World-Class
Risk Management
Norman
MARKS
2017
The Risk Manager’s List
1. You might get run over by a car
2. You might get run over by a bicycle
3. Your home may be burglarized while you are out
4. You might be mugged
5. You might be shot in a drive-by shooting
6. A lot of bad things might happen
“Only xx% of [C-level] respondents
believe their risk management
processes support, at a high level,
the ability to develop and execute
business strategies”
Deloitte: Exploring Strategic Risk
“Only 13% of [C-level] respondents
believe their risk management
processes support, at a high level,
the ability to develop and execute
business strategies”
Deloitte: Exploring Strategic Risk
The Upgraded Risk Manager’s List
1. You might get run over by a car
2. You might get run over by a bicycle
3. Your home may be burglarized while you are out
4. You might be mugged
5. You might be shot in a drive-by shooting
6. A lot of bad things might happen
1. If you work you can earn money
2. You can meet your wife for lunch
3. You can pick up your children after school
4. I can get groceries and be able to eat
5. Getting exercise is healthy
6. A lot of good things might happen
The Upgraded Manager’s List
1. You might get run over by a car
2. You might get run over by a bicycle
3. Your home may be burglarized while you are out
4. You might be mugged
5. You might be shot in a drive-by shooting
6. A lot of bad things might happen
1. If you work you can earn money
2. You can meet your wife for lunch
3. You can pick up your children after school
4. I can get groceries and be able to eat
5. Getting exercise is healthy
6. A lot of good things might happen
RISK MATRIX
Why We Need to Manage Risk
The purpose of managing risk is to increase
the likelihood of an organization achieving
its objectives by being in a position to
manage threats and adverse situations and
being ready to take advantage of
opportunities that may arise.
National Guidance
on Implementing ISO 31000:2009
From NSAI in Ireland
A Time of “Pervasive, Ongoing, Uncertainty”
- McKinsey
Risk management, piercing the fog of
uncertainty – Felix Kloman
It’s about setting the right objectives
It’s about Making Intelligent Decisions
It’s all about Taking the Right Risks
Why risk management?
“An effective [ERM] capability provides value
by giving organizations the confidence to take
on risk, rather than avoid it.
- Consultancy firm
Why risk management?
“By effectively managing the right risks,
management has more timely,
comprehensive and a deeper
understanding of risk which, in turn,
facilitates better decision-making and
confidence to take on new ventures or
even to accept higher levels of risk.
- Consultancy firm
Why risk management?
“The upshot of this investment
includes a greater competitive
advantage, reduced cost of capital
and a steady share price.”
- Consultancy firm
Why risk management?
Better information leads to:
• Better decisions
• Protection of value
• Seized opportunities
• Agile, optimized performance
Drive business results
“In an increasingly competitive, fast-paced
world, organizations need to continually
advance their risk management practices,
building on the strong foundation of protection
and compliance into an expanded focus on risk
factors that impact strategic decision-making
and operational performance.”
- Consultancy firm
Drive business results
“We believe a paradigm shift in risk management is
beginning, which is:
• Tied to the increasingly complex world in which
companies now operate
• Based on the awareness that uncertainty is
embedded in (and impacts) everything we do
• Focused on both capturing upside opportunities
as well as protecting the business.”
- Consultancy firm
Drive business results
“You need [risk management] to become part of
the rhythm of the business: meaning within the
flow of strategic and business planning,
operations, oversight and monitoring that runs
from the board to the line.”
- Consultancy firm
Drive business results
“There are several key business processes, and structural and
functional components that make up this rhythm of the business,
working together to deliver business value creation. Within these
components of the business, we see four basic business process
suites:
• Strategic oversight and planning — board and executive
management level activities
• Business level planning/budgeting — management translation
of strategies into business plans and allocation of capital
• Operational execution — value creating implementation of
plans and strategies
• Monitoring and compliance — audit and compliance activities.”
- Consultancy firm
The risk management process
Establish the context
Identify risks
Analyse risks
Evaluate risks
Treat risks
Communicate and consult
Monitor and review
Used by every manager for every decision
Upgraded risk management process
• Anticipate what might happen
• Analyze the possibilities
• Is there a problem?
