Tag Archives: ERM

Для тех, кто интересуется безопасным доступом к онлайн-играм, наш партнер предлагает зеркало Вавады, которое позволяет обходить любые блокировки и сохранять доступ ко всем функциям казино.

RMORSA Part 5: Risk Reporting & Communication

Posted on by

Having standardized risk assessments and well documented mitigation and monitoring activities will equip your organization with a lot of risk intelligence. The question becomes: how do you report all of this information to your board and communicate it to your commissioner in a way that demonstrates the value of your ERM program? First, risk managers must be able to demonstrate how risks across the organization roll-up to impact the board’s strategic objectives; and second, ERM functions must track key metrics to validate the effectiveness of a formalized risk management approach.

Reporting on Critical Risks

Due to the limitations of spreadsheets, risk managers often have to choose between presenting actionable data that is too granular for the board, or presenting a high level summary, such as a top 10 risk report, which lacks the context of how risk within business process activities relate to the objectives that senior leadership and the board require.  However, a common risk taxonomy allows organizations to gather risk intelligence at the business process level, and aggregate it to a high level for senior leadership.

For the top risks across the organization, often risk managers must provide the more detailed underlying data, such as which business areas are involved, their individual profile of the risk, their mitigation strategy and how the risk is being monitored.

The most commonly used method to determine top key risks is to rank risks based on the score from their assessment. This aggregate will depict which risks pose the most immediate danger to the enterprise, and should be reported on regularly. The second method uses your common language, root cause library to identify systemic risks. These are risks that have been identified by multiple departments, and may be more easily addressed with corporate wide policies or procedures rather than point solutions. And now that you have a complete and transparent mitigation library, you can publish effective controls from one department to another, reducing overlapping activities in your organization and leveraging the practices in departments that are the most effective in managing risk.

The State of ERM

When demonstrating the value of your ERM program, take a step back to evaluate just how many risks have been identified, and how well risks are being evaluated and mitigated. The common standards established by an ERM program will significantly enhance your risk identification process by allowing you to prioritize efforts to the most important risks that have the least assurance of control effectiveness.

You might find that over the past several quarters, the gap between the number of risks identified and those that have been addressed has grown. This isn’t a concern, but rather a sign that your organization has a clear path forward and is beginning to understand its entire risk universe.

You can also track your progress with the ERM guidelines outlined in the RIMS Risk Maturity Model. Providing your executives, board or commissioner with a bi-annual report on the maturity of your ERM program will show which areas you’ve improved upon and what areas need focus going forward. The model provides a repeatable process that enables internal audit to validate its quality and effectiveness. This same model also has the benefit of enabling you to benchmark your program against others in your industry, providing a transparent, third party evaluation of where your organization stands.

This concludes Steven’s series on ORSA Compliance. Looking for more ERM best practices and the latest industry trends? Subscribe to Steve’s Blog or visit www.logicmanager.com.

RMORSA Part 2: Risk Identification and Prioritization

Posted on by

The first step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) implementation, Risk Culture and Governance, lays the groundwork and defines roles for your risk management function. The second step, Risk Identification and Prioritization, defines an ongoing risk intelligence process that equips an organization with the data needed for risk based decision making.

The engine behind this process – the enterprise risk assessment – isn’t a new concept, but organizations are finding that the traditional, intuitive ideas for how to conduct risk assessments are inadequate. Too often, risk managers are interviewing process owners and collecting huge quantities of data, only to find that their top 10 risks are entirely subjective and lack any actionable component. And what good is a top 10 risk if you can’t answer the inevitable question; what are you going to do about it?

Take a Root-Cause Approach

The first and most common hurdle risk managers face is that the risks expressed by process owners are so specific to their business area that they can’t possibly be measured against the rest of the enterprise.  For example, the IT department may be struggling to find candidates with enough JavaScript experience, or the Health & Safety department might be concerned with an endless string of EPA regulations. Process owners can’t help but think in terms of their immediate environment, but you can make use of their insight by adopting a root-cause approach.

The key to this root cause approach is a common risk library, or Taxonomy, that orients the concerns of business areas to a category that you as the risk manager can take action upon. When IT says it can’t find candidates with JavaScript experience, for example, what it’s really expressing is an issue with hiring practices, just as health and safety is expressing its concern with the company’s regulatory environment.

By categorizing risks, it becomes evident when more than one business area is expressing the same concern, allowing the risk management function to identify and address systemic risks.

Use a Single Set of Criteria

When engaging a variety of business areas for risk assessments, ensure you’re using a single set of criteria. Often risk managers will begin with a monetary value that represents a critical loss, and they’ll evaluate risks based on that amount. But consider how many process owners in your organization have the financial transparency to operate off of monetary values. Chances are, the answer will be very few.

To combat the lack of financial awareness, qualitative criteria is essential for operational risk assessments. Create qualitative criteria that will apply to multiple functions. For example, a major risk—such as fraud or embezzlement—might result in a work stoppage, or result in a serious variation from an organization’s business values.

Tell a Story to Your Board and Executive Leadership

The key to any good story is not only an identifiable villain (your top 10 risks), but also a damsel in distress (your company’s strategic goals). Tying risks to strategic objectives allows you to demonstrate ORSA compliance by orienting your initiative to the executive objectives of the company. When the question is asked “why is this risk a priority?” your top 10 list won’t exist in isolation, but will be mapped back to the priorities already set by the board.

Demonstrating risk-based decision making is one of the more difficult elements of ORSA compliance, but it can be accomplished by gathering meaningful, contextual risk intelligence with well-designed risk assessments.

For more information on risk assessment best practices, download LogicManager’s complementary guide, “5 Steps for Better Risk Assessments.”

