
Successful Security, Risk and Control Programs

from DelCreo, Inc., an Enterprise Risk Management Company

DelCreo Enterprise Risk Management Framework Part II

Strategic planning is an area that I believe to be critical for the success of all security, risk and control managers. Details on our new Strategic Planning workshop are available at http://www.delcreo.com/delcreo/education_training/stratplan.cfm

In November, I wrote about the DelCreo Framework for Enterprise Risk Management, and detailed half of this approach. This month (where did the December Newsletter go? - too much Christmas shopping!) I have detailed the second half of this framework. You can download a copy of this framework from the DelCreo website at http://www.delcreo.com/delcreo/free/docs/ERM%20Framework.ppt

ENTERPRISE RISK MANAGEMENT CAPABILITIES

Many risk assessments focus completely on identifying risks and potential exposures, and neglect a review of the capability of the organization to manage the risks. I believe that the most effective risk assessments identify, classify and articulate the likelihood/impact of risks, and then address the current ability of the organization to manage those risks.

Many components can make up the risk management capability; some of the key elements are discussed below:

Risk Functions

Various risk management functions must participate, exchange information and processes, and cooperate on risk mitigation activities to fully implement an ERM capability. Some of these risk management functions might include:

- Business Continuity Planning
- Internal Audit
- Insurance
- Crisis Management
- Privacy
- Physical Security
- Legal
- Information Security
- Credit Risk Management

Any enterprise risk management assessment should include a review of the interactions, sharing of information, collaborative approach to managing risk, etc. that exists among the various risk management functions. Optimize magazine has recently had several excellent articles about enterprise risk management. One item recently grabbed my attention: in a recent survey conducted by Optimize, 40% of the companies that participated in the survey identified the CIO as the executive most likely to own Enterprise Risk Management in their organization! (Optimize, January, 2004, p. 67). For more details and analysis on this article, see my blog at http://www.delcreo.com/delcreo/about_delcreo/delcreo_blog.html

In the last article, we briefly addressed risk appetite. DelCreo has researched and developed a method over the past seven years that many clients have used to successfully develop and define risk appetite. Using this method, the risk appetite is then used across the various risk management functions, allows your risk appetite to cascade down into (and across) the organization, and becomes a critical link in operationalizing a concept that heretofore has been very nebulous. For more details, please contact me at [email protected].

Risk Management Processes

Effective risk management processes can be used across a wide range of risk management activities, and include the following:

- Risk Strategy and Appetite
  - Define risk strategy and program.
  - Define risk appetite.
  - Determine treatment approach.
  - Establish risk policies, procedures, and standards.
- Assess Risk
  - Identify and understand value and risk drivers.
  - Categorize risk within the business risk framework.
  - Identify methods to measure risk.
  - Measure risk.
  - Assemble risk profile and compare to risk appetite and capability.
- Treat Risk
  - Identify appropriate risk treatment methods.
  - Implement risk treatment methods.
  - Measure and assess residual risk.
- Monitor and Report
  - Continuously monitor risks.
  - Continuously monitor risk management program and capabilities.
  - Report on risks and effectiveness of risk management program and capabilities.

Although the risk management process is relatively easy to understand, very few organizations have formally documented and implemented a risk management process that is used across the organization.

Organization

The Chief Risk Officer (CRO), Enterprise Risk Manager or even an Enterprise Risk Committee may manage the enterprise risk management activities. Their duties would typically include:

- Provide risk management program leadership, strategy and implementation direction.
- Develop risk classification and measurement systems.
- Develop and implement escalation metrics and triggers (events, incidents, crises, operations, etc.).
- Develop and deliver organization-wide risk management training.
- Coordinate risk management activities - some functions may report to the CRO, while others will be coordinated.

Culture

Creating and maintaining an effective risk management culture is very difficult. Special consideration should be given to the following areas:

Knowledge Management - Institutional knowledge about risks, how they are managed, and experiences by other business units should be effectively captured and shared with relevant peers and risk managers. My experience in helping clients develop and implement online knowledge management systems has shown the potential benefit of knowledge management efforts:

- Reduce the risk profile through the enhanced risk identification and management capability
- Decrease the total cost of risk
- Develop and deploy risk assessment tools globally
- Enable the company to capture risk assessment information continuously
- Allow users to access complex risk modeling and forecasting tools through simple web-based interfaces and applications
- Become the universal starting point for all users as they look for risk related tools, people resources and knowledge

(For more details, see http://www.delcreo.com/delcreo/services_products/riskweb.cfm )

Metrics - The accurate and timely collection of metrics is critical to the success of the risk management program. Effort should be made to connect the risk management programs to the Balanced Scorecard, EVA, or other business management/metrics systems.

The balanced scorecard is a management system (not only a measurement system) that enables organizations to clarify their vision and strategy and translate them into action. It provides feedback around both the internal business processes and external outcomes in order to continuously improve strategic performance and results. When fully deployed, the balanced scorecard transforms strategic planning from an academic exercise into the reality of organizational measurement processes. (Robert S. Kaplan and David P. Norton's new book, Strategy Maps: Converting Intangible Assets into Tangible Outcomes, is an excellent reference guide for this topic.)

EVA (Economic Value Added) is net operating profit minus an appropriate charge for the opportunity cost of all capital invested in an enterprise. As such, EVA is an estimate of true "economic" profit, or the amount by which earnings exceed or fall short of the required minimum rate of return that shareholders and lenders could get by investing in other securities of comparable risk. Stern Stewart developed EVA to help managers incorporate two basic principles of finance into their decision making. The first is that the primary financial objective of any company should be to maximize the wealth of its shareholders. The second is that the value of a company depends on the extent to which investors expect future profits to exceed or fall short of the cost of capital. (Source: http://www.sternstewart.com/evaabout/whatis.php )

Training - Effective training programs are necessary to ensure that risk management programs are effectively integrated into regular business processes. For example, strategic planners, responsible for the strategic planning process, will need constant reinforcement regarding the risk assessment processes. (For more information on training, see http://www.delcreo.com/delcreo/education_training/proeducation.cfm )

Communication - Frequent and consistent communications around the purpose, success, and cost of the risk management program are a necessity to maintain management support and to continually garner the necessary participation of managers and line personnel in the ongoing risk management program.

Tools - Appropriate tools should be evaluated, purchased or developed to enhance the effectiveness of the risk management capability. Many commercial tools are available and their utility across a range of risk management activities should be considered. Quality information about risks is generally difficult to obtain and care should be exercised to ensure that information gathered by one risk function can be effectively shared with other programs. For example, tools used to conduct the business impact assessment should facilitate the sharing of risk data with the insurance program. (For more information on our tools, see http://www.delcreo.com/delcreo/services_products/tools_technology.cfm )

Enterprisewide Integration

ERM and other related security, risk and control programs should effectively collaborate across the enterprise and should have a direct connection to the strategic planning process, as well as to the critical projects, initiatives, business units, functions, etc. Broad, comprehensive integration of risk management programs across the organization generally leads to more effective and efficient programs.

Risk Attributes

Risk attributes relate to the ability or sophistication of the organization to understand the characteristics of specific risks, including their lifecycle, how they act individually or in a portfolio, and other qualitative or quantitative characteristics.

Lifecycle - Has the risk been understood throughout its lifecycle, and have appropriate risk strategies been developed and implemented before the risk occurs, during the risk occurrence, and after the risk occurs? Achieving the optimal balance between risk and the cost of managing risk is only possible if the lifecycle of the risk is well understood and risk strategies and treatments are appropriately applied.

Individual and Portfolio - The most sophisticated organizations will look at each risk individually, as well as in aggregate or in portfolio. Viewing risks in a portfolio can help identify risks that are natural hedges against each other, and risks that amplify each other. Knowledge of how risks interact as a portfolio can increase the ability of the organization to effectively manage the risks at the most reasonable cost.

Qualitative and Quantitative - Most organizations will progress from being able to qualitatively assess risks to being able to quantify risks. In general, the more quantifiable the information about the risk, the more treatment options are available to the organization.
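The assess / treat / monitor steps of the risk management process above, and the individual-versus-portfolio view of this section, can be made concrete with a small risk register. The code below is an added illustration written for this page; it is not DelCreo's method or tooling. The 1-5 ordinal scales, the appetite threshold of 9, the sample risks, the owning functions (including "Treasury", which is not in the list above) and the interaction factors are all constructed assumptions, chosen only so the example runs offline.

```python
"""Toy risk register: measure, compare to appetite, treat, and view as a portfolio.

Added example for this page, not DelCreo's method. All scales, thresholds and
sample risks are constructed.
"""
from dataclasses import dataclass, replace

# Assumption: 1-5 ordinal scales; the newsletter prescribes no particular scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    function: str                 # owning risk function (Information Security, Privacy, ...)
    likelihood: str               # key of LIKELIHOOD
    impact: str                   # key of IMPACT
    control_effectiveness: float = 0.0  # 0..1 share of inherent exposure removed by treatment

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.name}: unknown likelihood/impact rating")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be within [0, 1]")

    @property
    def inherent(self) -> int:
        """Measure risk: likelihood x impact before any treatment."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def residual(self) -> float:
        """Residual risk after the current treatment."""
        return self.inherent * (1.0 - self.control_effectiveness)


def treat(risk: Risk, control_effectiveness: float) -> Risk:
    """Apply a treatment and return the treated risk; residual is recomputed."""
    return replace(risk, control_effectiveness=control_effectiveness)


def risk_profile(risks, appetite):
    """Assemble the profile: each risk compared to the appetite, worst residual first.
    Returns rows of (name, inherent, residual, within_appetite)."""
    rows = [(r.name, r.inherent, r.residual, r.residual <= appetite) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def outside_appetite(risks, appetite):
    """Names of risks whose residual exposure still exceeds the appetite."""
    return [r.name for r in risks if r.residual > appetite]


def portfolio_exposure(risks, interactions):
    """Portfolio view: sum of residuals adjusted for pairwise interactions.
    interactions maps (name_a, name_b) to a factor: positive means the two
    amplify each other, negative means a natural hedge.  The adjustment is
    factor * min(residual_a, residual_b), so a hedge never removes more than
    the smaller of the two exposures."""
    by_name = {r.name: r.residual for r in risks}
    total = sum(by_name.values())
    for (a, b), factor in interactions.items():
        total += factor * min(by_name[a], by_name[b])
    return total


# Constructed sample register (inherent ratings before treatment).
SAMPLE_RISKS = [
    Risk("Ransomware outage", "Information Security", "likely", "major"),       # 16
    Risk("Privacy breach fine", "Privacy", "possible", "severe"),               # 15
    Risk("Data center flood", "Business Continuity Planning", "unlikely", "severe"),  # 10
    Risk("EUR revenue FX loss", "Treasury", "likely", "minor"),                 # 8
    Risk("EUR cost FX loss", "Treasury", "likely", "minor"),                    # 8
]
APPETITE = 9  # constructed threshold on the same 1-25 scale

# Treat the two largest risks; the flood is left untreated on purpose.
TREATED = [treat(SAMPLE_RISKS[0], 0.5), treat(SAMPLE_RISKS[1], 0.6)] + SAMPLE_RISKS[2:]

# Constructed interactions: a breach drives both the outage and the fine (amplify);
# opposite-sided FX exposures offset each other (natural hedge).
INTERACTIONS = {
    ("Ransomware outage", "Privacy breach fine"): 0.5,
    ("EUR revenue FX loss", "EUR cost FX loss"): -1.0,
}

if __name__ == "__main__":
    for name, inherent, residual, ok in risk_profile(TREATED, APPETITE):
        print(f"{name:24s} inherent={inherent:2d} residual={residual:4.1f} within_appetite={ok}")
    print("outside appetite:", outside_appetite(TREATED, APPETITE))
    print("portfolio exposure:", portfolio_exposure(TREATED, INTERACTIONS))
```

Running the block shows the point the section makes: individually only the untreated flood exceeds the appetite, while the portfolio figure is lower than the plain sum of residuals because the two FX exposures hedge each other, and higher than it would be without the ransomware/privacy coupling.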

Risk Functions, Risk Management Process, Organization, Culture, Tools, Enterprise-wide Integration and Risk Attributes are some of the most common elements of understanding your risk management capability. Other elements exist and may be more or less relevant depending on industry, geography, etc. Many people have struggled with the challenge of clearly defining what enterprise risk management is. I believe that clearly defining the capability elements of enterprise risk management is the key to understanding it. As this discipline evolves, DelCreo will continue to define and explore the most important capability components of enterprise risk management.

Please see more on “ERM Framework” in the Risk Strategies That Work Section below.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DelCreo is an (ISC)² Authorized Training Partner

Register now for high quality, cost-effective training that really packs a punch! Upcoming DelCreo Professional Education courses:

Date                  Topic                                   Location

Feb. 17-18, 2004      CRISIS AND INCIDENT MANAGEMENT          Dallas, TX
    http://www.delcreo.com/delcreo/education_training/incidentmgt21704Dallas.cfm

Feb. 19-20, 2004      RoI FOR INFORMATION SECURITY            Houston, TX
    http://www.delcreo.com/delcreo/education_training/inofsecroi21904Houston.cfm

Feb. 23-24, 2004      BUILDING COMPLIANCE-BASED AWARENESS     Las Vegas, NV
    http://www.delcreo.com/delcreo/education_training/compliance22304Vegas.cfm

Feb. 25, 2004         BCP METRICS - MANAGING A BCP PROGRAM    San Jose, CA
    http://www.delcreo.com/delcreo/education_training/bcpmetrics22504SanJose.cfm

Feb. 26, 2004         STRATEGIC PLANNING                      San Jose, CA
    http://www.delcreo.com/delcreo/education_training/stratplan22604SanJose.cfm

Mar. 9-10, 2004       RAPID RISK ASSESSMENT WORKSHOP          Dallas, TX
    http://www.delcreo.com/delcreo/education_training/rapidrisk3904Dallas.cfm

Mar. 11, 2004         BCP METRICS - MANAGING A BCP PROGRAM    Dallas, TX
    http://www.delcreo.com/delcreo/education_training/bcpmetrics31104Dallas.cfm

Mar. 16, 2004         STRATEGIC PLANNING                      Chicago, IL
    http://www.delcreo.com/delcreo/education_training/stratplan31604Chicago.cfm

Mar. 17-18, 2004      BUILDING COMPLIANCE-BASED AWARENESS     Atlanta, GA
    http://www.delcreo.com/delcreo/education_training/compliance31704Atlanta.cfm

Mar. 31-Apr. 1, 2004  CRISIS AND INCIDENT MANAGEMENT          Cleveland, OH
    http://www.delcreo.com/delcreo/education_training/incidentmgt33104ClevOH.cfm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Risk Strategies That Work on “ERM Framework”

- Risk assessments should identify and understand risks as well as the organization's ability to manage risk.
- Develop and articulate your organization's risk appetite; this is a key element of an effective ERM approach.
- Create an ERM Council/Committee, even if it is ad hoc and, in the beginning, you are the only one driving the show.
- Attempt to document/develop the roles and responsibilities of the various risk management related organizations, how you will collaborate, share information, etc. How will the most common risks be handled? Get agreement among the key players.
- Any enterprise risk management assessment should include a review of the interactions, sharing of information, collaborative approach to managing risk, etc. that exists among the various risk management functions.
- Understand the lifecycle aspects of key risks. Develop risk strategies that address the most critical risks before, during and after they occur.

**********************************************************************************

DelCreo, Inc.

An Enterprise Risk Management Company

“Helping Risk Professionals Develop and Rollout Successful Risk Programs”


U.S./Toll-free: 866.DELCREO International: 001/801.756.4180 www.delcreo.com [email protected]

© 2003 DelCreo, Inc. All rights reserved. You are free to use material from the Successful Risk Programs eZine in whole or in part, as long as you include the following complete attribution, including live website link.

"By DelCreo, Inc. - An Enterprise Risk Management Company. Please visit DelCreo's website at www.delcreo.com for additional risk articles, resources, tools, and services for Risk Professionals on how to develop and rollout successful risk programs."

**********************************************************************************

To unsubscribe or change subscriber options visit: http://www.aweber.com/z/r/?TAyMLCyMtMysDOxsDEyM
