The firm of Arthur J. Gallagher & Co. has published an interesting and challenging paper, Collaborative Risk Management: “Risk Management” vs. “Managing Risk”. While it is targeted at organizations in higher education, its message is relevant for all.
The firm is an insurance broker that provides consulting services related to risk management. One of their principals, Dorothy Gjerdrum, was one of the individuals involved in the paper. She is their Executive Director for the Public Entity & Scholastic Division; the leader of the committee (the Technical Advisory Group of which I am a member) that represents the US standards agency (ANSI) in risk management related standards (especially the global risk management standard, ISO 31000:2004); and a friend.
I am putting that friendship and my respect for her as a risk management practitioner aside to review this paper.
Let’s get the main criticism out of the way: this whole idea of Collaborative Risk Management (CRM) is a repackaging of proven and long-established principles. The authors say that they are writing the paper because too many organizations are treating risk management as a project instead of a continuing management process. However, I don’t think they need to provide a new name for established best practices.
Yet, I agree with many of the statements in the paper and we should focus on those instead of the name the authors put to risk management. Here are some excerpts with my comments:
“There can be a tremendous difference between institutions that have risk managers and institutions that manage risks. One end of the spectrum is represented by the often-overworked individual with an overstuffed portfolio. At the other end…will be found… multiple integrative teams and a culture that rewards risk ownership and builds risk assessment into every initiative. These teams take into account an appropriate stratification of risk, assuring that board-level, administration-level, and operational-level risks all have proper owners and teams working on them. Support and a structure are established whether or not, and long before, exhaustive “risk registers” are created. Rather than slogging through a cumbersome catalog of many and unequal risks, a strategic, carefully selected few have coalesced and become the main focus. “Risk” has become a category incorporated in the planning process, like staffing and budget, for every enterprise of the institution—woven into the culture not by the efforts of one employee, but by many teams.”
The paper restates the argument more simply: “the key is an understanding of the difference between ‘risk management’—perhaps assigned to one harried Director of Risk Management (or Chief Risk Officer, or Audit, Compliance, Legal, or Finance)—and ‘managing risk,’ which top-flight institutions realize is a collaborative, distributed, networked assignment for everyone.”
Comment: It is indeed time to move to the management of risk, where the risk manager neither owns the fish nor gives them to executives and the board. Instead the CRO teaches the organization how to fish and assesses his own performance by the number who can fish without help. The CRO counts the fish harvested by others and provides the board with consolidated reporting.
The paper continues: “Much positive collaboration can take place when teams are utilized, and the team leader sees the job of the team as ‘managing risk’ for the institution as a whole. On such teams, the risk manager may be a frequent participant but may be the leader on only a select few, if any.”
I don’t know why, but the refrain I have been using the past few years seems to be becoming popular. I use it for both risk management and internal audit, saying that they “have to stop being the department of ‘no’, and become the department of ‘how’.” Gallagher says it well:
“Operational risk managers have long bemoaned the fact that, like a James Bond villain, we are occasionally nicknamed “Dr. ‘No!’” Internal clients sometimes feel they have exciting ideas for programs and opportunities with great institutional benefits, but when they run those ideas past risk management, all they hear is “No!” because operational risk management focuses on the negatives. Admittedly, part of this is defensive: someone needs to point out the risks and possible downfalls of ideas for which the proponents only see the positive. But this role may cast operational risk managers in an unpleasant light. No one wants to talk with risk management if it only means their ideas will be shot down.
The new landscape of risk management is bringing a simple, one-word change: risk management is now the process of trying to help others get to “Yes!””
The paper tackles the need to remember that risk management is not only about navigating the possible adverse effects of uncertainty; it is also about seizing opportunities:
“[Effective] risk management specifically aims to incorporate positive risks. That is, [it] means to consider opportunities and the cost of not being able to leap at them—such as letting other schools gain a competitive advantage, or missing out on a clear demographic shift. While operational risk management has historically weighed the cost of a course of action, [effective risk management] also considers the potential costs of not acting—the “carpe diem!” failures… ERM is about… achieving success as much as avoiding failure.”
