Sunday, August 23, 2009

Riskczar.com

This blog has moved to www.Riskczar.com

Tuesday, August 18, 2009

Reputation Risk is not a Risk

Reputation risk is a second order risk. It is caused by some other risk event. Coke cannot go out and buy some reputation risk insurance but it can try to ensure that its factories don't stop working or rat droppings don't show up in its beverages. These can be treated or controlled. Only when the first order risks fail will Coke suffer from a risk event to its reputation.

The best an organization can do is ensure that after an event it has an effective communication strategy in place to minimize the negative effects to its reputation and get its customers back.

Summary: Reputation = second order risk. So stop wasting time and putting it on your risk profiles as if you can do something about it. Focus on the risks which you can actually treat.

Wednesday, July 09, 2008

Everyone knows where the icebergs are

Before the Titanic struck that iceberg almost a century ago, the captain was told that there were icebergs in those waters but dismissed the junior officer's warning. He was heard saying: "In my thirty years at sea, I've never struck an iceberg before. Full speed ahead."

Everyone knows where the icebergs are. Risk management just makes you do something about them.

So do you want to manage your risks proactively or after you rip a hole in the side of your ship and send thousands of people to a grisly death at the bottom of the North Atlantic?

Monday, May 12, 2008

A Common Sense Approach to ERM

In a sentence, The Riskczar describes the common sense approach to the process of risk management like this: First you identify your risks, then you figure out which ones are the most important, next you decide how to address them, and then you do something about it and tell everyone how you are doing from time to time.

Friday, May 09, 2008

ERM Creates Value

ERM helps leaders deal effectively with the current or potential events that create uncertainty and respond in a way that balances the downside of the uncertainties that we want to avoid against the upside.

The big picture outcomes of ERM are: no big mistakes, no big surprises and no big missed opportunities.

The Riskczar says: (1) It is less expensive to manage risk prior to the event than to deal with the crisis after it has occurred, and (2) The goal is not to eliminate risk but to manage the risks that we have.

Wednesday, May 07, 2008

Islands of Risk Management Capabilities

Risk management is not something new to you; there are islands of risk management capabilities throughout the organization.

Sometimes we call it hedging or insuring or security, but it’s all risk management. Enterprise risk management (ERM) is merely a process that pulls these disparate islands together at an enterprise level using common definitions, measures and processes.

Monday, May 05, 2008

Risk Management Frameworks are Boring

There are plenty of frameworks out there on the Internet that you can read or download for free, so why not just read one of those? Well, first of all, frameworks are boring; even people who write policies for a living think frameworks are boring.

The Riskczar suggests you try to read the two most popular ERM frameworks: the COSO ERM Framework and the Australia/New Zealand 4360 Framework.

Sunday, May 04, 2008

Enterprise Risk Management is Pretty Simple

Enterprise risk management (ERM) is pretty simple. Financial institutions, regulators and consultants would have you believe that risk management is very complicated, requires advanced mathematical training, an MBA or Ph.D., a knowledge of Latin or Greek and nothing short of a miracle to implement.

The Riskczar says: What you need is the right attitude and a leap of faith that you and your business will be better off. You will make better decisions, spend less and earn more.



Thursday, January 19, 2006

A Greek Tragedy

He has just woken up from a nightmare.

If this was a movie he would have sat up, opened his eyes and screamed, revealing to the viewer that we just witnessed a dream sequence, but Spiro’s eyes simply opened and he sighed quietly. Spiro's sigh was so quiet that he needed to nudge Nikki to wake her from her slumber.

“What is it, reh?” she asked.

“I had a nightmare,” Spiro continued, “where I forget the alphabet.”

Nikki, who was surprisingly supportive for a fiancée who has just been awakened, asks Spiro to explain.

“I am about five years old and Mrs Patzikakis asks me to sing the Greek alphabet. When I finish the class starts laughing because I have left out some of the letters.”

“Spiro, you must be under a lot of pressure at work. Go back to sleep. It’s just a silly dream, and to prove it, why don’t you sing the Greek alphabet to me?”

