QHSE, Security Coordinator, Manager and Maritime, Training Safety Advisor, Accident Investigator, Oil & Gas, IRCA, IMCA, ISO 9001:2000, ISO 14001:2005, ISO 18001:2008, Lead Auditor, Auditor Trainer, Drilling, Geotechnical Investigation, Train the Safety Trainer, Safety Supervisor and Leadership, Fall Protection,
6 Pitfalls when Implementing Enterprise Risk ManagementPECB
This webinar covers seven common pitfalls faced when establishing enterprise risk management. Also, it conveys the commitment necessary for the proper implementation in order to achieve organizational objectives over time.
Main points covered:
Major drawbacks in Enterprise Risk Management
• Weak tone at the top
• Focusing on issues instead of risks
• Not embedding ERM within business
• Not rethinking perspective towards risk
• Unidimensional risk evaluation
• Vague risk responses
Presenter:
Shady Hallab is an Experienced Manager at PricewaterhouseCoopers LLP in Montreal. He focuses mainly on managing and directing enterprise risk management programs and acts as a risk advisor for evaluating and recommending risk solution best practices for a wide range of private, public and government organizations.
Link of the recorded session published on YouTube: https://youtu.be/GRj_GdIqIo4
An Explanation of Enterprise Risk Management Rao Chalasani
Rao Chalasani of Livingston, New Jersey, stands out as the former chief technology officer and risk strategist director with Bank of America (BofA) Merrill Lynch in New York, NY. There, Rao Chalasani invented and implemented the patent-pending Enterprise Risk Management System.
QHSE, Security Coordinator, Manager and Maritime, Training Safety Advisor, Accident Investigator, Oil & Gas, IRCA, IMCA, ISO 9001:2000, ISO 14001:2005, ISO 18001:2008, Lead Auditor, Auditor Trainer, Drilling, Geotechnical Investigation, Train the Safety Trainer, Safety Supervisor and Leadership, Fall Protection,
6 Pitfalls when Implementing Enterprise Risk ManagementPECB
This webinar covers seven common pitfalls faced when establishing enterprise risk management. Also, it conveys the commitment necessary for the proper implementation in order to achieve organizational objectives over time.
Main points covered:
Major drawbacks in Enterprise Risk Management
• Weak tone at the top
• Focusing on issues instead of risks
• Not embedding ERM within business
• Not rethinking perspective towards risk
• Unidimensional risk evaluation
• Vague risk responses
Presenter:
Shady Hallab is an Experienced Manager at PricewaterhouseCoopers LLP in Montreal. He focuses mainly on managing and directing enterprise risk management programs and acts as a risk advisor for evaluating and recommending risk solution best practices for a wide range of private, public and government organizations.
Link of the recorded session published on YouTube: https://youtu.be/GRj_GdIqIo4
An Explanation of Enterprise Risk Management Rao Chalasani
Rao Chalasani of Livingston, New Jersey, stands out as the former chief technology officer and risk strategist director with Bank of America (BofA) Merrill Lynch in New York, NY. There, Rao Chalasani invented and implemented the patent-pending Enterprise Risk Management System.
Often, the best way to help your child grow up is to kick him/her out of the house. However, there’s always that anxiety – will they thrive, get hurt, fail? Many internal audit and/or risk functions became volunteer parents of their organization’s ERM programs, bringing enthusiasm and commitment to the role. However, ERM (and ESRM) works best when it’s owned and embedded into the fabric of the business. Unfortunately, most ERM programs fail within three years or less after leaving the nest. Why? Explore common challenges and proven strategies for coaxing ERM safely and successfully from the nest.
Presentation by: Brian Link, CIA, VP – GRC Strategy & Partnerships, Resolver Inc.
The Intersection of Risk, Security, and PerformanceResolver Inc.
In many organizations, risk is seen as a compliance function, corporate security as something we have to do but reluctantly, and neither is connected to enabling success. How can leaders of these functions break out of any silo mentality and help leadership connect their essential work to the achievement of enterprise objectives? How can corporate security, risk, and internal audit work together?
