
whitepaper
© risk decisions 2011
The first step to ERM:
What risk managers need to know to
establish an Enterprise Risk Structure
by
Val Jonas CEO Risk Decisions Group
www.riskdecisions.com
The first step to ERM: What risk managers need to know to establish an Enterprise Risk Structure

Executive Summary

"At companies that have a formal ERM program – by no means a majority – ERM is generally in a nascent stage. We believe that ERM eventually will not be a distinct discipline because it will become integrated with everyday practice. At some point, risk management may be likewise part of every senior executive's repertoire of skills."
Standard & Poor's Credit FAQ: Standard & Poor's Looks Further Into How Nonfinancial Companies Manage Risk, June 24, 2010

Most organisations aspire to practise effective Enterprise Risk Management (ERM), but very few are achieving it. Over the last decade, much effort has gone into implementing systems to comply with Sarbanes-Oxley, COSO, Turnbull, Basel II, COBIT and other regulatory standards. Most organisations are now stuck in a world of compliance-oriented risk management. They are therefore failing to take advantage of the benefits gained from a more strategic approach to risk.

Figure 1: The five steps to ERM

Putting ERM in place delivers significant benefits:
• Accurate business planning and objective setting
• Enhanced reputation and credit rating
• Better decision making on:
  • Use of capital
  • Negotiating key contracts
  • Supply chain management
  • Product demand and development
• Improved performance and shareholder value
• Reduced cost of insuring risk
• A sound platform for corporate governance.

Our "Five Steps to Enterprise Risk Management" whitepaper, published in December 2010, gives an overview of how organisations can address this shortfall, providing insights for the Chief Risk Officer based on Risk Decisions' experience of helping organisations implement ERM.

This new whitepaper, "The First Step to Enterprise Risk Management", is the first in a series of five that builds on this overview to give risk managers insights into how to start embedding ERM into their organisation.

This whitepaper describes the three most important documents required to achieve effective ERM. It also stresses the importance of understanding risk attitude and accommodating different perspectives of risk across the enterprise. Finally, it considers the risk structure required to provide a consolidated view of risk at different levels in the organisation.

This first step is not costly or time consuming; it just requires simple and practical steps to get the right people involved in ERM.

1. Enterprise risk documentation: framework, policy and process

It is the board's role, as part of its corporate governance, transparency and disclosure responsibilities, to maintain a framework, policy and process for managing risk.

However, for management of risk to be effective, it is important that everyone in the organisation understands their role in managing risk. To achieve this, the risk manager needs to ensure that three key documents are in place and communicated across the organisation: a risk framework, a risk policy and a risk process.

Figure 2: Enterprise risk documentation
Risk framework – getting people involved

This document sets out for everyone in the organisation how the management of risk (threats and opportunities) maps onto the organisation's structure. It includes information on:
• Who is responsible for different types of risk (e.g. strategic, financial, safety)
• The wider stakeholder community's involvement (e.g. contractors and suppliers)
• Objectives and expected outcomes.

Essentially, the risk framework is about getting people engaged in the management of risk.

Risk policy – defining thresholds

Senior management is responsible for ensuring that their organisation behaves in a pre-determined and measured way when faced with significant threats or opportunities. One way to achieve this is through setting the risk policy, in which risk managers clarify their organisation's vision and therefore how risk taking or risk averse they are willing for the organisation to be.

In the risk policy document risk managers give guidance on:
• What level of risk taking is acceptable (for more on this see Section 2: Understanding enterprise risk attitude)
• Which risks owners should escalate to senior management, and when
• Budgetary sign-off for risk and mitigation actions
• Risk approval levels (e.g. for business cases).

In keeping with existing company policy you may find it appropriate to align risk budget sign-off thresholds with general budget sign-off (i.e. delegated powers).

Risk process – communicating consistently

The risk process is a statement of how you want your organisation to identify, manage, mitigate, report and otherwise communicate risks consistently across the organisation.

Identifying a suitable process for your organisation is generally the most straightforward of these three steps, as there are many well established standards to choose from, including the recently published ISO 31000 international risk management standard. It is up to you to decide which best suits your organisation. See Appendix 1 for a selection of those available.

Whichever process you select, you will often need to adapt it to reflect your organisation's specific requirements or existing working practices. Bear in mind too that these needs may differ across divisions, business units, functions etc. See Section 4 for more on accommodating multiple perspectives on risk.

You may also have certain areas (e.g. safety, environmental) that require specialised risk procedures; we suggest that you either document these separately or add them as appendices to the main risk process.

Remember, it is important to understand your senior management's information requirements, and to ensure that your risk process(es) can deliver these.

2. Understanding enterprise risk attitude

Of the three documents outlined in section 1, the policy document is likely to be the most difficult one in which to align aspiration with reality. This makes it important that all employees understand what management of risk actually means to your organisation. For example:

a) A high tech company
A high tech company may pride itself on being innovative and therefore seek opportunities and take risks, with a view to maximising reward. Top down, managers will tend to encourage employees to think out of the box in an environment free of excessive control. To balance this, management are likely to develop close working relationships with key employees and have communication mechanisms that allow fast decision making. In this scenario, it is vital to properly understand and take measured risks.

b) A long established business
In contrast, a long established business relying on its trustworthy reputation for repeat business and referrals may take a risk averse attitude. The organisation will expect employees to follow strict codes of conduct: avoid deviating from procedure, and maintain the status quo. However, it needs to guard against becoming introverted and overtaken by external events. Risk management can address this.

Of course, most organisations take a position somewhere between the risk taking and risk averse extremes, adopting a portfolio approach to balance investment, innovation and core business. Whatever position your organisation takes, it is essential that it consciously understands its risk attitude, measures the risk and makes sound decisions on the basis of good information.

It may be useful to get some external help in assessing this. You may think you are risk averse, but actually be avoiding facing up to risk, which in turn can be extremely risky.

Figure 3: Balancing risk and reward
3. Embedding risk into the corporate structure

Having documented your risk management framework, policy and process (including a definition of risk attitude), you then need a practical strategy for implementing and embedding them across the enterprise.

The organisation's risk manager is likely to have responsibility for this strategy. This requires a major change programme, taking a three-pronged approach:
• Top down from "board level risk representatives", including input from non-executive board members
• Middle out via a "risk steering group" (comprising function, business unit and programme managers)
• Bottom up from existing pockets of good practice via "risk champions".

Board-level Risk Representatives

Your organisation will take the lead on what people do from the top down. Therefore, you need to ensure that each member of the board takes a specific interest in risk. It is a good idea to map each board member to a relevant organisational risk perspective, according to their skills, experience, interests and expertise.

Forming a comprehensive set of board level 'Risk Representatives', covering all the organisation's perspectives on risk, provides a natural way of hooking into risk and opportunity activities further down the company. For example, an oil company will require specific focus on safety and the environment, whereas a technology company may have a particular focus on market competitors. All organisations will have finance and HR perspectives. See section 4 for more information on multiple risk perspectives.

Some organisations find it useful to form a Risk Committee, although take care to consider the benefits and barriers of this approach. It is generally better to integrate risk into all board activities than to make it a separate exercise. However, the complexity of risk in some organisations (e.g. financial institutions) may require this specialist committee approach.

Functional-level Risk Steering Group

For ERM to work effectively, communication about risk must flow in all directions in your organisation, so the most efficient way to implement communication of risk information is to focus on middle managers, and in particular the functions. Each function is responsible for oversight of its discipline across the organisation, and therefore it makes sense for it also to be responsible for overseeing risk.

However, clarifying responsibility for risk at this level is not enough: using risk management to break down the traditional functional stovepipes gains the most benefit. Creating a function-led Risk Steering Group can be an effective way to achieve this. A significant number of an organisation's risks occur in one area of the business and impact in another, so bringing managers together to work as a team on managing risk is a major step forward.

Figure 4: Vertical & horizontal Enterprise Risk Management

Risk Champions

There will already be pockets of good risk management in your organisation, which you should encourage and reward to demonstrate that the organisation values risk management activities. One of the ways to do this is to identify and recognise risk champions and task them with the job of helping to spread good risk management practice more widely.

However, it is important to understand the issues with 'not invented here' and 'but we're different' attitudes often found in large organisations. Each area of the business should be encouraged to adopt its own take on the management of risk, subject to remaining within the defined framework, policy and overarching process. See Section 4 for more information on multiple risk perspectives.

Having identified these three key groups, the final step is to generate lines of communication between them, whereby board representatives can gain a deeper insight into specific risks through dialogue with relevant members of the functional Risk Steering Group or specialist risk champions. Similarly, risk champions can sound out higher level opinions on areas and types of risk that they believe should be gaining more management attention.

Figure 5: Risk and decision making: lines of communication

The role of the Chief Risk Officer (CRO) and Internal Audit

The CRO and the internal audit team play a key role in facilitating communication and understanding between these different levels of risk management. They will play a practical role in meetings and help ensure that appropriate lines of communication are in place.
4. Accommodating multiple risk perspectives

In the same way that risk attitude varies from one organisation to another, so perspectives differ within each organisation. This is easiest to understand when you consider different functions or disciplines. For instance:
• IT departments will be concerned with risks relating to data protection and e-security, cyber crime, virus protection and so on; so they may follow the COBIT guidelines as part of their working practices.
• Safety, Health and Environment's risk focus will include hazard analysis and prevention, staff training and awareness, and risk assessment checklists; they will need to adhere to HSE legislation.
• Finance Directors, Heads of Major Projects and Operations Managers will each place a different emphasis on risk again.

An effective ERM strategy must not only recognise and accommodate all of these disciplines, but more importantly find the right level at which they fit together.

Organisations often assume that they can only implement ERM as a single structure, with risks being rolled up from bottom to top and the CEO sitting at the top of the pyramid, reviewing everything underneath. In fact, there are many different ways to aggregate risk, and therefore a pyramid is unlikely to be the best way to gather and report on risk information.

Instead, you need a number of ways to slice and dice data: by discipline, budgetary authority, contracting mechanism, geographical location, technology and so on. Rather than create a single hierarchy, a more effective approach is to create a number of hierarchies containing risk information, so that the same risk can be viewed and aggregated from each perspective.

Combined with this multi-hierarchy structure, you also need a simple risk map (covered in a later white paper), to ensure risk information is communicated horizontally and vertically and reported at the right levels.

Finally, you will need a central repository for risk information. The current practice of trying to consolidate a myriad of spreadsheet-based risk registers cannot deliver efficient ERM:
• They do not provide an audit trail
• Considerable effort is required to produce a consolidated view for reporting and analysis
• Spreadsheets do not give multiple users concurrent access.

There are many tools available on the market, but one of the key criteria when you are selecting a tool is to ensure that it is configurable to match the multiple perspectives in your organisation.

Figure 6: Enterprise Risk Structure in the Predict! Hierarchy Tree

5. Summary

Top down governance of risk is the responsibility of the board, setting the vision and direction for the organisation, including the way forward on embedding Enterprise Risk Management. Producing guidance and documentation is the easy bit. Developing and implementing a strategy to roll ERM out across the organisation is the challenge.

Establishing top down risk representatives, a middle layer risk steering group and champions within the organisation is one of the fastest ways to move from a tactical, fragmented approach to risk management to embedded ERM.

While there will be many perspectives on risk, with different capture and reporting requirements, it is important that the basic risk process steps are the same for everyone. When cross-functional groups meet, they need to use a common language. ERM provides central visibility and consistent identification, reporting, communication and aggregation for decision making at all levels. But it also maintains distributed responsibility for management of the risks and response actions.

Overall, make sure your organisation's attitude to risk is well defined from the top and communicated down through the organisation in a practical way.

Finally, remember that Enterprise Risk Management should be simple to understand and simple to implement. Keep it simple! Make it effective!
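The multi-hierarchy structure of Section 4, as an added example that is not from the whitepaper and not Risk Decisions' Predict! software: a small risk register in Python in which every risk is tagged with a path in several hierarchies (discipline, geography, budgetary authority), rolled up to every ancestor node in each hierarchy rather than up a single pyramid, and then checked against the escalation thresholds that the risk policy section aligns with delegated budget sign-off. Threats and opportunities are totalled separately, following the glossary's advice not to net one against the other. The risks, hierarchy paths and threshold values are constructed sample data, and "expected exposure = probability × impact" is a simplifying assumption made for this example (it is not the glossary's Risk Exposure definition).

```python
"""Added example (not from the whitepaper): one risk register rolled up along
several hierarchies at once, with threats and opportunities kept separate and
the risk policy's escalation thresholds applied per node.
All risks, hierarchy paths and thresholds are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    title: str
    kind: str                      # "threat" or "opportunity"
    probability: float             # 0..1
    impact: float                  # cost impact if the risk event occurs
    # perspective name -> path through that hierarchy, root first
    paths: dict = field(default_factory=dict)

    def expected(self) -> float:
        """Expected exposure: probability x impact (simplifying assumption)."""
        return self.probability * self.impact


def ancestors(path):
    """Expand a path into every node it passes through, root first:
    ("Europe", "UK", "Oxford") -> ["Europe", "Europe/UK", "Europe/UK/Oxford"]."""
    return ["/".join(path[: i + 1]) for i in range(len(path))]


def roll_up(risks):
    """Return {perspective: {node: {"threat": x, "opportunity": y}}}.

    A risk contributes to every ancestor node in every hierarchy it is tagged
    with, so the same risk shows up in the IT roll-up, the UK roll-up and the
    Operations budget roll-up at once: several hierarchies, not one pyramid.
    Threats and opportunities are never netted against each other."""
    totals = defaultdict(
        lambda: defaultdict(lambda: {"threat": 0.0, "opportunity": 0.0}))
    for risk in risks:
        for perspective, path in risk.paths.items():
            for node in ancestors(path):
                totals[perspective][node][risk.kind] += risk.expected()
    return totals


def escalations(totals, thresholds):
    """Apply the risk policy: a node whose aggregated threat exposure exceeds
    its delegated sign-off limit must escalate to the level above.
    thresholds: {perspective: {node: limit}}; nodes without a limit are not
    checked. Returns sorted (perspective, node, exposure, limit) tuples."""
    breaches = []
    for perspective, limits in thresholds.items():
        for node, limit in limits.items():
            exposure = totals[perspective][node]["threat"]
            if exposure > limit:
                breaches.append((perspective, node, round(exposure, 2), limit))
    return sorted(breaches)


# Constructed sample register: four risks, each tagged in three hierarchies.
SAMPLE_RISKS = [
    Risk("R1", "Supplier data breach", "threat", 0.20, 500_000,
         {"discipline": ("IT", "Security"),
          "geography": ("Europe", "UK"),
          "budget": ("Group", "Operations", "Supply Chain")}),
    Risk("R2", "Site contractor injury", "threat", 0.10, 200_000,
         {"discipline": ("SHE", "Safety"),
          "geography": ("Europe", "UK"),
          "budget": ("Group", "Operations")}),
    Risk("R3", "Early market entry", "opportunity", 0.30, 400_000,
         {"discipline": ("Commercial",),
          "geography": ("Americas", "USA"),
          "budget": ("Group", "Strategy")}),
    Risk("R4", "Cloud provider outage", "threat", 0.25, 160_000,
         {"discipline": ("IT", "Infrastructure"),
          "geography": ("Americas", "USA"),
          "budget": ("Group", "Operations")}),
]

# Constructed delegated powers: the threat exposure a node may carry before
# it must escalate (aligned with budget sign-off, as the policy section suggests).
SAMPLE_THRESHOLDS = {
    "budget": {"Group/Operations/Supply Chain": 50_000,
               "Group/Operations": 250_000},
    "geography": {"Europe/UK": 100_000},
}


def report(risks=SAMPLE_RISKS, thresholds=SAMPLE_THRESHOLDS):
    """Print each hierarchy's roll-up and the nodes that must escalate."""
    totals = roll_up(risks)
    for perspective in sorted(totals):
        print(f"[{perspective}]")
        for node in sorted(totals[perspective]):
            t = totals[perspective][node]
            print(f"  {node:<32} threat {t['threat']:>10,.0f}"
                  f"  opportunity {t['opportunity']:>10,.0f}")
    for perspective, node, exposure, limit in escalations(totals, thresholds):
        print(f"ESCALATE {perspective}:{node} exposure {exposure:,.0f} > limit {limit:,}")
    return totals


if __name__ == "__main__":
    report()
```

Run it and the supplier breach (R1) appears under IT/Security, Europe/UK and Group/Operations/Supply Chain at the same time; only the Supply Chain budget node and the UK geography node breach their limits, while Group/Operations stays within its larger delegated power, which is exactly the "which risks to escalate, and when" decision the risk policy is meant to make mechanical.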
Appendix 1: Risk Management Standards

ISO 31000:2009 Risk Management – Principles and Guidelines (2009). ISO (cited as ISO/FDIS 31000:2009).
AS/NZS 4360:2004 Risk Management (2004). SAI Global Ltd, ISBN 0-7337-5904-1.
Project Risk Analysis and Management (PRAM) Guide, Second Edition (2006). Association for Project Management, ISBN 1-903494-12-5.
Enterprise Risk Management – Integrated Framework (2004). COSO, AICPA.
Management of Risk: Guidance for Practitioners (2007). Office of Government Commerce, The Stationery Office, ISBN-13 9780113310388.
Practice Standard for Project Risk Management, First Edition (2009). Project Management Institute.
Appendix 2: Glossary

Where the source is shown in brackets, minor amendments have been incorporated to the original definition.

Budget: The resource estimate (in £/$ or hours) assigned for the accomplishment of a specific task or group of tasks. Source: Risk Decisions
Change Control (Management): Identifying, documenting, approving or rejecting, and controlling change. Source: (PMBoK)
Control Account: A management control point at which actual costs can be accumulated and compared to earned value and budgets (resource plans) for management control purposes. A control account is a natural management point for budget/schedule planning and control since it represents the work assigned to one responsible organisational element on one Work Breakdown Structure (WBS) element. Source: APM EVM guideline
Cost Benefit Analysis: The comparison of costs before and after taking an action, in order to establish the saving achieved by carrying out that action. Source: Risk Decisions
Cost Risk Analysis: Assessment and synthesis of the cost risks and/or estimating uncertainties affecting the project, to gain an understanding of their individual significance and their combined impact on the project's objectives, and to determine a range of likely outcomes for project cost. Source: (PRAM)
Enterprise Risk Management (ERM): The application of risk management across all areas of a business, from contracts, projects, programmes, facilities, assets and plant, to functions, financial, business and corporate risk. Source: Risk Decisions
Enterprise Risk Map: The structure used to consolidate risk information across the organisation, to identify central responsibility and common response actions, with the aim of improving top down visibility and managing risks more efficiently. Source: Risk Decisions
Left shift: The practice by which an organisation takes proactive action to mitigate risks when they are identified rather than when they occur, with the aim of reducing cost and increasing efficiency. Source: Risk Decisions
Management Reserve (MR): Management Reserve may be subdivided into: Specific Risk Provision to manage identifiable and specific risks; Non-Specific Risk Provision to manage emergent risks; and Issues Provision. Source: APM EV/Risk Working Group
Non-specific Risk Provision: The amount of budget / schedule / resources set aside to cover the impact of emergent risks, should they occur. Source: APM EV/Risk Working Group
Operational Risk: The different types of risks managed across an organisation, typically excluding financial and corporate risks. Source: Risk Decisions
Opportunity: An 'upside', beneficial Risk Event. Source: PRAM
Performance Measurement Baseline: An approved scope/schedule/budget plan for work, against which execution is compared, to measure and manage performance. Source: (PMBoK)
Performance Measurement: The objective measurement of progress against the Baseline. Source: APM EV/Risk Working Group
Proactive Risk Response: An action or set of actions to reduce the probability or impact of a threat or increase the probability or impact of an opportunity. If approved, they are carried out in advance of the occurrence of the risk. They are funded from the project budget. Source: (PRAM)
Reactive Risk Response: An action or set of actions to be taken after a risk has occurred in order to reduce or recover from the effect of the threat or to exploit the opportunity. They are funded from Management Reserve. Source: (PRAM)
Risk Appetite: The amount of risk exposure an organisation is willing to accept in connection with delivering a set of objectives. Source: APM EV/Risk Working Group
Risk Event: An uncertain event or set of circumstances that, should it or they occur, would have an effect on the achievement of one or more objectives. Source: PRAM
Risk Exposure: The difference between the total impact of risks should they all occur and the Risk Provision. Source: APM EV/Risk Working Group
Risk Management Clusters®: Functionality in Risk Decisions' Predict! risk management software that enables users to organise different groups of risks to form a single, enterprise-wide risk map. Source: Risk Decisions
Risk Provision: The amount of budget / schedule / resources set aside to manage the impact of risks. Risk Provision is a component part of Management Reserve. Source: APM EV/Risk Working Group
Risk Response Activities: Activities carried out to implement a Proactive Risk Response. Source: APM EV/Risk Working Group
Schedule Risk Analysis: Assessment and synthesis of schedule risks and/or estimating uncertainties affecting the project's ability to meet key milestones. Source: (PRAM)
Schedule Reserve: The schedule component of Management Reserve. Source: APM EV/Risk Working Group
Specific Risk Provision: The amount of budget / schedule / resources set aside to cover the impact of known risks, should they occur. It is not advisable to net opportunities against threats, so a separate value is calculated for each. Source: APM EV/Risk Working Group
Threat: A 'downside', adverse Risk Event. Source: PRAM
Uncertainty: The spread in estimates for schedule, cost and performance arising from the expected range of outcomes. Often termed estimating error. Source: APM EV/Risk Working Group
About Risk Decisions

Risk Decisions Limited is part of Risk Decisions Group, a pioneering global risk management solutions company, with offices in the UK, USA and Australia. The company specialises in the development and delivery of enterprise solutions and services that enable risk to be managed more effectively on large capital projects, as well as helping users to meet strategic business objectives and achieve compliance with corporate governance obligations.

Risk Decisions has introduced many innovative features that have since become standard features in the industry, including the risk hierarchy tree, combined threat and opportunity risk impact grids and automated schedule risk analysis. The company plays a significant role in influencing risk management policy, making important contributions to APM, OGC and PMI risk management guides and standards, including guidance on interfacing risk with other disciplines, such as Earned Value and Systems Engineering.

Clients include Lend Lease, Mott MacDonald, National Grid, Eversholt Rail, BAE Systems, Selex Galileo, Raytheon, Navantia, UK MoD, Australian Defence Materiel Organisation and New Zealand Air Force.

For further information visit www.riskdecisions.com or contact Alex Leggatt at Risk Decisions Ltd, Whichford House, Parkway Court, Oxford Business Park South, Oxford, OX4 2JY. Tel: 01865 718666. Email: [email protected]

European HQ (for enquiries from the UK and mainland Europe)
Risk Decisions Ltd, Whichford House, Parkway Court, Oxford Business Park South, Oxford, OX4 2JY, United Kingdom
General enquiries: Tel +44 (0)1865 718666, Fax +44 (0)1865 718600, Email [email protected]
Help desk support: Tel +44 (0)1865 395698, Fax +44 (0)1865 718600, Email [email protected]