Top 5 Project Risk Management Practices


Changes, such as new IT systems, new products, and new markets, or reacting to a change in the business environment, such as regulatory or competitive actions, all introduce new risks or change the threat level of existing risks. The challenge for project managers is how to get teams, functional areas, business processes, systems, and vendors aligned to new goals; moreover, how to get the needed transparency into the activities that have been agreed upon in project execution, and how to prioritize the issues that surface at every step of the way until the project is completed. Enterprise risk management (ERM) software and methods provide a holistic view of risk management across functions and silos. The project management office (PMO) needs this holistic view of risk across the enterprise to serve its clients, which involves coordinating with multiple stakeholders and many moving parts.

The benefits of embedding risk management in projects are specific and measurable. The PMO can reduce budget overruns and missed deadlines, its biggest concerns, if uncertain project events are dealt with proactively, which translates directly to the organization’s bottom line. Helping the PMO formalize its risk management practices dramatically reduces the team’s stress of “fighting fires,” because preventable risks are addressed before they manifest rather than repaired afterwards.

Step 1: Formalize Risk Management in Projects: Every project manager is already using risk management techniques informally. Relay to project managers that not formalizing this existing work with a methodology and software is as inefficient as keeping the project schedule in their heads as they go along instead of using a Gantt chart software package. Studies have shown that formalizing risk management reduces overall project management task work by 30-60%.

Step 2: Identify Root Causes of Risks: Risk managers can help project managers very early in their process. The first step in project risk management is to identify the risks that are present in projects. A root cause approach enables managers to understand the cause of a risk and connect it to the effect of not managing that risk.

Failed projects show that project managers were frequently unaware of the root cause until it was too late. The frightening finding is that frequently someone in the project actually knew the root cause, but didn't have the structure to inform the project manager of the issue. Risk Managers can provide PMOs with this missing structure and methodology.

For example, a major concern for project managers is “Missed deadlines/project cost over-runs,” which is the outcome, or effect, of a particular risk. The key is to help them figure out the cause of this outcome, of which there can be many. Until the cause is identified, it will be hard to know what action needs to be taken. Not using root cause techniques results in risks identified like “Schedule rigidity,” which does not let them determine where the source of the schedule issue lies: is it a people, process, system, or vendor issue? Each of these sources of risk can cause schedule rigidity, and until they know which category is causing the issue, the action to take remains unclear. Risk management software can provide project managers with a library of root cause choices, such as “Stakeholders unwilling to act or move,” which tells them it is a people problem, versus “Inefficient, non-value added workflow,” which tells them it is a process issue. Prompting project managers to think about the type of risk in this way greatly simplifies the important step of acting on the risk.

Step 3: Prioritize risks using risk assessment templates with a common, objective set of standards: As risk managers know, treating all risks equally wastes a lot of time and effort. Some risks have a higher impact and greater likelihood of occurring than others. Through formal risk assessments, risk managers can help project management offices prioritize where time and resources are better spent, based on the risks that can cause the biggest losses and gains. By giving them standardized, enterprise-wide evaluation criteria that apply to all risks and all projects, they will not only be able to prioritize risks within each of their projects and prioritize time for the tasks associated with the largest risks across all of their projects, but their assessments will also integrate seamlessly into your ERM efforts. You can find risk assessment template guidance here that explains how to standardize your assessment criteria to prioritize risk.

Step 4: Clarify Ownership Issues for business process improvement: The structure that risk management offers lets project managers make clear who is responsible for which risk. The solution is simple: based on the priority score from Step 3, they can assign a risk owner for each high-priority risk and goal that has been assessed. The risk owner is the person on the team who has the responsibility to plan activities. Ownership also exists on another level: if a project threat occurs, someone has to be held responsible. This sounds logical, but it is an issue that has to be addressed before a risk occurs, especially if different business units, departments, and suppliers are involved in the project. An important side effect of clarifying the ownership of risk effects is that line managers start to pay attention to a project. The ownership issue is equally important for project opportunities.

Step 5: Managing tasks and risks: Some project managers think they are done once they have created a list with risks and mitigation activities. The real value risk management provides is achieved by using those risks to get transparency into the true progress of a project, which is challenging. For example, 50% expenditure of budget or time does not necessarily translate into 50% achievement of goals. Progress means mitigation of the risks, achievement of the goals, and compliance with regulatory or internal standards.

Unfortunately, lots of project teams struggle to cross the finish line, being overloaded with tasks that need to be done quickly. Helping them connect activities to the risk assessment of Step 3 means that each of these tasks gets a “priority score” that helps project managers understand what is most important to follow up on in order to mitigate risks and achieve goals. Managing risks helps keep the focus on the current situation of risks and goals. Has the relative importance of risks or goals changed? Answering this question helps project managers pay attention to what matters most for their project’s value.

The five steps above demonstrate how risk management can provide a structure for business process improvement throughout the organization to gain efficiency and quality improvements. Watch this 5 minute video on streamlining and improving governance activities, like project management, through ERM. Risk management is all about getting clarity on where your organization currently stands and measuring the effects of efforts to continuously implement improvements to make it even better.

How to Buy ERM Software


The goal of every ERM program is to assess material risk down to where the risk activity takes place, which typically means extending to front-line management, and to aggregate this information into an objective, accurate, and holistic picture applicable to each stakeholder, including the board. However, without ERM software, risk management programs cannot reach this level.

With the high cost of traditional licensing for ERM/GRC software, combined with the skepticism among senior management on what the payback of ERM/GRC is, senior management is reluctant to approve any business case for an investment of this magnitude without evidence of effectiveness.

Here are the benefits of an ERM Software-as-a-Service (SaaS) approach:

1) Evidence of effectiveness: With a SaaS approach to ERM, all consulting and training is included within your single simple monthly SaaS fee. If the advice you receive gets you more of your stakeholders engaged in the risk management process, you add more capacity. Your ERM SaaS vendor gets paid only if their advice gets you the results you need, at your organization, within your risk culture.
2) No Upfront License Purchase Cost: If a product is really as good as the vendor suggests, you should be able to start with just one license. No minimum licensing term or minimum quantity of license requirements should tie you down. If the product is that good, customers will stay. Locking you up with minimum commitments or upfront traditional licensing is a red flag the product does not work.
3) No IT Burden: Software-as-a-Service is a way of delivering applications over the Internet as a service. Instead of installing and maintaining software, you simply access it via the Internet, freeing your organization from complex software and hardware management.  As a SaaS customer, you have no hardware or software to buy, install, maintain, or update. Access to applications is easy: You just need an Internet connection.
4) Cross-functional collaboration: Concurrent licensing through SaaS allows anyone at your organization to use your ERM software when they need it. This contrasts with GRC-type "named-seats" licensing in which one license must be purchased for each and every individual user in advance regardless of the frequency they use the system.
5) Engagement of management: The biggest fear of every senior management team is that ERM will be another added burden and will distract the front line from serving customers. Since full implementations of SaaS take only 45 days versus 18 months, evidence of effectiveness is immediate and attracts users to participate. You have a guarantee that it will work, as you can start with only 1 license and stop at any time.

With the risk removed from ERM software by Software-as-a-Service, SaaS is a game changer in your ability to accelerate your ERM/GRC program. Click here to learn more about the flexibility and cross-functional efficiency that ERM and GRC programs can quickly achieve with a SaaS approach.

Risk Taxonomy Step 3: Managing Cross-Silo Dependencies


A risk taxonomy, the brains of an enterprise risk management software platform, creates a common language to make working across operational silos possible. It also creates the basis for a risk management discipline, so rather than reacting to seemingly “one off situations” the entire organization can standardize and prioritize how assessment, mitigation and monitoring are applied in a common comparable way to build risk management competency across the enterprise.

See our other blogs Identify Core Business Processes and Link Resources to Business Processes that explain steps 1 and 2 of building your risk taxonomy.

1) Standardize assessment criteria and weightings for Risk Assessment Templates

Common standards and assumptions make information collected across the organization objective, quantifiable, and comparable, enabling better analysis, issue resolution, and issue escalation when necessary.

2) Rationalize and consolidate risk assessments and data fields
Different areas across the organization are collecting the same information for resources; they just don’t know it. For example, accounts payable, contract management, vendor management, business continuity, and IT all collect overlapping information about your vendors. By understanding what information is being collected by these areas for each resource, you can easily rationalize and consolidate assessments and data fields. You can gather information across silos and identify areas where controls and tests can be consolidated.

3) Make resource allocation available in a central place as a library
Using information from one common place makes it possible to dramatically reduce rework, especially collecting and managing information, for both you and the process owners you work with.

4) Formalize risk identification of resource dependencies to each other
The library also helps you know who else is connected to the same information. The key is to figure out how all of these resources are related to each other and what combination of these resources are most important to critical areas of your business.

By connecting activities, or controls, to the vendors and other resources that activity relies upon at the business process level, the process owner and the activity owner can now be notified when resources change, both directly and indirectly, related to their areas of concern. This is a major contributor to business performance management and the value add of enterprise risk management.

Typically, people in organizations only know one degree of separation in relationships. A risk taxonomy enables you to recognize all the relationships and notify the appropriate related parties of changes, both directly and indirectly related to their area, so no one misses the “memo.” Direct relationships are always known; it is the indirect relationships that are more problematic and hard to control.

Look at BP, for example: the vendors were not in contact with each other or with the process owners involved. People were missing key pieces of the “memo” reporting that there were issues, so no one could put the puzzle together. In days when outsourcing of vendors and activities is becoming so extensive and complex, how do you maintain the connections between the risks encountered by your vendors and your business risk and control owners throughout the organization?

Why did the CEO of BP get fired? Failure to establish effective monitoring of risk!

By building a risk taxonomy to define resources and their relationships, along with implementing common standards and assumptions across your organization, everything becomes comparable and objective: everything is on the same scale. You can analyze, report, and make decisions taking into consideration every relationship related to the resource or process across the organization. This is how risk tolerance is aggregated and matched to the organization's risk appetite!

Watch our 5 minute video: Strategic ERM to learn how you can link your risks, processes, and resources in your risk taxonomy to your organization’s strategic goals and key concerns to grow more strategic over time.

Risk Taxonomy Step 2: Connecting What Matters


Organizations need to build a robust Enterprise Risk Management (ERM) framework or risk taxonomy, which provides a holistic view of all information and relationships across the organization. Taxonomy structures and preserves the integrity of information, so as changes occur in multiple parts of the organization, managers can compare risks on an 'apples to apples' basis and connect the dots between business areas. It is the critical foundation of your ERM program and any enterprise risk management (ERM) software automation initiative.

As I described in my last blog, the first step to building a risk taxonomy is identifying your organization’s core business processes to create accountability and focus on business value.

The next step in building a risk taxonomy is to enable better resource allocation by naming and categorizing all the key people, systems, and vendor products and services used by these business processes.

1. Organize risk assessment templates by resources vs. by use or department

To make effective Enterprise Risk Management (ERM) simple and practical, you need to take complex material, break it down, and make it accessible to anyone in your organization. To do this, information should be organized by resource rather than by use or department, and a holistic profile should be created for each critical resource in your enterprise.

By resources, we mean people and vendors and the physical assets, software applications, services and data repositories used in the organization. Everyone knows something about the relationships and data around these resources, but no one knows everything. The challenge is how to get everyone to contribute their "piece".

A risk taxonomy provides a structure for information and ownership by breaking down complex, interconnected information into resources as basic building blocks. This enables everyone to understand and contribute their piece and take ownership of change management. These standardized building blocks become a library to be shared across all business areas, reducing unnecessary duplication and overlap.

2. Performance Management: Link resources to the Business Processes that use them

The relationships between the resources and the business processes that use them should be explicit, as this determines business impact. The clearer the understanding of business impact, the more effective the governance activity will be. The connection to a business process provides a direct connection to the subject matter expert for the activity that uses the resource, who knows the criticality of that resource to their activity.

The result is the identification of critical business processes based on a score that includes these key supply chain and infrastructure dependencies. Control and mitigation activities can then be organized within the business processes in which they operate and are connected to the resources they depend upon to complete this circle.

A common shared infrastructure, or risk taxonomy, is necessary to support risk management information across an entire enterprise. Through this approach, organizations will see the benefits of eliminating redundant work on assessments, controls and testing while reducing risk at the same time.

The next steps in building a risk taxonomy are standardizing risk assessment template criteria for these resources and processes, consolidating data collection, and understanding cross-silo dependencies.

Look out for our next blog on these topics! Watch our 5 minute video: Streamlining Governance through ERM to learn more.

Building a Risk Taxonomy: Finding What Matters


A risk taxonomy is the framework for naming, organizing, and managing the relationships among your risk information. Your ERM program and any Enterprise Risk Management (ERM) software you use depend upon it.

Most organizations have an organizational chart of how their people are connected. To be effective in risk management, organizations must also have an organizational chart of how their business processes are connected to create accountability and focus on business value.

The first step is to name, categorize and connect your business processes and sub-processes.

WHY: Establishing business process level accountability for risk: The foundation for enterprise risk management is identifying an organization’s business processes and recognizing the owners as accountable for risk vulnerabilities, compliance and performance goals.

Because all business activities are within business processes, all risks and mitigation activities also fall within processes. Therefore, defining processes is the first step in leveraging efficiencies and creating transparency for risk management, compliance and business performance improvement.

WHAT: Focusing on business value with Performance Management: A business process is a set of coordinated tasks and activities that lead to accomplishing a specific organizational goal. Business processes include customer facing areas, those providing support functions as an internally shared service, or areas performed by an outsourced partner.

End-to-end processes consist of multiple levels of sub-processes. The level of granularity, meaning the extent to which processes are broken down into smaller processes, evolves over time. You may choose to get granular in areas of greater priority to the company and fill out the others over time.

WHERE: Consolidating existing risk assessment templates: Business process names, structure, and owners are typically already known within an organization and maintained by various functional areas such as finance, internal audit, HR, business continuity, process improvement, quality management, or other departments. There should be only one way to name and organize business processes enterprise-wide, otherwise known as a taxonomy or naming convention. The ERM team has the responsibility to locate these lists and agree on a common, single naming convention for the enterprise.


Definitions:
Business Process Owner: the individual(s) responsible for process design and performance. The process owner is accountable for sustaining the gain and identifying risk and future improvement opportunities on the process.

Risk Owner: the individual who is accountable for the validation, assessment and action plan to care for particular risks within the process.

The Process Owner is typically the risk owner. When is this not the case? When the business process is outsourced. Activities can easily be outsourced, but the ownership for the risks within such activities can never be outsourced and must remain managed within the organization.

The next step in building a risk taxonomy is managing resource allocation, the naming and categorizing of all the key people, systems, and vendor products and services used by these business processes.

Look out for my next blog on these topics! In the meantime, watch a complimentary 20 minute webinar: Streamlining Governance through ERM to learn more.

Risk Assessment Template Best Practices


Risk assessments are plagued by subjectivity, which means they simply cannot be relied upon to meet their objective. Subjectivity prevents risk assessments from being used across business silos and makes verification by audit or compliance review impossible. Subjectivity can be overcome by using a risk assessment template framework with the following best practice attributes:

  1. Adopt a uniform numerical scale – Score on a scale from 1 to 10, with 10 having the most unfavorable consequences to the organization, split into 5 buckets (1-2, 3-4, 5-6, 7-8, 9-10) so that each bucket has a high and a low value. Using a 10-point scale makes the math easy, and having only 5 buckets gives the people doing assessments the flexibility to select the high or low of each bucket.
  2. Define objective evaluation criteria – Often, one person’s 9 is another person’s 7. You need to provide clear definitions of what each of the 5 buckets means in unambiguous terms. You can choose multiple ways of expressing severity, both qualitative and quantitative, such as financial, legal, strategic, etc., yet only one of the criteria listed for a specific level has to be met in order to rate a factor at that level. Any set of standards, including laws, regulations, and corporate policies and procedures, can be compared with current practices. Any qualitative criterion can be given a score to become quantitative and comparable across the enterprise.
  3. Calibrate assessment criteria – Although a variety of risk assessment criteria are used, all of them should be on a 1-10 scale and calibrated, meaning that a 7 carries the same severity even if it is described differently in different risk assessment criteria. This allows the aggregation of assessments to provide a holistic view of risk.
  4. Use universal business elements – Break down risk assessments into basic elements like business processes and resources that are standardized across business silos, or business units. Risk assessing vendor characteristics separately from the products and services they sell produces risk assessments that make it easy to maintain objectivity as changes occur, such as mergers and acquisitions or new product introductions.
  5. Link risk assessment templates – Link elements together, meaning connect vendors to the products and services they provide and to the business processes that rely upon them. Link each financial element to the business processes that contribute to it. Link all of the internally developed applications and data repositories to the business processes that rely upon them to perform their responsibilities.

Linking these elements together enables risk assessment data to be easily aggregated and reported using these linked relationships, providing a holistic picture of all your risk assessment template results. For example, a vendor can have multiple products and services of different quality and risk. Risk assessing the products and services individually and linking those assessments to the vendor profile provides a much clearer picture of the combination of products, services, and vendors used by a process owner.

The result is a single overall summary score for each business process that combines the individual scores for each resource and financial item associated with that process with the process score itself. With this information, you can prioritize and focus your ERM efforts.
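As an added illustration of the scoring and linking described in this post, and of the indirect-dependency notification described in the risk taxonomy posts above, here is a small Python model. It is example code written for this page, not LogicManager's software. The element names, owners, and scores are constructed for the example, and the aggregation rule (a process scores at least as high as the riskiest resource it depends on, transitively) is an assumption for illustration, since the post does not specify how linked scores are combined.

```python
"""Toy risk taxonomy: calibrated 1-10 scores in five buckets, linked elements,
a summary score per business process, and owner notification on change.
Added example for this page; not LogicManager's code."""
from collections import deque
from dataclasses import dataclass, field

# Five buckets on the 1-10 scale, each with a low and a high value.
BUCKET_LABELS = {1: "1-2", 2: "3-4", 3: "5-6", 4: "7-8", 5: "9-10"}


def bucket(score) -> int:
    """Map a calibrated 1-10 score to its bucket (1..5); reject off-scale values."""
    if not isinstance(score, int) or isinstance(score, bool) or not 1 <= score <= 10:
        raise ValueError(f"score must be an integer from 1 to 10, got {score!r}")
    return (score + 1) // 2


@dataclass
class Element:
    """One building block of the taxonomy: a process, vendor, product, application..."""
    name: str
    kind: str
    owner: str
    score: int                                     # this element's own calibrated score
    depends_on: list = field(default_factory=list)  # names of elements it relies upon


class Taxonomy:
    def __init__(self):
        self.elements = {}

    def add(self, el: Element) -> "Taxonomy":
        bucket(el.score)                           # validate the score at data entry
        for dep in el.depends_on:                  # links must point at known elements,
            if dep not in self.elements:           # which also keeps the graph acyclic
                raise KeyError(f"{el.name} depends on unknown element {dep}")
        self.elements[el.name] = el
        return self

    def effective_score(self, name: str) -> int:
        """Assumed 'worst link' rule: an element scores at least as high as anything
        it depends on, transitively, so a high-risk product shows up in every process
        that relies on it."""
        el = self.elements[name]
        return max([el.score] + [self.effective_score(d) for d in el.depends_on])

    def dependents(self, name: str) -> list:
        """Everything that relies on `name`, directly or indirectly (breadth first)."""
        reverse = {n: [] for n in self.elements}
        for el in self.elements.values():
            for dep in el.depends_on:
                reverse[dep].append(el.name)
        seen, queue, found = {name}, deque([name]), []
        while queue:
            for nxt in reverse[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
                    found.append(nxt)
        return found

    def notify_on_change(self, name: str) -> dict:
        """Owners to tell when `name` changes, with the affected elements each owns."""
        notices = {}
        for dep_name in self.dependents(name):
            el = self.elements[dep_name]
            notices.setdefault(el.owner, []).append(el.name)
        return notices

    def prioritized_processes(self) -> list:
        """(process, summary score, bucket) tuples, riskiest first."""
        rows = []
        for el in self.elements.values():
            if el.kind == "process":
                s = self.effective_score(el.name)
                rows.append((el.name, s, bucket(s)))
        return sorted(rows, key=lambda r: -r[1])


def build_sample_taxonomy() -> Taxonomy:
    """Constructed sample data: names, owners and scores are invented for illustration."""
    t = Taxonomy()
    t.add(Element("Acme Hosting", "vendor", "Vendor Mgmt", 4))
    t.add(Element("Acme Colo Service", "product", "Vendor Mgmt", 8, ["Acme Hosting"]))
    t.add(Element("Payroll App", "application", "IT", 3, ["Acme Colo Service"]))
    t.add(Element("CRM App", "application", "IT", 2, ["Acme Colo Service"]))
    t.add(Element("Expense App", "application", "IT", 2))
    t.add(Element("Payroll", "process", "HR Ops", 5, ["Payroll App"]))
    t.add(Element("Customer Onboarding", "process", "Sales Ops", 9, ["CRM App"]))
    t.add(Element("Expense Reporting", "process", "Finance", 3, ["Expense App"]))
    return t


if __name__ == "__main__":
    tax = build_sample_taxonomy()
    for name, score, b in tax.prioritized_processes():
        print(f"{name:20} score={score:2} bucket={b} ({BUCKET_LABELS[b]})")
    print("change to Acme Hosting notifies:", tax.notify_on_change("Acme Hosting"))
```

Two things the post's prose does not make visible fall out of the model: the Payroll process, which rates itself a 5, inherits an 8 because the colocation service two links away rates an 8, and a change to the Acme Hosting vendor profile yields notices for HR Ops and Sales Ops even though neither links to the vendor directly.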

Receive risk assessment templates you can use to organize your existing ERM Program information as the next step to centralizing all your ERM program data.

5 Reasons Why You Need ERM Software


How do you manage the uncertainty of what has not happened yet?

That’s where enterprise risk management software (ERM software), also known as operational risk management software, comes in. It tracks emerging risks and changes to existing risks across the enterprise and connects these changes to the activities and business metrics that run the business. A change in risk at the business process level demands a change in the operating procedures to prevent this risk from materializing or to seize an opportunity.

The next time someone in your organization has doubts about needing enterprise risk management software to effectively manage risk, consider these 5 universal truths:

  1. Content: Risk assessment templates, risk identification root cause libraries – ERM software comes with all the templates, standards, and libraries you need, on day one. ERM programs need this content before they can get started. Spending months developing this content wastes the time of everyone around the organization and means missed risks and opportunities in the meantime.
  2. All in one place: Timely decision making – This requires governance over the complex and time-consuming activity of organizing and grouping information across silos and levels. With ERM software, all of your risk management activities are in one place, so the process of rolling up and grouping information is automated to just a click of a button.
  3. ERM Reports: Accurate but easy to interpret views for your board – Since it is so hard to roll up information using spreadsheets, risk managers typically have to choose between presenting accurate but far too granular information, or high-level but less accurate assumptions, to the board. ERM software eliminates this choice, as accurate risk information directly from the process owners is easily rolled up into holistic views of the enterprise. All of the information, metrics, and reporting tools are available right at your fingertips, so senior management can make strategic decisions before goals are impacted, based on reliable risk data aggregated from the process owners.
  4. Business intelligence tools with a forward-looking perspective – Spreadsheets, by nature, can only manage risk from a historical perspective, that is, identify risks that have already happened. While this is important, what about the risks that your organization is susceptible to, but has been fortunate enough to avoid so far? ERM software provides the structure to prioritize and manage risk from both a historical and a forward-looking perspective, with capabilities to identify emerging and systemic risks and track trends over time.
  5. Linking risk to performance management – spreadsheets simply lack the ability to tie risks to goals and success measures. Only a robust taxonomy within ERM software is able to manage the complex relationships and interdependencies between root-cause risks, business activities, and the strategic goals they impact.

Typically an organization starts their ERM journey from either a top-down strategic or bottom-up governance approach and then evolves to cover their entire enterprise. Click here to watch the video that best represents your current ERM challenge.

5 ERM Steps to Prevent a Risk Management Shipwreck


The Costa Concordia, a Carnival Cruise Line owned ship, ran aground, resulting in at least 6 deaths. This is a 4,000-passenger, 115,000-ton cruise mega-ship with the latest and greatest technology, as it is just 5 years old. As an Enterprise Risk Management (ERM) professional, my forecast is that we will learn over the next six weeks that this is not the first near miss for the Costa Cruises organization, nor the first questionable judgment call by one of their ships' captains. My bet is that one of the thousands of crew or management has reported issues in the past and that other Carnival ships have faced similar operational risks in the past several years. The problem is that each one of these issues in its silo is a one-off near miss and perhaps in isolation is not worth escalating to senior management. Put them together, however, and you see a grave systemic pattern that is likely to result in a disaster that would have been preventable had the systemic pattern been detected and managed as a whole rather than as one-off incidents.

To be effective, Enterprise Risk Management must be pushed out to the front-line business process activity level where decisions are made, and information must aggregate up across silos and levels to be understood by senior management. Few organizations have their ERM programs functioning at the business process activity level. Typically, organizations interview top management about their "risk worries" and boil things down to the "top ten risks". Unfortunately, these top ten risks are disconnected from the everyday operating controls at the business process activity level, so these "top ten risks" continue to be unresolved. GRC programs are no better, as they focus on heavily siloed compliance, such as SOX, IT, and Internal Audit, and also do not link risk to operating controls and business metrics at the business process activity level.

The fact is that operational risk is all around us, typically most prevalent in the organization's area of core competence. In the last year, I have blogged about an oil discovery firm's failure to manage drilling risks, leading banks' failure to manage investment risks, power companies' failure to manage power risks, and manufacturers' failure to manage product quality risks. I have heard risk managers say their bosses give the same answers too many times: "It won't happen to us," or, "Although enterprise risk management is a priority, we are not ready to take our ERM program to the business process level." Since 89% of ERM and GRC programs fail to adequately manage operational risk at the business process activity level, this dangerous game of not moving their ERM and GRC programs forward to detect and manage operational risk at the front-line activity level is not only fraud, but also a form of "Russian roulette" with real consequences.

Since the SEC proxy disclosure rules that took effect in February 2010, the once widespread practice of "Don't write it down" is no longer viable. Boards of directors must now disclose their role in risk oversight, and they are exposed when their risk management programs do not reach the front-line business process activity level. Both management and their boards of directors are now accountable for what they don't know but should have known. If you are a publicly traded company, or a supplier to one, evaluate your risk management effectiveness against these five competencies:

1) Create a risk taxonomy by naming your business processes
2) Conduct a risk assessment in each of these business processes
3) Connect mitigation activities to each of the key risks in these processes
4) Connect your business metrics for each process to these mitigation activities
5) Connect your process risks to performance management strategic objectives

These are five of the twenty-five requirements outlined in the complimentary risk management maturity test available online at www.rims.org/rmm. If you do not score above the "managed" level of risk management maturity, your organization is failing to achieve these five steps in a material way at the front-line business process activity level, where it matters most. The Costa Concordia accident was preventable, and so are the risks at your organization.

How to Measure your Enterprise Risk Management Effectiveness


We are often asked for insight on business measures or KPIs for ERM programs to track overall progress and effectiveness. 

The key question for risk managers is: how do I measure the value ERM is delivering to my organization? 

The following are examples of measures that quantify the value your ERM program is providing:

Number of systemic risks identified
  • Systemic risk identification detects upstream and downstream dependencies throughout your organization, such as one area unknowingly causing strain on another. It also identifies areas that would benefit from centralized controls, so the extra work of maintaining separate activity-level controls is eliminated and organizational efficiency improves.

Percentage of process areas involved in risk assessments
  • ERM is cross-functional in nature and cannot be done in silos. A business is the sum of its parts, and the same is true of risk: a risk event in one functional area also affects other functional areas within the business. Process owners own the risk; risk managers own the completeness, timeliness, and accuracy of the risk information. The more process owners involved in risk assessments, the more accurate and forward-looking the information collected will be, and both qualities are of great value to the organization.

Percentage of key risks mitigated
  • Having a sense of your overall risk coverage is important; however, it is not nearly as valuable as knowing the coverage of your organization's key risks. Because all risk assessments should be conducted against standardized criteria, you can set a uniform tolerance, or cut level, throughout the organization based on the resulting assessment indexes. This helps you prioritize resources for the risks that need stronger coverage, rather than wasting them on risks that will have no major impact on your organization. The same gap analysis against a tolerance level also helps you identify emerging risks as they rise out of tolerance and it becomes clear that some mitigation activities in place are no longer sufficient.

Percentage of key risks monitored
  • Most organizations have no understanding of how the business measures they rely on daily are tied to their risks. If a risk or activity changes, they have no way of knowing how, or whether, the change will affect their metrics. Through risk assessments and by linking risks to activities, organizations can start prioritizing which activities need to be monitored. Regular risk assessments enable organizations to detect increased threat levels and identify emerging risks before they materialize and push business metrics out of tolerance.

Watch the 20-minute on-demand webinar "Streamlining Governance through ERM" to learn how to measure risk management effectiveness.

Using Risk Assessment Templates to Prioritize Business Measures


The number of business measures within organizations is typically growing. Measures are often added reactively, after loss events that have already occurred. Wouldn't it be valuable to be able to focus on forward-looking measures instead? In most organizations, these preventive, proactive measures are indistinguishable from the reactive ones, because the metrics do not formally tie back to any commitments or risks.

What if a risk or activity changes? Organizations have no way of knowing how, or whether, the change will affect their risk metrics. Risk assessments, and linking risks to activities, allow organizations to start prioritizing which activities need to be monitored. Through regular quarterly, or even annual, risk assessments, organizations can detect increased threat levels and identify emerging risks before they materialize and push business metrics out of tolerance.

Business measures are important because you cannot improve what you cannot measure; however, a large number of unconnected measures is problematic because of:

  • Measurement fatigue - staff may simply ignore many measures for lack of time to assess them.
  • Measure obsolescence - in a changing environment there is no effective way of knowing when a measure no longer applies.
  • Lack of prioritization - picking the measures to focus on is likely to happen on an ad hoc basis and at the whim of current staff.
  • Lack of continuity - changes in the organization or the development of new lines of business may spawn new measures even where existing measures would serve better.
  • Lack of coordination - measures often apply to multiple risks or commitments across functional lines. The inability to formally tie measures to risks or commitments does not promote inter-functional coordination, resulting in business silos and duplication of effort.
  • Wasted resources - the resources available to accomplish business goals and to mitigate risk are finite. Staff will often continue to manage to obsolete or unimportant measures rather than aligning with current imperatives.
  • Resistance to change - difficulty applying past experience to a changing business environment results in a tendency to "reinvent the wheel."

Much of the necessary information exists in organizations today; the missing piece is formalizing these critical connections. Enterprise Risk Management (ERM) software has functionality to identify risks and commitments; assess them based upon likelihood, impact, and assurance; evaluate whether action is needed; devise mitigation or business-building activities where it is; specify and record measurements to track effectiveness; and finally formalize the connection between all of these elements.

Connecting the measurements to the risk mitigation activities and business initiative data, and then back to the underlying risks and commitments, provides the following benefits:

  • ERM Reports: Explicit prioritization of measures based upon a risk/reward index, presented on the heat map dashboard in LogicManager.
  • Operational Risk Management: Real-time trending of measures on an ongoing basis, with measure consolidation used to direct management attention to problem (out-of-tolerance) conditions.
  • Risk Assessment Templates: Rational elimination of measures that have low priority or no connection to risks or business initiatives.
  • Performance Management: Measurements for new business initiatives prioritized by the risks or business commitments they serve.
  • Resource Allocation: More effective use of scarce resources.

The key is working with the functional managers to make the connections.  The immediate benefit will be to identify measures that are not connected to any risk or initiative and to determine if they should be eliminated.  Then, once the connections are made, use the management tools in your Enterprise Risk Management software on an ongoing basis to improve utilization of business measures within your organization.
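To make the linking concrete, here is an added example (not LogicManager code, and not the product's scoring) that models the connections described in this post and in the measures post above: business processes, the risks assessed in each, the mitigation activities and business measures tied to each risk. From that register it computes the four effectiveness measures discussed earlier (systemic risks identified, percentage of processes assessed, percentage of key risks mitigated and monitored against one uniform tolerance) and lists the measures that connect to no risk at all, which is the immediate benefit this post describes. The index formula (likelihood times impact, discounted by assurance), the tolerance of 20, and all process, risk and measure names are constructed for illustration.

```python
"""Toy risk register: processes -> risks -> mitigations -> measures.

Added example, not LogicManager code. The scoring formula, tolerance and
all sample data below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    process: str
    likelihood: int                 # 1 (rare) .. 10 (near certain)
    impact: int                     # 1 (negligible) .. 10 (severe)
    assurance: int                  # 1 (controls untested) .. 10 (controls proven)
    mitigations: list[str] = field(default_factory=list)  # activities addressing it
    measures: list[str] = field(default_factory=list)     # metrics that monitor it


def risk_index(r: Risk) -> float:
    """Assumed index: inherent exposure (likelihood x impact) discounted by the
    assurance placed in existing controls. Any consistent scale works; what matters
    is that every process is scored on the same criteria so one tolerance applies."""
    return r.likelihood * r.impact * (1 - r.assurance / 10)


def key_risks(register: list[Risk], tolerance: float) -> list[Risk]:
    """Risks whose index is at or above the uniform tolerance (cut level)."""
    return [r for r in register if risk_index(r) >= tolerance]


def systemic_risks(register: list[Risk]) -> list[str]:
    """Risk names assessed in more than one process: a cross-silo dependency."""
    counts = Counter(r.name for r in register)
    return sorted(name for name, n in counts.items() if n > 1)


def pct_processes_assessed(processes: list[str], register: list[Risk]) -> float:
    """Share of named processes that have at least one assessed risk."""
    assessed = {r.process for r in register} & set(processes)
    return 100.0 * len(assessed) / len(processes)


def pct_key_risks_mitigated(register: list[Risk], tolerance: float) -> float:
    keys = key_risks(register, tolerance)
    if not keys:            # nothing out of tolerance: coverage is complete by definition
        return 100.0
    return 100.0 * sum(1 for r in keys if r.mitigations) / len(keys)


def pct_key_risks_monitored(register: list[Risk], tolerance: float) -> float:
    keys = key_risks(register, tolerance)
    if not keys:
        return 100.0
    return 100.0 * sum(1 for r in keys if r.measures) / len(keys)


def orphan_measures(catalog: list[str], register: list[Risk]) -> list[str]:
    """Measures in the catalog that no risk references: candidates for elimination."""
    linked = {m for r in register for m in r.measures}
    return [m for m in catalog if m not in linked]


# Constructed sample data; every name here is illustrative.
PROCESSES = ["Procurement", "IT Operations", "Treasury", "Customer Onboarding"]
MEASURE_CATALOG = [
    "Vendor concentration %",
    "Days past patch SLA",
    "Help desk tickets closed",
    "Average invoice age",
]
REGISTER = [
    Risk("Single-vendor dependency", "Procurement", 6, 7, 3,
         ["Second-source review"], ["Vendor concentration %"]),
    Risk("Single-vendor dependency", "IT Operations", 5, 8, 2,
         [], ["Vendor concentration %"]),          # same risk, second silo, unmitigated
    Risk("Unpatched servers", "IT Operations", 7, 9, 4,
         ["Monthly patch cycle"], ["Days past patch SLA"]),
    Risk("FX exposure", "Treasury", 4, 5, 8, ["Hedging program"], []),
    Risk("Expense fraud", "Procurement", 3, 4, 6, [], []),
]
TOLERANCE = 20.0


def effectiveness_report(register, processes, catalog, tolerance) -> dict:
    """The ERM effectiveness measures from the post, computed from the register."""
    return {
        "systemic_risks": systemic_risks(register),
        "pct_processes_assessed": pct_processes_assessed(processes, register),
        "pct_key_risks_mitigated": pct_key_risks_mitigated(register, tolerance),
        "pct_key_risks_monitored": pct_key_risks_monitored(register, tolerance),
        "orphan_measures": orphan_measures(catalog, register),
    }


if __name__ == "__main__":
    for k, v in effectiveness_report(REGISTER, PROCESSES, MEASURE_CATALOG, TOLERANCE).items():
        print(f"{k}: {v}")
```

On this constructed register the vendor-dependency risk shows up as systemic because two processes assessed it independently, the IT Operations instance of it is the one key risk with no mitigation, Customer Onboarding has never been assessed, and two catalog measures are tied to no risk at all. Raising or lowering TOLERANCE moves risks across the cut level, which is how the gap analysis surfaces risks that have drifted out of tolerance.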

Watch a complimentary 5-minute video to learn how to link risks to business measures.
