not a static process; it's dynamic and highly strategic. Assessment structure, information, and the people involved evolves over time as management's requirements and priorities change.

Spreadsheets, however, are ridged. With each change to a spreadsheet, links between information are lost making it very difficult to analyze relationships over time. Without these relationships, how will you link risks and their controls to your organization's strategic goals?

What's worse, spreadsheets can actually limit the depth of risk analysis. You can only analyze the relationships your risk tools can uncover. Spreadsheets offer limited access to past and current data, you cannot easily aggregate and dissect information, and they require a high level of technical knowledge to compare data over time.

Simply put, spreadsheets prevent an understanding of the dependencies and consequences between departments, processes, and strategic goals. Without these connections it's impossible to see how multiple risk can come together to create a disaster like the BP oil spill or the Japanese nuclear crisis.

Inaccessible

Risk management isn't something that can be done in isolation. The information risk managers collect and analyze needs to be accessible to the rest of the organization. Spreadsheets, however, aren't accessible to business intelligence software, to management, or to other support functions that could benefit from that data.

The result is a risk management function without support from management and an organization with an abundance of duplicate tests, controls, and information. Risk managers need to be able to aggregate and access information across business silos and multiple levels in order to engage the right people with the right information.

The Solution

Risk management requires dynamic tools that can organize and link data automatically, analyze dependencies and consequences enterprise-wide, and be accessed by decision makers and other silos.

The solution is a robust software platform that can organize risk-information all in one place, link the relationships between data, and be accessible to the rest of the organization. Identify duplicate tests and controls, uncover the complex relationships between risks, and make that information accessible to decision-makers with one shared risk management platform.

How do you audit a risk management program?

2011-04-29T13:23:54Z

With so many risk management standards and government regulations out there that require risk evaluation, how should internal audit review your company's risk management program? How would you apply any one of these frameworks to an audit? How do you meet the reporting requirements of so many external stakeholders from regulators to investors to customers to rating agencies?

Challenges with using risk management frameworks:

• Many standards to choose from: COSO, ISO 31000, Solvency II, etc
• Recommendations aren't directly actionable and are vaguely defined
• No concept of improvement over time, requirements are black and white
• Standards are lengthy and abstract

None of these standards have clear auditor guidelines, review requirements, or control recommendations. Because of this, some auditors have begun using risk maturity models developed by consultants, however these models tend to be externally focused rather than centering around organization goals and performance.

This is where a proven framework such as the RIMS Risk Maturity Model comes into the auditing process.

The RIMS Risk Maturity Model is a collection of best-practices taken from each of the major ERM standards and it provides clear criteria that create a continuum of risk management capabilities. Best of all this model has been shown to correlate with better business performance as risk maturity increases.

How does internal audit use the RIMS Risk Maturity Model to review risk management?

The RIMS Risk Maturity Model has requirements for five levels of risk maturity for each of 68 core competencies that roll up to 25 success factors, 7 underlying attributes, and one final score.

This allows auditors to quickly assess their organization's risk management program, identify the top findings that require remediation, and make actionable and practical recommendations with the companion practitioner's guide.

No more vague frameworks or external consultants that reward form over substance. Review your organization's risk management program with clear requirements, clear recommendations, and a focus on your organization's strategy and achieving results.

Take a tour of the RIMS Risk Maturity Model Assessment today and see how intuitive auditing risk management can be.

5 Reasons to put ERM tools on your GRC shortlist

2011-04-25T13:33:34Z

If you're considering automating your governance, risk, and compliance (GRC) program there are dozens of choices out there and choosing the one that's best for your program can be challenging.

While many tools out there can document controls and test compliance, managing enterprise-wide governance, risk, and compliance is about much more. It's about adding measurable business value and contributing to the achievement of strategic goals.

To help you separate tools that have simply jumped on the buzzword bandwagon from tools that will help you deliver business value, here's a list of five must have features required to support your GRC or ERM program.

5 Capabilities that will add value to your GRC/ERM program

Is GRC and risk management tied to strategic goals?
Senior management is concerned with where your organization is going. Without a connection between risk and strategic objectives, you're executive team is unlikely to make risk or compliance initiatives a priority.