The authors have suggestions for bringing the disciplines of risk management to the decisions and actions of the board and top executives:
“One significant challenge with integrating risk management throughout the institution is determining whose job it should be. Strategy is traditionally the province of the Board. A healthy Board asks strategic questions: “Where should the institution go next? What major initiatives should we undertake? What societal and demographic forces may threaten our success, or propel us to further greatness?” Few operational risk managers are asked to consider these high-level issues, or to report on them to the Board, much less to manage them. Since ERM incorporates consideration of strategic issues (along with any issues that keep the institution from reaching its objectives), there is a common disconnect between it and what institutional risk managers have traditionally done each day.”
They continue: “Certain types of risk should be managed directly by the Board, through the use of Board committees. On the other hand, the Board does not run many aspects of the ERM process—the Board is not in a position to drive ERM initiatives through the institution on a daily basis. The way forward is to delineate carefully the respective roles of the Board, senior administrators, and operational risk managers. Stratification is key—some risks, such as strategic questions, major initiatives, and general societal and demographic shifts, are the role of the Board. We might call this true “strategic risk.” Senior administrators, by contrast, are responsible for implementing the decisions of the Board as operations of the institution, and minding specific risks facing the institution as a whole (“institutional risk”). Likewise, operational risk management will likely be aware of, and in a position to address, risks that may be below the sight lines of the Board or senior administrators, but nevertheless might affect the eventual success of the institution in achieving its objectives (“unit risk”). These different risk types should be handled by different groups across the institution. Successful [risk management] must incorporate the perspectives of all of these participants, in their proper strata. Thus risks, besides having aspects such as frequency and severity, have an altitude, a level at which they are best managed. A Board thus manages risk via linkage between various levels of stratification: committees report up to certain senior-level administrators, who may report to Board committees and thus to the full Board.”
Comment: this idea of altitude is intriguing. It may work for some and not for others. The key is to understand who owns and is responsible for managing risk (typically the individuals who own and manage performance and achievement of the related objectives). This requires that top-level objectives and risks are cascaded down across the enterprise and that people take ownership of the slice of the objective and risk that is in their area of responsibility.
The authors spend a lot of time reviewing what causes risk management initiatives and programs to fail. I will let you read through these, excerpting just one point. It speaks to a feature of many risk management programs where management (and the CRO) may feel, in error, that they have effective risk management.
“The biggest problem… was that once a board committee or senior administrator indicated an ERM program was wanted, the institution often plunged at once into a process of risk identification. Long lists of risks—risk registers—were created, some with hundreds of entries. Risk managers, and ERM teams, are getting stuck at this risk register phase and are having difficulty moving on to actual management of the risks. There seems to be an 80/20 problem: 80% of scarce ERM time is spent on identification and assessment (frequency, severity, velocity and the like), and only 20% is applied to strategic thinking.”
Comment: I frequently lament (such a good word) two things: 1. There is too much emphasis on identifying the risk and not enough on taking action to optimize outcomes, and 2. People are managing a relatively static list of risks instead of implementing a risk management program that is “dynamic, iterative, and responsive to change” and embedded into organizational processes (ISO and COSO both say this). As I said earlier, the CRO must teach managers and executives to fish.
The document also provides advice for getting risk management right. Again, I won’t go into detail: it repeats many of the suggestions others have made about support from the top, ensuring the right risk culture, selective appropriate guidance (they prefer the ISO 31000:2009 risk management standard), and more.
There is one important point that they imply but don’t state directly.
Risk managers have used workshops as an effective technique for identifying, assessing, and treating risk. But we should ask whether it makes sense to have a team (for that is what this is) that is only responsible for the risk aspect of the decision-making process. There are probably teams (if not in name) that come together to address the performance side of the decision-making process, and it would be better to have them include the risk side rather than set up and run a separate risk workshop.
I welcome your thoughts on this and the other aspects of this interesting paper. It is worth downloading and reading.
Deloitte has given us food for thought in an article “The Four Faces of the CIO”.
Fortunately, they are not talking about a devious executive. Instead, they are talking about four different key roles that every CIO has to play.
The roles are:
- Catalyst: As a catalyst, the CIO acts as a credible, enterprisewide change agent, instigating innovations that lead to new products or services; delivering IT capabilities in radically new ways; or significantly improving operations in IT and beyond. Catalysts have significant political capital and are able to enlist and align executive stakeholders. Their relentless focus on disruptive innovation and cross-functional teaming allows them to lead transformational change in IT and the business at large.