Presentation by: Norman Marks, Evangelist and Mentor, OCEG Fellow
It has become increasingly important for companies to
use sophisticated analytics as the basis for risk-financing
decisions. Marsh Global Analytics (MGA) helps our
clients make these decisions, using award-winning tools,
cutting-edge technology, and quantitative risk
management expertise developed over decades of
experience. MGA Risk Economics provides clients with
risk-financing optimization (RFO), which allows
companies to structure insurance programs in the most
economically efficient manner, while also meeting the
risk-tolerance goals of the organization as a whole.
We recently worked with a audit firm to develop a risk assessment report for their client. The mandate which we got was clear, we had to make a presentation which was highly visual and would make the risk areas come alive while simultaneously ensuring that the document was crisp. The client loved the end product (which we delivered in approximately 21 hours).
First Removalists Furniture Transportation Is a leading company in Abu Dhabi and Dubai. if you are looking for movers in abu dhabi call us on 0525633557 or visit our website www.firstremovalists.ae
Reprint of Healthcare Financial Management Association article discussing the importance of implementing enterprise risk management in a healthcare setting. 14 years later ERM in healthcare may now be critical to organizational survival.
Up to 5% of an organization’s assets disappear each year due to fraudulent activity. Using retail loss prevention as a case study, this presentation leads you through a discussion about the best practices protecting an organization’s assets.
Presentation by: Jamie Burr, Application Manager, Resolver Inc.
Татьяна Будишевская
Старший менеджер Deloitte
Современная методика оценки культуры управления рисками в организации
Практические инструменты внедрения риск-культуры
Risk Reimagined! Series- The Relationship Between Strategy, Governance and Ri...Resolver Inc.
Copyright notice: The following slides are intended for professional use within an organization for discussion purposes only. Any other uses or modifications are strictly prohibited.
In this presentation, Norman Marks and Richard Anderson discuss two related topics. The first is the relationship between the strategies set by the organization, its governance, and risks to its objectives. Their conversation addresses:
• How does a senior executive or board member gauge the effect of risk on corporate objectives?
• Is it enough to review a list of top risks at every board meeting?
• How does the board know whether risk management is adding value?
• How do you measure success?
• Where do reward and opportunity factor in?
The second topic is one that is heavily debated among practitioners, whether the concepts of risk appetite and tolerance can be applied effectively in practice. Areas they cover include:
• What is risk appetite? What is risk tolerance?
• Is it a useful concept or an overly complicated piece of mumbo jumbo?
• How can you help the board and top management set desired levels of risk and also help decision-makers take the right level of the right risks?
• Does it make sense to be “risk averse”?
Employee Engagement and Your Enterprise Security Risk Management StrategyResolver Inc.
Employee engagement is top of mind for the C-suite as a key factor to drive corporate business objectives and profitability, but what about leveraging engagement to manage risk? Gain insights into how human resources and risk management intersect with strategic and tactical approaches to reducing risk through talent acquisition, on-boarding, culture and HR policies.
Presentation by: Amanda Ono, Director of Talent, Resolver Inc.
Shift from the common “Controls-focused” approach beginning with a fresh look at your Risk Assessment. Bring greater efficiency and automation to your risk and compliance processes using RGP services and policyIQ.
Often, the best way to help your child grow up is to kick him/her out of the house. However, there’s always that anxiety – will they thrive, get hurt, fail? Many internal audit and/or risk functions became volunteer parents of their organization’s ERM programs, bringing enthusiasm and commitment to the role. However, ERM (and ESRM) works best when it’s owned and embedded into the fabric of the business. Unfortunately, most ERM programs fail within three years or less after leaving the nest. Why? Explore common challenges and proven strategies for coaxing ERM safely and successfully from the nest.
Presentation by: Brian Link, CIA, VP – GRC Strategy & Partnerships, Resolver Inc.
The Intersection of Risk, Security, and PerformanceResolver Inc.
In many organizations, risk is seen as a compliance function, corporate security as something we have to do but reluctantly, and neither is connected to enabling success. How can leaders of these functions break out of any silo mentality and help leadership connect their essential work to the achievement of enterprise objectives? How can corporate security, risk, and internal audit work together?