Does it directly link activities to business performance?
While it's good to be in compliance and have some risks covered, your risk and compliance program should be aligned with operational goals. This means using metrics and controls that can actionably improve business performance, not just meet requirements or checking off a box.

Does it drill down to the process level?
Every day your front-line managers are making decisions about risk. Does this software give you transparency into these decisions and will your process-level managers be able to use it?

Is information shared across business silos?
Meeting several compliance standards often requires the collection of similar data. Does this software allow information to be collected once and then be reused across silos and functions to prevent double-work?

Does it use SMART business metrics?
S.M.A.R.T. business metrics are built at the process level, around root-causes, are comparable, and are forward looking to give you the most complete picture of your risk and compliance program.

Whether your risk management program flies under the banner of GRC or ERM you need tools that give you transparency into processes and shows relationships across your enterprise.

To learn more about these attributes, take the RIMS Risk Maturity Model Assessment today and see how your program compares to industry best-practices.

5 Ways to put Risk Appetite into action

2011-04-12T12:00:00Z

An organization-wide risk appetite can be a powerful statement that gives your risk or compliance program direction. However, like any policy, risk appetite without accompanying action is nothing more than an idea.

So how do you give your risk appetite teeth? How do you make it an actionable guide for your organization?

Here are five recommendations to put your risk appetite into practice.

1. Translate risk appetite to the process level.

Every day your front-line managers are making operational decisions about risk, far from your risk appetite policies. This is where income is generated, where employees interact with customers, and where emerging liabilities are first visible.

To successfully implement your risk appetite you need to identify and set risk tolerances at this level of operations; at the front-line process level. This will allow you to connect front-line decisions with your overall risk appetite and determine which processes are out of range.

2. Set and measure risk tolerances around root causes.

Setting risk tolerances around front-line processes isn't enough to truly put your risk appetite into action. You also need to be monitoring root causes of risk at this level.

For example, say your risk appetite sets a low tolerance for customer dissatisfaction and as a goal you aim to increase customer satisfaction. You could goals for a particular customer satisfaction survey. However, this metric doesn't offer any actionable solution to improve customer service.

Instead, go to the root causes of customer dissatisfaction with metrics such as call wait time, email response time, or case volume. Unlike the results of a survey, these metrics are actionable if they are found to be outside of their defined tolerance.

3. Risk metrics need to be forward looking.

Another problem with our customer service survey comes from the time to it takes to compile responses and analyze aggregated results just to be able to make a decision. With a survey you'll always be acting on customer impressions from last month as an effect of last year's policies.

Instead, your metrics need to be looking to the future. Back to our customer service department, case volume, for example, is available as cases are created and will allow you to detect emerging trends long before they have significantly affected your organization.

4. Standardize your risk metrics enterprise-wide.

Underlying risk metrics need to be comparable over time, across levels, and across silos for a risk tolerance to be meaningful.

Using our customer service metrics again, re-opened cases might a good root-cause metric, but it's not comparable over time or across products as the number of total customers will vary. Instead measuring the percent of re-opened cases may be a more meaningful metric as it's value is independent of customer volume and is thus comparable both over-time and across silos.

5. Align your risk tolerances with your strategic goals and business model.

Risk tolerances will naturally develop from your overall risk appetite, but they also need to be in line with your organization's goals. Your organization might define a very low tolerance for customer dissatisfaction, but if you're attracting lots of high cost customers, then this policy isn't in line with a discount business model.

When risk tolerances are aligned with both overall risk appetite and strategic goals, they will both improve risk mitigation effectiveness and contribute to achieving your strategic goals.

To evaluate how well your organization sets risk tolerances and manages overall risk appetite please visit the RIMS Risk Maturity Model Assessment and assess your risk appetite management today.

Japanese Nuclear Crisis: lessons for risk managers

2011-03-22T12:00:00Z

The nuclear crisis still unfolding at Fukushima Daiichi continues to threaten a meltdown as core temperatures and radiation leaks continue to fluctuate. The disaster is one of the worst nuclear disasters in history. However the vulnerabilities at the power station are not isolated to Japan or utility companies; they are common risk management shortcomings in operational practices seen in every country and every industry. Here are a few lessons for managers from this crisis.

1. Link controls to the assets they depend on.

Managers' often make the mistake of assessing the effectiveness of a single control without expanding the scope of assessment to the assets that control depends on.

