
Mastering 21st Century Enterprise Risk Management
Firing Dated Practices | The Best Practice of ERM | Implementation Secrets
Author
Gregory M Carroll
Production Editor
Rebekah Donaldson
Reviewer
Special thanks to Greg Hutchins at CERM Magazine
ISBN: 9781483510446
Copyright 2013 Gregory M Carroll. Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. For details on the Creative Commons license, visit: http://www.creativecommons.org/licenses/by-nc-sa/3.0
To contact the author:
Greg Carroll
Fast Track Aust PTY Ltd
+61755918977
http://www.fasttrack365.com/contact
http://www.linkedin.com/in/gregorymcarroll
For additional work by the author:
http://www.fasttrack365.com/resources
http://www.fasttrack365.com/blog
Contents
Foreword
Introduction
Understanding risk
Part I. Learning from the Past: Firing Failed Risk Practices
Why 20th century risk management failed
Over-promised
Incorrectly structured
Inaccurately implemented
Complex interrelationships not mapped
Inappropriately focused
Part II. Getting It Right: Implementation Secrets
IBM and Queensland Health's billion dollar fiasco
Secrets to successful risk management
Gen Y & 21st century risk management
Selecting ERM software
Getting software implementation right
Part III. A New Approach: 21st Century Best Practices
Enterprise risk management framework
Scenario analysis – an alternative view of the future
Structural/causal risk modelling
Shareholder value strategy
Conclusion
Addendum: How to Design a True Enterprise Risk Management System
Definitions
1. Identification
2. Evaluation
3. Monitoring
4. Aggregating
5. Management
More information
Foreword
Being a business owner, I keep an eye out for marketing ideas. I use a switched-on U.S.-based marketing consulting firm, B2B Communications (b2bcommunications.com), which educated me on 21st century marketing. Having had a successful business for over 30 years, to say I am learning a whole new paradigm is an understatement. As a result, I have been following an Australian marketing guru, Bruce Rasmussen (@bruceras), who just released interesting survey results. Bruce’s research found that “admirable traits such as 'building the relationship' and 'following up after the sale,' with which virtually all sales people have been brought up, are the staple approach in the ICT sales community. The only problem is that these behaviours are no longer considered to be best practice.”1
In one of my blog posts I put forward the case that the character and modus operandi of Gen Y is changing the way people will work in the future, and the very traits we complain about may be the solution to our biggest problems.2
A common theme raised at the 2013 OpRisk conference was the paradigm shift in risk management. This was supported by a Milliman research report3 that found:
1. Basic risk indicators and standard formula are ultimately a very blunt model; and
2. Structural/causal-based risk models are the leading emerging best practice in the field.
In other words, the accepted practice is failing and there is an entirely new approach to risk management.
Then I watched a video on 3D Printing4 -- a technique used to produce physical products from digital designs. The Economist compares it to the invention of the steam engine and the printing press. Business Insider says it's "the next trillion-dollar industry." And everyone from BMW, to Nike, to the U.S. Air Force is already using it every day. The Motley Fool Investment Advisors claim it will put an end to the Made-in-China era in the same way digital music downloads put an end to CD mass production.5
The pace of innovation and adoption is accelerating. Google, GPS, the iPad, and DNA evidence were research projects just 20 years ago. They are the norm today.
Accepted best practice in risk management has failed. The rate of technological change has accelerated. A fundamental change in business is happening, and a majority of businesses today will not be around in 10 years unless they urgently adopt major transformations.
Think I’m overstating the situation? Ford, one of the largest companies in Australia for the last 50 years, is shutting plants.
Just as the 1890s world of the Wild West had disappeared without trace by the Roaring 1920s, so too will the business world of the 1990s, in which we still operate today, be long forgotten by the 2020s. When I note:
The environment has changed...
The nature of selling has changed...
The nature of work has changed...
The nature of risk management has changed...
The rate of change of technology has accelerated...
The movement of capital has accelerated...
The intrusion of compliance has accelerated...
And volatility is now the norm...
... I feel like Sarah Connor (Linda Hamilton) in the last scene of “Terminator,” driving toward the storm clouds on the horizon, thinking, “The unknown future rolls toward us. I face it, for the first time, with a sense of hope.”
Greg Carroll
linkedin.com/in/gregorymcarroll
Introduction
Risk management has traditionally focused on the downside—the "what if"—of risk. What if I get audited; will my documentation be in order? What if someone gets hurt? Risk has also traditionally been siloed at many organisations, with each functional area requiring its own unique parameters. Accounting and finance are concerned with financial regulations; manufacturing is concerned about safety and equipment validation.
To further complicate the situation, each functional area turned to a different software supplier to obtain the risk management solution that would meet their specific regulatory requirements. The goal was to stay out of trouble. Aside from the obvious IT application management nightmare, the siloed, stay-out-of-trouble approach to risk management became a model for inefficiency and escalating costs.
Modern risk management philosophy goes beyond "staying out of trouble." It incorporates the upside of risk—the people and process efficiencies that result when a holistic risk management framework is integrated into all aspects of the business and aligned to specific business objectives. Investing in risk management, as with all other investments, must produce a return. Mastering 21st Century Enterprise Risk Management explains why many risk management systems are broken and what needs to be done to fix them. It also explains the pitfalls to avoid when deploying an enterprise risk management system.
Whether you're new to risk management or a seasoned veteran, you'll learn effective approaches and emerging models that are backed by real-world examples.
Welcome to 21st century risk management.
Understanding risk

Although most think they know what risk is, there seems to be a fair bit of misunderstanding outside the risk fraternity.
Like the motor vehicle, risk is not good or bad. So before we dive in, let’s take three minutes to cover some basics:
00:00 Definition
Risk is the level of uncertainty in any situation. Risk management is a system that identifies, quantifies and attempts to reduce or eliminate uncertainty. Because an event in one part of an organisation can affect other, apparently unrelated parts (the butterfly effect), enterprise risk management (ERM) is a coordinated linking of all organisation risks into a single model, so that everyone is aware of the effect immediately. ISO31000 is a new international standard that provides a framework and process for an effective enterprise risk management system.
00:25 Identification
A good risk management system must start with a set of corporate objectives, not at the detail level.
Objectives need to cover all aspects, including financial, operational and marketing goals as well as OHS and environmental goals, and apply at all business levels, including strategic, organisation-wide, project, product and process. Linking all risks back to these objectives is how you create an integrated enterprise risk management system and ensure the system produces a good return on the investment. Uncertainty includes a lack of information about, or understanding of, an event, its consequence or its likelihood.
01:00 Assessment
A risk assessment is a preventive evaluation of each uncertainty in a specific area of operation by internal subject matter experts. Assessments, by nature, are subjective. For standardisation, a risk matrix grades the impact of a risk based on likelihood of it happening and the effect (consequences) if it does. The key factor is to examine practical risks. With time, assessments can be refined when they are periodically reviewed and updated.
A job safety analysis (JSA) is a specific type of risk assessment performed immediately prior to starting a job; it considers the situational effects at that particular time.
01:40 Control
A control is an action or measure that can alter an uncertainty (hopefully for the better) and can include any device, change of practice, use of equipment, or redesign of a product or process. Generally, the best solution is to eliminate a risk, so some controls are preferred over others; they are ranked in order of effect in a hierarchy of controls.
02:00 Mitigation
It is important to understand the risk appetite of the business unit being assessed. This is the level of risk that can be tolerated on an ongoing basis. It will vary dramatically from department to department, e.g., marketing vs. finance. Be aware that elimination of a risk is not always the objective and sometimes not even desirable. However, the risk is still worth recording, as it may have an effect on other areas.
Mitigation is a fancy word for an action that reduces or eliminates a risk, i.e., how a control is applied to risk. Controls regularly do not act as intended, so mitigation requires change management, i.e. planning, approval, monitoring and review of its effect. The assessment prior to applying a control (mitigation) is referred to as its initial risk. The evaluation of the risk still outstanding afterward is referred to as the residual risk.
02:45 Review
Review is the key to effective risk management. Set milestones throughout mitigation, and review the affected area on completion. When properly implemented, review is where risk management creates value and facilitates continual improvement.
03:00 Done!
So that’s the three-minute basic risk tutorial. Use this to break down some of the walls surrounding the implementation of risk management, and show that it is just a practical approach to improving efficiency by directing resources where they produce the greatest effect.
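The five steps above (identification, assessment, control, mitigation, review), as an added example that is not from the book: a small Python risk register that scores a risk on a 5x5 matrix, ranks candidate controls by the hierarchy of controls, computes initial versus residual risk and checks the residual against a per-department risk appetite. The scales, the hierarchy ordering, the payroll risk and the appetite ceilings are constructed assumptions, since the tutorial names these concepts without fixing any numbers.

```python
from dataclasses import dataclass

# Assumed 5x5 ordinal scales and hierarchy ordering; the tutorial names these but fixes no scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
HIERARCHY = ["elimination", "substitution", "engineering", "administrative", "ppe"]  # best first

@dataclass(frozen=True)
class Control:
    name: str
    level: str             # one of HIERARCHY
    likelihood_drop: int   # matrix steps the control removes from likelihood
    consequence_drop: int  # matrix steps the control removes from consequence

@dataclass(frozen=True)
class Risk:
    objective: str         # every risk links back to a corporate objective
    description: str
    likelihood: str
    consequence: str

def initial_risk(risk: Risk) -> int:
    # Risk matrix cell before any control: likelihood x consequence, 1..25.
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]

def residual_risk(risk: Risk, control: Control) -> int:
    # Re-score after one control; neither score drops below 1.
    lk = max(1, LIKELIHOOD[risk.likelihood] - control.likelihood_drop)
    cs = max(1, CONSEQUENCE[risk.consequence] - control.consequence_drop)
    return lk * cs

def rank_controls(candidates: list) -> list:
    # Order candidates by the hierarchy of controls, not by convenience.
    return sorted(candidates, key=lambda c: HIERARCHY.index(c.level))

def plan(risk: Risk, department: str, candidates: list, appetite: dict) -> dict:
    # Apply the highest-ranked control, then test the residual against that unit's appetite.
    chosen = rank_controls(candidates)[0]
    residual = residual_risk(risk, chosen)
    return {"objective": risk.objective, "initial": initial_risk(risk), "control": chosen.name,
            "residual": residual, "within_appetite": residual <= appetite[department]}

# Constructed sample: one risk, two candidate controls, per-department appetite ceilings.
APPETITE = {"finance": 6, "marketing": 12}
PAYROLL_RISK = Risk("Run payroll on time every month", "single payroll server fails", "possible", "major")
CANDIDATES = [Control("written recovery procedure", "administrative", 1, 0),
              Control("active/standby failover pair", "engineering", 2, 2)]
```

Calling `plan(PAYROLL_RISK, "finance", CANDIDATES, APPETITE)` takes the initial score of 12 down to a residual of 2 via the engineering control, which sits inside finance's appetite; the administrative procedure alone would leave a residual of 8 and fail the check.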
Part I. Learning from the Past: Firing Failed Risk Practices
What do I mean by "failed"? I mean that risk management has failed to deliver the promised benefits. Outside the governance, risk, and compliance (GRC) fraternity, most senior executives will agree that risk management is at best an evil necessity, at worst a bureaucratic waste of time, and most likely just another failed management fad. In the same way that a weed is a plant in the wrong place, a management fad is a strategy poorly implemented. Unfortunately, when it comes to the current perception of risk management, many of those working in GRC have their heads in the sand. Instead of debating the furnishing fabrics while the house is burning, or believing we can fix it if we work harder, I believe we need to reassess our approach to risk management.
Case in point: Ford Australia closure
Ford has been an iconic brand in Australia for nearly 100 years. The supporter rivalry of Ford vs. GM was the stuff of legends, the automotive equivalent of the Liverpool vs. Manchester United rivalry. No other product could dream of this level of consumer advocacy.
In the 1970s Ford produced the ultimate “muscle car” -- still talked about today -- and its luxury models were used as limos for visiting heads of state.
Ford Motor Company management claims it is no longer economical to manufacture in Australia due to the high labour costs. However, German manufacturers including BMW, Mercedes, Audi and Volkswagen somehow seem to be able to compete. All face similar labour costs, environmental controls, and taxes. So maybe there's something else going on at Ford.
Writing about Ford's decision in The Australian, Maurice Newman argues that government needs to "work urgently to restore our international competitiveness." He writes, "...why invest billions in modernising? The decision to shut down in October 2016 was the only rational one."
In my opinion, the fault can be firmly placed at the feet of Ford's management. The purpose of management is to cater to the push and pull of the business environment and ensure not only survival but also growth.
When management sleeps on the job
Of course, Ford didn't jump straight from dominance to closing up shop. Ford “slipped” from selling 84,000 vehicles in Australia in 2003 to only 14,000 in 2012. I think free-fall is a more apt description. An 83 percent drop in sales?
Has management at Ford been asleep the last 10 years? There is a dire lesson in this for anyone in business. Look at Ford worldwide. Ford Focus is one of the top selling cars in Europe, while the Ford F150 is one of the biggest selling pickups in the US. On top of this, Ford had a well-publicized enterprise risk management framework. Since 4 cylinder compacts and 4-wheel drive vehicles account for up to 80% of the Australian market, how could Ford Australia become “no longer economical”?
Death by 1,000 cuts
In my opinion, Ford’s product is stuck in the ’80s. Marketing is non-existent. Customer service is laissez faire. But where were Ford’s executives, and should they have acted? They had 10 years, and that's the key. Ford suffered death by 1,000 cuts. Too many managers accepted poor results as being out of their control. They kept using last year's results to budget for next year, which only breeds decreasing performance. Those approaches, along with cost cutting to shore up the dwindling bottom line, may feed executive short term bonuses but lock in long term failure.
Simple good governance consists of proactive risk management plans with mitigation strategies, not charts. Proactive risk management is about planning for the future not reporting the past.
Customer feedback, like risk, must be tied to hard corporate objectives, not soft feel-good values. Product development must be oriented to advancing customer expectations, not cost cutting.
Marketing must be aimed at developing the market, not merely beating last year's results. Good governance should no longer be considered a luxury enjoyed by large profitable companies but a survival skill for all businesses.
The greatest threat to your business is mediocrity. Mediocre managers are easily identified by their contempt for compliance and risk management. They prefer frenetic activity (a.k.a. fire fighting) to prevention and planning.
Risk managers must lift their game or risk seeing risk management consigned to the trash heap of management fads.
Why 20th century risk management failed
6