Presentation by: Norman Marks, Evangelist and Mentor, OCEG Fellow
It has become increasingly important for companies to
use sophisticated analytics as the basis for risk-financing
decisions. Marsh Global Analytics (MGA) helps our
clients make these decisions, using award-winning tools,
cutting-edge technology, and quantitative risk
management expertise developed over decades of
experience. MGA Risk Economics provides clients with
risk-financing optimization (RFO), which allows
companies to structure insurance programs in the most
economically efficient manner, while also meeting the
risk-tolerance goals of the organization as a whole.
We recently worked with a audit firm to develop a risk assessment report for their client. The mandate which we got was clear, we had to make a presentation which was highly visual and would make the risk areas come alive while simultaneously ensuring that the document was crisp. The client loved the end product (which we delivered in approximately 21 hours).
First Removalists Furniture Transportation Is a leading company in Abu Dhabi and Dubai. if you are looking for movers in abu dhabi call us on 0525633557 or visit our website www.firstremovalists.ae
Reprint of Healthcare Financial Management Association article discussing the importance of implementing enterprise risk management in a healthcare setting. 14 years later ERM in healthcare may now be critical to organizational survival.
Up to 5% of an organization’s assets disappear each year due to fraudulent activity. Using retail loss prevention as a case study, this presentation leads you through a discussion about the best practices protecting an organization’s assets.
Presentation by: Jamie Burr, Application Manager, Resolver Inc.
Татьяна Будишевская
Старший менеджер Deloitte
Современная методика оценки культуры управления рисками в организации
Практические инструменты внедрения риск-культуры
Risk Reimagined! Series- The Relationship Between Strategy, Governance and Ri...Resolver Inc.
Copyright notice: The following slides are intended for professional use within an organization for discussion purposes only. Any other uses or modifications are strictly prohibited.
In this presentation, Norman Marks and Richard Anderson discuss two related topics. The first is the relationship between the strategies set by the organization, its governance, and risks to its objectives. Their conversation addresses:
• How does a senior executive or board member gauge the effect of risk on corporate objectives?
• Is it enough to review a list of top risks at every board meeting?
• How does the board know whether risk management is adding value?
• How do you measure success?
• Where do reward and opportunity factor in?
The second topic is one that is heavily debated among practitioners, whether the concepts of risk appetite and tolerance can be applied effectively in practice. Areas they cover include:
• What is risk appetite? What is risk tolerance?
• Is it a useful concept or an overly complicated piece of mumbo jumbo?
• How can you help the board and top management set desired levels of risk and also help decision-makers take the right level of the right risks?
• Does it make sense to be “risk averse”?
Employee Engagement and Your Enterprise Security Risk Management StrategyResolver Inc.
Employee engagement is top of mind for the C-suite as a key factor to drive corporate business objectives and profitability, but what about leveraging engagement to manage risk? Gain insights into how human resources and risk management intersect with strategic and tactical approaches to reducing risk through talent acquisition, on-boarding, culture and HR policies.
Presentation by: Amanda Ono, Director of Talent, Resolver Inc.
Shift from the common “Controls-focused” approach beginning with a fresh look at your Risk Assessment. Bring greater efficiency and automation to your risk and compliance processes using RGP services and policyIQ.
DISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docxmadlynplamondon
DISUSSION-1
RE: Chapter 15: Embedding ERM into Strategic Planning at the City of Edmonton
COLLAPSE
Top of Form
The two strategic processes
The two strategic processes which are tightly connected to ERM in the current scenario of Edmonton City ERM implementation are:
Results based budgeting and Performance measurement.
Results based budgeting (RBB):
ERM helps organizations to allocate the resources based on the requirement for completing the tasks and to produce the desired output. The RBB assists to determine the funding allocation requirements which are mandatory to fulfill the strategic objectives of organization. This budget formulation is performed based on predefined objectives such as priority, resource availability and expected results etc. here the expected results represents the desired outputs which organization expects to meet its strategic goals. In simple words the Results-based budgeting is about emphasizing performance and accountability.