For example, the Fukushima plant had multiple backup cooling systems to prevent a core meltdown. However they all depended on a single diesel generator and battery backup system. When the system was discovered to be damaged, battery backup was depleted within hours and the cooling systems were rendered useless.

Managers will have better business results by expanding the scope of risk analysis beyond a control to the systems and assets it depends.

2. Evaluate risk impact for each business process.

It's very typical for managers to over-invest in risk controls for one area while leaving other areas widely vulnerable. This over-focus on a single area stems from risk analysis ending at the business unit level without considering how each business process will be impacted.

Going back to the plant at Fukushima, while extreme attention had been paid to containing a potential reactor meltdown, the same level of attention was not invested to protect spent fuel. This under-investment in controls for spent fuel pools has lead to highly unstable conditions including radiation leaks and a potential meltdown outside the main containment vessel.

Managers at the business process level have the best knowledge to identify and evaluate the possible impact of a risk. At Fukushima Daiichi that means managers would assess the impact of a natural disaster on for each business process managing fuel storage, cooling systems, backup generators, all the way down to employee performance; not just the impact on reactors.

According to the RIMS State of ERM Report 98% of organization's fail to assess risk at the front-line. This is a widespread problem for risk management programs in every sector.

3. Routinely revisit risk assumptions to reveal emerging risks.

While executives recognize the business environment is constantly changing, the State of ERM Report shows 86% of business continuity plans are based on outdated assumptions. This leads to outdated controls whose effectiveness may no longer be valid in the current environment.

For the Japanese nuclear plant this means assessing the increased probability of natural disaster stemming from global climate change and updating models based on the latest geological information. Managers need to regularly revisit risk assumptions to prevent controls from becoming outdated.

4. Evaluate risk from vendor relationships.

Every organization depends on partners to maintain key equipment and provide key services under emergency situations. Yet, according to the RIMS report, 96% of organizations today do not cover risks from their vendor partners adequately.

Examples are everywhere, whether you look at the BP disaster and it's outsourced oil rig from Deepwater Horizon or the Japanese nuclear crisis stemming from vulnerabilities in the original GE reactor design.

Managers must evaluate how vendor relationships impact every area of operations and what essential processes may depend on these relationships. While a process or a technology may be outsourced to a vendor, you ultimately own the risk.

Risk management isn't about trying to predict the future, it's about being prepared in the right places where it matters most. These practices reveal the relationships between risks and activities within processes, and allow managers to spend less time fixing preventable problems and more time reaching their strategic goals.

Is your GRC program overly focused on compliance?

2011-03-15T14:52:11Z

No company falls out of compliance over-night. It's a gradual process resulting from a combination of overlooked issues, that together create a serious problem. Strangely enough, compliance issues often result from taking an overly compliance-focused approach to risk management; a common problem for GRC programs.

Take for example J&J who, after a series of product recalls in 2009, has once again fallen out of compliance and now faces a permanent FDA injunction shutting down at least one plant and requiring at least five years of severe FDA oversight. So what went wrong?

While J&J undoubtedly took the 2009 recalls seriously, they focused on correcting compliance issues rather than digging down to the root causes of those problems and correcting them at the source. The result? Manufacturing plants are once again out of compliance just two years later and the public's trust in J&J products is beginning to wane.

Focusing on compliance is akin to adding another bilge pump because your boat has taken on too much water rather than seeking out and repairing the leak. The real solution to a company's compliance issues is to adopt an integrated approach to risk management; one that can identify root causes and their impact enterprise-wide, an approach that focuses on business performance not just meeting compliance goals.

A leak will eventually sink the whole ship no matter how many pumps you add. It doesn't matter if the water is below regulatory guidelines, it's not good to have any substantial amount of water on board. Besides, a ship without the extra burden of water will sail easier and more efficiently.

These are the hallmarks of an ERM-approach to risk management. This approach means assessing risks at the operational process level and understanding the consequences of those risks enterprise-wide. It requires identifying problems at their root causes and focusing on business performance rather than just compliance guidelines.

It doesn't matter whether you sail under the flag of ERM or GRC, the difference is in the approach. Does your organization take an ERM-approach to managing risk?

Visit the RIMS Risk Maturity Model assessment and learn more about evaluating your program on one of the seven key attributes that drive ERM performance.