Moving from Risk Assessments to Action
Enterprise Risk Management Workshop
September 20, 2010
Canadian Healthcare Risk Management Network
Leslie Thompson, President, LESRISK
Diana Del Bel Belluz, President, Risk Wise Inc.
Not to be reproduced without permission.
Typical Risk Decision-making Model (Source: ISO 31000)
Main challenges of a ‘Risk Decision Model’ approach to ERM …
• The model leads to a focus on individual enterprise risks in isolation that precludes a portfolio view of risk.
• The model focuses on risk reduction, which drives risk aversion rather than reinforcing appropriate risk-taking behaviour.
• The model fails to recognize that implementing ERM is an exercise in organizational development, making it difficult for ERM to gain traction.
ISO 31000 (but only to the Risk Decision Model) introduces the concept of Continual Improvement
“Experience is inevitable. Learning is not.” - Paul J. H. Schoemaker
Successful ERM requires:
• An organizational Learning Framework to guide
• Systematic development of ERM capabilities, i.e., change management approach
The Risk Wise ERM Implementation Process (geared to organizational learning)
1. Define ERM context and criteria
2. Assess risk and implications for performance
3. Integrate ERM into business practices
4. Close the ‘Learning Loop’
ERM Best Practices: A Capabilities & Performance Perspective
• Structural capital (structures & processes)
  • Establishing structures that clarify accountabilities
  • Building consideration of risk-taking and risk management into business processes
  • Developing and implementing control strategies for significant enterprise risks
• Human capital (knowledge, skills and culture)
  • Developing ERM know-how
  • Cultivating an ERM mindset
• Risk Intelligence capital (information flow)
  • Supplying risk information that is relevant & timely
  • Applying risk information (risk awareness and effectiveness) to:
    • Engage in candid discussions about risks (priorities)
    • Engage the board as well as staff to align resources (risk and resource optimization and organizational learning)
The ERM Journey takes time…
[Figure: Hypothetical Evolution of ERM, with repeated "Learn & Adapt" steps]
Why you can’t implement ERM with a memo
• It’s about people:
  • How work is done
  • What the “workers/people” believe and feel about their efficiency and effectiveness
  • What the people of the organization believe about making decisions under conditions of uncertainty
• Organizational incongruencies:
  • Example: How people are rewarded
  • Example: Who leads? How do they lead?
• Doesn’t build risk-aware judgement:
  • Balancing risk intelligence with effective risk decisions
• Other reasons?
Balancing the quality of risk information and the effectiveness of risk decisions with the objectives for your ERM program: where do you want to be?
[Figure: axes are Effectiveness of Risk Decisions (low to high) and Quality of Information (low to high); labelled regions are Risk Intelligence, Risk-Aware Judgment, and two marked "?"]
The change management process: a tool for successful ERM implementation
[Figure: cycle of four stages separated by Check Points: Building the Foundation for Commitment; Getting Agreement and Setting Direction; Making Changes; Keeping It Going. Source: Dr. Harvey Kolodny, Rotman School of Management]
Agenda
* See Nov-Dec 2008 issue of Risk Management Made Simple Advisory for article: “4 Catalysts to Embed Risk Management Culture”
CATALYST #1: Establish Clarity Around Objectives, Strategies, Roles and Responsibilities
• Having a strategic goal and measurable objectives is fundamental to enterprise risk management.
• Be explicit about what needs to be accomplished, how, by when, and who is responsible for what.
  • What are the things that need to be in place for success?
  • What are the milestones that would let us know when we’ve achieved success?
  • What is the strategic path to get to each milestone?
• ASK YOURSELF: Does my organization have clear strategic objectives with explicit measurable milestones?
CATALYST #2: Articulate Risk Appetite & Tolerance
• Risk appetite and tolerance set important goal posts for appropriate risk taking.
• Determine criteria for decision-making before embarking on the process of assessing and weighing decision alternatives.
