Enterprise Risk Management (ERM) is a great tool for bringing some structure to understanding the list of things the board should be worried about, and as a means for categorising the risks into relative levels of worry.
In my last article, I proposed a “Hierarchy of Worry” for directors young and old, ranging from the Life Assurance (“Keep me out of Prison”) worry, to the Business Performance (“Keep the market happy and get my bonus”) worry. This is an attempt to categorise the complex variety of competing governance issues directors are faced with.
“That’s all well and good”, I hear you say, “but how can directors work out what to worry about, and how much they should worry about it?”
These are excellent questions, and they go to the three I posed in my last article, i.e.
- Do I know the things that should be happening in my business are happening?
- Do I know the things that shouldn’t be are not happening?
- Am I armed with the information to make informed decisions on behalf of the business?
Peering through the window
So how do you answer these questions? When you first put on the director shoes, or hat, a business at governance level is pretty opaque. Your window into it is through what people in the business tell you, and/or via those that provide a specific third party perspective (e.g. financial auditors). Enterprise Risk Management (ERM) is a great tool for bringing some structure to understanding the list of things the board should be worried about, and as a means for categorising the risks into relative levels of worry.
Building up the worry list
There are many techniques for building up a risk register, but the best ones are those that are relatively systematic and allow a business to uncover risks that are subtle or hidden, in addition to those that are intuitively obvious. I often see teams approaching this by getting senior people into a room and attacking the whiteboard with a dose of brainstorming. This can be very useful, don’t get me wrong. Experience and using empirical learning from the 4.6 billion years of making mistakes that have gone before, and attempting not to repeat those mistakes, is very important. However this approach relies on the people in the room remembering all of the past mistakes, and having very good predictive skills in identifying new ways for things to go wrong. It can be a bit hit and miss.
The best approaches I have seen typically map out the activity of interest in some detail, e.g. this might involve using a comprehensive work breakdown structure for a large construction project; a process map for a new business operation (e.g. moving a bricks and mortar organisation online); a functional model for a new organisation structure; or a best practice standards-based framework for a business activity (e.g. an ISO standard). Then you can start looking into element by element at what needs to work for that activity to succeed, and how those might fail, plus any other additional failure events. This approach reduces the chance that something might fall through the cracks.
Now don’t panic - I’m not suggesting that directors get involved in the detailed risk assessment in all parts of the business. What I have described is the kind of “bottom-up” risk management that should be taking place in all functions to some degree, in the business. Where ERM comes in is to provide a framework for all these risks to be brought into a common framework, and the ones worth worrying about given visibility from the top.
Categorising the worries
Ok, so the business has a robust idea of things to worry about. Deciding which of these risks to worry about the most is typically done by looking at the relative probability of something happening and the consequences if it were to eventuate. The combination of these leads to a determination of whether the risk is minor or extreme (i.e. business breaking). The next things to look at are the extent to which these can possibly be mitigated, and the extent to which they are currently mitigated.
For example, a major cyber-attack might be deemed to be relatively unlikely, but of high consequence (e.g. it might stop the business being able to trade online for several days) resulting in it being regarded as an extreme risk. The risk could be mitigated by procuring some internet security services from the network provider, but this is not yet in place. So in this case through the ERM framework the board of directors would have visibility that there is a current ‘Extreme’ risk (in fact a Level 2: Business Continuity “Keep me out of the 6 O’clock News” Worry), with an aim to reduce this in the short term with an identified mitigation.
What to look for
“Doesn’t all this mean that the director is still dependent on what people tell them?” I hear you ask.
Yes of course, but you have a means for testing how comprehensive a picture you are being given. For example, you can ask functional leaders to walk you through their risk management plan and mitigations. You can review the Enterprise Risk Register at board level periodically. You can ask for third party expert reviews and audit for completeness across all key business activities to give you confidence that the important things have been identified.
And it’s not all about the downside
I’ve said here that ERM is the director’s friend, and clearly from a “Hierarchy of Worry” perspective that is the case. In fact, risk management is a useful tool for all leaders in a business – I know I’ve certainly used it to tackle projects that looked pretty intimidating at the outset. An important thing to keep in mind is that risk and opportunity are the opposite sides of the same coin, and in a dynamic and often disrupted marketplace, the businesses best able to take calculated risks can see and exploit growth opportunities that less mature organisations may not. In this sense ERM can help directors perform one of their key roles – to make strategic decisions that take the business forward. ERM can therefore be a very useful tool for helping maximise upside, as well as to mitigate downside business impact.
Thanks for reading! I’ve described the “Hierarchy of Worry” and a means for working out what should be in it, look out for my next articles which will concentrate on some of the key business risks of the day.