Moving from Risk Assessments to Action

Not to be reproduced without permission.

Moving from Risk Assessments to Action

Enterprise Risk Management Workshop

September 20, 2010

Canadian Healthcare Risk Management Network

Leslie ThompsonPresidentLESRISK

Diana Del Bel BelluzPresident

Risk Wise Inc.

Agenda

2:00 Overview, Goals, and Introductions

2:10 PART 1:

Why a framework isn’t enough.

2:20 Why you can’t implement ERM with a memo.

2:30 PART 2:

Catalysts for inspiring appropriate risk management action

2:45 Group discussion

3:15 PART 3:

Applying change design to ERM Implementation

3:30 Group exercise

3:55 Closing Thoughts

Not to be reproduced without permission. 2

Agenda


2:10 PART 1:



2:30 PART 2:



3:15 PART 3:


3:30 Group exercise




TypicalRisk Decision-making Model

Source: ISO 31000


Main challenges of a ‘Risk Decision Model’ approach to ERM …

1. The model leads to a focus on individual enterprise risks in isolation that precludes a portfolio view of risk.

2. The model focuses on risk reduction, which drives risk aversion rather than reinforcing appropriate risk-taking behaviour.

3. The model fails to recognize that implementing ERM is an exercise in organizational development, making it difficult for ERM to gain traction.


ISO 31000 (but only to the Risk Decision Model)introduces the concept of Continual Improvement


“Experience is inevitable. Learning is not.” - Paul J. H. Shoemaker

Successful ERM requires:1. An organizational Learning Framework to

guide

2. Systematic development of ERM capabilities, i.e., change management approach

•7


The Risk Wise ERM Implementation Process (geared to organizational learning)

1. Define ERM context and criteria

2. Assess risk and implications for performance

4. Close the ‘Learning Loop’

3. Integrate ERM into business practices


ERM Best Practices: A Capabilities & Performance Perspective

• Structural capital (structures & processes) Establishing structures that clarify accountabilities Building consideration of risk-taking and risk management into

business processes Developing and implementing control strategies for significant

enterprise risks• Human capital (knowledge, skills and culture)

Developing ERM know-how Cultivating an ERM mindset

• Risk Intelligence capital (information flow) Supplying risk information that is relevant & timely Applying risk information (risk awareness and effectiveness) to:

Engage in candid discussions about risks (priorities) Engage the board as well as staff to align resources (risk and resource

optimization and organizational learning)

The ERM Journey takes time… Hypothetical of Evolution of ERM

Learn &

Adapt

Learn &

Adapt

Learn &

Adapt

Learn &

Adapt

Learn &

Adapt

Agenda


2:10 PART 1:



2:30 PART 2:



3:15 PART 3:


3:30 Group exercise




Why you can’t implement ERM with a memo

• It’s about people:– How work is done– What the “workers/people” believe and feel about their efficiency and

effectiveness– What the people of the organization believe about making decisions

under conditions of uncertainty

• Organizational incongruencies:– Example: how people are rewarded– Example: Who leads? How do they lead?

• Doesn’t Build Risk Aware Judgement:– Balancing risk intelligence with effective risk decisions

• Other reasons?


Balancing risk the quality of risk information and the effectiveness of risk decisions with the objectives for

your ERM program- where do you want to be?

Eff

ecti

ven

ess

of

Ris

k D

ecis

ion

s

Quality of Informationlow high

high

Risk - Aware Judgment

Risk Intelligence

?

?


Building the Foundation for

Commitment

Getting Agreement and Setting Direction

CheckPoint

MakingChanges

Keeping It Going

CheckPoint

CheckPoint

The change management process: a tool for successful ERM implementation

Source: Dr. Harvey Kolodny,Rotman School of Management

Agenda


2:10 PART 1:



2:30 PART 2:

Catalysts* for inspiring appropriate risk management action


3:15 PART 3:


3:30 Group exercise


Not to be reproduced without permission. 15* See Nov-Dec 2008 issue of Risk Management Made Simple Advisory for article: “4 Catalysts to Embed Risk Management Culture”

CATALYST #1: Establish Clarity Around Objectives, Strategies, Roles and Responsibilities

• Having a strategic goal and measurable objectives is fundamental to enterprise risk management.

• Be explicit about what needs to be accomplished, how, by when, and who is responsible for what. – What are the things that need to be in place for success?– What are the milestones that would let us know when we’ve

achieved success?– What is the strategic path to get to each milestone?