• ASK YOURSELF: Has my organization articulated its risk appetite and tolerance?
Risk Appetite vs. Risk Tolerance
• Executives don't end up in the news or in jail merely because they took a risk. They end up there for not managing their business risks properly.
• We expect our leaders to take appropriate decisions that balance upside and downside elements of risk:
  upside risk (benefit/opportunity) ≥ risk (threat) + cost
• Risk Appetite: the size of 'bet' the organization is willing to take to achieve its objectives. It needs to be commensurate with goals and capabilities.
  • A clear Risk Appetite is necessary to determine appropriate goals and strategic direction.
• Risk Tolerance: the margin by which the organization is willing to accept either over- or under-shooting its objectives.
  • A clear Risk Tolerance is critical for resource allocation decisions.
An example - the Zone of Risk Tolerance
• Upper Bound (e.g. 90% of customers satisfied with service quality)
• Objective (e.g. 85% of customers satisfied with service quality)
• Lower Bound (e.g. 75% of customers satisfied with service quality)
[Figure: Zone of Risk Tolerance for ‘customer satisfaction with service quality’, shown on a 0% to 100% scale]
• A firm may have a strategic goal to have an average customer satisfaction rating of 85% (its Risk Appetite).
• Operationally, it is prepared to accept ratings in the range of 75% to 90% (its limits of Risk Tolerance).
Why are some executives reluctant to articulate their risk appetite & tolerance? *
• They mistakenly believe that if they don't formally commit to a tolerable level of risk then they can't be held accountable for setting it incorrectly.
• They don't know how to go about articulating risk appetite and tolerance.
* See March 2008 issue of Risk Management Made Simple Advisory for article: “The Tricks to Tolerance”
CATALYST #3: Use Risk Intelligence to Drive Excellent Performance
• Risk and performance are linked.
• Develop an understanding of the relationship between the drivers of your performance and your risk. It enables you to anticipate the future and gives you more time to think, plan and innovate *.
• Ultimately, you’ll experience fewer downside risk events and be able to exploit more upside risks.
• ASK YOURSELF: Has my organization linked its risk and performance indicators?
• See Risk Management Made Simple Advisory ‘New Subscriber Bonus’ for how to map the link between drivers of risk & performance.
• See June 2008 issue of Risk Management Made Simple Advisory for article: “The Anticipation Advantage”
CATALYST #4: Foster Dissent and Inquiry (part 1)
Executive decisions “are made well only if based on the clash of conflicting views, the dialogue between different points of view, the choice between different judgments.” Peter Drucker
‘Decision-makers need to foster conflict and dissent to ensure that the course of action selected enables the organization to achieve its performance objectives in a way that optimizes resources and balances risk better than all other plausible alternatives.’ Michael Roberto
‘Great companies continually refine the path to greatness by confronting the brutal facts of reality.’ Jim Collins
For a risk assessment process to be effective, it must bring to the surface all critical information for the decision at hand. This can’t be achieved if the organization has a culture of silence in which people are afraid to speak the truth. …
CATALYST #4: Foster Dissent and Inquiry (part 2)
• One of the biggest contributions you can make is to question how well your organization’s risk estimates reflect its particular reality.
  • Is your risk estimate accurate?
  • Is your risk estimate based on high-quality information?
  • Is your risk estimate relevant?
  • Is your risk estimation process objective?
  • Is the risk estimation model built on solid assumptions?
• Initial assessments of risks may have to be based on opinion. However, transition as quickly as possible to evidence-based measures. It is the only way to distinguish between valid and invalid assumptions and guard against willful blindness.
• ASK YOURSELF: Does my organization foster dissent and inquiry in its strategic decision-making? Can the truth be heard?
Group Discussion
• Break into groups of 3. Each group to focus on 1 catalyst.
