Enterprise Risk Management proponents make some pretty bold claims. But do they really deliver? Existing frameworks are more like general recommendations. As usual, the key is in the implementation.

1. The Case Of The
Plucky Promise
Can Enterprise Risk
Management really deliver
the goods?

2. Enterprise Risk Management
• Structured process for the management of all risks
• Lots of ideas about how to make it work
• Are they real solutions or just snake oil?

3. Purported benefits
• Fewer surprises
• More efficient deployment of resources
• Improved chance of achieving goals
ü “Risk management is the Army’s principal risk-reduction process to
protect the force. Our goal is to make risk management a routine part of
planning and executing operational missions.” Chief of Staff, Army, 1995

4. Implementation challenges
• Effectiveness of program based on judgment
ü Human judgment can be faulty
ü Management has ability to override ERM decisions
• Application of risk management concepts relatively
new to most areas
• Risk management decisions/controls subject to
relative costs and benefits
• Tolerance for risk not uniform throughout
organization

5. And the fine print . . .
• No guarantee of success
• Only able to provide “reasonable assurance”
• Misalignment of incentives is likely

6. Built-in conflict
Business Management
• Customer is king
• Achieve performance targets
• Maximize volume & revenue
Risk Management
• Deviation from plan
• Minimize losses & errors

7. Improve your odds of success
1. Focus on empirical solutions
2. Don’t just tell people to manage their risks
• Provide risk assessment training and analytical tools to
help business managers evaluate risks as part of their day-
to-day decision-making process
3. Learn how to talk about uncertainty and risk

8. Focus on empirical solutions
Worse Better
Soft methods
used but are not
counted on by
management.
Management
intuition drives
assessment and
mitigation strategies.
No formal risk
management
attempted.
Quantitative models
built. Scope of risk
management expands to
include more risks.
Ineffective methods
used with great
confidence. No
objective, measurable
evidence that
improves on
intuition.
Quantitative models
built. All inputs
validated with proven
statistical methods.
Additional empirical
methods used where
optimal.

9. Risk assessment methods
Expert
Intuition
Expert
Audit
Risk
Mapping
Weighted
Scores
Traditional
Financial
Analysis
Probabilistic
Models

10. Key risk language skills
• It’s better to be precise than ambiguous about
what you don’t know
• Scales using verbal descriptions create an
“illusion of communication”
• Most people are “catastrophically overconfident” in
their ability to make predictions.
ü But with training, most people can become more accurate

11. Color
Code
Methodology
for
Ranking
Residual
Risk
Green
Assessed
levels
of
residual
risk
on
a
forward-­‐looking
basis
for
all
iden4fied
poten4al
occurrences
are
fully
within
management
tolerance
levels
when
all
mi4ga4ng
ac4vi4es
are
considered.
Green-­‐Yellow
Certain
iden4fied
residual
risks
are
outside
management
tolerance
at
the
present
4me
given
current
mi4ga4ng
ac4vi4es.
The
total
levels
of
residual
risk
present
a
minimal
threat
to
jeopardize
the
goals
and
objec4ves
of
the
Company
and
mi4ga4on
plans
must
be
in
the
process
of
being
implemented
in
order
to
lower
excessive
residual
risks
to
tolerable
levels
within
a
short
period
of
4me
not
to
exceed
two
quarters.
Yellow
Certain
iden4fied
residual
risks
are
outside
management
tolerance
at
the
present
4me
given
current
mi4ga4ng
ac4vi4es.
There
may
be
more
numerous
iden4fied
risks
than
lower
ra4ngs
or
the
poten4al
consequences
may
be
greater
if
any
single
or
group
of
events
occurs.
The
total
levels
of
residual
risk
are
more
than
minimal
but
s4ll
not
likely
to
jeopardize
the
goals
and
objec4ves
of
the
Company.
Mi4ga4on
plans
must
be
in
the
process
of
being
implemented
in
order
to
lower
any
excessive
residual
risks
to
tolerable
levels
within
a
reasonable
period
of
4me
not
to
exceed
four
quarters.
Yellow-­‐Red
The
residual
risk
of
a
given
category
aDer
accoun4ng
for
all
mi4ga4ng
ac4vi4es
is
significantly
outside
management
tolerance
levels.
Iden4fied
risks
have
a
reasonable
probability
of
occurring,
which
would
jeopardize
the
goals
and
objec4ves
of
the
Company.
Proposed
mi4ga4on
ac4vi4es
are
either
inadequate
or
would
not
reduce
residual
risk
within
an
acceptable
4meframe;
however
expected
loss
is
not
imminent
and
4me
is
expected
to
be
adequate
to
address
iden4fied
residual
risks
prior
to
any
likely
occurrence.
Red
The
residual
risk
of
a
given
category
aDer
accoun4ng
for
all
mi4ga4ng
ac4vi4es
is
significantly
outside
of
management
tolerance
levels.
Iden4fied
risks
have
a
substan4al
probability
of
occurrence
which
would
jeopardize
the
goals
and
objec4ves
of
Company.
Proposed
mi4ga4on
ac4vi4es
are
either
inadequate
or
would
not
reduce
residual
risk
within
an
acceptable
4meframe
and
there
is
a
substan4al
probability
that
an
iden4fied
residual
risk
will
occur
prior
to
the
implementa4on
of
a
mi4ga4on
strategy
sufficient
to
lower
the
overall
risk
to
a
degree
consistent
with
acceptable
management
tolerance
levels.
Ambiguity not cure for uncertainty

12. Dangers of relying on intuition
and experience
• Based on nonrandom, nonscientific sample of
events throughout our lifetime.
• Memory-based; selective
• Conclusions can include errors
• Inconsistent in how we apply memory

13. Focus on empirical solutions
Worse Better
Soft methods
used but are not
counted on by
management.
Management
intuition drives
assessment and
mitigation strategies.
No formal risk
management
attempted.
Quantitative models
built. Scope of risk
management expands to
include more risks.
Ineffective methods
used with great
confidence. No
objective, measurable
evidence that
improves on
intuition.
Quantitative models
built. All inputs
validated with proven
statistical methods.
Additional empirical
methods used where
optimal.
That’s why

14. Risk modeling methodologies
• Probabilistic risk analysis (engineering)
ü Monte Carlo simulation
ü Markov chains
ü Regression
• Qualitative methods (finance, insurance, psychology)
ü Decomposition
ü Option theory
ü Correlations
ü Bayesian analysis
ü Value of information

15. But we’re different –
that won’t work here
• Your risk measurement problems are not unique
• You probably have more data than you think
• You probably need less data than you think
• Getting more data is probably more economical than you
think
• You probably need completely different data than you think

16. Want to improve your odds of
launching a successful ERM
program?
info@eRiskAnalytics.com