Performance measurement:
The continuous performance measurement helps organizations to drive the progress in risk mitigation and it provides insights where additional attention is required. The Key performance indicators (KPIs) can be used to measure the effectiveness of risk management activities. The Performance measurement in ERM sends the list of desired outcomes to RBB and receives list of prioritized programs and costs to ensure ERM works at its full potential (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Two criteria’s must be balanced in a successful ERM model
The two criteria are model power and user-friendliness. The powerful model can provide large amount of information and lets the organization to compare the results and risks, effectiveness’ of current program and impact of future initiatives. The user friendliness program helps to easily add information, add new features and easy to understand by the user with simple steps. The user friendliness also includes if needed some unnecessary steps could also be removed without losing model robustness (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Thank you
References
Fraser, J., Simkins, B. J., & Narvaez, K. (2015). Implementing enterprise risk management: Case studies and best practices. Hoboken: Wiley.
Bottom of Form
DISCUSSION-2
1. What the other strategic processes are closely tied to ERM?
The strategic processes may have success strategy which is linked to the command of risk and organization understanding. The selection of strategy is an exercise of high-stakes. Approx. 80% of the underperformer may against the industry who have lost their wat over the prior 10 years because of blunder who are strategic and the business and strategy magazine. It may blame on failure on operations errors and the external event or compliance fault.
2. What are three kinds of risks are identified within the city of Edmonton?
There may be three risks which may involve avoidance or risk termination, tolerance or acceptance of ...
Finance is the procurement (to get, obtain) of funds and effective (properly planned) utilization of funds. It also deals with profits that adequately compensate for the cost and risks borne by the business
The Risk and Control Self Assessment (RCSA) is an integral part of most operational risk management frameworks. RCSAs provide a structured mechanism for estimating operational
exposures and the effectiveness of controls. In so doing RCSAs help organisations to prioritise risk exposures, identify control weaknesses and gaps, and monitor the actions taken to address any weaknesses or gaps.
A well designed and implemented RCSA can help to embed operational risk management across an organisation, improving management attitudes towards operational risk management and enhancing the overall risk culture. In contrast, an inefficient or unnecessarily complex RCSA can damage the reputation of the (operational) risk function and reinforce the perception that
operational risk management is a bureaucratic, compliance-focused, exercise that does not support the achievement of organisational objectives.
Learn more about Risk Management and the essentials with IRM’s level 1 certification.
https://www.theirmindia.org/level1
Level 1 qualified or risk management professionals with 2-3 years of experience can also enroll for level 2 certification.
https://www.theirmindia.org/level2
Visit: https://www.theirmindia.org/
Address: IRM India Affiliate, 907,908,909, Corporate Park II, 9th Floor, VN Puran Marg, Near Swastik Chambers, Chembur Mumbai 400071
Ever wondered what the purpose of risk management is? (No, it's really not to manage risks!) Take a look at our whitepaper on how to get real value out of your risk management arrangements and let me know what you think.
2. CONTENTS
II
CONTENTS
INTRODUCTION 1
IS YOUR RISK MANAGEMENT PROCESS REALLY ASSESSING RISK? 1
IS YOUR RISK ASSESSMENT CONTEXT DRIVEN? 2
DOES YOUR RISK MANAGEMENT PROCESS ADDRESS ROOT CAUSE OF FAILURE? 2
WHAT DOES YOUR BUSINESS PERFORMANCE TELL YOU ABOUT RISK? 3
WHAT DO RISKS TELL YOU ABOUT YOUR CONTROLS? 4
WHAT DO CONTROLS TELL YOU ABOUT YOUR RISKS? 5
ARE YOU UP FOR THE TASK OF RISK MANAGEMENT? 6
KNOWLEDGE AND EXPERIENCE REQUIREMENTS FOR RISK MANAGEMENT
LEADERS 6
ABOUT THOMSON REUTERS – PAISLEY GRC SOLUTIONS 7
ABOUT THE AUTHOR 7
3. ENTERPRISE RISK MANAGEMENT ASSESSMENT GUIDE
1
INTRODUCTION
Government bail outs, pro-cyclical financial markets, and an overall economic meltdown have
placed a significant focus on the discipline and practice of risk management. In light of these
events, risk professionals and organizational leaders are taking an introspective view of their
risk management practices. By considering these seven questions, organizations and risk
professionals will sharpen their daily risk management tools and be better equipped to make
tactical improvements to risk management practices.
