Mastering 21st Century Enterprise Risk Management: Firing Dated Practices | The Best Practice of ERM | Implementation Secrets

Mastering 21st Century Enterprise Risk Management

Firing Dated Practices | The Best Practice of ERM | Implementation Secrets

Author

Gregory M Carroll

Production Editor

Rebekah Donaldson

Reviewer

Special thanks to Greg Hutchins at CERM Magazine

ISBN: 9781483510446

Copyright 2013 Gregory M Carroll. Creative Commons Attribution-NonCommercial- ShareAlike 3.0 Unported License. For details on the Creative Commons license, visit: http://www.creativecommons.org/licenses/by-nc-sa/3.0

To contact the author:

Greg Carroll

Fast Track Aust PTY Ltd

+61755918977

http://www.fasttrack365.com/contact

http://www.linkedin.com/in/gregorymcarroll

For additional work by the author:

http://www.fasttrack365.com/resources

http://www.fasttrack365.com/blog

Contents

Foreword

Introduction

Understanding risk

Part I. Learning from the Past: Firing Failed Risk Practices

Why 20th century risk management failed

Over-promised

Incorrectly structured

Inaccurately implemented

Complex interrelationships not mapped

Inappropriately focused

Part II. Getting It Right: Implementation Secrets

IBM and Queensland Health's billion dollar fiasco

Secrets to successful risk management

Gen Y & 21st century risk management

Selecting ERM software

Getting software implementation right

Part III. A New Approach: 21st Century Best Practices

Enterprise risk management framework

Scenario analysis – an alternative view of the future

Structural/casual risk modelling

Shareholder value strategy

Conclusion

Addendum: How to Design a True Enterprise Risk Management System

Definitions

1. Identification

2. Evaluation

3. Monitoring

4. Aggregating

5. Management

More information

Foreword

Being a business owner, I keep an eye out for marketing ideas. I use a switched-on U.S. based marketing consulting firm B2B Communications (b2bcommunications.com) who educated me on 21st century marketing. Having a successful business for over 30 years, to say I am learning a whole new paradigm is an understatement. As a result, I have been following an Australian marketing guru Bruce Rasmussen (@bruceras), who just released interesting survey results: Bruce’s research found that, admirable traits such as 'building the relationship' and 'following up after the sale,' with which virtually all sales people have been brought up, are the staple approach in the ICT sales community. The only problem is that these behaviours are no longer considered to be best practice.¹

In one of my blog posts I put forward the case that the character and modus operandi of Gen Y is changing the way people will work in the future, and the very traits we complain about may be the solution to our biggest problems.²

A common theme raised at the 2013 OpRisk conference was the paradigm shift in risk management. This was supported by a Milliman research report³ that found:

1. Basic risk indicators and standard formula are ultimately a very blunt model; and

2. Structural/causal-based risk models are the leading emerging best practice in the field

In other words, the accepted practice is failing and there is an entirely new approach to risk management.

Then I watched a video on 3D Printing⁴ -- a technique used to produce physical products from digital designs. The Economist compares it to the invention of the steam engine and the printing press. Business Insider says it's the next trillion-dollar industry. And everyone from BMW, to Nike, to the U.S. Air Force is already using it every day. The Motley Fool Investment Advisors claim it will put an end to the Made-in-China era in the same way digital music downloads put an end to CD mass production.⁵

The pace of innovation and adoption is accelerating. Google, GPS, the iPad, and DNA evidence were research projects just 20 years ago. They are the norm today.

Accepted best practice in risk management has failed. The rate of technological change has accelerated. A fundamental change in business is happening, and a majority of businesses today will not be around in 10 years unless they urgently adopt major transformations.

Think I’m overstating the situation? Ford, one of the largest companies in Australia for the last 50 years, is shutting plants.

Just as the 1890s world of the Wild West had disappeared without trace by the Roaring 1920s, so too will the business world of the 1990s, in which we still operate today, be long forgotten by the 2020s. When I note:

The environment has changed... The nature of selling has changed... The nature of work has changed...

The nature of risk management has changed...

The rate of change of technology has accelerated... The movement of capital has accelerated...

The intrusion of compliance has accelerated... And volatility is now the norm...

... I feel like Sarah Connor (Linda Hamilton) in the last scene of Terminator, driving toward the storm clouds on the horizon, thinking. The unknown future rolls toward us. I face it, for the first time, with a sense of hope.

Greg Carroll

linkedin.com/in/gregorymcarroll

Introduction

Risk management has traditionally focused on the downside—the what if—of risk. What if I get audited; will my documentation be in order? What if someone gets hurt? Risk has also traditionally been siloed at many organisations, with each functional area requiring its own unique parameters. Accounting and finance are concerned with financial regulations; manufacturing is concerned about safety and equipment validation.

To further complicate the situation, each functional area turned to a different software supplier to obtain the risk management solution that would meet their specific regulatory requirements. The goal was to stay out of trouble. Aside from the obvious IT application management nightmare, the siloed, stay-out-of-trouble approach to risk management became a model for inefficiency and escalating costs.

Modern risk management philosophy goes beyond staying out of trouble. It incorporates the upside of risk—the people and process efficiencies that result when a holistic risk management framework is integrated into all aspects of the business and aligned to specific business objectives. Investing in risk management, as with all other investments, must produce a return. Mastering 21st Century Enterprise Risk Management explains why many risk management systems are broken and what needs to be done to fix them. It also explains the pitfalls to avoid when deploying an enterprise risk management system.

Whether you're new to risk management or a seasoned veteran, you'll learn effective approaches and emerging models that are backed by real-world examples.

Welcome to 21st century risk management.

Understanding risk

Although most think they know what risk is, there seems to be a fair bit of misunderstanding outside the risk fraternity.

Like the motor vehicle, risk is not good or bad. So before we dive in, let’s take three minutes to cover some basics:

00:00 Definition

Risk is the level of uncertainty in any situation. Risk management is a system that identifies, quantifies and attempts to reduce or eliminate uncertainty. As an event in one part of an organisation can affect other unrelated parts (the butterfly effect), Enterprise risk management (ERM) is a coordinated linking of all organisation risks into a single model so everyone is aware of the effect immediately. ISO31000 is a new international standard that provides a framework and process, for an effective enterprise risk management system.

00:25 Identification

A good risk management system must start with a set of corporate objectives, not at the detail level.

Objectives need to cover all aspects, including financial, operational, marketing, as well as OHS