- Strategist: “The CIO’s primary objective as strategist is to maximize the value delivered across all IT investments. The strategist has deep business knowledge and can engage as a credible partner, advising the business on how technology can enhance existing business capabilities or provide new ones. The strategist also keeps the business apprised [sic] of distinctive IT capabilities that can drive revenue, create new opportunities, or mitigate and navigate risks and adverse events.”
- Technologist: “As a technologist, the CIO is responsible for providing a technical architecture that increases business agility by managing complexity, supports highly efficient operations (to keep costs low), and is flexible and extendable enough to meet future business needs. Technologists also continually scan the horizon for new technologies, rigorously analyze and test those with promise, and then select the ones most apt to achieve enterprise architecture objectives (efficiency, agility, simplification, and innovation).”
- Operator: “As an operator, the CIO oversees the reliable day-to-day delivery of IT services, applications, and data. Operators manage the department, and hire, develop, and lead IT staff. They institute service level agreements with IT customers and ensure performance targets for IT services are achieved. They maintain transparent IT cost models and charge the business appropriately for IT services. Operators also source technology, services, and staff, and govern those third-party relationships. Among the biggest challenges for operators are protecting the organization against cyber attacks and ensuring regulatory compliance.”
In this world of dynamic and business model-shattering technological change, it is essential that the CIO take her rightful place as a business leader. The Strategist and Catalyst roles are of massive importance if an organization is to succeed.
This is recognized in a survey by Deloitte of where CIOs actually spend their time vs. where they want to spend their time:
- 36% as an operator, compared to a desired level of 14%
- 43% as either strategist or catalyst, compared to a desired level of 71%
I believe that boards should be asking the CIO, and whoever she reports to, where she spends her time. If the dominant portion is not as Strategist and Catalyst, they should ask why not.
Risk officers should consider whether there is a risk to the business if the CIO is predominantly a passive Operator, and the CAE should consider how the situation can be improved.
I welcome your views.
If I were asked to join a board and serve as the chair of the audit committee (which I am qualified to do), I would apply the lessons from what seems like a lifetime of working with audit committees. In most cases, the chair was excellent and I would hope to be as effective as they were.
After what I would assume would be a thorough and detailed orientation to the organization and its challenges by such key people as the CEO, CFO and her direct reports, General Counsel, Chief Operating Officer, Chief Accounting Officer, Chief Strategy Officer, Chief Information Officer, Chief Audit Executive, Chief Risk Officer, head of Investor Relations, Chief Information Security Officer, Chief Compliance Officer, Chairman of the Board or Lead Independent Director, lead external audit partner, and outside counsel (and others, depending on the organization), I would turn my attention to the following:
- Do I now have a fair understanding of how the organization creates value, its strategies, and the risks to those strategies?
- Do I have a sufficient understanding of the organization’s business model, including its primary products, organization and key executives, business operations, partners, customers and suppliers, etc.?
- How strong is the management team? Are there any individuals whose performance I need to pay attention to, perhaps asking more detailed questions when they provide information?
- Who else is on the audit committee and do we collectively have the insight, experience, and understanding necessary to be effective? Where are the gaps and how will they be addressed?
- What are the primary financial reporting risks and how well are they addressed? What areas, if any, merit special attention by the audit committee? Who should I look to for assurance they are being managed satisfactorily? Who owns the compliance program (if any) on controls over financial reporting, and how strong is the assessment team?
- What are the other significant financial and other risks (for which risk management oversight has been delegated by the full board) that merit special attention? Who should I look to for assurance they are being managed satisfactorily?
- How strong is the external audit team and how well do they work with management and the internal audit team? What are their primary concerns? Is their fee structure sufficient or excessive? Is their independence jeopardized by the services they provide beyond the financial statement audit (even if permitted by their standards)?
- How strong is the internal audit team and does the CAE have the respect of the management team and the external auditor? Are they sufficiently resourced? Are they free from undue management influence (for example, is the CAE hoping for promotion to a position in management, does he have free access to the audit committee, and is his compensation set by management or the audit committee)? What are their primary concerns? Do they provide a formal periodic opinion on the adequacy of the organization’s processes for governance and management of risk, as well as the related controls? How do they determine what to audit?