• ASK YOURSELF: Does my organization have clear strategic objectives with explicit measurable milestones?


CATALYST #2: Articulate Risk Appetite & Tolerance

• Risk appetite and tolerance set important goal posts for appropriate risk taking.

• Determine criteria for decision-making before embarking on the process of assessing and weighing decision alternatives.

• ASK YOURSELF: Has my organization articulated its risk appetite and tolerance?


Risk Appetite vs. Risk Tolerance

• Executives don't end up in the news or in jail merely because they took a risk. They end up there for not managing their business risks properly.

• We expect our leaders to take appropriate decisions that balance upside and downside elements of risk:

upside risk (benefit/opportunity) ≥ risk (threat) + cost• Risk Appetite: the size of 'bet' the organization is willing to take to

achieve it's objectives. It needs to be commensurate with goals and capabilities.– A clear Risk Appetite is necessary to determine appropriate

goals and strategic direction. • Risk Tolerance: the margin by which the organization is willing to

accept either over- or under-shooting its objectives. – A clear Risk Tolerance is critical for resource allocation

decisions


10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

0%

Zone of Risk Tolerance

for ‘customer

satisfaction with service quality’

An example - the Zone of Risk Tolerance

• A firm may have a strategic goal to have an average customer satisfaction rating of 85% (its Risk Appetite).

• Operationally, it is prepared to accept ratings in the range of 75% to 90% (its limits of Risk Tolerance)

Why are some executives reluctant to articulate their risk appetite & tolerance? *


1. They mistakenly believe that if they don't formally commit to a tolerable level of risk then they can't be held accountable for setting it incorrectly.

2. They don't know how to go about articulating risk appetite and tolerance.

* See March 2008 issue of Risk Management Made Simple Advisory for article: “The Tricks to Tolerance”

CATALYST #3: Use Risk Intelligence to Drive Excellent Performance

• Risk and performance are linked.

• Develop an understanding of the relationship between the drivers of your performance and your risk. It enables you to anticipate the future and gives you more time to think, plan and innovate *.

• Ultimately, you’ll experience fewer downside risk events and be able to exploit more upside risks.

• ASK YOURSELF: Has my organization linked its risk and performance indicators?


* See Risk Management Made Simple Advisory ‘New Subscriber Bonus’ for how to map the link between drivers of risk & performance.

* See June 2008 issue of Risk Management Made Simple Advisory for article: “The Anticipation Advantage”

CATALYST #4: Foster Dissent and Inquiry (part 1)

For a risk assessment process to be effective, it must bring to the surface all critical information for the decision at hand. This can’t be achieved if the organization has a culture of silence in which people are afraid to speak the truth. …


Executive decisions “are made well only if based on the clash of conflicting views, the

dialogue between different points of view, the choice between different

judgments.”

Peter Drucker

‘Decision-makers need to foster conflict and dissent to

ensure that the course of action selected enables the organization to achieve its

performance objectives in a way that optimizes resources and balances risk better than

all other plausible alternatives.’

Michael Roberto

‘Great companies continually

refine the path to greatness by

confronting the brutal facts of reality.’

Jim Collins

CATALYST #4: Foster Dissent and Inquiry (part 2)

• One of the biggest contributions you can make is to question how well your organization’s risk estimates reflect its particular reality. – Is your risk estimate accurate?– Is your risk estimate based on high-quality information?– Is your risk estimate relevant? – Is your risk estimation process objective?– Is the risk estimation model built on solid assumptions?

• Initial assessments of risks may have to be based on opinion. However, transition as quickly as possible to evidence-based measures. It is only way to distinguish between valid and invalid assumptions and guard against willful blindness.

• ASK YOURSELF: Does my organization foster dissent and inquiry in its strategic decision-making? Can the truth be heard?


Group Discussion

• Break into groups of 3. Each group to focus on 1 catalyst• Task 1: Each individual takes 1 minute to jot down their

answer to the question: “Have you applied this catalyst in your organization? (No / Partially / Fully)”

• Task 2: In your group, take 3 minutes each to discuss:– If your answer is “No” or “Partially”:

• Tell the group the main barrier/challenge that is preventing you from fully applying the catalyst.

• Ask the other members of your break-out group for advice on how you might overcome your main challenge.

