5 ERM Steps to Prevent a Shipwreck at Your Organization

The Costa Concordia, a Carnival Cruise Line owned ship, ran aground resulting in at least 6 deaths. This is a 4,000-passenger, 115,000-ton cruise mega-ship, with the latest and greatest technology, as it is just 5 years old. As an Enterprise Risk Management (ERM) professional, my forecast is that we will learn over the next six weeks that this is not the first near miss for the Costa Cruises organization, nor the first questionable judgment call by one of their ship's captains. My bet is that one of the thousands of crew or managers has reported issues in the past and that other Carnival ships have faced similar operational risks in the past several years. The problem is that each one of these issues in its silo is a one-off near miss and perhaps in isolation is not worth escalating to senior management. Put them together, however, and you see a grave systemic pattern that is likely to result in disaster, a disaster that would have been preventable had the systemic pattern been detected and managed as a whole rather than as one-off incidents.

To be effective, Enterprise Risk Management must be pushed out to the front-line business process activity level where decisions are made, and information must aggregate up across silos and levels to be understood by senior management. Few organizations have their ERM programs functioning at the business process activity level. Typically, organizations interview the top management about their "risk worries" and boil things down to the "top ten risks". Unfortunately, these top ten risks are disconnected from the everyday operating controls at the business process activity level, so these "top ten risks" continue to be unresolved. GRC programs are no better, as they focus on heavily siloed compliance, such as SOX, IT, and Internal Audit, and also do not link risk to operating controls and business metrics at the business process activity level.

The fact is that operational risk is all around us, typically most prevalent in the organization's area of core competence. In the last year, I have blogged about an oil discovery firm's failure to manage drilling risks, leading banks' failure to manage investment risks, power companies' failure to manage power risks and manufacturers' failure to manage product quality risks. I have heard risk managers say their bosses give the same answers too many times: "It won't happen to us," or, "Although enterprise risk management is a priority, we are not ready to take our ERM program to the business process level." Since 89% of ERM and GRC programs fail to adequately manage operational risk at the business process activity level, this dangerous game of not moving their ERM and GRC programs forward to detect and manage operational risk at the front line activity level is not only fraud, but also a form of "Russian roulette" with real consequences.

Due to SEC requirements passed in February 2010, the once widespread practice of "Don't write it down" is no longer viable. Boards of directors are now liable for not having their risk management programs reach the front line business process activity level. Now, both management and their boards of directors are liable for what they don't know, but should have known. If you are a publicly traded company or you are a supplier to a publicly traded company, evaluate your risk management effectiveness with these five competencies:

1) Name all your front line business processes
2) Conduct a risk assessment in each of these business processes
3) Connect mitigation/control activities to each of the key risks in these business processes
4) Connect your business metrics for each process to these mitigation activities
5) Connect your front line activity risks to your business performance management strategic objectives

These are five of twenty-five requirements outlined in this complimentary risk management maturity test available online: www.rims.org/rmm. If you do not score above a "managed level" of risk management maturity, it means your organization is failing to achieve these five simple steps in a material manner at the front line business process activity level, where it matters the most. The Costa Concordia accident was preventable, and so are the risks at your organization.

How to measure your Enterprise Risk Management effectiveness

We are often asked for insight on business measures or KPIs for ERM programs to track overall progress and effectiveness. 

The key question for risk managers is: how do I measure the value ERM is delivering to my organization? 

The following are examples of measures that will quantify and measure the value your ERM program is providing:

Number of systemic risks identified
  • Systemic risk identification will detect areas of upstream and downstream dependencies throughout your organization, such as when one area of the organization is unknowingly causing strain on other areas.  Additionally, this method could also identify areas that would benefit from centralized controls so the extra work of maintaining separate activity level controls is eliminated, increasing organizational efficiency.

Percentage of process areas involved in risk assessments
  • ERM is cross-functional in nature and cannot be done in silos. A business is the sum of its parts. The same is true of risk. A risk event in one functional area also affects other functional areas within the business. Process owners own the risk; risk managers own the completeness, timeliness, and accuracy of the risk information.  The more process owners involved in risk assessments, the more accurate and forward-looking the information collected will be, both of which are hugely valuable to the organization.

Percentage of key risks mitigated
  • Having a sense of your overall risk coverage is important; however, it is not nearly as valuable as knowing the coverage of your organization’s key risks.  Because all risk assessment should be conducted on standardized criteria, you can determine a uniform tolerance, or cut level, throughout the organization based on the resulting assessment indexes. This will help you to prioritize resources to the risks that need stronger coverage, rather than wasting resources on risks that will have no major impact on your organization. This gap analysis with a tolerance level will also help you to identify emerging risks as they rise out of tolerance and it becomes clear that some mitigation activities in place are no longer sufficient.

Percentage of key risks monitored
  • Most organizations have no understanding of how the business measures that they rely on daily are tied to their risks.  If a risk or activity changes, organizations have no way of knowing how, and if, these changes will affect their metrics. Through risk assessments and linking risks to activities, organizations can start prioritizing what activities need to be monitored.  Regular risk assessments enable organizations to detect increased threat levels and identify new emerging risks before they materialize and bring business metrics out of tolerance.

Learn more on how to measure risk management effectiveness.

The Importance of Linking Risks to Business Measures

The number of business measures within organizations is typically growing. Measures are often added in reaction to loss events that have already occurred. Wouldn't it be valuable to be able to focus on forward-looking measures? In most organizations, these preventative, proactive measures are indistinguishable when grouped with reactive measures, because the metrics do not formally tie back to any commitments or risks.

What if a risk or activity changes? Organizations have no way of knowing how and if these changes will affect their metrics. Risk assessments and linking risks to activities allow organizations to start prioritizing what activities need to be monitored. Through regular quarterly, or even annual, risk assessments, organizations can detect increased threat levels and identify new emerging risks before they materialize and bring your business metrics out of tolerance.

Measures are important because you cannot improve what you cannot measure; however, this large number of unconnected goals is problematic because:

• Measurement fatigue - staff may simply ignore many measures because of a lack of time to assess them.

• Measure obsolescence - in a changing environment there is no effective way of knowing when measures no longer apply.

• Lack of prioritization - picking the measures to focus on is likely to be done on an ad hoc basis and at the whim of current staff.

• Lack of continuity - changes in the organization or the development of new lines of business may result in new measures while existing measures may be more effective.

• Lack of coordination - often measures apply to multiple risks or commitments across functional lines. The inability to formally tie measures to risks or commitments does not promote inter-functional coordination, resulting in business silos and duplication of effort.

• Wasted resources - the amount of resource available to accomplish business goals and to mitigate risk is finite. Staff will often continue to manage to obsolete or unimportant measures rather than aligning with current imperatives.

• Resistance to change - difficulty applying past experience to a changing business environment, resulting in a tendency to "reinvent the wheel".

Much of the necessary information exists in organizations today; the missing piece is formalizing these critical connections.  LogicManager™ has functionality to identify risks and commitments; assess them based upon likelihood, impact and assurance; evaluate whether action is needed; devise mitigation or business building activities if needed, specify and record measurements to track effectiveness, and finally formalize the connection between all of these activities. 

Connecting the measurements to the mitigation activities and business initiative data and then back to the underlying risk and commitments will provide the following benefits:

• Explicit prioritization of measures based upon a risk/reward index and a dashboard presentation on the heat map dashboard in LogicManager.

[Figure: heatmap.gif]

• Real-time trending of measures on an ongoing basis with measure consolidation used to direct management attention to problem (out of tolerance) conditions.

[Figure: trends.gif]

• Allow for rational elimination of measures that have low priority or non-existing connections to risks or business initiatives.

• Facilitate new business initiative business measurements prioritized upon risk or business commitments.

• More effective use of scarce resources.

The key is working with the functional managers to make the connections.  The immediate benefit will be to identify measures that are not connected to any risk or initiative and to determine if they should be eliminated.  Then, once the connections are made, use the management tools in LogicManager on an ongoing basis to improve utilization of business measures within your organization.

Watch a 4 minute video to learn how to link risks to business measures.

Landmark Risk Management Study to be Updated

Last week, at RIMS ERM Conference 2011, we announced that LogicManager and RIMS (The Risk and Insurance Management Society) have selected Queens University Management School (QUM) to update the landmark 2008 study that quantified a direct, positive relationship between the maturity of an organization's risk management framework and its business performance.  Read the full press release here.  

The 2011 update will gather data just as the 2008 study did, using real organizations' data compared against the best practices outlined in the RIMS Risk Maturity Model (RMM), co-authored by LogicManager and RIMS. Click here to see these best practices in action.

The 2008 study was the first time that risk managers gained real evidence that they could show their VPs, Executives, and even Boards of Directors that risk management has a powerful, direct effect on business performance.  Further, with the help of the RMM’s accompanying step-by-step practitioners guide, risk managers gain a roadmap detailing how to develop ERM programs that effectively achieve the strategic goals that drive business performance.  This next update will provide the same evidence and guidance using more recent risk information.  

The updated study will be conducted by Queens University Management School.  Mark Farrell, Actuarial Science & Risk Management Teaching Fellow, Queens University Management School states, “We sought out RIMS and LogicManager to update the analysis, as the RMM is the premier source for risk maturity information, as it has by far the largest and most proven collection of real data that has stood the test of time.”  

Since its creation in 2006, the RMM has been used by over 1500 industry leading organizations to assess the strengths and weaknesses of their risk management programs and build action plans for improvement.  In addition to gaining invaluable ERM insight about organizational risks, companies that complete the RMM assessment will receive a complimentary copy of the updated RMM research report.  

Last week, the RMM was spotlighted at the inaugural RIMS ERM Conference 2011 in San Diego, California. The conference featured presentations highlighting the attributes of the RMM and its ability to help companies advance their ERM programs. I was chosen to facilitate roundtable discussions on the RMM and how organizations can link risk to business performance through ERM.

To see how you can link risks at your organization to performance management, click here.

What Cantaloupe and Citigroup Have in Common

Two stories in the news recently have caught my eye: one involving a listeria outbreak caused by tainted cantaloupe, and the other involving Citigroup losing $285 million for defrauding investors.

In the cantaloupe story, the deadly, nationwide listeria outbreak was traced to a packing facility in Colorado operated by Jensen Farms, in which factors such as workers and trucks accidentally carrying the disease into the facility, and machinery being hard to sanitize created the environment in which the bacteria could grow and thrive.

In the Citigroup story, the Securities and Exchange Commission (SEC) settled a civil suit against the banking giant totaling over a quarter billion dollars for failing to tell investors of the role of their investments or that it had made bets that the investments would fall in value. These charges have continued since we first identified the issue in 2009 and saw it happen to Goldman Sachs in 2010.

So what do cantaloupe and Citigroup have in common?

Both Jensen Farms and Citigroup were in compliance, yet failed to have proper risk management practices in place.

The packaging facility that caused the outbreak was audited two days prior to the outbreak and received a passing grade of 96 out of 100, so their facility was in compliance.  Despite passing, the conditions causing the outbreak were still present.

In Citigroup's case, the investments themselves were in compliance with regulations; however, it was the lack of risk disclosure that resulted in a loss of $285 million and a tarnished reputation.

The lesson to be learned from both of these cases is that just being in compliance is simply not enough.  Organizations must additionally be able to fully manage risks across all business functions and through every material level as well as see their connection to business performance.

The first step in seeing across silos and levels and seeing the link to business performance is evolving your organization’s risk taxonomy.  Your taxonomy is the framework that manages the relationships between risks, activities, and goals and defines your organization’s standards, assumptions, and terminology.

Click here to see an example of taxonomy in action.

5 Steps for Better Risk Assessments

Risk managers are charged with ensuring transparency, alignment, and forward looking views throughout the organization.  The way this is achieved is through risk assessments.  

Successful enterprise risk assessments can be a powerful tool for board and management level strategic decision making by connecting business activities to goals and identifying the risks that threaten to derail these strategic objectives.  An unsuccessful risk assessment is little more than a form over substance activity that lacks context and actionable results.  

So, how do you implement a successful enterprise risk assessment?  

The key is being able to compare information across functions and levels while keeping one comprehensive risk picture.

  1. Standardize your Assessments - Activities like vendor management, business continuity, compliance, IT, financial reporting, operations, internal audit, and others are all informal risk assessments.  When these assessments are carried out on the same standards and assumptions, defined in a taxonomy, they can be compared and utilized cross-functionally.
  2. Common Root Cause Approach - Risk managers should provide a common root cause risk library to process owners so that when multiple areas choose the same risk, systemic risks as well as upstream and downstream dependencies can easily be identified and mitigated. This method also identifies areas that would benefit from centralized controls so the extra work of maintaining separate activity level controls is eliminated.
  3. Alignment of Activities, Goals and Risk - Risk managers need to tie root cause risks to strategic goals and trace these same risks through the process areas that they affect in order to determine which activities will roll-up to impact organizational objectives.  Once these connections are made clear, risk managers are able to prioritize the effectiveness of controls, so that resources and focus are allocated to the issues that will yield the greatest benefit to the organization.
  4. Group Information for Multiple Stakeholders - Because assessments are conducted on the same standards and assumptions and risks are identified at a root cause level from a common library, process owners can do one risk assessment, and the information can be sliced, diced, and aggregated to serve multiple purposes.  It will provide a functional insight for the process owner, tie into governance areas like vendor management, and serve a strategic purpose by rolling-up into board level objectives.
  5. Timing and Trends - Risk assessments must be conducted on a regular basis and when approaching business changes, new initiatives, or high risk issues.  Being able to view the trends over time gives the organization’s static risk profile context and a reference point so that necessary actions can be taken when you start seeing small changes in your risk profile before things get out of tolerance. 

Whether your organization's risk management program is new or old, to effectively practice the 5 steps discussed, the first thing an organization must do is evolve its taxonomy.

Watch a 4 minute video on the benefits a common platform powered by a robust taxonomy can provide.

Takeaways from EGRC Magic Quadrant

Recently, Gartner released its 2011 Magic Quadrant for enterprise governance, risk, and compliance (EGRC) platforms. While the report highlights the top vendors of EGRC, which includes LogicManager, it also identifies some revealing trends within the EGRC marketplace based on reliable consumer feedback. The most notable trend recognized is the shift towards enterprise risk management (ERM) within EGRC platforms. As Gartner states,

"ERM has emerged as the most significant use of EGRC platforms."

It used to be that compliance was by far the leading use of EGRC.  Now however, ERM is seen by business leaders as the way to provide their boards of directors with transparency, monitor the achievement of organizational goals, and be proactive on emerging risks.  Overall, ERM is now seen as the method to improve business performance.

This trend can be directly attributed to increased regulatory pressures on boards of directors. These new regulations, which came into effect in February 2010, now hold boards of directors personally accountable for risk management oversight of material risks all the way down to the front-line, meaning that boards are given the choice between closing gaps in risk management or disclosing these gaps to the public. Doing neither is now considered fraud. The "we didn't know about it" defense is no longer valid.

Considering these regulations went into effect in early 2010, it comes as no surprise that ERM became the leading use of EGRC platforms in 2010, and continued to be in 2011.  Similarly, this is now the second consecutive year that LogicManager, the leader in ERM solutions, has been represented in the magic quadrant.

So what does this all mean for risk managers?

Action must be taken. In the past it may have been sufficient to reach only senior managers for risk assessments. Now, however, due to the above regulatory changes, risk managers need to engage the front-line directly with risk assessments.

Risk management reporting has changed, so don’t be caught waiting for your board to give direction.  The board expects the risk manager to identify and assess risks across all levels and silos of the organization and reveal the gaps in reporting to the front-line.  If you continue to report using senior-level assessments only, even if the board seems to be complacent, it won’t be long before the board turns to someone else for risk management. 

Three metrics to present at your next board meeting:

  1. Engagement at the front-line – Roughly 10% of all employees are front line managers. Do the math for your organization.  How many risk assessments has the front-line conducted this year? How many front-line managers do we reach?  Show the board how large the gap is and determine how much liability (or gap) they are willing to accept.
  2. Linking risks to processes and goals – Of the front-line managers you're not reaching, how many risks related to strategic goals that they would have assessed this year have gone unreported? The risk manager must be able to make the connections and demonstrate how these risks impact business processes and strategic goals.
  3. Identifying emerging risks – How many emerging risks, that front-line managers are in the position to identify, are going unaddressed?  What is the degree of disconnect between the number of unaddressed risks and those that have proven, sufficient mitigation action in place?

After presenting these metrics, the next step is showing the board how the gaps in reporting can be filled. Tell them what resources are needed and what decisions need to be made; after all, the board does not want to be charged with fraud and does not want to turn away stockholders by reporting their flaws in risk management.

To learn more on this subject of presenting to the board, please register for LogicManager’s upcoming webinar: Presenting Risk Management to the Board.

What the Board Should Know About Cyber Risks

Recently, organizations have been faced with the increasing threat of cyber attacks, whether from external hackers such as LulzSec or from internal leaks such as those published by WikiLeaks. Your customers' personally identifiable information, your organization's intellectual property, and confidential files are all vulnerable to attack.

How vulnerable is your organization to a cyber-attack?  What would the consequences of a cyber-attack be on your organization? Your board needs to know.

The consequences of a successful cyber-attack reach far beyond just legal or IT issues. An organization's reputation, customer loyalty, and ultimately strategic goals will suffer as a result, deeply affecting the bottom line.

A prime example is the recent PlayStation Network breach earlier this year. The security breach forced Sony to shut down their network for over a month, disrupting Sony's revenue, operations, and possibly even future sales. What will ultimately hurt Sony as a result of the breach won't be the legal ramifications or the cost of implementing better IT security. It will be the breach's long-term effects on customer loyalty, reputation, and even market share.

What would the consequences of a data breach or other cyber-attack be on your organization? Are you prepared for an attack beyond IT resiliency?

With such high-publicity breaches at Sony, Epsilon, Lockheed Martin, and even the U.S. Chamber of Commerce, your board will want to know if your organization faces the same risks.

What Should You Present to the Board?

If you're unsure of what information you should report to the board, you can register for our upcoming webinar Presenting ERM to the Board.
Risk Managers: What should you report to the Board?

Boards are under pressure like never before to assure their organization has an effective risk management program. The SEC, through the Proxy Disclosure Enhancements amendment, is holding them personally responsible for risk management.

If your board hasn’t already come knocking on your door for a briefing on the effectiveness of risk management, they will be soon.  So the $64,000 question remains:

What should you present to the board?

The short answer is the larger picture of risk with a connection directly to the front-line.  This is the crux of the problem.  As you know, the board makes strategic decisions by viewing your organization from a 35,000-foot perspective.  They aren’t interested in a list of hundreds of risk indicators, or even the top 10 operational risks. 

Your board needs to understand the sources of uncertainty that could impair continuing operations or reaching your organization’s strategic goals.  The risk is not the event of a lawsuit, but rather the uncertainty that employees are acting appropriately that the board needs to know about.  It’s not the event of supply chain disruption, but rather the uncertainty of changes in weather patterns.  The board needs to understand trends in uncertainty, that is the larger risk picture, on the commitments they have endorsed.

Sounds simple enough, so how do you assemble this information?

You need to take these big picture issues one by one, and connect them to the real people that materially contribute to each issue.

How to connect risks to strategic goals:

  1. Choose one of the board’s strategic goals.
  2. Identify the business processes that contribute to that goal.
  3. Assess the sources of risk for each corresponding process.
  4. Connect the corresponding risks to that strategic goal.
  5. Repeat steps 1 through 4 for each of the board’s strategic goals.
  6. Report the impact of risk on each strategic goal to the board.
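As an added example (not LogicManager's code or the page's own), the following Python computes the four ERM measures described under "How to measure your Enterprise Risk Management effectiveness" and rolls key risks up to strategic goals following the six steps above. The root-cause library, the register, the likelihood x impact index, the tolerance cut level and the minimum assurance are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Common root-cause risk library every process owner picks from (constructed).
ROOT_CAUSE_LIBRARY = {
    "RC-01": "Inadequate staff training",
    "RC-02": "Single-vendor dependency",
    "RC-03": "Unpatched systems",
    "RC-04": "Manual data handling",
}

@dataclass
class Risk:
    root_cause: str        # key into ROOT_CAUSE_LIBRARY
    process: str           # front-line process that assessed it
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (minor) .. 5 (severe)
    assurance: int         # 1 (weak) .. 5 (strong): confidence the controls work
    controls: list = field(default_factory=list)  # mitigation activities
    metrics: list = field(default_factory=list)   # business measures on those controls

    def index(self) -> int:
        # Assumed scoring: likelihood x impact, giving a 1..25 assessment index.
        return self.likelihood * self.impact

    def is_mitigated(self, min_assurance: int) -> bool:
        # A control on paper is not mitigation unless assurance in it is adequate.
        return bool(self.controls) and self.assurance >= min_assurance

def systemic_risks(risks):
    """Root causes chosen by two or more process areas: cross-silo dependencies."""
    areas = defaultdict(set)
    for r in risks:
        areas[r.root_cause].add(r.process)
    return {rc: sorted(p) for rc, p in areas.items() if len(p) >= 2}

def process_coverage(risks, all_processes):
    """Percentage of named front-line processes with at least one assessment."""
    assessed = {r.process for r in risks} & set(all_processes)
    return round(100 * len(assessed) / len(all_processes), 1) if all_processes else 0.0

def key_risks(risks, tolerance):
    """Uniform cut level: any risk whose index reaches tolerance is a key risk."""
    return [r for r in risks if r.index() >= tolerance]

def _pct(keys, predicate):
    return round(100 * sum(predicate(r) for r in keys) / len(keys), 1) if keys else 0.0

def pct_key_mitigated(risks, tolerance, min_assurance):
    return _pct(key_risks(risks, tolerance), lambda r: r.is_mitigated(min_assurance))

def pct_key_monitored(risks, tolerance):
    return _pct(key_risks(risks, tolerance), lambda r: bool(r.metrics))

def goal_exposure(risks, goal_to_processes, tolerance, min_assurance):
    """Roll key risks up through their processes to each strategic goal."""
    report = {}
    for goal, procs in goal_to_processes.items():
        keys = [r for r in key_risks(risks, tolerance) if r.process in procs]
        report[goal] = {
            "exposure": sum(r.index() for r in keys),
            "unmitigated": sorted(f"{r.process}: {ROOT_CAUSE_LIBRARY[r.root_cause]}"
                                  for r in keys if not r.is_mitigated(min_assurance)),
        }
    return report

# Constructed register: six front-line processes, one ("Facilities") never assessed.
PROCESSES = ["Claims Intake", "Customer Support", "Vendor Management",
             "IT Operations", "Payroll", "Facilities"]
GOALS = {"Grow customer retention": ["Claims Intake", "Customer Support"],
         "Reduce operating cost": ["Vendor Management", "Payroll", "IT Operations"]}
REGISTER = [
    Risk("RC-01", "Claims Intake", 4, 3, 2, ["Onboarding checklist"], ["Claims rework rate"]),
    Risk("RC-01", "Customer Support", 3, 3, 4, ["Quarterly refresher"]),
    Risk("RC-02", "Vendor Management", 3, 5, 3),
    Risk("RC-03", "IT Operations", 4, 5, 4, ["Monthly patch cycle"], ["% hosts patched in 30d"]),
    Risk("RC-03", "Vendor Management", 2, 4, 2, ["Vendor patch SLA"], ["Vendor SLA breaches"]),
    Risk("RC-04", "Payroll", 2, 2, 3),
]
TOLERANCE, MIN_ASSURANCE = 10, 3   # assumed cut level and minimum acceptable assurance

if __name__ == "__main__":
    print("Systemic risks:", systemic_risks(REGISTER))
    print("Process areas assessed: %.1f%%" % process_coverage(REGISTER, PROCESSES))
    print("Key risks mitigated: %.1f%%" % pct_key_mitigated(REGISTER, TOLERANCE, MIN_ASSURANCE))
    print("Key risks monitored: %.1f%%" % pct_key_monitored(REGISTER, TOLERANCE))
    for goal, row in goal_exposure(REGISTER, GOALS, TOLERANCE, MIN_ASSURANCE).items():
        print(f"{goal}: exposure {row['exposure']}, unmitigated {row['unmitigated']}")
```

The per-goal report is the board-level view: one exposure figure per endorsed commitment, with the unmitigated key risks beneath it traced back to the process that assessed them.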

Any one of these steps can be a challenge for risk managers.  Learn more on how an ERM platform overcomes these challenges and provides insight to risk managers and their boards by registering for our webinar: Presenting Risk Management to the Board.

Risk Managers: Why Spreadsheets are Failing You

While spreadsheets are still an excellent tool for data manipulation and one-dimensional analysis, they fall significantly short of delivering the capabilities a risk manager really needs to analyze trends and see the relationships the job entails.

The limitations of spreadsheets are systemic and largely stem from the way they manage data, their inability to easily show relationships, and their general inaccessibility.

Impractical

Risk management is an iterative process that requires collecting a great deal of information to glean the necessary insights.  This often results in dozens of spreadsheets and documents each with multiple versions and revisions.

Not only does this impede the process of combining data into a coherent big picture, it also means any changes to data structure becomes a great undertaking.  Dependent on spreadsheets, risk managers will spend countless hours validating data, double-checking formulas, and updating values instead of spending that time on much needed evaluation and mitigation.

Relationships

Risk analysis is not a static process; it's dynamic and highly strategic. Assessment structure, information, and the people involved evolve over time as management's requirements and priorities change.

Spreadsheets, however, are rigid. With each change to a spreadsheet, links between information are lost, making it very difficult to analyze relationships over time. Without these relationships, how will you link risks and their controls to your organization's strategic goals?

What's worse, spreadsheets can actually limit the depth of risk analysis. You can only analyze the relationships your risk tools can uncover. Spreadsheets offer limited access to past and current data, you cannot easily aggregate and dissect information, and they require a high level of technical knowledge to compare data over time.

Simply put, spreadsheets prevent an understanding of the dependencies and consequences between departments, processes, and strategic goals. Without these connections it's impossible to see how multiple risks can come together to create a disaster like the BP oil spill or the Japanese nuclear crisis.

Inaccessible

Risk management isn’t something that can be done in isolation.  The information risk managers collect and analyze needs to be accessible to the rest of the organization.  Spreadsheets, however, aren’t accessible to business intelligence software, to management, or to other support functions that could benefit from that data.

The result is a risk management function without support from management and an organization with an abundance of duplicate tests, controls, and information.  Risk managers need to be able to aggregate and access information across business silos and multiple levels in order to engage the right people with the right information.

The Solution

Risk management requires dynamic tools that can organize and link data automatically, analyze dependencies and consequences enterprise-wide, and be accessed by decision makers and other silos.

The solution is a robust software platform that can organize risk information all in one place, link the relationships between data, and be accessible to the rest of the organization. Identify duplicate tests and controls, uncover the complex relationships between risks, and make that information accessible to decision-makers with one shared risk management platform.