Many components can make up the risk management capability; some of the key elements are discussed below:

Transcription

1 Successful Security, Risk and Control Programs from DelCreo, Inc., an Enterprise Risk Management Company DelCreo Enterprise Risk Management Framework Part II Strategic planning is an area that I believe to be critical for the success of all security, risk and control managers. Details on our new Strategic Planning workshop are available at In November, I wrote about the DelCreo Framework for Enterprise Risk Management, and detailed half of this approach. This month (where did the December Newsletter go? - too much Christmas shopping!) I have detailed the second half of this framework. You can download a copy of this framework from the DelCreo website at ENTERPRISE RISK MANAGEMENT CAPABILITIES Many risk assessments focus completely on identifying risks and potential exposures, and neglect a review of the capability of the organization to manage the risks. I believe that the most effective risk assessments identify, classify and articulate the likelihood/impact of risks, and then address the current ability of the organization to manage those risks. Many components can make up the risk management capability; some of the key elements are discussed below: Risk Functions Various risk management functions must participate, exchange information and processes, and cooperate on risk mitigation activities to fully implement an ERM capability. Some of these risk management functions might include: - Business Continuity Planning - Internal Audit - Insurance - Crisis Management - Privacy - Physical Security - Legal - Information Security - Credit Risk Management Any enterprise risk management assessment should include a review of the interactions, sharing of information, collaborative approach to managing risk, etc. that exists among the various risk management functions. Optimize magazine has recently had several excellent articles about enterprise risk management. One item recently grabbed my attention: In a recent survey conducted by Optimize, 40% of the companies that participated in the survey identified the CIO as the

2 executive most likely to own Enterprise Risk Management in their organization! (Optimize, January, 2004, p. 67). For more details and analysis on this article, see my blog at In the last article, we briefly addressed risk appetite. DelCreo has researched and developed a method over the past seven years that many clients have used to successfully develop and define risk appetite. Using this method, the risk appetite is then used across various risk management functions, allows for the cascading of your risk appetite into the organization (and across) and becomes a critical link in operationalizing a concept that heretofore has been very nebulous. For more details, please contact me at mark@delcreo.com. Risk Management Processes Effective Risk management processes can be used across a wide range of risk management activities, and include the following: - Risk Strategy and Appetite - Define risk strategy and program. - Define risk appetite. - Determine treatment approach. - Establish risk policies, procedures, and standards. - Assess Risk - Identify and understand value and risk drivers. - Categorize risk within the business risk framework. - Identify methods to measure risk. - Measure risk. - Assemble risk profile and compare to risk appetite and capability. - Treat Risk - Identify appropriate risk treatment methods. - Implement risk treatment methods. - Measure and assess residual risk. - Monitor and Report - Continuously monitor risks. - Continuously monitor risk management program and capabilities. - Report on risks and effectiveness of risk management program and capabilities. Although the risk management process is relatively easy to understand, very few organizations have formally documented and implemented a risk management process that is used across the organization. Organization The Chief Risk Officer (CRO), Enterprise Risk Manager or even the Enterprise Risk Committee, may manage the enterprise risk management activities. Their duties would typically include: - Provide risk management program leadership, strategy and implementation direction. - Develop risk classification and measurement systems. - Develop and implement escalation metrics and triggers (Events, incidents, crisis, operations, etc.). - Develop and monitor early warning systems, based on escalation

3 metrics and triggers. - Develop and deliver organization-wide risk management training. - Coordinate risk management activities - some functions may report to CRO, while others will be coordinated. Culture - Creating and maintaining an effective risk management culture is very difficult. Special consideration should be given to the following areas: Knowledge Management - Institutional knowledge about risks, how they are managed, and experiences by other business units should be effectively captured and shared with relevant peers and risk managers. My experience in helping clients develop and implement online knowledge management systems has shown the potential benefit of knowledge management efforts: - Reduce the risk profile through the enhanced risk identification and management capability - Decrease the total cost of risk - Develop and deploy risk assessment tools globally - Enable the company to capture risk assessment information continuously - Allow users to access complex risk modeling and forecasting tools through simple web-based interfaces and applications - Become the universal starting point for all users as they look for risk related tools, people resources and knowledge (For more details, see ) Metrics - The accurate and timely collection of metrics is critical to the success of the risk management program. Effort should be made to connect the risk management programs to the Balanced Scorecard, EVA, or other business management/metrics systems. The balanced scorecard is a management system (not only a measurement system) that enables organizations to clarify their vision and strategy and translate them into action. It provides feedback around both the internal business processes and external outcomes in order to continuously improve strategic performance and results. When fully deployed, the balanced scorecard transforms strategic planning from an academic exercise into the reality of organizational measurement processes. (Robert S. Kaplan and David P. Norton's new book, Strategy Maps: Converting Intangible Assets into Tangible Outcomes is an excellent reference guide for this topic). EVA (Economic Value Added) is net operating profit minus an appropriate charge for the opportunity cost of all capital invested in an enterprise. As such, EVA is an estimate of true "economic" profit, or the amount by which earnings exceed or fall short of the required minimum rate of return that shareholders and lenders could get by investing in other securities of comparable risk. Stern Stewart developed EVA to help managers incorporate two basic principles of finance into their decision making. The first is that the primary financial objective of any company should be to maximize the wealth of its shareholders. The second is that the value of a company depends on