• Task 1: Each individual takes 1 minute to jot down their answer to the question: “Have you applied this catalyst in your organization? (No / Partially / Fully)”
• Task 2: In your group, take 3 minutes each to discuss:
  • If your answer is “No” or “Partially”:
    • Tell the group the main barrier/challenge that is preventing you from fully applying the catalyst.
    • Ask the other members of your break-out group for advice on how you might overcome your main challenge.
  • If your answer is “Fully”:
    • Share with the group your lessons learned and pointers based on your experience.
• Be prepared to share key insights with the other break-out groups.
Pick your catalyst…
• CATALYST #1: Establish Clarity Around Objectives, Strategies, Roles and Responsibilities
• CATALYST #2: Articulate Risk Appetite & Tolerance
• CATALYST #3: Use Risk Intelligence to Drive Excellent Performance
• CATALYST #4: Foster Dissent and Inquiry
Where is your organization in the change management process?
[Figure: cycle of four stages separated by Check Points: Building the Foundation for Commitment; Getting Agreement and Setting Direction; Making Changes; Keeping It Going. Source: Dr. Harvey Kolodny, Rotman School of Management]
ERM Implementation – designing the change
Columns: Change Management | Action | Intervention
• Building the Foundation for Commitment | Understand the need for change; Enlist a core change team | ?
• Getting Agreement & Setting Direction | Develop vision and strategy; Create a sense of urgency; Communicate the Vision | ?
• Making Changes | Act: Implement the vision | ?
• Keeping it going | Consolidate the Change; Align and build congruence | ?
Stage 1: How do you build support for ERM? (Leslie Thompson, 2010)
• LEARN as much as you can about both the benefits of ERM and how other groups have implemented it
• Evaluate your organization’s capacity and capabilities
• Diagnose organizational support and incongruencies
• Secure leadership support: Identify allies, influencers and resisters
• Engage an executive ERM champion
• Engage board or trustee support for the strategic benefits of ERM
• Develop an ERM function or task force
• Involve all organizational silos in the development of your own ERM framework, and definitions
• Promote a common language
• Establish feedback loops and check-in
Small Group Exercise (Leslie Thompson, 2010)
• Each participant group chooses a spokesperson.
• Task 1: In your groups review the change design map and develop a list of change interventions consistent with the objectives of the change management stage assigned to your group:
  • Stage 1: Building a foundation for commitment, or
  • Stage 2: Getting agreement and setting direction, or
  • Stage 3: Making changes, or
  • Stage 4: Keeping the changes going
• Task 2: Discuss at what stage your organization is in ERM implementation and whether any of the suggested interventions might work for you.
• We will pool our suggestions after 10 minutes and discuss task 2.
ERM Implementation – designing the change: Some Interventions
Building a Foundation for Commitment (Understand the need for change; Enlist a core change team)
• Learn about ERM
• Learn about ERM in your organization
• Evaluate ERM capacity & capability
• Develop an ERM task force
• Secure leadership support
Getting Agreement & Setting Direction (Develop vision and strategy; Create a sense of urgency; Communicate the Vision)
• Customize the ERM process
• Define terms and risk categories
• Communicate. Leaders show support
• Framework development
• Training
Making Changes (Act: Implement the vision)
• Identify and assess risks for each dept.
• Aggregate enterprise risks
• Develop a risk map
• Develop a risk appetite statement
• Review alternative risk management strategies and take action
Keeping it going (Consolidate the Change; Align and build congruence)
• Integrate with planning, budgeting, performance measurement
• Build infrastructure support: IT, organizational architecture
• Refine assessment methodologies
• Share best practices. Celebrate
Questions and Conclusions
Leslie Thompson, MBA, MFA, FSCI, CMC, ICD.D, LESRISK, (416) 924-6393, lthompson@lesrisk.com, www.lesrisk.com
Diana Del Bel Belluz, M.A.Sc., P.Eng., Risk Wise Inc., (416) 214.7598, Diana.Belluz@riskwise.ca, www.riskwise.ca