Rethinking Risk Intelligence

November-December 2010 Issue

by Diana Del Bel Belluz, M.A.Sc., P.Eng.

Is your organization risk intelligent? Recently I was asked to present a session on how to assess risk management maturity to The Conference Board of Canada’s Strategic Risk Management Council. My research for the talk revealed three common reasons that organizations fail to achieve risk intelligence:

1.     Many risk management progams are overly focused on the components of their ERM framework (e.g., risk assessment processes and ERM accountability structures). It’s like building a car for someone who doesn’t know how to drive and doesn’t care to leave their house and then wondering why the vehicle just sits in the garage. While developing a risk framework and tools is necessary for a successful ERM program; it’s not sufficient for success.

2.     In developing their implementation plans, many ERM leaders fail to consider the human capital required to actually bring an ERM framework to life.  It is people (not frameworks) who manage risk. ERM programs don’t acheive risk intelligence if they don’t invest effort into the development of their people’s risk knowledge and skills.  

3.     Many ERM leaders pay scant attention to how well the ERM progam is actually working. They mistakenly measure their success based on the ERM reports generated rather than by evaluating how effectively ERM information is applied to improve business outcomes. It’s like judging a meal solely by the ingredients used to create it and not evaluating how good it tastes. As the proverb says the “proof of the pudding is in the eating” and the value of an ERM program lies in how effectively it helps managers to optimize organizational performance and resilience. Ideally an ERM report is the start of a conversation, not the last word.

Here are two tips for improving your organization’s risk management intelligence.

Tip #1. Measure the impact of ERM  

It’s easy to get drawn into the details of the risk framework and risk reporting. One way to stay focused on the overall effectiveness of your ERM program is to measure its impact.

At least once a year, review how well your ERM program is serving the business. As the year draws to a close, it is an excellent time to take stock of where your ERM program has delivered good value and where it hasn’t. Here are three lines of inquiry you can use to spot good opportunities to sharpen your risk intelligence.

 a.  Check the alignment of your key risks with your stated risk appetite and tolerances  

• Compare your latest risk profile to the one created a year ago. Did the past year’s ERM activities result in a closer alignment of your risk exposure with your stated appetite and tolerance for risk? If the answer is ‘yes’, was it dumb luck or can you point to specific ways the ERM program helped?
• What lessons can be drawn from the organization’s successes and challenges in meeting its goals and targets that can be used to enhance your ERM practices going forward?

 b.  Learn from surprises

• Over the past year, what risk events surprised you? For example, did risk events occur that were not on your radar screen? Or, did you vastly under- or over-estimate the magnitude of any enterprise risks? Why did you miss or miscalculate these ‘surprise’ risks?
• What opportunities for improving your processes and skills for identifying, assessing, monitoring, and communicating about risks do these surprises reveal?
• What can be learned from these surprises about potential weaknesses in how you develop and use risk indicators as early warning signals?

 c.  Spot the opportunities

• Over the past year, what hasn’t your organization accomplished with respect to its strategic objectives?
• What opportunities (i.e., upside risks) could your organization exploit this year to bring it closer to fulfilling its mission and goals?

Tip #2. Integrate ERM into the business

The outputs of ERM processes (e.g., risk appetite statement, risk measurements, risk indicators, etc.) don’t become risk intelligence until they are applied to improve decision processes such as:

• Goal setting

• Strategy development

• Environmental scanning

• Scenario exploration

• Performance forecasting

• Business planning

• Business process design and implementation

• Performance monitoring and management

• Assessment of management effectiveness (including risk management)

• Continuous improvement

• Organizational design and development

The integration of ERM into business processes does not happen spontaneously. It requires effort and intentionality to:

a.     Define optimal flows of risk information between ERM processes and other important business management processes. The feedback (and feedforward) loops are the key to driving risk management behaviour that is aligned with the organization’s risk appetite.

Here are a couple of examples of feedback loops:

• Management sets risk appetite and the Board approves it. Risk appetite criteria inform the goal and objective setting processs. Managers pull risk appetite criteria into the risk assessment process to help evaluate the adequacy of their current efforts to manage key enterperise risks and allocate resources accordingly. Risk appetite criteria are evaluated periodically by management and the Board to ensure they continue to reflect the organization’s values and aspirations.
• Risk estimates from the risk assessment process are fed into the business planning process to help develop performance forecasts. On an ongoing basis, peformance forecasts are compared with actual performance, deviations and trends are identified. Managers take action to address potential performance shortfalls. A periodic evaluation of forecast vs. actual performance identifies opportunities for fine-tuning that are fed back to the risk assessment process.

b.    Identify where ERM and/or business processes need to be updated to ensure timely exhange of information and effective feedback loops. Here you may benefit from collaborating with colleagues who are responsible for organizational design and enterprise architechture.

c.     Develop and implement a change management plan to ensure smooth information flow between ERM and other business management processes. Most importantly, the change management effort must ensure your people know what is expected of them and develop the skills required to manage risk.

The Risk Wise bottom line… Achieving risk intelligence requires more than an ERM framework. You need to ensure your people have the knowledge and skills to use ERM processes and tools.  Most importantly, they must be motivated to do so by feedback loops that integrate risk information into key management and decision processes.

Follow the links to:

• Read this month's Bonus Resource - Recording of Webinar on ERM Resources.
• Download a printable version of the entire November - December 2010 issue of the Risk Management Made Simple Advisory.
  
• View the Article Index to access back issues of the Risk Management Made Simple Advisory.

To learn about cost effective ways to increase your organization’s risk intelligence, contact Diana Del Bel Belluz at Risk Wise: Diana.Belluz @ riskwise.ca