Upload
shyann-denman
View
215
Download
1
Embed Size (px)
Citation preview
Not to be reproduced without permission.
Moving from Risk Assessments to Action
Enterprise Risk Management Workshop
September 20, 2010
Canadian Healthcare Risk Management Network
Leslie ThompsonPresidentLESRISK
Diana Del Bel BelluzPresident
Risk Wise Inc.
Agenda
2:00 Overview, Goals, and Introductions
2:10 PART 1:
Why a framework isn’t enough.
2:20 Why you can’t implement ERM with a memo.
2:30 PART 2:
Catalysts for inspiring appropriate risk management action
2:45 Group discussion
3:15 PART 3:
Applying change design to ERM Implementation
3:30 Group exercise
3:55 Closing Thoughts
Not to be reproduced without permission. 2
Agenda
2:00 Overview, Goals, and Introductions
2:10 PART 1:
Why a framework isn’t enough.
2:20 Why you can’t implement ERM with a memo.
2:30 PART 2:
Catalysts for inspiring appropriate risk management action
2:45 Group discussion
3:15 PART 3:
Applying change design to ERM Implementation
3:30 Group exercise
3:55 Closing Thoughts
Not to be reproduced without permission. 3
Not to be reproduced without permission.
TypicalRisk Decision-making Model
Source: ISO 31000
Not to be reproduced without permission.
Main challenges of a ‘Risk Decision Model’ approach to ERM …
1. The model leads to a focus on individual enterprise risks in isolation that precludes a portfolio view of risk.
2. The model focuses on risk reduction, which drives risk aversion rather than reinforcing appropriate risk-taking behaviour.
3. The model fails to recognize that implementing ERM is an exercise in organizational development, making it difficult for ERM to gain traction.
Not to be reproduced without permission.
ISO 31000 (but only to the Risk Decision Model)introduces the concept of Continual Improvement
Not to be reproduced without permission.
“Experience is inevitable. Learning is not.” - Paul J. H. Shoemaker
Successful ERM requires:1. An organizational Learning Framework to
guide
2. Systematic development of ERM capabilities, i.e., change management approach
•7
Not to be reproduced without permission.
The Risk Wise ERM Implementation Process (geared to organizational learning)
1. Define ERM context and criteria
2. Assess risk and implications for performance
4. Close the ‘Learning Loop’
3. Integrate ERM into business practices
Not to be reproduced without permission.
ERM Best Practices: A Capabilities & Performance Perspective
• Structural capital (structures & processes) Establishing structures that clarify accountabilities Building consideration of risk-taking and risk management into
business processes Developing and implementing control strategies for significant
enterprise risks• Human capital (knowledge, skills and culture)
Developing ERM know-how Cultivating an ERM mindset
• Risk Intelligence capital (information flow) Supplying risk information that is relevant & timely Applying risk information (risk awareness and effectiveness) to:
Engage in candid discussions about risks (priorities) Engage the board as well as staff to align resources (risk and resource
optimization and organizational learning)
The ERM Journey takes time… Hypothetical of Evolution of ERM
Learn &
Adapt
Learn &
Adapt
Learn &
Adapt
Learn &
Adapt
Learn &
Adapt
Agenda
2:00 Overview, Goals, and Introductions
2:10 PART 1:
Why a framework isn’t enough.
2:20 Why you can’t implement ERM with a memo.
2:30 PART 2:
Catalysts for inspiring appropriate risk management action
2:45 Group discussion
3:15 PART 3:
Applying change design to ERM Implementation
3:30 Group exercise
3:55 Closing Thoughts
Not to be reproduced without permission. 11
Not to be reproduced without permission.
Why you can’t implement ERM with a memo
• It’s about people:– How work is done– What the “workers/people” believe and feel about their efficiency and
effectiveness– What the people of the organization believe about making decisions
under conditions of uncertainty
• Organizational incongruencies:– Example: how people are rewarded– Example: Who leads? How do they lead?
• Doesn’t Build Risk Aware Judgement:– Balancing risk intelligence with effective risk decisions
• Other reasons?
Not to be reproduced without permission.
Balancing risk the quality of risk information and the effectiveness of risk decisions with the objectives for
your ERM program- where do you want to be?
Eff
ecti
ven
ess
of
Ris
k D
ecis
ion
s
Quality of Informationlow high
high
Risk - Aware Judgment
Risk Intelligence
?
?
Not to be reproduced without permission.
Building the Foundation for
Commitment
Getting Agreement and Setting Direction
CheckPoint
MakingChanges
Keeping It Going
CheckPoint
CheckPoint
The change management process: a tool for successful ERM implementation
Source: Dr. Harvey Kolodny,Rotman School of Management
Agenda
2:00 Overview, Goals, and Introductions
2:10 PART 1:
Why a framework isn’t enough.
2:20 Why you can’t implement ERM with a memo.
