
Archive for October, 2009

The key word is prioritize. With ERM, we identify and assess risks, but only so we can use the data to prioritize on a portfolio basis where we should spend or not spend our limited resources. There is a cost of action and a cost of inaction and ERM helps us make intelligent and informed choices.

Unfortunately, organizations and people often make decisions about the risks they are going to treat without data, spending too much money on the wrong things and not enough on the right things.

Prioritize.


The Canadian government is practicing risk management this week.

It has begun administering H1N1 vaccines as part of the largest mass immunization effort in Canadian history. But did it assess the impact and likelihood of H1N1 risk properly before implementing this plan? Are people making the right decisions about getting (or not getting) the shot? Against the backdrop of the H1N1 vaccination debate, I thought I would borrow some of the concepts of enterprise risk management to make this decision for my family.

There are two sides to this debate: people who will get the vaccine and those who will not. Regardless of which side of the debate you are on, this week I have seen examples of poor risk management on both sides.

Too often organizations spend time and money treating the wrong risks because they focus on one marquee risk rather than carefully examining their portfolio of risks. The parents who are waiting in line from 4 to 6 hours to get the vaccine are in panic mode. These folks have perceived the impact of not getting the shot as catastrophic (i.e., death) and the probability as 100%.

And organizations do this all the time. They panic and spend time and resources on the wrong risks without practicing smart risk management. (Please read about my dishwasher risk management.) I am not saying there is no H1N1 risk; I am just saying the impact and likelihood are less than 100%. When we make decisions about which risks to treat based on anecdotal evidence rather than data, we make the wrong decisions.

Alternatively, other people think the vaccine is harmful; they won’t get the shot because they say it contains mercury or thimerosal. These people are also practicing poor risk management. In their minds, the risk of harm from the mercury is catastrophic (i.e., death) and the probability is 100%. But if they looked at this vaccination risk in the context of other risks – a portfolio of risks – they would learn that the impact of getting H1N1 is much worse than the adverse side-effects you could get from the actual shot. (By the way, according to Health Canada, there is more mercury in a can of tuna than in the shot.)

Others won’t get the shot because they believe it could cause autism or Guillain–Barré syndrome. Again, have the parents who have chosen not to get the shot for these reasons properly assessed the impact and likelihood of getting these versus getting the flu? Probably not. (Only 1 or 2 people in 100,000 get Guillain–Barré syndrome, and the autism concern has been discredited.)

Finally, I am not advocating getting the vaccine or not, and I am not an expert in vaccine side-effects. All I am saying is: get the facts, assess the risks of getting the vaccine – or not – and then do it in the context of all the other risks your family faces every day.

If you are an organization, always do your proper risk assessments on a portfolio basis and base decisions on qualitative or quantitative data and not on emotion or panic.

Data used was taken from http://www.windsorstar.com/health/Windsor+Anne+Jarvis+H1N1+shot/2153888/story.html


Courtesy of Reuters http://www.reuters.com/article/pressRelease/idUS246464+28-Oct-2009+BW20091028

From October 2009, corporations of different sizes and industries will be faced with a new universal standard focused on risk management. Dubbed ISO 31000: Principles and guidelines for risk management, the new guidelines were developed by the Organization for Standardization (ISO) in response to the need to standardize the existing norms, regulations and frameworks related to risk management.

The standards, which may be applied to companies and individuals alike and include guidelines for the implementation of risk management within organizations of any type, size and segment, stem from the need of corporations to address the uncertainties that have a potential impact on their goals. These objectives may be related to different corporate activities, ranging from strategic initiatives to operational processes or projects. These principles may be applied to different risks associated with sev modern concept which states that risk is opportunity.

Yet, there has been no consensus on the terminology and concepts utilized in risk management. This has created challenges for organizations trying to integrate their different risk management functions. Typically, this results in risk management being addressed in isolated manners, which often leads to the spread of the so-called silos or departmental “islands” utilizing disparate terminology, systems, criteria, and concepts for each area of the organization. The greatest challenge faced by ISO 31000 lay in establishing a common terminology and standardizing best practices and frameworks, so that organizations could implement risk management practices in their processes. Since this is a standardization initiative in line with the integrated view of Enterprise Risk Management, the new norm does not contradict other existing regulations, such as ISO/IEC 27005 – the technical standard focused on information security risk management – but provides guidelines and is aligned with other sets of rules.

Similar to ISO 9000 and ISO 14000, which became references for managing these issues within organizations, the launch of ISO 31000 will provide countries worldwide with a set of internationally recognized guidelines for managing risk.

*Alberto Bastos is a founding partner of Modulo, a global leader in IT GRC Management automation, and coordinates the Brazilian Association of Technical Standards’ (ABNT) Special Commission on Risk Management Guidelines.


Copyright Business Wire 2009


An interesting article titled “Regulators Tighten Screws on Enterprise Risk Management at Banks” in FinCriAdvisor this weekend discusses how the FDIC thinks ERM would be a great idea at some small banks.

Apparently, not only do some banks not practice risk management, but some like the Bank of Tacoma (Wash.) also lack strategic plans! Others like the Butler Bank of Lowell, Mass., lack risk exposure plans and some like the Venture Bank of Lacy, Wash., “operate with an inadequate system” to monitor risks.

What! I am worried that some banks still use the ancient abacus to calculate their regulatory capital.

But the real reason that I wanted to write about this article was to rant about this quote: “One difficulty is that risk management often is backward-looking and informed by experience, rather than anticipatory.”

So Riskczar asks, if the author thinks that risk management is backward-looking, then internal audit must be the Mother of All Backward-Looking activities.


A consultant from New Zealand named Chris Peace traces the history of the AS/NZS 4360 standard and the new ISO 31000, due out just in time for Christmas, in this copy of Safety and Health Practitioner dated October 16, 2009.

Although the original 1995 edition of the AS/NZS 4360 standard was developed from earlier risk-management ideas and processes it was nonetheless ground-breaking as the first standard published on risk management.

The subsequent 1999 edition added the “communicate and consult” stage, and a number of handbooks on aspects of risk management were also developed, the majority jointly by Australia and New Zealand.

The 2004 edition of the joint standard incorporated experience from the previous 10 years, and many of the appendices in the 1999 edition were either consolidated into the body of the standard, or removed into the associated handbook, SAA/SNZ HB 436:2004. Importantly, this included the 5×5 qualitative risk matrix in appendix E. Many users had simply copied this for their own use without thinking about its relevance, or the need for adaptation to their context. Few thought about alternative risk-analysis techniques – the matrix was the method!

Please click on the link above to read the complete story.


CS STARS, a business unit of Marsh, has developed an application for iPhone allowing users to access risk-management dashboards right from the device.

According to the announcement: “CS STARS LLC offers technical solutions for risk-management professionals, as well as for insurance carriers and third-party administrators. The company assists these parties by delivering integrated software and services for risk, claims and compliance management. STARS Enterprise, the company’s primary software platform, supports comprehensive risk management, enterprise risk management (ERM) and compliance and safety management,” according to the official report.

The link to the app can be found here: http://handheld.softpedia.com/get/Business/STARS-Enterprise-85873.shtml

I would be delighted to try out this app and provide a complete review if someone would kindly send me an iPhone please. Please contact me at riskczar@gmail.com for my complete mailing address.


October 21, 2009

Courtesy: Insurance Journal

Standard & Poor’s Rating Services is refining and adapting its methodology for assessing insurance companies’ enterprise risk management (ERM), as set out in a recently published article, “Expanded Definition Of Adequate Classification In Enterprise Risk Management Scores.”

S&P said it published the article to help market participants better understand its “approach to scoring companies’ ERM processes. This article is related to our criteria article ‘Principles Of Corporate And Government Ratings,’ published on June 26, 2007, on RatingsDirect.”

S&P’s update of its criteria is designed to “expand and subdivide the definition of Adequate as we use it to score a company’s ERM capabilities. These criteria will give market participants the ability to differentiate among the large preponderance of companies whose ERM scores are in the Adequate category. We have also supplemented our definition of Excellent ERM.”

The new article supersedes the ERM classifications in “Summary Of Standard & Poor’s Enterprise Risk Management Evaluation Process For Insurers,” published on Nov. 26, 2007, on RatingsDirect. S&P added that it doesn’t expect any effect on existing ratings as a result of these criteria, which are effective immediately.

S&P explained that, “given the number of companies whose ERM scores fall into the Adequate category,” it believes additional differentiation of these companies’ ERM capabilities “can be provided based on the scope and progress of their ERM processes.”

It has separated the definitions in the “Adequate” category into three levels, as follows: “Adequate, Adequate With Strong Risk Controls, and Adequate With Positive Trend. A company whose ERM is scored Adequate With Strong Risk Controls should have all of the characteristics of Adequate, plus strong controls over all of its material risks. A company whose ERM is scored Adequate With Positive Trend will have all of the characteristics of Adequate With Strong Risk Controls plus risk management culture and strategic risk management scores of at least Strong with the possibility to attain an ERM assessment of Strong within 24 months.”