1. Is Your Risk Management Process Really Assessing Risk?
2. Is Your Risk Assessment Context-Driven?
3. Does Your Risk Management Process Address Root Cause of Failure?
4. What Does Your Business Performance Tell You About Risk?
5. What Do Risks Tell You About Your Controls?
6. What Do Controls Tell You About Your Risks?
7. Are You Up For the Task of Risk Management?
IS YOUR RISK MANAGEMENT PROCESS REALLY
ASSESSING RISK?
In far too many cases the answer to this question is NO. Many so-called risk management
processes are not necessarily identifying and assessing risks. Many risk management practices,
as implemented, are simply identifying and assessing the risk of control failure, not the specific
risk the control is to mitigate.
Risk-based thinking approaches the assessment with the premise that risks are predictable and
avoidable. The risk-based discipline tracks loss events, analyzes root causes, and eliminates or
mitigates the cause of the risk failure. Control-based thinking takes the approach that events are
unpredictable and unavoidable, and controls are needed to mitigate the risks. Negative impacts
are the result of broken controls, not of unidentified or mitigated risks.
A simple indicator on the general emphasis on controls versus risks in common practice is
outlined in the table below which reflects the word count comparison of two risk management
frameworks (Basel II and ISO 31000) and several well-known control frameworks including the
risk-based PCAOB AS5, ISO 27001, and the COSO Guidance on Monitoring Internal Control
Systems. The word count is a simple tally of where the words risk and control appear in the
referenced documents. The relevant emphasis on risk and control is evidenced in the
word counts.
WORD COUNT COMPARISON
Risk Control
Basel II 1,500 67
ISO/DIS 31000 339 5
COSO Monitoring (Volumes 1 and 2) 175 641
ISO 27001:2005 65 192
PCAOB AS5 168 635
Risk-based thinking
approaches the
assessment with
the premise that
risks are predictable
and avoidable.
4. ENTERPRISE RISK MANAGEMENT ASSESSMENT GUIDE
2
If a risk is defined as a broken or failed control, a control-based approach is in use and controls
are primarily being assessed, not risks.
If inherent or residual risks are not measured and assessed, a control-based approach is being
used and controls, not risks, are being assessed.
If an organization reports on control effectiveness over risks, controls and not risks are being
assessed. Risks are just there to hang controls from, not to be understood and managed.
There is nothing wrong with identifying and assessing controls. It is a perfectly valid approach.
But by itself it is insufficient and has proven to be inherently unreliable. It is imperative to know
what risks the controls are addressing and to identify those risks first. For example, little faith
would be put in a doctor who prescribed medication without identifying symptoms, e.g.,
performing a risk assessment. Don’t trust control assessments where no risk assessment is
conducted (or vice versa).
IS YOUR RISK ASSESSMENT CONTEXT DRIVEN?
Black swans hide where no one thinks to look. The history of risk assessment suggests that
at least half of the problem is not looking in the right place for risks. The other half is looking
in the right places and failing to find the risk. Context-driven risk assessment refers to the process
of identifying all the topics or areas that need to be risk assessed. Contexts can be accounts,
strategies, laws and regulations, organization entities, lines of business or any other relevant
topic areas.
It is wrong to believe that the right contexts will be identified and addressed from within the
organization by business operational managers and professionals. These leaders have typically
been proven to be blinded by narrow vision, short range thinking, or do not have perspective
across the entire entity to have a good handle on the enterprise-wide risks. Therefore, context
must be identified at the organization level and the related risk assessments must be coordinated
by senior management and the board.
DOES YOUR RISK MANAGEMENT PROCESS ADDRESS
ROOT CAUSE OF FAILURE?
With control-based approaches, there is typically no requirement for root cause analysis.
In the control-based approach, control breakdowns simply need to be identified and reported,
regardless if the root cause remains obscure.
For example with PCAOB AS5 there is no requirement for the identification, reporting or
remediation of any related root cause. Publicly-reported significant deficiencies and material
weaknesses do not require and seldom receive any root cause analysis. The COSO Guidance on
Monitoring Internal Control Systems does not require root cause analysis nor does ISO 27001.
It would be unthinkable today for an airplane to crash or a bridge to collapse without a detailed
public report on the root cause and measures taken to ensure the problem does not reoccur.