- Who owns and sets the agenda for the audit committee? Is there sufficient time and are there enough meetings to satisfy our oversight obligations?
- Do the right people attend the audit committee meetings, such as the general counsel, CFO, CAE, CRO, CCO, chief accounting officer, and the external audit partner?
- How does the approval process work for the periodic and annual filings with the regulator (e.g., the SEC)?
- How are allegations of inappropriate conduct managed? Who owns the compliance hotline, who decides what will be investigated and how, and at what point is the audit committee involved? Is there assurance that allegations will be objectively investigated without retaliation?
- What concerns do the other members of the audit committee have? Does the former chair of the committee have any advice?
I have probably missed a few items. What would you add?
Please share your comments and views.
While the ‘rest of the world’ thinks of “GRC” as governance, risk management, and compliance, the Institute of Internal Auditors (IIA) uses the term to refer to governance, risk management, and [internal] control.
This is confusing. I can imagine a conversation between two people about “GRC” that continues for 20-30 minutes before they realize they are not talking about the same thing.
Taking the IIA usage first, it has meaning and relevance. While the term GRC is not used per se, the IIA’s definition of internal auditing says that internal audit provides assurance by assessing the organization’s processes for governance, risk management, and the related internal controls. So it has meaning, although (my opinion, not shared by IIA leadership) I wish they would come up with another acronym and stop confusing the greater number who think the C in GRC stands for compliance and not control.
In my experience most internal auditors, influenced presumably by consultants, software vendors, and thought leaders from OCEG, think of the C as standing for compliance and not [internal] control.
So let’s turn to the more common usage of GRC – governance, risk management, and compliance.
Earlier this year, in April, I wrote companion pieces on GRC:
Seven months on, I am starting to think that the term is becoming even more meaningless in practice.
Maybe we can ask the person who invented the term GRC. Although there is competition from PwC and others (including the founder of OCEG), it is generally recognized that Michael Rasmussen (a friend) made it popular while he was with Forrester Research. He needed a term to describe the bucket of software functionalities he was assessing and decided to use the term GRC.
The stimulus for this post and reflection on GRC is recent writing by Michael on his web site. Referring to himself as the GRC Pundit (others call him the King of GRC and he certainly has no peers), he lambasted Gartner for their ‘Magic Quadrant’ assessment of GRC solutions (I did the same, for different reasons, in an earlier post).
But it is worth noting that Paul Proctor of Gartner (not the individual responsible for their ‘Magic Quadrant’) said he hates the term GRC. He said:
“GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have.”
I love and agree with this sentiment.
To add to the confusion around GRC, Gartner has its own definition. However, the most common and most widely-recognized definition is the one from OCEG:
“GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].”
We could leave it there, in a confused and confusing world.
But enough is not enough.
Gartner also has definitions and an assessment for IT GRC – whatever that is – and Michael, on his web site, now refers to (and sometimes gives awards for):
- Identity and Access GRC
- Legal GRC
- 3rd Party GRC
- Enterprise GRC
- GRC gamification
Now I am not being fair to Michael, because I know what he is really doing. GRC is so broad, extending from the processes for setting strategy and monitoring performance, through risk management, to legal case management, internal audit management, information security, data governance, and more. So, he has diced up the software landscape into categories and awarded different vendors for their excellence in individual categories.
Is there any point to continuing to talk about GRC (except within the IIA with respect to their usage) when there are so many reasons there really is none?
I am privileged to be a Fellow of OCEG. They champion the concept of Principled Performance, referring to GRC (under their definition) as a capability that enables Principled Performance. Principled Performance is defined as:
“The reliable achievement of objectives while addressing uncertainty and acting with integrity”
Perhaps we can stop (except for the IIA) talking about GRC and start talking about how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values).
What do you think?
Or should we step back and just talk separately about organizational governance, performance management, risk management, ethics and compliance, information security, and so on?
I welcome your views.
How many organizations, small or large, expect to succeed if they have a large number of “average” people – and by that I mean truly average, neither poor nor exceptional?
None. Yet, do we always do everything we can and should to hire, retain, reward, and develop exceptional people?