• What are the options?
• Which is best?
• Decide
• Act
• Review/monitor/learn
When do you manage risk?
• Every day
• Across the enterprise
• In every decision
• But….. Periodically take stock
How does the Risk Manager help?
• Periodic review, yes – BUT!!
• Process, systems, to enable informed
decisions every day by everyone
• Help everybody manage risk
• Help everybody succeed
When Risk Management focuses
on the Negative
It fails to focus on the Positive
and Fails to help the organization
Succeed
World-Class Risk Management
• How confident are you in the information you
provide about risk?
• Is it reasonably accurate and complete?
• Does it provide an acceptable basis for
decision-making?
Risks to Risk Management
• Not every executive or board member
embraces and embodies risk management
• Normal human bias when considering risk
• An unwillingness to accept reality
• A reluctance to recognize and seize an
opportunity because of a fear of taking risk
• A reluctance to communicate changes in risk
levels for fear of retribution
Risks to Risk Management
• Failures to detect subtle changes in the
business environment
• Risk management processes running slower
than the speed of risk
• Excessive centralization or red tape
bureaucracy
• Insufficient, unreliable, or unclear information
• Changes in personnel
Risks to Risk Management
• The inability to adapt risk management
methods as the business changes
• Competing attention for management time
• Decisions made in a rush
• The deliberate violation of risk guidance
• Failures of internal control
Risks to Risk Management
• Errors of judgment and simple mistakes
• …and so on
Risk Reporting
• List of top risks
– Does it help the board and
management make decisions?
– Does it tell you whether you will
achieve objectives?
• Heat map
– Same questions
RISK MATRIX
A range not a point
Objectives and their Risks
Objectives and their Risks
Business Objective: Maintain employee turnover at 8% per annum
YTD Performance: 8.15%
Projected Achievement:
• Fall Short (>7.8%): 15%
• Achieve (7.8%-8.2%): 80%
• Exceed (<8.2%): 5%
Risk management in real life
• Select vendor(s) of critical materials
• Objectives:
– Cost management
– Quality products
– On-time delivery
Options
• Single vendor
– Lower cost
– More important customer to vendor
– Risk of disruption
– Risk if vendor disappoints
Options
• Two vendors
– Higher cost
– Less important customer to vendor
• May increase prices
• May affect deliveries
– Risk of disruption reduced
– Risk if vendor disappoints reduced
Options
• Three or four vendors
– Highest cost
– Much less important customer to vendor
• May increase prices
• May affect deliveries
– Risk of disruption reduced
– Risk if vendor disappoints reduced
The selection
• Involved all affected parties
• Considered each option
• Not a matter of a single risk
• Which option, considering all potential effects,
would be best?
• An enterprise level risk appetite statement
would have no value
The risk practitioner and the executive
• We share the same goal – performance
• Talk the same language
• Move from ‘no’ to ‘how’
• Management need information and process
• Help assess what might happen, alternatives
• Help managers make intelligent, informed
decisions
• Help them succeed!
ASSESS AGAINST ISO 31000 PRINCIPLES
• Creates and protects value
• An integral part of organizational processes
• Part of decision-making
• Dynamic, iterative, responsive to change
• Tailored
ASSESS IN REAL-LIFE
Does the practice of risk management
meet the needs of the organization?
ASSESS IN REAL LIFE
• What is the likelihood of
achieving enterprise objectives?
• Is that OK?
• What can we do to improve the
Extent and Likelihood of
Success?
• What will we do?
CAN YOU HELP THE BUSINESS MANAGE
AT SPEED?
1. INSERT KEY INTO IGNITION
2. SHIFT INTO DRIVE
3. PRESS FOOT FIRMLY ON THE
THROAT OF MEDIOCRITY
THANK YOU!
Norman Marks, CPA, CRMA
Author; Evangelist for Better Run Business; OCEG Fellow;
Honorary Fellow of the Institute of Risk Management
nmarks2@yahoo.com
https://iaonline.theiia.org/norman-marks
http://normanmarks.wordpress.com/
Twitter: @normanmarks

Norman Marks at the World Class Risk Management 2017 forum