2:30 PART 2:
Catalysts* for inspiring appropriate risk management action
2:45 Group discussion
3:15 PART 3:
Applying change design to ERM Implementation
3:30 Group exercise
3:55 Closing Thoughts
Not to be reproduced without permission. 15* See Nov-Dec 2008 issue of Risk Management Made Simple Advisory for article: “4 Catalysts to Embed Risk Management Culture”
CATALYST #1: Establish Clarity Around Objectives, Strategies, Roles and Responsibilities
• Having a strategic goal and measurable objectives is fundamental to enterprise risk management.
• Be explicit about what needs to be accomplished, how, by when, and who is responsible for what. – What are the things that need to be in place for success?– What are the milestones that would let us know when we’ve
achieved success?– What is the strategic path to get to each milestone?
• ASK YOURSELF: Does my organization have clear strategic objectives with explicit measurable milestones?
Not to be reproduced without permission.
CATALYST #2: Articulate Risk Appetite & Tolerance
• Risk appetite and tolerance set important goal posts for appropriate risk taking.
• Determine criteria for decision-making before embarking on the process of assessing and weighing decision alternatives.
• ASK YOURSELF: Has my organization articulated its risk appetite and tolerance?
Not to be reproduced without permission.
Risk Appetite vs. Risk Tolerance
• Executives don't end up in the news or in jail merely because they took a risk. They end up there for not managing their business risks properly.
• We expect our leaders to take appropriate decisions that balance upside and downside elements of risk:
upside risk (benefit/opportunity) ≥ risk (threat) + cost• Risk Appetite: the size of 'bet' the organization is willing to take to
achieve it's objectives. It needs to be commensurate with goals and capabilities.– A clear Risk Appetite is necessary to determine appropriate
goals and strategic direction. • Risk Tolerance: the margin by which the organization is willing to
accept either over- or under-shooting its objectives. – A clear Risk Tolerance is critical for resource allocation
decisions
Not to be reproduced without permission.
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
0%
Zone of Risk Tolerance
for ‘customer
satisfaction with service quality’
An example - the Zone of Risk Tolerance
• A firm may have a strategic goal to have an average customer satisfaction rating of 85% (its Risk Appetite).
• Operationally, it is prepared to accept ratings in the range of 75% to 90% (its limits of Risk Tolerance)
Why are some executives reluctant to articulate their risk appetite & tolerance? *
Not to be reproduced without permission.
1. They mistakenly believe that if they don't formally commit to a tolerable level of risk then they can't be held accountable for setting it incorrectly.
2. They don't know how to go about articulating risk appetite and tolerance.
* See March 2008 issue of Risk Management Made Simple Advisory for article: “The Tricks to Tolerance”
CATALYST #3: Use Risk Intelligence to Drive Excellent Performance
• Risk and performance are linked.
• Develop an understanding of the relationship between the drivers of your performance and your risk. It enables you to anticipate the future and gives you more time to think, plan and innovate *.
• Ultimately, you’ll experience fewer downside risk events and be able to exploit more upside risks.
• ASK YOURSELF: Has my organization linked its risk and performance indicators?
Not to be reproduced without permission.
* See Risk Management Made Simple Advisory ‘New Subscriber Bonus’ for how to map the link between drivers of risk & performance.
* See June 2008 issue of Risk Management Made Simple Advisory for article: “The Anticipation Advantage”
CATALYST #4: Foster Dissent and Inquiry (part 1)
For a risk assessment process to be effective, it must bring to the surface all critical information for the decision at hand. This can’t be achieved if the organization has a culture of silence in which people are afraid to speak the truth. …
Not to be reproduced without permission.
Executive decisions “are made well only if based on the clash of conflicting views, the
dialogue between different points of view, the choice between different
judgments.”
Peter Drucker
‘Decision-makers need to foster conflict and dissent to
ensure that the course of action selected enables the organization to achieve its
performance objectives in a way that optimizes resources and balances risk better than
all other plausible alternatives.’
Michael Roberto
‘Great companies continually
refine the path to greatness by
confronting the brutal facts of reality.’
Jim Collins
CATALYST #4: Foster Dissent and Inquiry (part 2)
• One of the biggest contributions you can make is to question how well your organization’s risk estimates reflect its particular reality. – Is your risk estimate accurate?– Is your risk estimate based on high-quality information?– Is your risk estimate relevant? – Is your risk estimation process objective?– Is the risk estimation model built on solid assumptions?
• Initial assessments of risks may have to be based on opinion. However, transition as quickly as possible to evidence-based measures. It is only way to distinguish between valid and invalid assumptions and guard against willful blindness.
• ASK YOURSELF: Does my organization foster dissent and inquiry in its strategic decision-making? Can the truth be heard?
Not to be reproduced without permission.
Group Discussion
• Break into groups of 3. Each group to focus on 1 catalyst• Task 1: Each individual takes 1 minute to jot down their
answer to the question: “Have you applied this catalyst in your organization? (No / Partially / Fully)”
• Task 2: In your group, take 3 minutes each to discuss:– If your answer is “No” or “Partially”:
• Tell the group the main barrier/challenge that is preventing you from fully applying the catalyst.
• Ask the other members of your break-out group for advice on how you might overcome your main challenge.
– If your answer is “Fully”:• Share with the group your lessons learned and pointers based on
your experience.
