Kempkey Insurance and Risk Management Services

Articles

Creating and Protecting Value:

From Defensive to Strategic Risk Management

By Ed Kempkey

Rapid changes in information technology, the explosion of globalization and outsourcing, the sophistication of business transactions, and increased competition combined with economic and political uncertainty are putting more pressure than ever on organizations to understand and assess their risks.

Business survival requires an organization to take risks; successful organizations manage risk well while those that do not go out of business.  Many of the techniques used by boards and senior executives are dated, lack sophistication, and are no longer effective in creating and maintaining an organization's competitive advantage.

So, how do you develop and sustain an effective risk management program?  Since the introduction of the ISO 31000 International Risk Management Standard, there is now a framework for organizations to follow.  Built upon other leading international risk management standards, the ISO framework is considered the current best practice for enterprise risk management.

Underlying principle

The overarching ISO principle is that risk management should have net value to the organization.  Risk management should make money, enhance reputation, contribute to public safety, improve sustainability, generally enhance benefits, and reduce harm.  It does this by improving the decision makers’ understanding of the effects of uncertainty on objectives.  This provides a high return on the investment in risk management, especially when you are able to exploit risk.

It’s about uncertainty

Organizations face complexity in distributed operations, relationships, increased regulatory oversight, and litigation burdens.  Uncertainty grows right along with business complexity.  When risk is considered as the effect of uncertainty on objectives, all efforts to reduce that uncertainty will therefore increase the likelihood that the organization will achieve its objectives.  Uncertainty stems from having either not enough information or the wrong information for decision-making or planning.  When fully integrated into the management and direction of the organization, risk management is just one aspect of management and is just one more tool available to managers besides tools for operations, finance, planning, human resources, and so forth.

Elements of Enterprise Risk Management

The two main components of an effective plan are a risk management framework and a risk management process.

Risk management framework

The framework in an organization supports the risk management process for decision making in the organization.  Successful frameworks are usually simple to understand and to implement, yet sophisticated enough to be effective.  The framework includes five components:

  1. Mandate and commitment which requires strong and sustained commitment by management of the organization.  This can include defining and endorsing the risk management policy and assigning accountabilities and responsibilities at appropriate levels within the organization.
  2. Design of framework for managing risk which includes the way in which risk management performance will be measured and reported.
  3. Implementing risk management includes holding information and training sessions and communicating and consulting with stakeholders.
  4. Monitoring and review of the framework in order to ensure that risk management is effective and continues to support performance.
  5. Continual improvement of the framework based upon the results of monitoring and reviews in order to make decisions on how the framework, policy and plan can be improved.

Risk management process

The process is comprised of activities that support and assist decision making within the organization. The activities include:

  1. Establishing the context which sets the stage for the decision or activity requiring risk management.
  2. Risk assessment identifies, analyzes, and evaluates the risks.
  3. Risk treatment enhances the likelihood of positive consequences and reduces the likelihood of negative consequences to acceptable or tolerable levels.
  4. Monitoring and review keeps close watch over the risk and the control implemented to modify the risk.
  5. Communication and consultation is continuous to ensure that the stakeholders are engaged and contribute to the management of risks.

 Implementing Enterprise Risk Management

The contrast of these two components creates four quadrants:

Risk Management Development Matrix

Let’s look briefly at each of the four.

Quadrant 1: Traditional Management.  At this stage the organization operates in a defensive mode, relying on the purchase of insurance when possible.  The perspective of risk is that of hazards and is oriented around cause of loss.  Risk treatment operates in silos within departments, and consequently is a “bottom-up” process (defensive position).

Quadrant 2: Framework.  The “tone from the top” encourages risk awareness across the organization and staff to be accountable for their actions.  Strong leadership utilizes the knowledge of all staff and team members in determining controls before risks occur.

Quadrant 3: Process.  A strategic process is used to identify, analyze, evaluate and treat risks.  The process includes monitoring and reviewing the results to assure success of the plan.

Quadrant 4: Enterprise Risk Management.  ERM looks at the upside of risk and the many opportunities it can present.  It is tied to strategic objectives and is a coordinated approach that looks at all risk departments.  Subject matter experts and risk committees are used to identify risk, and it is a “top-down” process (offensive position).

The first step toward achieving leadership is to gain internal support.  The organization can then utilize internal and external talent to take a series of steps in their progress towards a leadership position.

The Risk Assessment Workshop

Combines Learning and Teambuilding

By Ed Kempkey

A key component of a successful risk management program is establishing a system for accurately assessing the organization's risks.  Risk assessments include identifying, analyzing, and evaluating the organization's risks in order to decide on the proper treatments for those that are most critical to achieving its objectives.  There are numerous ways to assess risks, including interviews, questionnaires, checklists and documentation reviews.  While these can be used to supplement the process, the preferred method is a risk assessment workshop.