While it seemed like a ridiculous request for the brilliant risk manager and self-proclaimed risk czar, it was also an easy way to dispel his fears that he had forgotten his Greek alphabet. He begins singing: “alpha, beta, epsilon, zeta, eta, iota, lambda, mu, nu, xi, omicron, pi, sigma, tau, upsilon, phi, chi, psi and omega.”

Nikki suddenly sat up, opened her eyes and screamed, “you forgot delta, gamma, theta, rho and kappa. I think you better call Wharton in the morning and give back your MBA. You are familiar with the letters “M”, “B” and “A”, right?”

Spiro smiled.

“What’s so funny?”

It was at that moment that Spiro realized what caused this nightmare. He explained to Nikki that in his profession, delta, gamma, theta, rho and kappa are known as the Greeks. They are a set of factor sensitivities used by traders (and risk czars) to quantify the exposures of option portfolios. Each one measures how the portfolio’s market value responds to changes in an underlying variable. Obviously, the pressures at work were getting to Spiro.

There are five Greeks:

Delta measures the sensitivity to changes in the price of the underlying

Gamma measures the sensitivity to changes in the delta

Kappa (or vega) measures the sensitivity to changes in the implied volatility

Theta measures the sensitivity to time

Rho measures the sensitivity to a change in interest rates.

But by now Nikki was fast asleep.

Friday, January 06, 2006

What can Grover teach us about risk management?


In a book called Project Manager's Spotlight on Risk Management by Kim Heldman, the author references The Monster at the End of This Book by Jon Stone and Michael Smollin to demonstrate the importance of having a risk response plan for dealing with monsters and threats in projects.

I took this allegory a step further and actually read this book to a room full of adults during my presentations on risk management basics.

In the book, Grover is concerned with the monster he is going to find at the end of this book. To mitigate this threat, Grover spends thousands of dollars on costly building supplies to prevent us from turning pages, so that we do not get to the end of the book.

As a risk management professional, I appreciate Grover’s proactive risk management approach, but unfortunately, our blue, furry little friend overreacts to the threat.

If he had only performed a proper risk assessment, rather than basing it on anecdotal evidence – he learns about the monster by reading the title page only – Grover may have realized that the monster did not have the catastrophic impact he expected it to have. It turns out the risk was not even material.

With more due diligence, Grover may have chosen a different risk treatment: he could have accepted the risk by doing nothing or transferred it to someone more naïve like Elmo.

This book is a great primer on risk management and one that your three-year-old might also enjoy.

Monday, November 28, 2005

What Causes Risk?

In a previous article, we learned about the difference between the inherent and residual risks you face on the way to work: slipping in the shower, on the driveway or off the road. All these high inherent risks are reduced to low residual risks thanks to some preventative processes.

How do you anticipate risks you have never thought about? How can you prevent what you do not know? What are the unknown unknowns?

To solve this, you have to create the chain of events or a causal chain. What does the chain of interdependent events that ended in slipping on the driveway look like?

Why did you slip?
It was icy

Why was it icy?
I didn’t put down any salt

Why didn’t you throw any salt?
I didn’t buy any salt

Why didn’t you buy salt?
I didn’t know it would snow

Why didn’t you know it would snow?
I don’t listen to weather reports


This is a causal chain that starts with not listening to weather reports and ends with slipping on the driveway.

Or does it?

Once you work backwards to identify the root cause, you can work forwards to identify interdependent risks you never considered and create chains of events that all link back to not listening to weather reports.

What are the events that occur after you slip on the driveway?

Did you miss the bus, causing you to be late for a big presentation? Did you twist your knee, causing you to miss the marathon you were training for? These are both possible chains of events with the same root cause.


Take a moment to think of a mistake you made recently at your company and think about why it happened. Ask yourself “why?” five times in order to find the root cause. Can you think of other things that might go wrong if your root cause occurred again? What are the unknown unknowns that would link back to your root cause?

Bravo! You have just identified your first causal chain.