4 the extent to which investors expect future profits to exceed or fall short of the cost of capital. (Source: ) Training - Effective training programs are necessary to ensure that risk management programs are effectively integrated into regular business processes. For example, strategic planners, responsible for the strategic planning process, will need constant reinforcement regarding the risk assessment processes. (For more information on training, see ) Communication - Frequent and consistent communications around the purpose, success, and cost of the risk management program are a necessity to maintain management support and to continually garner necessary participation of managers and line personnel in the ongoing risk management program. Tools - Appropriate tools should be evaluated, purchased or developed to enhance the effectiveness of the risk management capability. Many commercial tools are available and their utility across a range of risk management activities should be considered. Quality information about risks is generally difficult to obtain and care should be exercised to ensure that information gathered by one risk function can be effectively shared with other programs. For example, tools used to conduct the business impact assessment should facilitate the sharing of risk data with the insurance program. (For more information our tools, see ) Enterprisewide Integration ERM and other related security, risk and control programs should effectively collaborate across the enterprise and should have a direct connection to the strategic planning process, as well as the critical projects, initiatives, business units, functions, etc. Broad, comprehensive integration of risk management programs across the organization generally lead to more effective and efficient programs. Risk Attributes - Risk attributes relate to the ability or sophistication of the organization to understand the characteristics of specific risks including their lifecycle, how they act individually or in a portfolio, and other qualitative or quantitative characteristics. Lifecycle - Has the risk been understood throughout its lifecycle and have appropriate risk strategies been developed and implemented before the risk occurs, during the risk occurrence, and after the risk occurs? Achieving the optimal balance between risk and cost of managing risk is only possible if the lifecycle of the risk is well understand and risk strategies and treatments are appropriately applied. Individual and Portfolio - the most sophisticated organizations will look at each risk individually, as well as in aggregate or in portfolio. Viewing risks in a portfolio can help identify risks that are natural hedges against themselves, and risks that amplify each other. Knowledge of how risks interact as a portfolio can increase the

5 ability of the organization to effectively manage the risks at the most reasonable cost. Qualitative and Quantitative - Most organizations will progress from being able to qualitatively assess risks to being able to quantify risks. In general, the more quantifiable the information about the risk, the more treatment options available to the organization. Risk Functions, Risk Management Process, Organization, Culture, Tools, Enterprise-wide Integration and Risk Attributes are some of the most common elements of understanding your risk management capability. Other elements exist and may be more or less relevant depending on industry, geography, etc. Many people have struggled with the challenge of clearly defining what enterprise risk management is. I believe that clearly defining the capability elements of enterprise risk management is the key to understanding it. As this discipline evolves, DelCreo will continue to define and explore the most important capability components of enterprise risk management. Please see more on ERM Framework in the Risk Strategies That Work Section below. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~ DelCreo is an (ISC)_ Authorized Training Partner Register now for high quality, cost-effective training that really packs a punch! Upcoming DelCreo Professional Education courses: Date: Topic: Location: Feb , 2004 CRISIS AND INCIDENT MANAGEMENT Dallas, TX s.cfm Feb , 2004 RoI FOR INFORMATION SECURITY Houston, TX n.cfm Feb , 2004 BUILDING COMPLIANCE-BASED AWARENESS Las Vegas, NV cfm Feb. 25, 2004 BCP METRICS-MANAGING A BCP PROGRAM San Jose, CA e.cfm Feb. 26, 2004 STRATEGIC PLANNING San Jose, CA

6 Mar. 9-10, 2004 RAPID RISK ASSESSMENT WORKSHOP Dallas, TX fm Mar. 11, 2004 BCP METRICS-MANAGING A BCP PROGRAM Dallas, TX Mar. 16, 2004 STRATEGIC PLANNING Chicago, IL Mar , 2004 BUILDING COMPLIANCE-BASED AWARENESS Atlanta, GA a.cfm Mar. 31-Apr. 1, 2004 CRISIS AND INCIDENT MANAGEMENT Cleveland, OH H.cfm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~ Risk Strategies That Work on ERM Framework o Risk assessments should identify and understand risks as well as the organizations ability to manage risk o Develop and articulate your organization's risk appetite, this is a key element of an effective ERM approach o Create an ERM Council/Committee, even it is ad hoc, and in the beginning you are the only one driving the show. o Attempt to document/develop the roles and responsibilities of the various risk management related organizations, how you will collaborate, share information, etc. How will the most common risks be handled? Get agreement among the key players o Any enterprise risk management assessment should include a review of the interactions, sharing of information, collaborative approach to managing risk, etc. that exists among the various risk management functions o Understand the lifecycle aspects of key risks. Develop risk strategies that address the most critical risks before, during and after they occur *********************************************************************** ******* DelCreo, Inc. An Enterprise Risk Management Company Helping Risk Professionals Develop and Rollout Successful Risk Programs

7 U.S./Toll-free: 866.DELCREO International: 001/ DelCreo, Inc. All rights reserved. You are free to use material from the Successful Risk Programs ezine in whole or in part, as long as you include the following complete attribution, including live website link. By DelCreo, Inc. - An Enterprise Risk Management Company. Please visit DelCreo's website at for additional risk articles, resources, tools, and services for Risk Professionals on how to develop and rollout successful risk programs. *********************************************************************** ****** To unsubscribe or change subscriber options visit: