This webinar covers seven common pitfalls faced when establishing enterprise risk management. Also, it conveys the commitment necessary for the proper implementation in order to achieve organizational objectives over time.
Main points covered:
Major drawbacks in Enterprise Risk Management
• Weak tone at the top
• Focusing on issues instead of risks
• Not embedding ERM within business
• Not rethinking perspective towards risk
• Unidimensional risk evaluation
• Vague risk responses
Presenter:
Shady Hallab is an Experienced Manager at PricewaterhouseCoopers LLP in Montreal. He focuses mainly on managing and directing enterprise risk management programs and acts as a risk advisor for evaluating and recommending risk solution best practices for a wide range of private, public and government organizations.
Link to the recorded session published on YouTube: https://youtu.be/GRj_GdIqIo4
“The biggest risk is not taking any risk... In a world
that’s changing really quickly, the only strategy
that is guaranteed to fail is not taking risks.”
— Mark Zuckerberg | Facebook co-founder
6 Pitfalls When Implementing Enterprise Risk Management – Shady Hallab
• Core element of corporate governance
• Critical component within the three lines of defense
• Leveraged to enable strategy
• Helps management make risk-aware decisions
• Aligns language around risk across organization
• Corporate scanner for potential threats
• Unique platform to capture opportunities
ERM is no luxury
With the value-add that it brings to the organization, ERM has proven to be an essential tool to govern organizations
Weak tone at the top
Executive support is key to successfully embed risk management within the business.
Tone at the top should come from the Board and Executive Management team.
Lack of executive sponsorship transforms ERM into an administrative burden.
Focusing on issues instead of risks
Risk is the effect of uncertainty on objectives.
Issues are risks that have already materialized, moving from a potential event to an existing issue.
Your risk register should stay focused on risks as potential events, not existing issues.
Focusing on issues instead of risks
[Slide diagram: Risk vs. Issue]
Poll Question
Which part of ISO 31000 covers tone at the top?
a. Communicate and consult
b. Establish the context
c. Risk analysis
d. All of the above
Not embedding ERM within business
Businesses often have hundreds of projects and initiatives running simultaneously.
The ERM program should not be one of them; it should be integrated within them.
If not, ERM becomes a documentation tool without any real value in providing a live feed to management.
Not rethinking perspective towards risk
Human beings tend to avoid discussing negative uncertainties.
Employees do not feel comfortable disclosing risks within their lines of business.
To be effective, ERM should constitute a platform whereby risk is openly discussed.
Management should embrace a culture of positive-risk discussion and acceptance.
Unless we rethink risk, we will not be able to capture the intended value of ERM.
Not rethinking perspective towards risk
[Slide diagram: Organization with Negative Risks vs. Organization with Positive Risks]
Poll Question
What part of ISO 31000 covers perception of risk?
a. Establish the context
b. Risk Evaluation
c. Monitor and Review
d. Communicate and Consult
Unidimensional risk evaluation
When designing the risk evaluation scale, CROs must consider different dimensions.
There is a general tendency to focus on financial impact, but other dimensions such as reputation, legal, and business continuity could have a higher impact that would eventually translate into a dollar amount.
Multiple facets to consider when evaluating risk
Vague risk responses
Risk response is one of the key outcomes of the risk management process.
Organizations often mix business-as-usual measures with specific risk responses that should in practice reduce the impact and/or likelihood of a risk.
Slide diagram labels:
• Assigned owner
• Measurable action
• Time deadline
• Non-continuous
Implementing a risk response does not mean that it is operating effectively.
Poll Question
What should risk responses specifically target when drafted?
a. Accurate estimation of financial and human resources required
b. Exact projection of implementation timeline
c. Develop action that addresses the root causes of the risk
d. Potential side effects and impacts
ISO 31000 Training Courses
• ISO 31000 Introduction: 1-day course
• ISO 31000 Foundation: 2-day course
• ISO 31000 Risk Manager: 3-day course
• ISO 31000 Lead Risk Manager: 5-day course
Exam and certification fees are included in the training price.
https://pecb.com/iso-31000-training-courses | www.pecb.com/events
Before we start discussing the top common reasons why an ERM program may fail, let us first take a minute to understand why it is important.
It is no secret that in a fast changing world, businesses need to have a strong backbone to scan, capture, and manage events that can affect their operations and existence. Changes in technology, speed of communication, rising expectations of consumers, among others create tremendous challenges for boards and senior executives as they attempt to manage risks. This is why enterprise risk management is important to the organization…
It is a key element of corporate governance, according to the OECD.
An integral part of the second line of defense, as per the IIA.
A recognized strategy enabler, as determined by many strategists.
It provides management an opportunity to consolidate all the uncertainties, within and outside their areas of operations, in one place, with tools and options to handle these situations.
It is a unique tool that constantly scans for organizational threats coming from both the internal and external context, covering historic and future events.
It also helps management find the upside of potential risks and identify the opportunities within them.