Risk Assessment Workshop

A workshop format enables participants to both contribute and learn in a natural environment.  The result is not only a ranked list of key risks, but a fascinating discussion about the control environment, risk appetite, and individual risk tolerances.  As stakeholders walk away from the session their understanding of business operations, objectives, and challenges has expanded and they are equipped with the knowledge and the detailed analysis to make improved decisions.

The average workshop lasts about 2 hours and typically has 5-10 executives, a record keeper, and a facilitator.  The facilitator guides the group through a set of risks and the group determines the impact and likelihood of the risks by consensus.  To avoid groupthink or the potential bias that one individual can place on the group opinion, voting software is used to enable anonymous assessment of risk in a workshop environment.

The benefits

In my experience, the benefits of a workshop go far beyond assessing risks.

Learning opportunity: A well-structured workshop allows participants to examine risks from a range of perspectives, and learn from other experts and leaders in the room.  Participants will inevitably emerge from the workshop understanding their business better and with heightened awareness of corporate objectives, and the landscape of internal and external risk environments.  If the workshop agenda includes discussion of current, committed, and contemplated mitigants, they will also gain a greater understanding of how other parts of the organization are mitigating risk, and how these mitigants might fit together.

Team building: Risk workshops are an excellent tool for promoting team building.  A risk workshop provides a “safe” environment to share perspectives and ideas and ensures equal opportunity for participants.  It is a great “get to know you” exercise for a recently established management team.

Efficient use of time: Risk workshops can be an effective way for a management team to cover a large amount of ground very quickly.  The focus on a defined agenda and use of facilitation techniques and risk management tools ensures that the discussion sticks to the highest-priority issues.

Risk management education: Risk workshops provide a “live” demonstration of risk management techniques and approaches.  As such, they are an excellent vehicle for educating participants on the theory and application of risk management to specific business problems.

Continuous improvement: Risk workshops provide the risk manager with an environment for continuously improving the quality of tools and techniques.  Through repeated exposure and use by managers from a variety of levels and backgrounds, a program of workshops will effectively validate such tools as risk tolerances and voting guides.

Risk assessment workshops not only serve as the core activity in the risk management process, they also provide a wonderful combination of learning and teambuilding.

 

What is your company’s risk profile?

By Ed Kempkey

A corporate risk profile documents risks that are critical to achieving the organization’s business objectives over a specified future period of time.  The risk profile then serves as a management tool that senior executives can use for strategic and business planning, resource allocation and action plans.  The time horizon for a corporate risk profile should typically be in the range of three to five years depending upon the volatility of the business environment.

How to prepare a risk profile

There is no set rule for preparing a risk profile, other than to keep it simple and easy to communicate.  One way is to conduct a risk and control assessment workshop and then display the risks on a heat map.  The workshop is an efficient use of time, and the heat map is visually appealing, and easy to understand and describe.

Risk workshop

A workshop format enables participants to both contribute and learn in a natural environment.  The result is not only a ranked list of key risks, but a fascinating discussion about the control environment, risk appetite, and individual risk tolerances.  As stakeholders walk away from the session their understanding of business operations, objectives, and challenges has expanded and they are equipped with the knowledge and the detailed analysis to make improved decisions.

The average workshop lasts about 2 hours and typically has 5-10 executives, a record keeper, and a facilitator.  The facilitator guides the group through a set of risks and the group determines the impact and likelihood of the risks by consensus.  To avoid groupthink or the potential bias that one individual can place on the group opinion, voting software is used to enable anonymous assessment of risk in a workshop environment.

Heat map    

The heat map is a powerful tool to display voting results from the workshop.  It is a graphical depiction of the relative rating for each risk based upon the likelihood of the event occurring, and the impact or consequences of its occurrence.  The vertical scale represents likelihood in incremental ratings of 1 to 5, with 1 being the least likely and 5 being the most likely.  The horizontal scale represents impact in incremental ratings of 1 to 5, with 1 having the least impact and 5 having the greatest impact.

The heat map is color coded to show the levels of risk, with those having high impact and likelihood in the upper right quadrant in shades of red, and those with low impact and likelihood in the lower left corner in shades of green.  Risks that fall between these extremes are displayed relative to their ratings, an example of which is shown in figure 1.

Heat Map

In the heat map displayed above, the blue squares represent the inherent risks (before mitigation), and the white circles represent residual risks (after considering current controls).  The line between the blue square and the white dot represents the adequacy of mitigants over each risk, with a short line showing low levels of mitigation and a longer line showing high levels of mitigation.

How often should a risk profile be prepared?

For many organizations an annual profile may be too infrequent given the fluctuating business environment.  On the other hand, a quarterly profile may be an inefficient use of time and unnecessary.  A semi-annual profile is the most expedient interval to start, and can be adjusted after some experimentation.

Who should participate in preparing the risk profile?

The organization's management team should participate in creating the risk profile.  This can best be accomplished by first scheduling half-hour interviews with each individual in order to get input on risks relative to the objectives for their area of responsibility.  A list can then be compiled for use in facilitating the workshop and creating a risk profile that ensures improved decision making and planning as well as enhanced governance and stakeholder confidence and trust.