Over the last 15 years I have implemented risk management in hundreds of organisations across Europe, Australia and the Middle East. Here is a step-by-step guide to how I actually did it. It may not work every time and some decision makers will ignore risks no matter what we do, but it did win the Best ERM implementation awards in Europe and US in 2021 and 2014 :)))
A. Despite the fact that risk management is a decision-making tool, you should probably get Risk Management 1 sorted first, to keep the auditors, rating agencies and regulators at bay. It’s RM1, so keep it as simple and as quick as possible; this is less than 10% of the overall effort.
Auditors love asking for policies and procedures, so give them what they want and make it pretty
A1. Develop a short risk management policy structured around ISO31000 principles – this one is very easy, just follow the steps below:
- take existing corporate policy template
- take the principles from ISO31000:2018
- build a policy around the principles, keep it short. I think I have an example on my download page.
A2. Develop a very basic risk management framework document, aligned with ISO31000 – same as above, use the ISO31000:2019 to develop a framework document. Stick to the text of the standard as closely as possible, don’t reinvent the wheel. Borrow some good sentences from COSO: ERM 2017 as well, just for fun. Claim that the document is aligned with both. Auditors love that.
A3. Identify and fulfil any other regulatory or shareholder requirement regarding risk management – this is also an important step, as many industries have additional risk management requirements. Make sure you have addressed them all when drafting the policy and framework documents.
Apparently organisations should have a risk appetite and a risk profile, so do it as well. It’s not real, but will win some brownie points with the stakeholders.
A4. Develop a high-level risk profile, linking key risks to strategic objectives – this is basically a colourful risk register. You can talk to some of the key decision makers, but you really don’t have to. Competitor 10K reports and sample risk registers like the one I have will do the job.
A5. Document risk appetite – did you notice how I put risk appetite after risk profile? This is just to show that RM1 is just window dressing, it doesn’t matter how you do it, it’s not real. If you don’t believe me that it’s not real, allow Grant Purdy, one of the creators of the AS/NZS 4360 and ISO31000, to share his sobering views. This is a must-watch for all risk managers. Jack Jones, Chairman, The FAIR Institute, also has a compelling case why RM1 is a waste of time, but still necessary unfortunately.
Documenting risk appetite is super simple:
- review existing Board level policies
- identify any corporate or regulatory limits, for example investment deals above 1B can only be approved by the Board, that’s a limit. Or zero tolerance on safety incidents, AML or bribery, those are also limits. Financial delegations are also limits.
- collect all existing limits and put them into a single document. Call it risk appetite statement. Laminate it and use colours to show auditors you are serious about it.
Congratulations, now you have a nifty package to take to rating agencies, insurance companies and banks. This RM1 documentation will allow your company to improve credit rating, get cheaper financing from the banks and get lower premiums from the insurance companies. The amount of money saved by just doing RM1 will cover risk team salaries for the next 5 years at least.
B. OK, now it’s time to do some real Risk Management 2 (RM2)
When implementing RM2 start with the key decisions
B6. Develop a specific risk analysis methodology for each key decision type – the organisation should implement risk management by:
- identifying where, when and how different types of decisions are made across the organisation, and by whom;
- modifying the applicable decision-making processes where necessary by applying some risk analysis techniques to the actual decision-making process. This will help decision makers make informed and intelligent decisions based on proper risk analysis. Which techniques work and which don’t? I have an article on that.
- ensuring that the organisation’s arrangements for managing risk are clearly understood and practised.
B7. Provide tools to the decision makers or perform risk analysis on key decisions yourself – this is an important step: decide whether the risk team will become a methodology and monitoring centre, with the actual risk analysis performed by decision makers, or whether the risk team will become the analysis support centre and perform all risk analysis themselves, giving the decision makers just the outputs. It’s a complex decision. If the decision makers are not mature, don’t have strong quant skills and are very biased, then the risk team must become the analysis support centre and perform all risk analysis. Here it is important to work with internal auditors to make sure risk analysis quality is sufficient to support decision making.
This is pretty basic stuff but if decision science is new to you, I recommend reading good books that had all the answers for the last 10+ years.
Next step is to integrate risk analysis into planning and budgeting
B8. Change the way uncertainty is accounted for during planning by moving away from single point estimates to ranges. Sam Savage, Executive Director of ProbabilityManagement.org, author of the Flaw of Averages – Why we Underestimate Risk in the Face of Uncertainty, Adjunct Professor in Stanford University’s School of Engineering and a Fellow of the Judge Business School at Cambridge University, will describe this better than I ever could. Make sure you watch his workshop. It’s free, but places are limited.
B9. Replace traditional scenarios run by finance with more sophisticated risk modelling. How? Allow Hans Læssøe, ex-LEGO Group’s Strategic Risk Management, to share his story.
Next step is to integrate risk analysis into KPIs and performance management
B10. Use simulations to change how KPIs and performance targets are calculated and how performance against them is measured. Sam Savage has some very interesting examples for you. So does Brian Putt, Chevron’s decision support for over 25 years.
C. Implementing risk management 2 is as much about culture as it is about process
It is important to make sure roles and responsibilities reflect risk-based decision making
C11. Update existing position descriptions to include responsibility for risk-based decision making, planning and performance management
C12. Update existing committee charters to include responsibility for risk-based decision making, planning and performance management
Most staff do not have risk management training and are unable to adequately consider uncertainty when making decisions
C13. Provide risk-based thinking training to decision makers. I have numerous courses for that online and offline at https://riskacademy.blog.
C14. Include risk management competencies into existing business training programs. Over the years I have discovered that it is actually much better to make every training course that the HR department runs a little bit risk-based than to do a standalone big risk training.
Need to establish clear communication channels
Here are some ideas:
- C15. Set up and become a secretary for the Risk Committee
- C16. Present risk related topics at every corporate speaking opportunity
- C17. Include risk management topics on the meeting agendas
- C18. Write risk management speeches for executives at every opportunity
- C19. Participate in corporate events and run own risk competitions
It is important to provide transparency through disclosure as well
- C20. Disclose information about risk-based decision making in the annual report
- C21. Disclose information about risk-based decision making on the corporate intranet
- C22. Disclose information about risk-based decision making on the corporate website
D. Last thing is to develop the risk management team itself
Risk management requires special competencies
- D23. Develop quantitative skills
- D24. Develop soft skills
- D25. Develop a strong understanding of the nature of the business and the specifics of decision making within the organisation.
Risk management 2 requires tools beyond common GRC systems
- D26. Invest in proper modelling tools. There are plenty of RM2 systems on the market and some are actually amazing.
- D27. Automate RM1 if possible. While most GRC/ERM products are a waste of time, they help automate RM1 and reduce the amount of time spent on meaningless risk reports. The reports don’t stop being meaningless, but more time can be allocated to RM2 activities.
Networking should be a big part of team development
- D28. At every opportunity meet and exchange ideas with other global risk managers
- D29. Quickly separate RM1 from RM2 risk experts. Spend your time interacting with RM2 risk managers and experts, don’t waste time on RM1 gurus. I have a whole list of RM2 experts.
30. Have fun and if you are not having fun doing the above, if the management is blocking any attempt to improve decision making, start looking for a new job. Seriously, your current company is probably a swamp and you don’t want to be a part of it in the long term. Good risk managers don’t resign but they get fired by mutual consent, that way you get 3-6 months compensation, which is always nice :))