Posted tagged ‘Enterprise Risk Management’

How to Build and Use a Risk Register

December 18, 2014

From Harry Hall at www.pmsouth.com

Project managers constantly think about risks, both threats and opportunities. What if the requirements are late? What if the testing environment becomes unstable? How can we exploit the design skills of our developers?

Let’s consider a simple but powerful tool to capture and manage your risks – the Risk Register. What is it? What should it include? What tools may be used to create the register? When should risk information be added?

The Risk Register is simply a list of risk related information including but not limited to:

  • Risk Description. Consider using this syntax: Cause -> Risk -> Impact. For example: “Because Information Technology is updating the testing software, the testing team may experience an unstable test environment resulting in adverse impacts to the schedule.”
  • Risk Owner. Each risk should be owned by one person and that person should have the knowledge and skills to plan and execute risk responses.
  • Triggers. Triggers indicate when a risk is about to occur or that the risk has occurred.
  • Category. Assigning categories to your risks allows you to filter, group, analyze, and respond to your risks by category. Standard project categories include schedule, cost, and quality.
  • Probability Risk Rating. Probability is the likelihood of risk occurring. Consider using a scale of 1 to 10, 10 being the highest.
  • Impact Risk Rating. Impact, also referred to as severity or consequence, is the amount of impact on the project. Consider using a scale of 1 to 10, 10 being the highest.
  • Risk Score. Risk score is calculated by multiplying probability x impact. If the probability is 8 and the impact is 5, the risk score is 40.
  • Risk Response Strategies. Strategies for threats include: accept the risk, avoid the risk, mitigate the risk, or transfer the risk. Strategies for opportunities include: accept the risk, exploit the risk, enhance the risk, or share the risk.
  • Risk Response Plan or Contingency Plan. The risk owner should determine the appropriate response(s) which may be executed immediately or once a trigger is hit. For example, a risk owner may take immediate actions to mitigate a threat. Contingency plans are plans that are executed if the risk occurs.
  • Fallback Plans. For some risks, you may wish to define a Fallback Plan. The plan outlines what would be done in the event that the Contingency Plan fails.
  • Residual Risks. The risk owner may reduce a risk by 70%. The remaining 30% risk is the residual risk. Note the residual risk and determine if additional response planning is required.
  • Trends. Note if each risk is increasing, decreasing, or is stable.

The Risk Register may be created in a spreadsheet, database, risk management tool, SharePoint, or a project management information system. Make sure that the Risk Register is visible and easy to access by your project team members.

The risk management processes include: 1) plan risk management, 2) identify risks, 3) evaluate/assess risks, 4) plan risk responses, and 5) monitor and control risks.

The initial risk information is entered when identifying risks in the planning process. For example, PMs may capture initial risks while developing the Communications Plan or the project schedule. The initial risk information may include the risks, causes, triggers, categories, potential risk owners, and potential risk responses.

As you evaluate your risk in the planning process, you should assign risk ratings for probability and impact and calculate the risk scores.

Next, validate risk owners and have risk owners complete response plans.

Lastly, review and update your risks during your team meetings (i.e., monitoring and control). Add emerging risks. Other reasons for updating the risk register include change requests, project re-planning, or project recovery.
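The fields and steps above map naturally onto a small data structure. The following Python is an added example, not code from Harry Hall or pmsouth.com: it encodes the Cause -> Risk -> Impact description syntax, validates the 1-10 probability and impact ratings, computes score = probability x impact, tracks residual risk after a response, and supports the grouping, ranking and trigger checks the post describes. The three sample risks are constructed for illustration; the `reduction` field (fraction of the score removed by the planned response) and the `needs_more_planning` threshold are assumptions, not terms from the post.

```python
"""Minimal risk register in the shape the post describes (added example).

Sample risks are constructed; the 'reduction' fraction and the planning
threshold are assumptions introduced here for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


def _rating(value: int, name: str) -> int:
    # Ratings use the 1..10 scale the post recommends; anything else is rejected
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
    return value


@dataclass
class Risk:
    cause: str
    event: str          # the risk itself, e.g. "the test environment may be unstable"
    consequence: str    # the impact on the project
    owner: str
    category: str       # schedule, cost, quality, ...
    probability: int
    impact: int
    triggers: list[str] = field(default_factory=list)
    response: str = "accept"        # accept / avoid / mitigate / transfer for threats
    response_plan: str = ""
    reduction: float = 0.0          # fraction of the score the response removes (0.7 = 70%)
    trend: str = "stable"           # increasing / decreasing / stable

    def __post_init__(self) -> None:
        _rating(self.probability, "probability")
        _rating(self.impact, "impact")
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError("reduction must be a fraction between 0 and 1")

    def description(self) -> str:
        # Cause -> Risk -> Impact syntax from the post
        return f"Because {self.cause}, {self.event} resulting in {self.consequence}."

    def score(self) -> int:
        return self.probability * self.impact

    def residual_score(self) -> float:
        # Score left after the planned response, e.g. 40 reduced by 70% leaves 12
        return round(self.score() * (1 - self.reduction), 2)


class RiskRegister:
    def __init__(self) -> None:
        self.risks: list[Risk] = []

    def add(self, risk: Risk) -> Risk:
        self.risks.append(risk)
        return risk

    def ranked(self) -> list[Risk]:
        # Highest score first so team meetings review the worst risks first
        return sorted(self.risks, key=lambda r: r.score(), reverse=True)

    def by_category(self) -> dict[str, list[Risk]]:
        groups: dict[str, list[Risk]] = defaultdict(list)
        for r in self.risks:
            groups[r.category].append(r)
        return dict(groups)

    def needs_more_planning(self, threshold: int) -> list[Risk]:
        # Residual risk still above the team's tolerance: plan additional responses
        return [r for r in self.risks if r.residual_score() > threshold]

    def triggered(self, observed: set[str]) -> list[Risk]:
        # Risks whose trigger has fired, so the contingency plan should start
        return [r for r in self.risks if set(r.triggers) & observed]


def build_sample_register() -> RiskRegister:
    reg = RiskRegister()
    reg.add(Risk("Information Technology is updating the testing software",
                 "the testing team may experience an unstable test environment",
                 "adverse impacts to the schedule", owner="Test lead",
                 category="schedule", probability=8, impact=5,
                 triggers=["test-env-outage"], response="mitigate",
                 response_plan="Freeze a parallel test environment until the update is done",
                 reduction=0.7, trend="increasing"))
    reg.add(Risk("the vendor quote expires next month", "hardware prices may rise",
                 "a budget overrun", owner="Procurement lead", category="cost",
                 probability=4, impact=6, triggers=["quote-expired"]))
    reg.add(Risk("requirements are still changing", "defects may reach acceptance testing",
                 "rework late in the project", owner="QA manager", category="quality",
                 probability=6, impact=7, triggers=["late-requirement-change"],
                 response="mitigate", response_plan="Add requirement reviews each sprint",
                 reduction=0.5))
    return reg


def invalid_rating_rejected() -> bool:
    # Demonstrates the guard on the 1..10 scale
    try:
        Risk("c", "e", "i", owner="o", category="cost", probability=11, impact=5)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.ranked():
        print(f"{r.score():>3} -> {r.residual_score():>5}  [{r.category}] {r.description()}")
```

Running the block prints the register ranked by score; the schedule risk from the post scores 8 x 5 = 40 and, with a 70% reduction, leaves a residual of 12, matching the worked numbers in the post.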

ERM: Who is Responsible?

November 7, 2014


The Board is Responsible.

The CEO is Responsible.

Top Management is Responsible.

The CRO is Responsible.

The Business Unit Heads are Responsible.

The CFO is Responsible.

And on and on…

But this sounds like a recipe for disaster.  When everyone is responsible, often no one takes responsibility.  And if everyone is responsible, how is a decision ever reached?

Everyone needs to have different responsibilities within an ERM program.  So most often, people are given partial responsibility for ERM depending upon their everyday job responsibilities.

And in addition, a few people are given special new responsibilities and new roles (usually part time) are created to crystallize those new roles and responsibilities.  Those new roles are most often called:

  • Risk Owners
  • Risk Committee Members

But there are lots and lots of ways of dishing out the partial responsibilities.  RISKVIEWS suggests that there is no one right or best way to do this.  But instead, it is important to make sure that every risk management task is being done and that there is some oversight to each task.  (Three Lines of Defense is nice, but not really necessary.  There are really only two necessary functions – doing and assurance.)

To read more about a study of the choices of 12 insurers &

Risk Culture, Neoclassical Economics, and Enterprise Risk Management

September 22, 2014

Financial regulators, rating agencies and many commentators have blamed weak Risk Culture for many of the large losses and financial company failures of the past decade. But their exposition regarding a strong Risk Culture only goes as far as describing a few of the risk management practices of an organization and falls far short of describing the beliefs and motivations that are at the heart of any culture. This discussion will present thinking about how the fundamental beliefs of Neoclassical Economics clash with the recommended risk practices, and how the beliefs that underpin Enterprise Risk Management are fundamentally consistent with the recommended risk management practices but differ significantly from Neoclassical Economics beliefs.

Risk Culture and Enterprise Risk Management (1/2 Day Seminar)

September 2, 2014

Afternoon of September 29 – at the ERM Symposium #ERMSYM

Bad risk culture has been blamed as the ultimate source of problems that have caused gigantic losses and corporate failures in the past 10 years. But is that a helpful diagnosis of the cause of problems or just a circular discussion? What is risk culture anyway? Is it a set of practices that a company can just adopt or does culture run deeper than that? How does risk culture vary between countries and continents? How do risk cultures go bad and can they be fixed? This is, of course, a discussion of the human side of Enterprise Risk Management. 

This half-day seminar (1 – 4:30 p.m.) will draw together materials from business organizational theorists, anthropologists, regulators, rating agencies, investors, corporations, insurers and auditors to help define risk culture and diagnose problem causes. The objective is to provide the attendees with multiple perspectives on risk culture to help them to survive and thrive within the potentially multiple risk cultures that they find themselves operating alongside – or against. In addition, the speakers will draw upon their own experiences and observations to provide a number of practical examples of how risk cultures can and do go wrong. This discussion may help you to identify the signs of devolving risk culture if they start to appear in your organization. Finally, the difficult topic of fixing a bad risk culture will be discussed. That part of the discussion will help attendees to attain a realistic perspective on that extremely difficult process. 

The seminar will be presented by three speakers from very diverse backgrounds. Andrew Bent, Risk Coordinator for Suncor Energy Inc. has also worked in multiple levels of government in New Zealand and Canada. Bent has co-authored several articles and papers on strategic risk assessment and the use of root cause analysis in risk management. Carol Clark is Senior Policy Advisor at the Federal Reserve Bank of Chicago where she has most recently been focused on operational risk issues associated with high speed trading. Her research has been published in the Journal of Payment Systems Law, the Federal Reserve Bank of Chicago’s Chicago Fed Letter and Economic Perspectives as well as Euromoney Books. Dave Ingram is Executive Vice President at Willis Re where he advises insurers on ERM practices. Ingram has worked extensively with both Life and Property and Casualty insurers on various aspects of risk management over the past 30 years. He has recently co-authored a series of articles and papers on risk culture and has had a number of experiences with the risk cultures of over 200 insurers.

Speakers: 
Andrew Bent, ARM-E, ARM-P, CCSA, CRMA, Risk Coordinator, Suncor Energy
Carol Clark, Senior Policy Advisor, Federal Reserve Bank of Chicago 
David Ingram, CERA, PRM, EVP, Willis Re

Registration

The History of Risk Management

August 28, 2014

Please find a new permanent page on RISKVIEWS – The History of Risk Management.  It is a simple list of major historical events that are important to Risk Management and ERM as it is practiced today.  This list was compiled with the help of INARM.

Risk Management development has not followed a particularly straight line.  Practices have been adopted, ignored, misused.  Blow-ups have happened.  Some of those blow-ups are mentioned on another page in RISKVIEWS – Risk Management Failures.

But Risk Managers have learned from those blow-ups, and the next generation of Risk Management programs incorporated those lessons.

The most important thing about risk management that we have learned from history is that risk management must be practiced in earnest.  No amount of good talks or fancy charts will take the place of roll-up-your-sleeves-and-do-it risk management.  Promoting that sort of Risk Management is the objective of this Blog.

Key Ideas of ERM

July 24, 2014

For a set of activities to be called ERM, they must satisfy ALL of these Key Ideas…

  1. Transition from Evolved Risk Management to planned ERM
  2. Comprehensive – includes ALL risks
  3. Measurement – on a consistent basis allows ranking and…
  4. Aggregation – adding up the risks to know total
  5. Capital – comparing sum of risks to capital – can apply security standard to judge
  6. Hierarchy – decisions about risks are made at the appropriate level in the organization – which means information must be readily available

Risk management activities that do not satisfy ALL Key Ideas may well be good and useful things that must be done, but they are not, by themselves ERM.

Many activities that seek to be called ERM do not really satisfy ALL Key Ideas.  The most common “fail” is item 2, Comprehensive.  When risks are left out of consideration, that is the same as a measurement of zero.  So no matter how difficult to measure, it is extremely important to really, really be Comprehensive.

But it is quite possible to “fail” on any of the other Key Ideas.

The Transition idea usually “fails” when the longest standing traditional risk management practices are not challenged to come up to ERM standards that are being applied to other risks and risk management activities.

Measurement “fails” when the tails of the risk model are not of the correct “fatness”.  Risks are significantly undervalued.

Aggregation “fails” when too much independence of risks is assumed.  Most often ignored is interdependence caused by common counterparties.

Capital “fails” when the security standard is based upon a very partial risk model and not on a completely comprehensive risk model.

Hierarchy “fails” when top management and/or the board do not personally take responsibility for ERM.  The CRO should not be an independent advocate for risk management, the CRO should be the agent of the power structure of the firm.

In fact, Hierarchy failure is the other most common reason for ERM to fail.

What kind of Stress Test?

June 25, 2014

What kind of future were you thinking of when you constructed your stress tests?  Here are six different visions of the stressed future that have been the basis for stress tests.

  • Historical Worst Case – Worst experience in the past 20 – 25 years
  • Normal Variability – Stress falls within expected range for a normal five year period
  • Adverse Environment Variability – Stress falls within expected range for a five year period that includes general deterioration such as recession or major weather/climate deviation
  • Future Realistic Disaster – Worst experience that is reasonably expected in the future (even if it has never happened)
  • Adverse Environment Disaster – Worst experience that is reasonably expected in the future if the future is significantly worse than the past
  • Future Worst Case – Maximum plausible loss that could occur even if you believe that likelihood is extremely remote

Here is a long list of stress scenarios that comes from the exposure draft of the NAIC document for ORSA reviewers:

1. Credit

• Counterparty exposure (loss of specified amount to reinsurer, derivatives party, supplier)
• Equity securities (40%/50% drop, no growth in stocks in 3 years)
• General widening of credit spreads (increase in defaults)
• Other risk assets

2. Market

• 300 basis point pop up in interest rates
• Prolonged low interest rates (10 year treasury of 1%)
• Material drop in GDP & related impacts
• Stock market crash or specific extreme condition (Great Depression)
• Eurozone collapse
• U.S. Treasury collapse
• Foreign currency shocks (e.g. percentages)
• Municipal bond market collapse
• Prolonged multiple market downturn (e.g. 2008/2009 crisis/or 1987 stock market drop-or 50% drop in equities, 150bp of realized credit losses)

3. Pricing/Underwriting

• Significant drop in sales/premiums due to varying reasons
• Impact of 20% reduction in mortality rates on annuities
• Material product demonstrates specific losses (e.g. 1 in 20 year events)
• Severe pandemic (e.g. Avian bird flu based upon World Health Organization mortality assumption)
• California and New Madrid earthquakes, biological, chemical or nuclear terrorist attacks in locations of heaviest coverage (consider a specified level of industry losses)
• Atlantic hurricane (consider a specified level of industry losses previously unseen/may consider specified levels per different lines of coverage) in different areas (far northeast, northeast, southeast, etc.)
• U.S. tornado over major metropolitan area with largest exposure
• Japanese typhoon/earthquake (consider a specified level of industry losses previously unseen)
• Major aviation/marine collision
• Dirty bomb attack
• Drop in rating to BB

4. Reserving

• Specified level of adverse development (e.g. 30%)
• Regulatory policy change requires additional reserves (e.g. 30%)

5. Liquidity

• Catastrophe results in material immediate claims of 3X normalized amounts
• Call on any existing debt
• Material spike in lapses (e.g. 3X normal rates)
• Drop in rating to BB

6. Operational

• Loss of systems for 30 days
• Terrorist act
• Cybercrime
• Loss of key personnel
• Specified level of fraud within claims

7. Legal

• Material adverse finding on pending claim
• Worst historical 10 year loss is multiplied at varying levels

8. Strategic

• Product distribution breakup

9. Reputational

• PR crisis
• Drop in rating to BB

These seem to RISKVIEWS to fall into all six of the categories.  Many of these scenarios would fall into the “Normal Variability” category for some companies and into “Historical Worst Case” for others.  A few are in the area of “Future Worst Case” – such as the Treasury Collapse.

RISKVIEWS suggests that when doing Stress Testing, you should decide what sort of Stress you are intending.  You may not agree with RISKVIEWS categories, but you should have your own categories.  It might be a big help to the reader of your Stress Test report to know which sort of stress you think that you are testing.  They may or may not agree with you on which category that your Stress Scenario falls into, and that would be a valuable revealing discussion.

