Managing Risk for Opportunity

In the absence of certainty, the only way to maintain potentiality is to focus on excellent execution and demonstrable resilience at the same time whilst taking as much acceptable risk as is reasonably possible (Peter Bernstein, Against the Gods, The Remarkable Story of Risk)

Enterprise risk management (ERM) deals with the management of uncertainty, risk and opportunity towards the achievement of company goals and objectives. ERM overarches risk management specialisms. Risk management specialisms and associated systems deal with technically specific methods of actually treating risks, for example: credit risk, business continuity, IT etc.

Policy without practice has no teeth. Process drives practice.

Strategic Elephants

Enterprise Risk Management: Objectives and Obstacles
- Views upside as well as downside risks
- Is where strategic and operational risks, as well as financial and hazard risks, are collectively viewed
- Sets policy with regard to:
  - Risk appetite
  - Risk management criteria
  - Resources to be applied to the treatment of risks
- Overarches all risk management specialisms

1. Risk strategy is owned by the Board, not by management. Management owns execution.
2. Both directors and management require knowledge of obstacles, understanding of variables, certainty of compliance and clarity; these are mission critical to good management where uncertainty prevails.
3. Financial and hazard risks are now mastered. Danger remains within; however, they are now part of the mainstream professional management organisation. We need to apply the same rigor to the management of strategic and operational risks.
4. In the presence of growing uncertainty, strategic and operational risks as well as residual financial and hazard risks require a clearly defined, well understood, people engaging and rigorously applied process management approach characterised by:
   - Standard language, terms and definitions
   - Standard ERM framework, principles and risk management process
   - Standard methodology for estimating probabilities and impacts which releases us from the limitations, and excesses, of perception
   - Standard convention for assessing return on risk management effort

Clarity

[Figure: Standard ERM Framework, Principles and Risk Management Process (Source: ISO 31000 Risk Management Draft; also note ANZ 4360)]

[Figure: Initial Risk Map. Axes: Probability (1 to 10) against Consequence / Impact (1 to 10)]

[Figure: Residual Risk Map. Axes: Probability / Likelihood (1 to 10) against Consequence / Impact (1 to 10)]

The Business Case for ERM

The question arises: ‘how credible is the measurement of initial and residual risks and also the associated projected improvement in risk management performance?’ If the initial and residual risk maps are believed then it is clear that the case for the projected return on risk management effort will have been made.

Measurement: General

Measurement requires a:
- Start point
- Finish point
- Units of measure in between

- Process driven ERM methodology
- International Standard and common language
- Project management approach

Project Management Approach
- Scoping risk treatments … improvements in planning, controls, infrastructure, supply chain, communications, training, preparedness, resilience etc.
- Identification of required actions and expected outcomes
- Project planning and costing
- Performance of people who are assigned measurable tasks
- Project performance monitoring (deliverables, milestones, gateways)
- Project communications
- Measurement based return on effort … achievement of desired improvement in risk performance as illustrated in the projected variances between the initial and residual risk maps

Measurement: Estimating Probability and Impact

Probability requires identified events which:
- Occur in large numbers
- Are spread
- Are independent in their occurrences
- Are directly comparable

Hazard risks are insurable. Financial risks are treated through the use of financial instruments which over time are becoming more sophisticated and reliable.

Strategic and operational risks, by and large, fit neither because:
- Insufficient frequency data
- Events which have multiple variables and interconnections not treatable using conventional instruments

Magnificent 7 for ERM

Without measurement you are a candidate for CFIT (controlled flight into terrain).
- Risk Committee: Board owns risk strategy, management owns execution
- Align with international best practice (ISO and ANZ 4360) and international professional body guidance: use one universal language, and process
- Remove the fudge and adopt project management methods for monitoring, reporting and communicating key information to the risk committee
- Consider stakeholders, establish risk appetite and risk management criteria
- Synthesise obstacles to objectives
- Decide on risk treatments and repeat the synthesis to get new probability and impact estimates for residual risk
- Compare the two risk maps for return on effort in reducing obstacles to objectives

- The return on Risk is Profit!
- Risk is OK … once we know about it, have measured it and are treating it.
- ERM successfully embedded gives comfort to all stakeholders
- ERM is a journey … you can set out tomorrow

A final line from Mark Twain: “It ain’t what you don’t know that gets you into trouble; it’s what you know for sure that just ain’t so!”

Thank You.