When Your Commute Becomes Derailed

Posted on by

Just yesterday I remarked to my husband that my train, the Hudson line, has been amazingly stable and almost always on time. Especially when you consider that there have been major derailments of the Connecticut (May 17) and the Long Island (June 17) lines of the Metropolitan Transit Authority (MTA).

I should have known better. Just when you think you can take a breather, something is bound to happen, as it did this morning. Normally I would have been listening to the news and traffic report, but I was spending some time with my puppy before rushing to the ferry station. Once there I waited, but no ferry, and the few people who were there didn’t seem to know why. Annoying.

I called my husband and asked him to drop me off at the train station across the Hudson (parking is impossible there). On the train platform, however, I quickly learned that there was a big problem—the derailment of 10 CSX garbage train cars on a narrow portion of track used by the Hudson line. There were no injuries, but that is a whole lot of cleanup, not to mention the two tracks that need to be replaced, according to the conductor I talked to. He estimated it would take at least the weekend to repair the damage.

I have to say that I was impressed with the MTA’s contingency planning. The MTA gets a lot of flack, but it’s worth mentioning that they did get it right this time. What I expected to be a nightmare of delays and standing around waiting—on one of the hottest days of the year—wasn’t bad at all. The MTA train took us to Yonkers, just north of the derailment area, where we were quickly led to waiting busses. The busses transported the train’s passengers to a large subway station where we were ushered through a special turnstile, and our train passes were honored. The subway ride took a while, since it was a local covering more than 200 blocks. But a fellow passenger gave me an idea of the subway route and at what stop I should get off. Happily, I had only a block to walk to work.

Research shows that the MTA has an enterprise risk management plan in place. I found a 93-page document online that outlines significant business processes for the MTA bus company, bridges and tunnels, individual train lines and much more. It also notes which business processes have been reviewed. Under the listing of Maintenance of Equipment for the Long Island Railroad, for example, items that have been reviewed include locomotive daily inspection and diesel locomotive periodic inspection, rolling stock inspections and equipment surveys.

From what I have read, however, some passengers last night weren’t as lucky. They were told to wait for busses which didn’t arrive. That was right after the derailment, however, and it takes some time to put a major plan into action.

So, lessons learned:

• Listen to the traffic announcements on the radio every morning

• Don’t be too complacent when things go well

• Roll with the punches, occasionally things do work out

• Take time to play with the puppy, no matter what, even if you’re a little late for work

ERM vs GRC: The Right Tool for the Job

Posted on by

What is the best way to build a birdhouse?

online pharmacy diflucan with best prices today in the USA

You may be able to use one tool with multiple functions, such as a multi-tool (a type of Swiss Army knife). However, the convenience afforded by these tools is achieved by reducing the effectiveness and efficiency for more complex projects. Most of us would rather have a tool belt with specific tools suited to the project, such as a hammer, screwdriver and utility knife. Why? Independent tools with specific uses are more powerful, more efficient and more effective at completing the tasks for which they were specifically designed. The tool belt acts as an integrator, a common platform on which the other functions are based.

ERM is the tool belt on which specific governance and compliance functions can be based. These two functions can exist independently, but when driven by risk-centric and data-grounded ERM practices, they become more efficient and effective.  ERM-driven governance divisions utilize risk intelligence to promote risk awareness and attitude throughout an enterprise.  ERM-driven compliance divisions utilize risk intelligence to bring all levels of enterprise into agreement with regulations, audit recommendations and corporate policies.

In today’s “risk-centric” business landscape, why is the combined approach of governance, risk and compliance (GRC) favored over ERM? GRC, like the multi-tool, has the capability to serve several functions — governance, risk management and compliance — in a holistic manner. This is meant to integrate silos and reduce redundancy, bureaucratic conflicts and work overlaps.

online pharmacy vilitra with best prices today in the USA

However, reality has shown that these benefits are often rarely or never realized. Real-world GRC implementations have been marred by repeated failures to anticipate or mitigate adverse risk events.

online pharmacy vibramycin with best prices today in the USA

These events occur due to failures caused by the priority given to executive, governance and compliance objectives over solid risk-based business intelligence. Unable to effectively and efficiently drive a risk-centric organization, GRC is a tool weakened by its complexity.

The problems with multi-tools are the same problems faced by GRC. Most people — in this case, organizations — use only one or two tools, regardless of effectiveness or efficiency. More often than not, in current business implementations, GRC has a tendency to be driven primarily by regulations and largely bureaucratic objectives. The priority given to governance and compliance objectives over risk management has reduced the effectiveness and efficiency of ERM divisions. ERM has been demoted to an endorsement tool, one that is used to validate executive, governance and compliance processes and functions. This reversal of priorities costs organizations billions of dollars.

Don’t believe me? From the infamous Ford Pinto memo, to BP Deepwater Horizon, to the $6 billion JPMorgan debacle and most recently Hurricane Sandy, we have seen how the focus on governance and compliance above real risk has substantially increased the effect of adverse risk events. These failures point to fundamental problems within GRC framework and implementation.

These problems suggest:

  1. There is not enough attention paid to the exhaustive discovery of risk, how risks are connected, and how risks are integrated into all business processes, functions and strategies.
  2. If governance and compliance functions continue to be given priority over enterprise risk management, organizations can expect to pay massive penalties to cover mistakes.
  3. Third, but by no means last, truly risk-centric organizations should have a belt of effective and efficient tools, each specifically suited to a task and driven by risk intelligence.

Without addressing these points, all-too-frequent and massive failures will continue to be a factor in business environments and a continued source of material for news media outlets. These failures should be anomalies. Driven by proper ERM implementation, a successful governance and compliance function can produce effective and sustainable benefits for all stakeholders.