Hello ERM - It's Time to Go
I am the VP, GRC Strategy and Partnerships
brian.link@resolver.com
I remember back when IA helped launch our ERM program – those were good times.
Let’s see, COSO ERM… kind of a strange bird, never really flew.
AS/NZS 4360 - it was a bit more pragmatic and action-oriented.
ISO 31000 – wait, isn’t that 4360?
COSO ERM update – new and improved… perhaps it will fly?
Go forth and identify, assess and manage risk!
Don’t forget about inherent risk, risk appetite, linkage to strategy, KRIs, the three lines of defense.
…I’ll be here if you need me!
Now I can relax a bit and get back to my day job. I’m sure the little one will be OK.
He was flying, wasn’t he? I mean, his wings were flapping… right?
Survey findings (percentage figures from the slide graphics are not preserved in this transcript):
▪ … believe their organization has a “complete formal enterprise-risk management process in place”.
▪ … indicate that their organization’s risk management process is “not at all” or “minimally” viewed as a proprietary strategic tool.
▪ … of the organizations have boards that “mostly” or “extensively” review the top risk exposures.
Source: NC State University Poole College of Management Enterprise Risk Management
▪ Lack of alignment with strategy and business activities
▪ Inadequate planning and communication
▪ A focus on past risks rather than the future
▪ Lack of integration into business decisions
▪ Viewing the risk assessment or assessment of risk plan as the end of the risk management process
▪ Poor governance and “tone at the top”
▪ Practicing ELM instead of ERM
▪ Misunderstanding the “if you can’t measure it, you can’t manage it” mindset
▪ Not integrating risk management with strategy-setting and performance management
▪ Ignoring the dysfunctionalities and “blind spots” of the organization’s culture
Is something else inhibiting progress?
ALIGNMENT CAPABILITY RESOURCES MOTIVATION
▪ Align and embed risk assessment within planning & budgeting cycles
▪ Create a framework that places everyone, literally and figuratively, on the same page
▪ Connect the dots – all the way through to resilience and recovery
ALIGNMENT
Figure: two planning cycles compared. Planning → Risk Assessment → Budgeting → Forecasting, versus Planning → Budgeting → Forecasting → Risk Assessment.
ALIGNMENT
Figure: roles shown around the framework: CAE, IT Audit, CSO, CFO, CIO, Business Manager.
Figure: elements of the shared framework.
• IT • Plant / Physical • People • Financial • Reputation
• Planning & Budgeting • Procure to Pay • Market to Order • Order to Cash • Hire to Retire • Acquire to Retire • Idea to Offering • Plan to Inventory • Payroll
• Key / Non-key • Detective • Preventative • Mitigating • Manual • IT-dependent Manual • IT General Controls • IT Application Controls • Policies • Control Environment – Including Culture
Strategic: • Competition • Disruptive Tech • Macro-Economic • Reputation • Environment & Social
Operational: • Physical Security • IT Security • IT Ops • HR • Supplier
Compliance: • Regulatory • Legal • Ethics • Fraud
Financial: • Reporting • Credit / Counterparty • Market • Liquidity • Model • Insurance
Standards, Frameworks or Guidelines: • IFRS • COSO ICF • IIA – IPPF • ISO 31000 • COBIT 5 • NIST • ISO 27XXX
Laws & Regulations: • Bank Act • SOX • Privacy • AML • FCPA
• Business Groups • Functions • Geography • Locations / Sites
• Cyber • Physical Security • Health & Safety • Environment • Whistleblower • Fraud • Issue / Incident • Case Management • Business Continuity • Disaster Recovery • Crisis Management • Capital Projects • M&A
• KPIs • KRIs • Limits & Thresholds • Analytics
Key Stakeholders: • Shareholders • Institutional Investors • Public-at-Large • Labor Unions • Ratings Agencies • Underwriters
Changes / Opportunities: • Customer Expectations • Competitive Landscape • Labour Market • Economic Conditions • Technology
Figure: Loss Triangle. Phases: Prepare, Prevent, Respond, Recover. States: Steady State, Adverse Event, Recovered State, where the recovered state ends at either a recovery premium or a recovery deficit relative to the steady state.