– If your answer is “Fully”:• Share with the group your lessons learned and pointers based on

your experience.

• Be prepared to share key insights with the other break-out groups.


Pick your catalyst…

• CATALYST #1: Establish Clarity Around Objectives, Strategies, Roles and Responsibilities

• CATALYST #2: Articulate Risk Appetite & Tolerance

• CATALYST #3: Use Risk Intelligence to Drive Excellent Performance

• CATALYST #4: Foster Dissent and Inquiry


Agenda


2:10 PART 1:



2:30 PART 2:



3:15 PART 3:


3:30 Group exercise




Building the Foundation for

Commitment

Getting Agreement and Setting Direction

CheckPoint

MakingChanges

Keeping It Going

CheckPoint

CheckPoint

Where is your organization in the change management process?

Source: Dr. Harvey Kolodny,Rotman School of Management


InterventionChange Management Action

Understand the need for change

Enlist a core change team

Develop vision and strategy

Create a sense of urgency

Communicate the Vision

Act: Implement the vision

Consolidate the Change

Align and build congruence

.

Building the

Foundation for

Commitment

Getting Agreement

& Setting Direction

Making Changes

Keeping it going

?

ERM Implementation – designing the change


• LEARN as much as you can about both the benefits of ERM and how other groups have implemented it

• Evaluate your organization’s capacity and capabilities

• Diagnose organizational support and incongruencies

• Secure leadership support:

– Identify allies, influencers and resisters

– Engage an executive ERM champion

– Engage board or trustee support for the strategic benefits of ERM

• Develop an ERM function or task force

• Involve all organizational silos in the development of your own ERM framework, and definitions

• Promote a common language

• Establish feedback loops and check-in

Stage 1: How do you build support for ERM?

Lesl

ie T

hom

pson

, 201

0


1. Each participant group chooses a spokesperson.

2. Task 1: In your groups review the change design map and

develop a list of change interventions consistent with the

objectives of the change management stage assigned to

your group:

• Stage 1: Building a foundation for commitment, or

• Stage 2: Getting agreement and setting direction, or

• Stage 3: Making changes, or

• Stage 4: Keeping the changes going

3. Task 2: Discuss at what stage your organization is in ERM

implementation and whether any of the suggested

interventions might work for you

4. We will pool our suggestions after 10 minutes and discuss

task 2.

Small Group Exercise

Le

slie

Tho

mps

on, 2

010


Some InterventionsUnderstand the need for change

Enlist a core change team

Develop vision and strategy

Create a sense of urgency

Communicate the Vision

Act: Implement the vision

Consolidate the Change

Align and build congruence

Getting Agreement

& Setting Direction

Making Changes

Keeping it going

ERM Implementation – designing the change

• Learn about ERM• Learn about ERM in your organization• Evaluated ERM capacity & capability• Develop an ERM task force• Secure leadership support

• Learn about ERM• Learn about ERM in your organization• Evaluated ERM capacity & capability• Develop an ERM task force• Secure leadership support

• Customize the ERM process• Define terms and risk categories• Communicate. Leaders show support• Framework development • Training

• Customize the ERM process• Define terms and risk categories• Communicate. Leaders show support• Framework development • Training

• Identify and assess risks for each dept.• Aggregate enterprise risks• Develop a risk map• Develop a risk appetite statement• Review alternative risk management strategies and take action

• Identify and assess risks for each dept.• Aggregate enterprise risks• Develop a risk map• Develop a risk appetite statement• Review alternative risk management strategies and take action

• Integrate with planning, budgeting, performance measurement

• Build infrastructure support: IT, organizational architecture

• Refine assessment methodologies• Share best practices. Celebrate

• Integrate with planning, budgeting, performance measurement

• Build infrastructure support: IT, organizational architecture

• Refine assessment methodologies• Share best practices. Celebrate

Building a Foundation for Commitment

Building a Foundation for Commitment

Agenda


2:10 PART 1:



2:30 PART 2:



3:15 PART 3:


3:30 Group exercise




Questions and Conclusions

Leslie Thompson MBA, MFA, FSCI, CMC, ICD.DLESRISK(416) [email protected]

Diana Del Bel Belluz M.A.Sc., P.Eng.

Risk Wise Inc.(416) [email protected]

Date post:	17-Jan-2016
Category:	Documents
Upload:	blythe
View:	40 times
Download:	2 times

Moving from Risk Assessments to Action

Documents