Does our human resources function help us find and hire exceptional people, or does it limit us to people who are paid average or, if we are lucky, just above average salary, benefits, and other compensation?
Do you really expect to hire exceptional people with just-above-average compensation?
Are we encouraged to recognize our people – all our people – as exceptional, or are we required to grade their performance on a curve?
At one of the companies where I was head of internal audit (CAE), I inherited an existing team. I would rate only two of the staff (one in US and one in Singapore) as stars; a few had the potential of being very good; a couple were struggling; and the rest were “average”. They were competent, but had little potential for growth and were tolerated rather than welcomed by our customers.
I demanded more, in part because I was changing the style of the audit department so that instead of working in large teams, people were working in pairs or individually. This required more initiative, leadership, and exercise of common sense and business judgment.
The couple that were struggling recognized they were not going to be able to meet the new standard and left of their own volition. A few others saw the opportunity to grow and seized it. But the rest of the “average” performers remained average.
I was able, over time, to find positions for a couple of these people but the rest seemed to have glue on their feet. They enjoyed the new work and challenges, but were setting nobody on fire.
Our human resources function (HR) was no help. Since their work performance was “adequate”, I had no ethical way to move their sticky feet.
I wished I could have rolled back the clock and persuaded my predecessor to hire better people, people with greater intellect, curiosity, and imagination.
I have made a habit, now, of fighting hard to create an environment that lets me hire exceptional people. For that I need pay ranges agreed with HR that let me pay attractive salaries and offer excellent benefits, bonuses, etc. I need job titles that give the people pride in their position and responsibilities. Finally, I need the ability to rate all my people where they truly deserve to be rated – as exceptional performers.
Does your HR function let you hire the best possible person – and that is not the best you can find at the permitted rate, but the best you can find for the job you need done? Or are they a drag on performance?
How many of your sales team are “average”?
How many of your engineers are “average”?
What are you doing about it?
I welcome your comments and stories.
The other day, I was on a call with other members of an oversight committee. We were talking about the high level project plan for our new products and I asked to see a version that showed key deliverable dates. The chair of our small committee agreed, suggesting that the project manager add a diamond to the dates or otherwise indicate when the various deliverables would be completed.
But the project manager replied that the deliverable dates were in the detail of each “sprint” (the project was being managed using agile management techniques). We were looking at a higher level and he would be happy to show us the plans for each individual sprint.
I told him that I understood that the deliverables were in the sprint-level detail, but needed to see the deliverable dates on the higher-level project plan. Without that, I would not be able to see whether the plan was acceptable and the products would hit the market at the right time. For example, I could not see whether it made sense to work on deliverables serially or in parallel, or when oversight activities needed to occur.
His response was that he couldn’t run the project using two different project management techniques. Implying that my requirement was old-fashioned (I admit here that I have been managing or overseeing major projects since he was in grade school), he reiterated that he was using agile project management.
I tried to tell him that agile is how you run the project day-to-day, but for oversight purposes I needed to see the big picture – especially when the deliverables were to be completed.
Noting my rising tone, the chairman intervened and suggested that the project manager take the chart he was showing us and simply overlay the deliverable dates. He needed them as well.
The lesson here is that I, as an oversight and big picture person (at least in this role on this project), was talking a different language than the project manager.
I respect the project manager for his expertise and experience in running projects to successful completion. But, he was unable to put himself in my shoes, understand my needs, and then express himself in a way that communicated what I needed to know.
The same issue applies when technical experts, whether in finance, information security, risk management, internal audit, or other areas, need to communicate with people in a more senior management or board position. They tend to think and talk in technical detail, while senior management and board members think and talk in terms of the bigger picture. My advice:
- Understand the questions that senior management and the board need answers to.
- Answer those questions directly.
- Only provide additional detail when necessary to answer the questions – to their satisfaction, not yours – or when asked for more detail.
- Get to the point quickly.
For example, when a risk, security, or audit practitioner is talking to an executive officer, recognize that they want to know (a) is there anything I need to worry about, (b) is there anything I need to do, and (c) is there a need for me to continue to monitor the situation. They don’t need to know details when there is nothing for them to spend time on.
I welcome your views. If you can share experiences and stories, that would be appreciated.