Risk Managers Gain Foothold as ERM Program Drivers

Fewer boards of directors are seen as their company’s top ERM program drivers, dropping to 26% in 2013 from 34% in 2011, according to the 2013 RIMS Enterprise Risk Management Survey, released today. This year risk managers came in as the second driver at 17%. By comparison, the second highest category in the 2011 report, which did not include risk management as an option, was “other” at 19%. Commenting on the 2011 report, Carol Fox, RIMS director of strategic & enterprise risk practice, confirmed that many respondents wrote in their comments that “other” was a risk management department initiative. “While I can’t do a direct comparison to this year’s 17%, I’d say it may be a shift as risk professionals take more of a leadership role in instituting ERM programs,” she said.

In 2011, in fact, part of the survey’s response was that “risk managers needed to take more of a leadership role with ERM. And since board leadership showed a drop [in 2013], risk managers may have taken up the slack,” she said.

Fox observed that concerns about rating agency requirements resulting from the financial crisis of 2008—that were some of the drivers for ERM in 2011—were also lower. “In 2013 ‘regulatory drivers’ for implementing ERM was 14%, dropping from 18% in 2011—so it is a shift,” she said.

What this means, she explained, is that more organizations understand the value of ERM. “It’s no longer about compliance with regulations or pressure from the rating agencies. They’re seeing the value in ERM itself.”

The board is still the largest driver, however. “That hasn’t changed, ERM is still very much top of mind for the board. As you look at the types of risk that can affect the objectives of the organization, they are mostly strategic. They are still the primary driver, but they were a higher driver in years past,” she said, adding, “This doesn’t say the board is less interested. The primary driver is the leadership role the risk professional is bringing.”

The 2013 RIMS ERM Survey was produced with Advisen LTD as a follow-up to previous surveys in 2009 and 2011. The survey is free for both RIMS members and non-members and can be downloaded from RIMS’ newly revamped Risk Knowledge library at www.rims.org/RiskKnowledge.

 

When Your Commute Becomes Derailed

Just yesterday I remarked to my husband that my train, the Hudson line, has been amazingly stable and almost always on time. Especially when you consider that there have been major derailments of the Connecticut (May 17) and the Long Island (June 17) lines of the Metropolitan Transit Authority (MTA).

I should have known better. Just when you think you can take a breather, something is bound to happen, as it did this morning. Normally I would have been listening to the news and traffic report, but I was spending some time with my puppy before rushing to the ferry station. Once there I waited, but no ferry, and the few people who were there didn’t seem to know why. Annoying.

I called my husband and asked him to drop me off at the train station across the Hudson (parking is impossible there). On the train platform, however, I quickly learned that there was a big problem—the derailment of 10 CSX garbage train cars on a narrow portion of track used by the Hudson line. There were no injuries, but that is a whole lot of cleanup, not to mention the two tracks that need to be replaced, according to the conductor I talked to. He estimated it would take at least the weekend to repair the damage.

I have to say that I was impressed with the MTA’s contingency planning. The MTA gets a lot of flack, but it’s worth mentioning that they did get it right this time. What I expected to be a nightmare of delays and standing around waiting—on one of the hottest days of the year—wasn’t bad at all. The MTA train took us to Yonkers, just north of the derailment area, where we were quickly led to waiting busses. The busses transported the train’s passengers to a large subway station where we were ushered through a special turnstile, and our train passes were honored. The subway ride took a while, since it was a local covering more than 200 blocks. But a fellow passenger gave me an idea of the subway route and at what stop I should get off. Happily, I had only a block to walk to work.

Research shows that the MTA has an enterprise risk management plan in place. I found a 93-page document online that outlines significant business processes for the MTA bus company, bridges and tunnels, individual train lines and much more. It also notes which business processes have been reviewed. Under the listing of Maintenance of Equipment for the Long Island Railroad, for example, items that have been reviewed include locomotive daily inspection and diesel locomotive periodic inspection, rolling stock inspections and equipment surveys.

From what I have read, however, some passengers last night weren’t as lucky. They were told to wait for busses which didn’t arrive. That was right after the derailment, however, and it takes some time to put a major plan into action.

So, lessons learned:

• Listen to the traffic announcements on the radio every morning

• Don’t be too complacent when things go well

• Roll with the punches, occasionally things do work out

• Take time to play with the puppy, no matter what, even if you’re a little late for work

Discussing the Value of Risk Management at the RIMS Risk Summit

Late last week, 15 of the world’s top risk managers gathered at RIMS Risk Summit 2013 steps from Wall Street at Zurich’s Manhattan offices. Paul Walker, Ph.D., CPA, from the Center for Excellence in ERM at St. John’s University’s Tobin College of Business kicked off the morning by asking “How does your boss know you’re doing ERM well?”