Since we cannot manage what we cannot measure and we cannot measure what we cannot see, everyone at your company needs to see, measure and manage their unknown unknowns.

Inherent and residual risks

Were you aware of how risky it is for you to come to work? Since you woke up this morning, you could have slipped in the shower, in your driveway or off the road. It’s a wonder you got here in one piece!

Inherently, these are all risky events, but thankfully, you have put appropriate controls in place to lessen – or mitigate – these risks.

Although these inherent risks are high, the residual risks of getting to work are low: you have a rubber mat in your bathtub to keep you from slipping; you shovel your driveway in winter to prevent ice from forming; and, you make sure your tire pressure is correct and there is enough tread.

All these little things you do are controls for mitigating inherent risks that make the residual risks acceptable. Although many of us don’t consciously think about risk in these terms, many of the processes we perform in our lives are controls against some inherent risk. However, even with these controls, you can still slip in the shower, the driveway or off the road. There is always some element of residual risk.

Take a moment to think of three processes you perform at your company and imagine what it would be like if no one performed them. Would your company be exposed to more residual risk? Are these your key risks?

Congratulations. You have just identified your inherent risks, controls and residual risks.

Risk management is ongoing: you have to continuously monitor controls using different sorts of measurable indicators:
· Is the rubber mat on the bathtub floor? Yes or no?
· How many centimeters of snow will fall before someone has to shovel the driveway?
· Are tires rotated every 10000 km or is there 2/32” remaining on the tread?

How do you measure your controls and your residual risks at your company? How would you know when your controls are no longer working?

Each of us must anticipate events that have not occurred in addition to simply managing those that have already happened.

Tuesday, November 15, 2005

The Duality of Uncertainty

HOW TO EMBED THE DUALITY OF UNCERTAINTY

November 2004



It is my mandate to embed risk management

To successfully embed risk management and make it a systemic capability, every mind needs to be retooled. It is not enough to have little islands of risk management capability: we need thousands, not tens of individuals to have this capability; we need a major cultural shift for the organization, top-level support and a lot of time.

Embedding risk may not be a measurable objective
We have dozens of measures focused on cost, efficiency and customer satisfaction. Can we systematically benchmark other companies on risk management? Can employees have personal performance metrics related to risk management? If so, how do you measure success and failure?

The duality of uncertainty
Risk is commonly defined as (or believed to be) the uncertainty that hinders the attainment of our objectives. However, the Duality of Uncertainty suggests that if there are bad risks that hinder, there must also be good risks that facilitate.

If the captain of a ship asks the first mate – who is trained to look for harmful risks – to stand in the crow’s nest high atop the vessel to look for threats, doesn’t it stand to reason that so long as he is up there, he should also be looking for opportunities?

Embedding any solution must address the Duality of Uncertainty. The bad and the good. The risks and the innovations.

Embedding innovation is a measurable objective
Innovation is understood so it can be promoted and it can be seen so it can be measured. Innovation must be embedded into your company's culture first because it is easier to encourage thousands of employees to embrace the discovery of good ideas – that will benefit everyone – than to teach them how to reject their individual threats.

As an additional benefit, making innovation a systemic capability makes good business sense because the unconventional creates competitive advantages.

Why not innovate?
I believe every company is filled with dreamers like Robert F. Kennedy who said: “dream of things that never were and ask ‘why not?’” The dreamers want to change the world but don’t know how to share their ideas. They demand more than just a pay cheque. They want a chance to make a difference.

Risk management redux
When the leaders of this company train me to share innovative ideas, doesn’t it stand to reason that once I am encouraged to identify opportunities and solutions, I will start identifying threats as well? Yes!

Let’s begin today
In the long term, innovation facilitates the embedding of risk management as a systemic capability; in the short term it provides you with inspiration and a competitive advantage that will continue to differentiate you from your competitors’ outdated strategies.

Gary Hamel said that while you can’t bottle lightning, you can build lightning rods. You need to find your innovators and provide them with lightning rods so innovation can flourish. Let's begin handing out lightning rods and start making lightning.