Simply put, if the red sphere on the right represents the organizational scope, all those overlapping red lines are areas where ERM supports and contributes; hence the failure of such a support tool may have a catastrophic impact on the organization.
Before we get into some of the reasons ERM fails, let's ask a question…
Over the dozens of projects that I have delivered in the past across a number of geographies and cultures, lack of executive support and tone at the top is one of the very first reasons why organizations fail to sustain an enterprise risk management program. Given the particularity of the ERM program and the delicacy of the subject, unless there is a clear commitment from the board and the executive group supporting risk management, embracing the program becomes difficult and failure becomes a matter of time.
Top management should believe in a truly functional ERM program for it to work. The ERM function is only the facilitator; without the support and commitment of executives, it will simply not work.
ERM programs are there to be future-looking. They are not meant to discuss ongoing business issues and the current consequences of past issues; those should be tackled as part of business-as-usual and executive platforms. ERM programs should remain focused on uncertain events, especially the low-likelihood/high-impact ones. When an ERM program transforms into a tool to discuss existing issues, it automatically fails to prioritize the events that are uncertain: businesses will automatically focus on current issues during prioritization.
Let me give an example. Company A has been suffering from a number of lawsuits driven by non-compliance with HR-related laws and regulations. Adding a risk of not complying with existing laws and regulations to the risk register won't add any value to the course of business; this is an existing issue that management is, in reality, dealing with regardless of whether it is on the ERM register or not. Alternatively, one of the associated risks that may be related to this event could be … the risk of being unable to attract quality talent, driven by a reputation for not complying with local laws and regulations. The difference between these two wordings is what management would actually focus on in the risk response, and there is a big difference. In the first example, the response would be more about reacting to the existing lawsuits and attempting to comply with laws and regulations, whereas the second is about controlling and containing the broader consequences of not being able to attract talent, so that the risk response focuses on this dimension beyond the particularity of laws and regulations and the existing lawsuits…
Tone at the top alone is not enough to ensure that risk management programs are actually effective. Another common reason why ERM programs lose value, and hence become an administrative burden, is their failure to become integrated within businesses and operations, and accordingly closer to where the risks are. When risk management programs are not integrated in the business, many things can happen that hinder the value of the program. For instance, the time gap between the surfacing of a risk and the time it takes to document, communicate, and escalate it widens… Another consequence is going into a reactive mode instead of a proactive, future-thinking approach. This is mainly because when risk is not integrated enough, and hence not considered enough as part of the management decision-making mechanism, management becomes less informed and prepared about what can go wrong. This by itself takes operations to a place where more issues are materializing and actually occurring, shifting management focus from a proactive, future-oriented approach to an issues-focused approach.
Transparency and being able to promptly communicate and escalate risk is important to the success of any risk management program.
As long as risk is viewed as a negative topic, engaging in positive discussions becomes difficult. Why would anyone discuss the risks associated with their own day-to-day operations with another function or business department? The answer is that it should be regarded as positive communication. Unless we talk about potential risks, we cannot assess how ready we are to deal with them. This requires a shift in culture from a negative connotation for risk topics to a positive one.
To incentivize businesses to be more open about their risks: being open about risk can help departments secure resources, such as budget and expertise, to respond to these risks. On another front, it also shows that departments are on top of their issues. The discussion is not just about existing issues; potential risks are also brainstormed, and the business is ready for them.
The bottom line is that our perception of risk should change. It should transform into a positive topic that businesses can easily talk about. Otherwise, how can an ERM function operate without having access to open and transparent information?
When somebody has a car accident, they can be affected in different ways, and in some cases the financial element is the least of their concern. For instance, the person could develop a fear of being on the road or driving for some time, which could be more damaging than the financial cost of fixing the car. The frustration, the psychological effect, and other elements come to play a critical role….
Risk in business is no different. Some risks, in fact most of them, have a financial impact associated with them, but from a materiality perspective the dollar amount may be immaterial compared to the materiality level defined by the organization. However, when a risk affects other dimensions such as reputation or a potential breach of laws and regulations, it could attract media attention or the regulators and bring negative publicity that may substantially affect the brand image and, in some cases, the existence of the organization…
Every risk should be evaluated across the various impact dimensions, and the highest impact should be taken as the most representative evaluation for the risk.
It all comes down to risk response. Identifying the risk properly and then evaluating it with a great deal of accuracy won't be any help if the risk response is not effective. To start, the risk response option has to be well thought out and appropriately selected. A common mistake organizations make in this context is drafting generic risk responses that are difficult to execute, monitor and implement. If we draw up a mega-sized risk response, it becomes difficult to implement and to understand its specific impact on the rating of the risk.
As a general rule of thumb, a risk response should be broken down into a sequence of specific actions that are actionable within 12 months, with the ability to specifically determine starting and ending criteria. Poor risk responses constitute the beginning of the end of risk management and should be avoided…