This degree of scrutiny does not generally exist in the risk management professions. Notable
exceptions are the quality, safety and environmental movements. Generally speaking, if incidents,
near misses and loss events are not tracked, the root cause of failure will not be analyzed. If the
root cause of failure is not addressed the problem will be repeated. The following table, created
by the U.S. General Accounting Office lists the causes of bank failures in the U.S. Although
created in 1987, it could have been written last week.
It is imperative
to know what risks
the controls are
addressing and
to identify those
risks first.
5. ENTERPRISE RISK MANAGEMENT ASSESSMENT GUIDE
3
ROOT CAUSES OF BANK FAILURES (1987) % OF BANKS
Management Philosophy and Operating Style
Inadequate board supervision 49%
Over reliance on volatile funding sources 32%
Presence of dominant figure 37%
Excessively growth oriented philosophies 26%
Management Operational Practices
Lack of general lending policies 79%
Poor loan administration 42%
Poor loan documentation/inadequate credit analysis 41%
Inadequate loan loss allowance 29%
WHAT DOES YOUR BUSINESS PERFORMANCE TELL YOU
ABOUT RISK?
Many risk and control practitioners fail to consider business performance when assessing either
risk or control. In other words, it is not only possible, but common, to get a passing mark on risk
management or control effectiveness when business performance is screaming the contrary.
Here are some common symptoms of business performance issues that suggest risks are not
being managed:
1. Process performance/error rates are off target
2. Key performance indicators are consistently outside target
3. Key performance indicators are never outside target
4. Budget/actual variances are material (positive or negative)
5. Capital projects are delayed or over/under spent
6. Earnings volatility is out of line with peers
7. Variances cannot be explained by known risks
8. Clean 404 opinions are followed by material weakness disclosures
9. Internal audit recommendations always increase vs. decrease controls
Most risk and control frameworks fail to consider business or process performance. Neither SOX
nor the PCAOB AS5 pay much attention to business performance. COSO monitoring prefers
testing to monitoring performance. Basel II does support key risk indicators and key performance
indicators. The premise here is that over time, on target, consistent business or process
performance is de facto evidence of effective risk and control management.
Performance variances should be explained as unidentified or unmanaged risks. Unusual
business performance should be explained by unusual risks. But risk and control assessment
not tied to business or process performance is not helpful and may be dangerous.
Many risk and
control practitioners
fail to consider
business
performance when
assessing either risk
or control.
6. ENTERPRISE RISK MANAGEMENT ASSESSMENT GUIDE
4
WHAT DO RISKS TELL YOU ABOUT YOUR CONTROLS?
In late 2007, Standard & Poor’s issued a discussion paper outlining their proposal to assess
corporate risk management practices as part of their credit rating process. The Sample Risk
Types they proposed in the discussion paper are very useful. In the normal course of events,
most companies would be expected to encounter most of these risk types, quite often in multiple
locations or processes. Not only that, but the nature and level of these risks will change
constantly over time and by location or process.
In short, most risks cannot be controlled, they must be managed.
STANDARD & POOR’S SAMPLE RISK TYPES
Environmental risks Financial risks Supply risks Management risks
Business continuity
Business market
environment
Environmental
Liability lawsuits
Natural
disasters/weather
Pandemic
Physical damage
Political risk
Regulatory/legislative
Terrorism
Capital availability
Credit counterparty
Financial market
risk
Inflation
Interest rates
Liquidity
Commodity prices
Supply chain
Corporate governance
Data security
Employee health and
safety
Intellectual property
Labor disputes
Labor skills shortage
M&A/restructuring
Managing complexity
Outsourcing problems
Project management
Reputation
Risk management involves an ongoing process similar to the diagram below. It involves clarifying
accountability and decision rules and continuously updating information and reporting. Risks
need managing, not controlling. Controls designed to manage risks must be appropriate to the
risk. COSO risk assessment, monitoring and control environment controls should be designed,
documented and tested.
In short, most
risks cannot be
controlled, they
must be managed.
