Search This Blog

Thursday, May 5, 2011

"Enterprise Risk Management" - COSO or ISO 31000

I have been recently asked to conduct a "workshop" on "Enterprise Risk Management". You know, the "COSO thing" which was a reaction to poor financial management. Followed by SOX et al. Ended up being a tick the box exercise for too many - and we had continued uncertainty and poor risk management. Not a good combination - as the latest financial crisis demonstrates.

So I was initially a little skeptical. Old wine, new bottles - maybe even a "corked" wine. However the organisers have been kind enough to steer away from a narrow, linear promotion of doctrine. Instead, I will facilitate the exploration of using the international risk management principles and guidelines (ISO 31000) to achieve enterprise-wide risk management outcomes. Ha! I hear you scoff - "that's hardly different". Well my friends, having worked in a few places and been around the traps for a few years I can tell you - not many entities actually have a tailored and integrated approach to risk management. Most are still characterised by a mixture of "layer cake" - with the top and bottom not knowing what each is up to. This mix is then pierced by some "silos" - of excellence maybe, but isolation definitely.

Anyway, if the topic appeals, and you are in Kuala Lumpur 5-6 July this year, and you can cover the fee - it would be great to have you as a participant. Regardless, the themes we will explore are laid out below if you just want to peruse and reflect.

Title: Enterprise-wide Risk Management
A workshop on using the international risk management principles and guidelines (ISO 31000) to achieve enterprise wide risk management outcomes.


Introduction to the scope of the workshop
 The risk management space is characterised by having a range of frameworks and guidelines. Many of these risk management frameworks reflect specific industry applications. Sometimes they have been developed to support quite narrow “agenda driven” purposes. Others are a reaction to risk events themselves. However, there are some which reflect a more thoughtful and engaging development. This workshop will consider the strengths of several approaches (such as Enterprise Risk Management, and Business Continuity Management). Further, we will explore how these specific applications can be integrated into a context sensitive application of the International Risk Management Principles and Guidelines to achieve relevant and robust outcomes in support of your entity’s objectives.


Pre-reading
On  January 11, 2011 – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) – an organization providing thought leadership and guidance on internal controls, enterprise risk management (ERM), and fraud deterrence – released a new thought paper relating to ERM aimed at providing guidance to help organizations advance along the ERM maturity curve. If participants get an opportunity to pre-read this thought paper, they should find it provides useful background (especially if they are new to this area):



 Key elements and workshop sessions

1.    The maze of Standards, Frameworks, Principles and Guidelines


·         The structure of several specific standards (frameworks, principles, guidelines and standards) – in particular, Enterprise Risk Management COSO; Business Continuity Management BS 25999 and Risk Management ISO 31000.
·         How these different “standards” relate to each other.
·         How they can be harmonized into a nested framework which is aligned to your needs and context.


Learning outcomes include:
·         Knowledge of the structure of Enterprise Risk Management COSO; Business Continuity Management BS 25999 and Risk Management ISO 31000.
·         Understanding how these standards relate to each other.
·         Awareness of issues when translating standards into context.


2.    Gap Assessment

This session will explore:
·         Why it is important, as an early activity, to map where you are against where you need to be (in relation to risk management capability).
·         Identifying the necessary elements which should be measured.
·         What performance criteria for the elements might look like.
·         How the gap assessment might be displayed and communicated.
·         Developing an easy to use tool suitable for your context.


 Learning outcomes include:
·         Awareness of the importance of gap assessment.
·         Knowledge of the core relationship between necessary elements to be measured and sufficient performance criteria underpinning those elements.
·         Knowledge of how gap assessments might be displayed and communicated.
·         Knowledge of how to developing an easy to use tool suitable for your context.


3.    Decision Making

This session will explore:
·         What characterizes good decision making.
·         Whether risk management is just good problem solving re-badged.
·         Why analytic – deliberative processes are crucial.
·         Some tools and techniques for good decision making.


Learning outcomes include:
·         Awareness of what characterizes good decision making.
·         Knowledge of what differentiates risk management from good problem solving.
·         Awareness of why analytic – deliberative processes are crucial.
·         Knowledge of some tools and techniques for good decision making.

4.    Risk Criteria

This session will explore:
·         Developing risk assessment criteria.
·         Developing risk treatment selection criteria.
·         The criticality of context when developing risk criteria.
 
 Learning outcomes include:
·         Understanding a range of issues involved in the development of risk assessment criteria.
·         Understanding a range of issues involved in the development of risk treatment selection criteria.
·         An awareness of critical, context sensitive factors when developing risk criteria.


5.    From Principles to Integrated Implementation

This session will explore:
·         Different models for implementing Enterprise-wide Risk Management
·         Key issues of stakeholder engagement, marketing and training.
·         Drafting an action plan for an Enterprise Risk Management initiative


Learning outcomes include:
·         Awareness of the advantages and disadvantages of different models for implementing Enterprise-wide Risk Management
·         Understanding the importance of stakeholder engagement, marketing and training.
·         Knowledge of drafting an action plan for an Enterprise Risk Management initiative


6.    Risk Assessment

This session will explore:
·         The process role of risk assessment.
·         A range of tools and techniques.
·         A particular focus on vulnerability through scenario analysis.
·         Some of the pros and cons - and what can we learn from them.
 Learning outcomes include:
·         An awareness of the core role of risk assessment processes.
·         An awareness of a range of tools and techniques.
·         Knowledge of why it is crucial to focus on vulnerability through scenario analysis.
·         Knowledge of lessons learnt from inappropriate risk assessments.


7.    Business Resilience

This session will explore:
·         Leveraging the top three to five foreseeable extreme event scenarios.
·         The advantages of moving away from a focus on extreme events and hazard to a focus on the vulnerability of the things we depend upon.
·         The application of a scalable tool aligned with a best practice Business Continuity Standard (BS 25999).


 Learning outcomes include:
·         Understanding the value of leveraging the top three to five foreseeable extreme event scenarios.
·         Understanding the advantages of moving away from a focus on extreme events and hazard to a focus on the vulnerability of the things we depend upon.
·         Understanding how to apply a scalable tool aligned with a best practice Business Continuity Standard (BS 25999).

8.    Continuous Improvement

This session will explore:
·         How to improve corporate capabilities on an ongoing basis by training and exercising
·         The key role of well designed desktop exercises before any extreme event
·         The key role of sensitively facilitated organization debriefs after any extreme event.


Learning outcomes include:
·         Awareness of the importance of improving corporate capabilities on an ongoing basis by training and exercising.
·         Understanding how to manage a well designed desktop exercises before any extreme event.
·         Understanding how to manage a sensitively facilitated organization debrief after any extreme event.