Enterprise Risk Management – And a bit of Sales

In my ongoing effort to remember what I read, a few notes about a book on Enterprise Risk Management: Mastering 21st Century Enterprise Risk Management: Firing Dated Practices | The Best Practice of ERM | Implementation Secrets; by Gregory M. Carroll. 

Full Disclosure: Fast Track Founder

Before going any further, the book is written by the founder of an Australian company, Fast Track, which sells ERM and compliance software.  On the one hand, there is a bias in the book toward the software.  On the other hand, excellent: the company has been thinking about ERM for more than 30 years, so who better to comment?

The ERM I Was Expecting

I have been on the periphery of the Risk Management Biz for most of my career and it never impressed me very much.  It seemed like a bolt-on activity to compile a ‘telephone book’ of risks that would never happen.  Worse, risk management takes precious management and organizational time away from operations, which ironically increases risks.  This is not to discount the value of risk management, though, or of having mitigation plans for many of the likely scenarios (hacks, robberies, natural disasters, etc.).  Starting with mitigation is why I wrote the blog series on ‘Antifragile Risk Management (ARM)’.

This book is short (about 80 pages) and has some good practical advice on ERM.  I would not buy the full version, but definitely take a good skim/read via your public library’s online services.  The following five items are my key takeaways from the book; there are more, but these are the ones that I will likely return to a few times.

  • Risk Management in 30 Seconds
  • Acknowledgement that Risk Management is a Dark Art
  • The Nature of Risks
  • Risk Management is Really Opportunity Optimization
  • Ten Rules for a Successful IT Project

Carroll presents a vision of ERM that is much closer to my view of ARM… to a point.  So, here are notes on the great points he makes in his book and on the limitations of thinking about risk management when you are in the business of selling ERM systems (these editorial comments are in italics).

Risk Management in 30 Seconds

In ten paragraphs, Carroll runs through what Risk Management is; the summary of the summary is as follows (pp 4-5):

  1. 00:00 Definition: The level of uncertainty in any situation. Risk management is a system that identifies, quantifies and attempts to reduce or eliminate uncertainty.
  2. 00:25 Identification: ERM starts with a set of corporate objectives covering all aspects of the enterprise’s intents. Understand organizational risk appetite: the level of risk that can be tolerated on an on‐going basis.
  3. 01:00 Assessment: A subjective and preventive evaluation of each uncertainty in a specific area of operation by internal subject matter experts. A risk matrix grades the impact of a risk based on likelihood of it happening and the effect (consequences) if it does.
  4. 01:40 Control: A control is an action or measure that can alter an uncertainty.
  5. 02:00 Mitigation: Mitigation is a fancy word for an action that reduces or eliminates a risk.
  6. 02:45 Review: Review is value-add and facilitates continual improvement.

This is a good overview and is entirely consistent with ISO 31000.  Carroll’s point in this section is that risk management is not especially difficult and that a simple framework can help you.  The ARM methodology, however, turns the above 3-minute overview on its head and places review and mitigation first, with the other activities subordinate to these value-add functions.

Acknowledgement that Risk Management is a Dark Art

Carroll describes risk management as being 80% art and 20% science (p. 12).  This is part of his view that organizational change and people management are central to an effective ERM system.

Carroll is on the right track here, but I would change his allocations slightly.  I would put the art part at 90%, the process changes at 9% and the ERM system itself at 1%.  Risk/opportunity management is primarily a state of mind that depends on the trust, adeptness and competence of people.  An ERM without these is doomed to failure; an organization with these attributes already has an ERM system.

The Nature of Risks

Carroll differentiates between the ‘Nature of Risk’ and the ‘Types of Risk’.  Nature is a higher-level classification that groups risks conceptually, by how the risk presents itself and how it is subsequently managed (p. 13).  The four natures are as follows:

  1. Technical Risks are the broad group of risks whose state can be measured discretely and against which quantitative limits can be set and monitored. They are caused by variations that affect the system and are managed through use of mathematical models.
  2. Operational Risks are around the internal operations of a business, predominantly dealing with people, processes and systems, and are what most people think of in enterprise risk management.  Qualitative by nature, they tend to be caused by changes to organisation or behaviour, and are managed through process management.
  3. Security Risks are aggressive actions. They are intentional in nature, as opposed to the other categories, which are consequential in nature. They are premeditated attacks which are managed proactively through surveillance and defensively through multi‐layered safeguards commonly referred to as “defence‐in‐depth”.
  4. Black Swan events are events in human history that were unprecedented and unexpected at the time they occurred. These once‐in‐a‐lifetime events are unpredictable, occur abruptly and are catastrophic in nature.  Being unpredictable and occurring abruptly, the risk itself cannot be managed in a traditional sense, so we have to manage its effects using such methods as disaster planning and relief strategies.

Carroll acknowledges that the four presented are not meant to be exhaustive.  Nevertheless, this is a much better starting point than an exhaustive ‘type of risk’ listing.  The challenge I have seen with such lists is that organizations very quickly get bogged down in definitional quagmires.  The above list can be thought of as having multiple dimensions, for example internal or external to the organization.

Risk Management is Really Opportunity Optimization

ISO 31000 focuses not on risks but on uncertainty, which may be positive or negative for an organization.  Carroll’s book is generally upbeat about both, although most of his examples end up being of the negative variety rather than the positive.

This upbeat note extends into systems implementations.  Obviously his frame of reference is implementing an ERM system, but his words of wisdom could just as easily be applied to an ERP or other corporate system.  Nothing new here, but still a good refresher:

  • People: The employees, managers, customers and other stakeholders.  In particular, what motivates your employees and how you can align a project to these motivations to be most successful.
  • Change Management: A project is not about the technology; it is about how people will work once the project team has long gone.
  • The System and the Project: Lastly, how the project and system will be implemented and then used to support the above.

Ten Rules for a Successful IT Project

  1. Don’t outsource requirement planning.
  2. With software vendors, big is not necessarily best (Note, I think there is some bias here on the part of Carroll toward his software and away from the larger systems; this bias may be entirely justified but full disclosure nevertheless).
  3. Choose a ‘people’ project manager.
  4. Have a living risk management protocol.
  5. Ensure all stakeholders have “skin” in the game.
  6. Use an agile implementation technique.
  7. A quick game is a good game.
  8. Plan your testing.
  9. Training – Sell the benefits.
  10. Treat as a change-management issue not an IT project.