7. ENTERPRISE RISK MANAGEMENT ASSESSMENT GUIDE
5
You are beginning to manage risks if:
You can identify in which contexts these risks exist
You can track frequency distributions of instances of risks by type
You recognize risk identification and assessment in your compensation/reward system
You track incidents/loss events/issues and actions associated with key risks
You have identified risk tolerances and appetite
WHAT DO CONTROLS TELL YOU ABOUT YOUR RISKS?
More controls do not mean less risk; the opposite is often true. Too many controls may be
evidence of lack of effective risk management practices. Good risk management considers
a variety of risk responses, of which controls are only one. The proliferation of control-based
approaches to risk has led to extensive identification, documentation, testing and reporting of
controls. That can be a mistake if carried to an extreme. If you have gathered more knowledge
about controls than about risks, and focus on the control side of the equation, it is a clear
indication of bad risk management practices.
Generally speaking, good risk management practices will produce a 3:1 or greater ratio of risks to
controls. Risk-based approaches gather more knowledge about risk than control. Today that ratio
is often reversed. Risk control ratios of 1:3 are common. Some balance is required, but generally a
risk control ratio of >1 is desirable. Risks can be documented and tested too, and should be
continually assessed. If you get the risk side wrong, you can’t get the control side right.
Low risk:control ratios indicate business management has not been involved in risk identification,
is unwilling to be candid or is not completely honest. In a healthy and safe environment, business
managers, if asked, will provide a wealth of detailed information. Rich, detailed knowledge of
More controls
do not mean less
risk; the opposite
is often true.
8. ENTERPRISE RISK MANAGEMENT ASSESSMENT GUIDE
6
risks provides a basis for far more efficient-and-effective control portfolios. The more and better
the knowledge of risk, the more effective and efficient the control portfolio. Expect fewer, not
more controls, but expect them to be better, more powerful controls.
Standard & Poor’s, in assessing ERM, looks for compliance-based approaches to risk
management and scores them poorly. Low risk:control ratios are indicative of compliance-based
approaches to risk management.
Many control portfolios are designed from a react and respond perspective. They are not
designed with specific risks in mind. The philosophy is that risks are unknown and unavoidable
but enough controls will save the day. That has proven to be inefficient and ineffective.
ARE YOU UP FOR THE TASK OF RISK MANAGEMENT?
Risk management requires the mastery of a body of knowledge, specific skill sets and
the appropriate use of technology. A sample of the knowledge and skill requirements is
set out below.
KNOWLEDGE AND EXPERIENCE REQUIREMENTS FOR
RISK MANAGEMENT LEADERS
1. Technology implementation for risk management which includes knowledge of best
practices in a wide range of topics such as developing process structure, KPIs, KRIs and
selecting or designing other critical contexts for risk management
2. Experience leading and completing ERM assessments for the organization as a whole or
major business units or functions, completing SOX certifications and ORM and other process
level risk assessments
3. Selection and application of risk models and use of the risk identification and rating desktop
for identifying and classifying all relevant risks
4. Tools and techniques for root cause analysis and business process improvement
5. Development of reliable descriptions of loss events, incidents and issues or actions with
respect to the context selected
6. Understanding the major approaches to self-assessment and business reasons for adopting
self-assessment approaches to risk and control management
7. Understanding organizational risk and control self-assessment (RCSA) barriers and
implementation of effective tactics and tools for RCSA
8. Understanding of generally accepted control criteria including all major control and quality
models (COSO/CobiT/COCO/ISO/OTOL, etc.)
9. Understanding of generally accepted risk criteria including the leading risk standards and
frameworks (COSOERM, AS/NZ4360, ISO31000, etc.)
10. Linkages between SOX legislation, relevant PCAOB audit standards, the Basel II and
Solvency 2 ORM requirements and other major regulatory frameworks governing risk and
control such as Turnbull, J-SOX and IIA Professional Practice Framework, etc.
11. Understanding and implementing major industry specific risk and control assessment
frameworks
Risk management is a young profession with huge potential to help address and resolve some of
the worst problems we are experiencing on a day-to-day basis. But true professionals are rooted
in public service and some degree of altruism. There is a long way to go to achieve that goal. But
fundamental tools, practices, knowledge and skills exist today. Risk managers must proceed
carefully but quickly.
Risk management is
a young profession
with huge potential
to help address and
resolve some of the
worst problems we
are experiencing on
a day-to-day basis.