These criteria represent the “specific application of fundamental principles that define credit risk and ratings opinions,” S&P continued. Their use is determined by issuer- or issue-specific attributes as well as the rating agency’s “assessment of the credit and, if applicable, structural risks for a given issuer or issue rating. Methodology and assumptions may change from time to time as a result of market and economic conditions, issuer- or issue-specific factors, or new empirical evidence that would affect our credit judgment.”

The reports are available to RatingsDirect subscribers at: http://www.ratingsdirect.com. If you are not a RatingsDirect subscriber, you may purchase a copy of the report by calling (1) 212-438-9823 or sending an e-mail to: research_request@standardandpoors.com. Ratings information can also be found on S&P’s public Web site at http://www.standardandpoors.com.

Source: Standard & Poor’s
Find this article at:
http://www.insurancejournal.com/news/international/2009/10/21/104667.htm


I was reading this article from Gary W Patterson called “Enterprise Risk Management (ERM) Applied to Benefit Operations and Strategic Planning”. In it, Gary, a.k.a. the FiscalDoctor™, addresses these five questions about ERM:
1. Does ERM focus only on money?
2. What activities does ERM involve?
3. What are ERM deliverables?
4. How do I know whether our ERM program is a success?
5. How does ERM fit into the goals and structure of the organization?

To see the entire article, click here. For this post, I only want to focus on the response to #4. How do I know whether our ERM program is a success?

Gary answers: “Determining whether an organization’s ERM program is a success is a judgment call. The judgment is based on the effectiveness of the eight ERM activities. Are the program deliverables and risk responses effective?”

While I agree there is some element of “judgment call”, we should be moving away from qualitative measures of success. With my ERM hat firmly on my head at all times, I am also able to squeeze my Six Sigma hat on my noggin. (Six Sigma is a methodology for process improvement with a focus on variability and measurement of defects.) At the heart of every Six Sigma engagement, one measures the current state of a process or output, then makes the improvement, then measures the future state and the difference. Thus, no judgment call but quantified proof.

I submit that for an ERM project, one merely has to define some current-state and future-state measures, as this is the sort of thing that Board members or leaders will want to see to complement the only measure they are likely to focus on: the tens of thousands of dollars spent on consultants with little to show for it in the short term.

Some examples of measures include: the number of risks identified, key risk indicators defined, action plans outstanding and completed, people trained on ERM, articles published on the Intranet, etc. If you have any more ideas, please leave your comments below.

Perhaps as a profession, risk practitioners need to move more in this direction so our performance can be measured against something tangible, because as discussed in earlier posts, it is difficult to measure success as “nothing bad has happened”.


This is a bit of a re-post but it seems appropriate following a comment I received earlier where the reader asks: “How can you convince a small business owner to invest resources into something that they cannot see a value in?”

For years I have been saying that being a risk manager is like being a janitor (with all due respect to the hard-working men and women who clean up after the rest of us). I can say this from experience because I often felt like the janitor. I built processes and controls, formal and informal, and managed relationships with traders and back offices, none of which anyone saw because nothing bad happened. But once in a while someone does something unpredictable and out of your control.

Why is a risk manager like a janitor? Because as long as you do your job – sweep, mop, empty the trash – no one notices because, after all, you are doing your job very well. But one day you might miss a rotting banana peel because someone put it in a place you never thought of looking – like behind the AS/400 printer which hasn’t been used in 14 years – and all hell breaks loose. How could you miss this? How did this happen? (And the janitor asks, ‘What kind of fool throws a banana peel behind a printer?’)

Like the janitor who was not expecting to find rotting fruit in odd places, great risk managers who are rarely rewarded for how well they do their job are usually punished when something bad happens, even if it is a black swan event or a hidden banana peel.


Another pretty good white paper from earlier this summer, from a major accounting firm, this time GrantThornton. It is a decent primer on ERM if you are a newbie, but it also makes some good points about the value of ERM.

It is written in very simple language, and includes a list of about 100 risks to consider in this down economy (which you can borrow from) and an example of a risk register, which makes this paper more practical and less theoretical.

Finally, the paper also illustrates the relationship between Governance, Risk and Compliance (GRC) and ERM.

GrantThornton appears unafraid to give away some of its IP, which I quite like.

See white paper http://www.gt.com/staticfiles/GTCom/Advisory/CorporateGovernor/CGwhitepaper_ERM_FINAL.pdf