Even at the highest level, the challenge to communicate and demonstrate the value of risk still can impede the success of a risk management program. While those in the room with complex ERM programs seemed to have buy-in from the C-suite, others still in the process of implementing the discipline struggle with “stating their case.”

Later in the day, the conversation turned to reputation risk. A debate circled around that value proposition. Attendees agreed that any risk identification or assessment exercise that failed to include reputation risk would be deemed incomplete by leadership.

But, the question remained: “Is reputation risk a risk that needs to be managed independently or is an organization’s good reputation a by-product of managing its other risks well?”

While no real consensus was reached, Carol Fox, RIMS director of strategic and enterprise risk practice, acknowledged that discussions like that are the reason the Summit is held and the debate would be something that RIMS explores in greater detail.

At the end of the day, the Summit covered everything from best practices in identifying, assessing, reporting and monitoring risks, to steps for identifying risk appetite and risk tolerance.

So, that brings us back to the question, “how does your boss know that you’re doing ERM well?”

While it was agreed that benchmarking, case studies, data analytics and other quantitative measures are fundamental to getting ERM off the ground and proving its value, unfortunately if those options fail, sometimes risk practitioners need to wait for a good crisis or a new opportunity to showcase the extent of their ERM program and how it adds quantitative value to the organization.

ERM vs GRC: The Right Tool for the Job

What is the best way to build a birdhouse?

You may be able to use one tool with multiple functions, such as a multi-tool (a type of Swiss Army knife). However, the convenience afforded by these tools is achieved by reducing the effectiveness and efficiency for more complex projects. Most of us would rather have a tool belt with specific tools suited to the project, such as a hammer, screwdriver and utility knife. Why? Independent tools with specific uses are more powerful, more efficient and more effective at completing the tasks for which they were specifically designed. The tool belt acts as an integrator, a common platform on which the other functions are based.

ERM is the tool belt on which specific governance and compliance functions can be based. These two functions can exist independently, but when driven by risk-centric and data-grounded ERM practices, they become more efficient and effective. ERM-driven governance divisions utilize risk intelligence to promote risk awareness and attitude throughout an enterprise. ERM-driven compliance divisions utilize risk intelligence to bring all levels of enterprise into agreement with regulations, audit recommendations and corporate policies.

In today’s “risk-centric” business landscape, why is the combined approach of governance, risk and compliance (GRC) favored over ERM? GRC, like the multi-tool, has the capability to serve several functions — governance, risk management and compliance — in a holistic manner. This is meant to integrate silos and reduce redundancy, bureaucratic conflicts and work overlaps.

However, reality has shown that these benefits are rarely, if ever, realized. Real-world GRC implementations have been marred by repeated failures to anticipate or mitigate adverse risk events.

These events occur due to failures caused by the priority given to executive, governance and compliance objectives over solid risk-based business intelligence. Unable to effectively and efficiently drive a risk-centric organization, GRC is a tool weakened by its complexity.

The problems with multi-tools are the same problems faced by GRC. Most people — in this case, organizations — use only one or two tools, regardless of effectiveness or efficiency. More often than not, in current business implementations, GRC has a tendency to be driven primarily by regulations and largely bureaucratic objectives. The priority given to governance and compliance objectives over risk management has reduced the effectiveness and efficiency of ERM divisions. ERM has been demoted to an endorsement tool, one that is used to validate executive, governance and compliance processes and functions. This reversal of priorities costs organizations billions of dollars.

Don’t believe me? From the infamous Ford Pinto memo, to BP Deepwater Horizon, to the $6 billion JPMorgan debacle and most recently Hurricane Sandy, we have seen how the focus on governance and compliance above real risk has substantially increased the effect of adverse risk events. These failures point to fundamental problems within the GRC framework and its implementation.

These problems suggest:

  1. There is not enough attention paid to the exhaustive discovery of risk, how risks are connected, and how risks are integrated into all business processes, functions and strategies.
  2. If governance and compliance functions continue to be given priority over enterprise risk management, organizations can expect to pay massive penalties to cover mistakes.
  3. Third, but by no means last, truly risk-centric organizations should have a belt of effective and efficient tools, each specifically suited to a task and driven by risk intelligence.

Without addressing these points, all-too-frequent and massive failures will continue to be a factor in business environments and a continued source of material for news media outlets. These failures should be anomalies. Driven by proper ERM implementation, a successful governance and compliance function can produce effective and sustainable benefits for all stakeholders.