The difference in a successful ERM implementation is in the approach.
Having the right “how to” knowledge ensures success.
This article gives you the opportunity to self-assess, or health-check, your approach.
What Comes to Mind for Top Management?
Imagine the day-to-day lives of top management:
- Will our company performance stay the course? Are our goods and services relevant in a world changing to counteract climate change? How open are we to internet hacking? Or, from left field, which competitor will take away our market share?
- Or are we serving the community to the best levels of city life, roads and transport facilities, good governance, creating opportunities, stimulating competition, knocking out the potential for fraud and corruption?
- At the operations level the security staff are validating access by staff and visitors, a compliance audit is coming up and shareholders are asking some questions.
- As the CEO, I see the quarterly risk register reports, but what do they tell me about the real risks that I’m facing?
It may be time to re-evaluate your Risk Management approach and objectives!
Self-Assess the Value of Your Risk Management
Top Management should expect Risk Management to add value; but is this in subjective or objective ways?
Asking the Right Questions helps you to form a view as to how much value Risk Management adds to your business.
Self-assess your approach to Risk Management by answering these questions:
Select a Score

| Question | Brief Answer |
| --- | --- |
| How confident are you that you will succeed in implementing Risk Management? | |

Which of these is the best fit?

| Before implementing, CorProfit’s research shows these need to be in place: | They are driving | Supportive | Risk Function is Motivating |
| --- | --- | --- | --- |
| Top Management Buy-in | | | |
| Competent Risk Management Function | | | |
| Comprehensive Risk Framework | | | |
| Robust Risk Software | | | |

What do you think the current level of knowledge for each is?

| Before implementing, CorProfit’s research shows these need to be in place: | Best Practice | Good Practice | Developing |
| --- | --- | --- | --- |
| Top Management Buy-in | | | |
| Competent Risk Management Function | | | |
| Comprehensive Risk Framework | | | |
| Robust Risk Software | | | |

| These questions go to checking the health of your Risk Management | Yes | No | Not Sure |
| --- | --- | --- | --- |
| Was a substantial change made to your Risk Framework Document in the last 1 to 2 years? | | | |
| Have you re-evaluated your Risk Process to reflect increased learning and knowledge in the last 2 years? | | | |
| Have you re-evaluated your Risk Matrix to reflect increased learning and knowledge in the last 2 years? | | | |
| Were your Risk Registers uploaded from either Excel or another system to your current system? | | | |
| Have you added at least 10% more risks since your initial upload to the current system? | | | |
| Are you challenged to gain staff buy-in (they may struggle with the concept of Risk Management or are too busy)? | | | |
| Have you changed report formats and types of analysis in the last 1 to 2 years? | | | |

Having answered each of the above, if there are more “No’s” than “Yes’s”, the chances are that your Risk Management has plateaued!
Investing in the Right Approach to Implement Risk Management
The best, most value-adding form of Risk Management is one that is both Strategic and Tactical, rather than Risk Assurance, which is where most Risk Frameworks stand.
Your vision may be to have Risk Management as a strategic business strategy and an effective decision-making tool that helps top management obtain better outcomes, leading to increased business performance and resilience that would not otherwise be possible.
The level of success will be proportional to the investment made to set the vision, articulate the strategy and realise benefits through implementing Risk Management correctly in business units, projects and assets.
If you treat Risk Management as an “expense”, it will tend towards Risk Assurance, which is another form of compliance and is kept to a minimum.
If Risk Management is treated as an investment, it will become embedded in the Strategic Business Plan and Strategic Projects, aimed at delivering these better and avoiding unnecessary wasted efforts.
This is the New Frontier for Risk Management!
Let’s look at the 4 aspects referred to above that need to be in place before you implement Risk Management.
Before implementing, these need to be in place. Relative importance between the 4 Aspects:
Top Management Buy-in
- Management are generally supportive, delegating authority to the Risk Management Functions
- They look for good risk analysis and actions necessary to keep Strategic & Key Business Risks within Risk Tolerances and Risk Appetite
Competent Risk Management Function
- It is obviously necessary for staff to be competent to just the levels necessary
- Knowledge comes through a well-designed roadmap that builds maturity
Comprehensive Risk Framework
- A poor Risk Framework can’t lead to a good implementation
- The ISO31000 and other Standards are not published to inform you how to implement (it’s up to each organisation to define)
Robust Risk Software
- The aim is to purchase software that you won’t outgrow
- If the Framework is comprehensive and capable of driving the Risk Management Implementation, you are likely to purchase the right software for you
In relative terms, of the 4 aspects that need to be in place before implementing, the Risk Framework is the key one.
- The Risk Framework along with the Policy & Procedures demonstrate the Board’s commitment to Risk Management
- The Framework explains how Risk Management is governed, measured, reported and improved upon over time
- This does not require the Risk Management team, executive management and staff to be ‘boffin-heads’ at the start. Over time their knowledge will naturally improve
- It’s not where you start that counts, but where you end that matters!
- A good foundation is needed at the start.
There’s a difference between a Risk Framework that is “theoretical” and one that is capable of being implemented. Don’t rely on the ISO31000 Standard or other Guidelines and Codes. A Framework that can be implemented can only come from experience.
A more sophisticated Risk Framework will also describe a Maturity Pathway by which the Risk Process will evolve over time, starting in more simple ways and adding in more aspects as and when the organisation is ready for the next stage of maturity. The value of this is that the organisation is less likely to meander down pathways that prove to be of little value, but rather to institute a basis for continuous improvement.
Look for good precedents in the marketplace and treasure those who can bring good knowledge to you.
By Ian Abrahams
Principal Risk Management Consultant, CorProfit
BSc.Eng (Civil) MEngSc CPEng CPRM MIEAUST MAIRM MAIPM