“Be Brave” Resolution #1 – Critique and Hone Your Risk Rating Scales
All risk rating scales are not created equal. The new year is a good time to consider critiquing yours…and honing them, as advisable.
Here are some thoughts for severity and likelihood rating scales:
1) Mere adjectival identifiers (e.g. high, rate etc.) are worthless, open to a multitude of individual interpretations. Instead, be brutally specific.
2) Consider allowing severity to be predicated on a variety of different indicators (e.g. financial impact, brand/reputation, regulatory, strategic etc.). Whatever column particularly lends itself to the risk in question – and best resonates with the risk owner – that’s how potential severity for that risk should be viewed.
3) Likelihood rating scales should not measure the chance of incurring any risk event (why worry about fender benders?) but, rather, the likelihood of a “significant” event (rated 3 or above), based upon the severity table that you formulate.
4) Customize your likelihood scales with absolute clarity. For instance an “almost certain” rating might expect a significant event once every year and, on the other end of the spectrum, a “rare” rating might project a significant event only once every 50 years. Focus on the likelihood a significant event and establish explicit temporal measures.
5) Rating scales can be equally applied to risks both before controls (inherent) and with controls in place (residual).
6) Risk results – the multiplicative product of severity and likelihood – is an eminently justifiable and understandable approach that melds together severity and likelihood, in order to put the combined ratings of all risks in your universe on an even playing field.
In summary: Break down your rating scales. Don’t be afraid to modify them. Don’t let “good enough” be good enough.
“Be Brave” Resolution #2 – Critically Evaluate Your Risk Register Reality
Immediately investigate the possibility of implementing an automated risk register solution that is customized, straightforward, intuitive and pragmatic.
Consider leaving behind your current use-case, whether it consists of merely performing ERM by hand (e.g. excel spreadsheets) or trying to make-do by utilizing someone else’s application (e.g. audit, insurance company, claims handler) that is inflexible and ineffective.
Double-down on emphasizing the importance of the risk register to your ERM program by establishing one risk owner for every exposure in our universe and identifying and monitoring controls for each risk, by line of defense. With this ERM governance structure in place, roles and responsibilities will be defined, accountability expected and ERM risk culture will benefit.”
One possibility worth consideration: ERM One™ is a viable alternative for those: a) without an automated tool or b) saddled with someone else’s application.
“Be Brave” Resolution #3 – Think in Terms of 60-Second Blocks of Time
Why 60 seconds? What are some actual tangible examples of why this strategy might work?
1) Develop ERM elevator speech #1 – a succinct one-minute summary of the strategic importance of ERM, an explanation that ties together the company’s key objectives to the iterative, tactical execution of risk management. You never know when you will need this. You are well served to be ready. Clear and simple, with conviction and passion.
2) Construct ERM elevator speech #2, of the same duration, encapsulating the key strategic ERM initiative of the moment (e.g. cyber risk, ESG etc.). There’s always a hot topic for ERM – that’s the beauty of the profession. Let your voice show the excitement. Revel in describing it.
3) On every single piece of written correspondence, force yourself to lead with a Summary or a Summary Recommendation paragraph that the reader can digest in one minute. No more than 225 words. Straight to the point. Make your best case. Don’t bury your key points at the end of a meandering e-mail. Captivate the audience up-front.
4) Use the entreaty “can I have one minute of your time on the phone?” via e-mail or text. If you have built a reasonable reputation, the person being beseeched will have a tough time refusing this request…do so judiciously and respectfully. Stick precisely to a minute – be uber-prepared as to what you are looking for.
Think 60 seconds.
Be Brave Resolution #4 – Focus on “Words Matter” and Actions Count” to Achieve GRC/ERM Excellence
Two (2) maxims for ERM/GRC excellence – 1. “Words Matter” and 2. “Actions Count”. Hand-in-hand, this pair of principles drives ERM/GRC performance.
Here’s the reasoning:
” Words Matter” – The disciplines of ERM and GRC demand precision. There is no room for inaccurate, nebulous, or empty wording. Ditto for jargon or obscure acronyms. Less is more. Get and give everything in writing. Record the chronology. Be explicit and date-specific in expectations. Hold to your deadlines. When in doubt, ask questions. Don’t assume anything. This world (of ERM/GRC) is far too important to merely guess. There is no place for the esoteric, academic or hypothetical. Total clarity is the byword, whether in establishing ERM/GRC context, laying down its foundational elements such as governance or culture or explicitly detailing the steps in tactical execution. Rating scales must have exact and rigorous definitions so there is no confusion. Language should be energetic and convincing. There’s a whole lot at stake, each and every single day.
“Actions Count” – Thrive on the adjective “actionable” and the noun “deliverable”. How are you converting context, philosophy and strategy into tangible and decisive action? Does your ERM/GRC program stop at the ivory-tower, risk appetite level (e.g. high, medium, low) or does it drill down and manage to explicit tolerances, through the establishment of key risk indicators (KRIs)? What is the escalation provision associated with every exceedance of risk tolerance? Is the three lines of defense a conceptual diagram or an embedded, day-in-and-day-out demonstration of risk culture? Are risk ratings from deputized risk owners appropriately critiqued and challenged in order to ensure the validity of risk priority rankings?
Two ideas worth remembering on ERM/GRC – “Words Matter” and “Actions Count”.
About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.