Source: Oxford Metrica, Resilience Index 2015
ALIGNMENT
▪ Provide a clear definition of what risk is / is not
▪ Cast out the academic definition of Inherent risk
▪ Avoid Impact × Likelihood = Risk Rating
▪ Add a 3rd dimension such as Control Effectiveness, Management Preparedness, etc.
CAPABILITY
Encourage respondents to identify the specific events that might trigger a failure.
Objective: Reach the Moon safely, land on it, and then return to Earth.
Risk (stated as an outcome): Failure to land on the Moon.
Risk (stated as a specific trigger event): Oxygen tank explosion.
Inherent Risk
• Assumes no controls - really?
• Too academic
• Turns participants off to the risk assessment process, overall
Enter – Maximum Foreseeable Consequence
• Plausible, worst case scenario
• Gives participants the license to think out of the box
CAPABILITY
▪ Equipment (very specialized)
▪ Information (paper files), servers
▪ Inventory
▪ Raw material
▪ Sales $$$$$$$
▪ New toll supplier relationships
▪ Appreciation of CM team value and benefits of testing
▪ Validation of insurance coverages
▪ Knowledge that your key competitor can’t wait to see you drown
CAPABILITY
Figure: 2×2 matrix plotting Maximum Foreseeable Impact (Low to High) against Control Effectiveness (or, Management Preparedness) (Low to High). Quadrants numbered 1 to 4 carry the actions Remediate and Monitor, with regions marked Potential CSA-focus and Potential IA-focus. Prompt on the slide: What is a plausible, worst-case scenario/impact?
CAPABILITY
Survey findings (percentage figures from the slide graphics are not preserved in this transcript):
▪ … believe that a “barrier” or “significant barrier” to ERM is that there are insufficient resources allocated to ERM.
▪ … have not provided or only minimally provided training and guidance on risk management.
Source: NC State University Poole College of Management Enterprise Risk Management
RESOURCES
Understand employee engagement
Adopt/build an ERM framework
1. Why - Committing to a meaningful purpose
2. How - Choosing the best way of fulfilling that purpose
3. What - Making sure that one is performing work activities competently, and
4. When - Making sure that one is making progress to achieving the purpose
Purpose, Mastery, Empowerment, Impact
MOTIVATION
▪ A non-cynical climate—freedom to care deeply
▪ Clearly identified passions—insight into what we care about
▪ An exciting vision—a vivid picture of what can be accomplished
▪ Relevant task purposes—connection between our work and the vision
▪ Whole tasks—responsibility for an identifiable product or service
MOTIVATION
▪ Delegated authority—the right to make decisions
▪ Trust—confidence in an individual’s self-management
▪ Security—no fear of punishment for honest mistakes
▪ A clear purpose—understanding what we are trying to accomplish
▪ Information—access to relevant facts and sources
MOTIVATION
▪ Knowledge—an adequate store of insights from education and experience
▪ Positive feedback—information on what is working
▪ Skill recognition—due credit for our successes
▪ Challenge—demanding tasks that fit our abilities
▪ High, non-comparative standards—demanding standards that don’t force rankings
MOTIVATION
▪ A collaborative climate—co-workers helping each other succeed
▪ Milestones—reference points to mark stages of accomplishment
▪ Celebrations—occasions to share enjoyment of milestones
▪ Access to customers—interactions with those who use what we’ve produced
▪ Measurement of improvement—a way to see if performance gets better
MOTIVATION
To motivate employees who work beyond basic tasks, give them these three factors to increase performance and satisfaction:
▪ Autonomy — Our desire to be self-directed. It increases engagement over compliance.
▪ Mastery — The urge to enhance and expand our skills.
▪ Purpose — The desire to do something that has meaning and is important.
Businesses that only focus on profits without valuing purpose will end up with poor customer service and unhappy employees (i.e. more risk).
MOTIVATION
Survey findings (percentage figures from the slide graphics are not preserved in this transcript):
▪ … indicate that the board of directors is asking “somewhat” to “extensively” for increased senior executive involvement in risk oversight.
▪ … admit they were caught off guard by an operational surprise “somewhat” to “extensively” in the last five years.
Source: NC State University Poole College of Management Enterprise Risk Management
✓ Clear linkage to objectives
✓ Supportive “tone from the top”
✓ A purpose, delivered with passion (OK, perhaps slightly exaggerated)
brian.link@resolver.com