• Be prepared to share key insights with the other break-out groups.
Not to be reproduced without permission.
Pick your catalyst…
• CATALYST #1: Establish Clarity Around Objectives, Strategies, Roles and Responsibilities
• CATALYST #2: Articulate Risk Appetite & Tolerance
• CATALYST #3: Use Risk Intelligence to Drive Excellent Performance
• CATALYST #4: Foster Dissent and Inquiry
Not to be reproduced without permission.
Agenda
2:00 Overview, Goals, and Introductions
2:10 PART 1:
Why a framework isn’t enough.
2:20 Why you can’t implement ERM with a memo.
2:30 PART 2:
Catalysts for inspiring appropriate risk management action
2:45 Group discussion
3:15 PART 3:
Applying change design to ERM Implementation
3:30 Group exercise
3:55 Closing Thoughts
Not to be reproduced without permission. 26
Not to be reproduced without permission.
Building the Foundation for
Commitment
Getting Agreement and Setting Direction
CheckPoint
MakingChanges
Keeping It Going
CheckPoint
CheckPoint
Where is your organization in the change management process?
Source: Dr. Harvey Kolodny,Rotman School of Management
Not to be reproduced without permission.
InterventionChange Management Action
Understand the need for change
Enlist a core change team
Develop vision and strategy
Create a sense of urgency
Communicate the Vision
Act: Implement the vision
Consolidate the Change
Align and build congruence
.
Building the
Foundation for
Commitment
Getting Agreement
& Setting Direction
Making Changes
Keeping it going
?
ERM Implementation – designing the change
Not to be reproduced without permission.
• LEARN as much as you can about both the benefits of ERM and how other groups have implemented it
• Evaluate your organization’s capacity and capabilities
• Diagnose organizational support and incongruencies
• Secure leadership support:
– Identify allies, influencers and resisters
– Engage an executive ERM champion
– Engage board or trustee support for the strategic benefits of ERM
• Develop an ERM function or task force
• Involve all organizational silos in the development of your own ERM framework, and definitions
• Promote a common language
• Establish feedback loops and check-in
Stage 1: How do you build support for ERM?
Lesl
ie T
hom
pson
, 201
0
Not to be reproduced without permission.
1. Each participant group chooses a spokesperson.
2. Task 1: In your groups review the change design map and
develop a list of change interventions consistent with the
objectives of the change management stage assigned to
your group:
• Stage 1: Building a foundation for commitment, or
• Stage 2: Getting agreement and setting direction, or
• Stage 3: Making changes, or
• Stage 4: Keeping the changes going
3. Task 2: Discuss at what stage your organization is in ERM
implementation and whether any of the suggested
interventions might work for you
4. We will pool our suggestions after 10 minutes and discuss
task 2.
Small Group Exercise
Le
slie
Tho
mps
on, 2
010
Not to be reproduced without permission.
Some InterventionsUnderstand the need for change
Enlist a core change team
Develop vision and strategy
Create a sense of urgency
Communicate the Vision
Act: Implement the vision
Consolidate the Change
Align and build congruence
Getting Agreement
& Setting Direction
Making Changes
Keeping it going
ERM Implementation – designing the change
• Learn about ERM• Learn about ERM in your organization• Evaluated ERM capacity & capability• Develop an ERM task force• Secure leadership support
• Learn about ERM• Learn about ERM in your organization• Evaluated ERM capacity & capability• Develop an ERM task force• Secure leadership support
• Customize the ERM process• Define terms and risk categories• Communicate. Leaders show support• Framework development • Training
• Customize the ERM process• Define terms and risk categories• Communicate. Leaders show support• Framework development • Training
• Identify and assess risks for each dept.• Aggregate enterprise risks• Develop a risk map• Develop a risk appetite statement• Review alternative risk management strategies and take action
• Identify and assess risks for each dept.• Aggregate enterprise risks• Develop a risk map• Develop a risk appetite statement• Review alternative risk management strategies and take action
• Integrate with planning, budgeting, performance measurement
• Build infrastructure support: IT, organizational architecture
• Refine assessment methodologies• Share best practices. Celebrate
• Integrate with planning, budgeting, performance measurement
• Build infrastructure support: IT, organizational architecture
• Refine assessment methodologies• Share best practices. Celebrate
Building a Foundation for Commitment
Building a Foundation for Commitment
Agenda
2:00 Overview, Goals, and Introductions
2:10 PART 1:
Why a framework isn’t enough.
2:20 Why you can’t implement ERM with a memo.
2:30 PART 2:
Catalysts for inspiring appropriate risk management action
2:45 Group discussion
3:15 PART 3:
Applying change design to ERM Implementation
3:30 Group exercise
3:55 Closing Thoughts
Not to be reproduced without permission. 32
Not to be reproduced without permission.
Questions and Conclusions
Leslie Thompson MBA, MFA, FSCI, CMC, ICD.DLESRISK(416) [email protected]
Diana Del Bel Belluz M.A.Sc., P.Eng.
Risk Wise Inc.(416) [email protected]