Enterprise Risk Management: A Practical Guide to Quick Start
Ebook, 271 pages, 2 hours


About this ebook

From the same opportunities and threats used for developing strategic plans to achieve organization objectives, we develop enterprise risk management, reaching to all areas and levels of the organization, to prevent divergence from those strategies. This is a practical guide on how to develop and implement such an enterprise risk management. If you do not have this in place, this is the perfect place to start for an effective enterprise risk management running in a short time. If you already have this in place, there are pearls of wisdom and experience, gathered from hundreds of different industries and thousands of individual practitioners that will further improve the enterprise risk management.

As you observe situations to identify risks, study possible events, their consequences and likelihood, evaluate opportunities and threats, decide on what to do and act on those decisions, you learn at each stage a wealth of knowledge shared by those who had been there, giving you the tools and means to enrich and manage those stages. You quickly go into the details of implementation throughout the organization.

Starting from the organization big picture, with a hands-on approach, you are taken through the processes of appreciating risks to organization objectives at all levels, what needs to be done to prevent or exploit those risks, how it should and should not be done, and the ways to do it.

As you walk through the central path of planning, implementing and managing enterprise risk management, there are branches of learning to enrich the understanding and insight along the way.

With more than 70 diagrams and charts, over 30 tables, numerous templates and pictures, you have a clear picture of what to do and how to enhance your enterprise risk management.

Language: English
Publisher: Naina Mohamed
Release date: Sep 20, 2022
ISBN: 9789834182229

    Book preview

    Enterprise Risk Management - Naina Mohamed

    All rights reserved. This book contains material protected under International and Federal Copyright Laws and Treaties. Any unauthorized reprint or use of this material is prohibited. No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording nor may it be stored in a retrieval system, transmitted or otherwise be copied for public or private use – other than for ‘fair use’ for research or private study or criticism or review or as brief quotations embodied in manuscripts, articles and reviews – without prior written permission of the publisher.

    Every possible effort has been made to ensure that the information contained in this book is accurate at the time of publication, and the publishers and author cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publishers or the author.

    Enquiries concerning reproduction outside of these terms should be sent to:

    naina@competencyhouse.org

    © Naina Mohamed, 2022

    The right of the person writing and presenting as Naina Mohamed to be identified as the author of this work has been asserted by him in accordance with International and Federal Copyright Acts and Treaties

    Published by Naina Mohamed

    Naina Mohamed, 1951-

    Enterprise risk management: a practical guide to quick start / Naina Mohamed.

    ISBN 978-983-41822-3-6

    1. Risk. 2. Risk management. 3. Risk assessment. 4. Risk register. 5. Risk analysis. 6. Risk chart. 7. Risk treatment. 8. Risk report. 9. Risk profile.

    Dedication

    This book is dedicated to the many organizations we consult for, and the people who attended our training programs on Enterprise Risk Management, raised questions and concerns, and shared their experiences. We are deeply indebted to all these persons and their organizations, for without them this book would not have been possible.

    Contents

    Dedication

    Contents

    Foreword

    Preface

    Chapter 1 What is Risk and Risk Management

    All Good Managers Are Risk Managers

    All Persons Can Be Good Risk Detectors

    A Quick Overview of What We Do in Enterprise Risk Management

    Chapter 2 Observe the Situation & Identify Risks

    Knowing What to Look For

    Threat and Opportunity Awareness

    Politics

    Economics

    Strategic

    Reputation

    Legal / Compliance

    Financial

    Governance

    Social

    Health & Safety

    Environment

    Security – Information, Knowledge, Assets

    Quality – Product, Service

    Operations

    Resources and Utilization

    Technology

    Risk Context

    Risk Criteria

    Numbering System for Traceability

    Risk Criteria Determined by Stakeholders or Industries

    Pre-Emptive Thinking

    Competency Development Path

    Identification of Risks

    Considerations When Identifying Risks

    What Influences Risk Identification

    Methods and Tools to Identify Risks

    Generate the Risk Register

    Preliminary Analysis

    Chapter 3 Study (and Analyze) Events, Consequences and Impacts

    Complexity of Trigger, Events & Consequences

    Study (and Analyze) Risk Causing Events:

    Update the Expanding Risk Register

    Study (and Analyze) Risk Consequences

    Categorize Severity or Impact

    Determine the Consequence Impacts

    Mixed Categories

    Considerations for Events and Consequences

    Controls assessment

    Update the Expanding Risk Register

    Chapter 4 Study (and Analyze) Event Likelihood

    Estimating the Likelihood of Occurrence

    Categorizing the Likelihood of Occurrence

    Considerations for Likelihood

    Update the Expanding Risk Register

    Chapter 5 Evaluate Risk Threats & Opportunities

    Risk Evaluation

    Risk Score

    Risk Level

    Update the Expanding Risk Register

    Risk Matrix

    Risk Criteria

    Risk Chart

    Square Risk Chart

    Circular Risk Chart

    Triangular Risk Chart

    Complex Risk Charts/Graphs/Maps

    Update the Expanding Risk Register

    Risk Assessment

    Risk Assessment Techniques

    Chapter 6 Decide on What To Do

    Situation of Concern Analysis

    Decisions Based on Risk Appetite & Tolerance against Criteria

    Opportunities & Threats, Positive & Negative Risks, Upside & Downside Risk Zones

    Risk Criteria, Appetite & Tolerance With Risk Analysis

    Using the Risk Register to Offset an Identified Threat

    What We Have Done So Far

    Risk Breakdown

    Risk Evaluation Considerations

    Decide on the Risk Treatment

    Treatment Methods

    Which Treatment?

    Cross Treatment

    Records of Treatment Methods Selection

    Treatment Priority

    Update the Risk Register

    Risk Control Measures for Casualties in Processes

    Hazard Assessment vs Risk Assessment for Processes

    Limits to Hazard Prevention

    Risk Control Measures for Casualties from Products

    Chapter 7 Act On Decision

    Risk Treatment Action Report

    Risk Treatment Plan

    Risk Treatment Project Plan

    Treatment Effectiveness

    Monitor the Implementation & its Control

    Treatment & Controls Monitoring Record

    Update Risk Record and Register

    Close the Treatment Action Report

    Chapter 8 What Next

    Update Relevant Management Systems

    Monitor & Review

    Improve

    Efficiency of Risk Management

    Accuracy of Risk Management

    Usability of Risk Management

    Knowledge Base of Risk Management

    Raise the Bar – the Context & Criteria

    Risk Record

    Records

    Risk Profile

    Reports

    Consult

    Revisit Risk Criteria

    Communicate

    Framework or System

    Conclusion

    Foreword

    Traditional Risk Management has been about reacting to something having gone wrong and implementing controls according to its severity, preventing it from going wrong again, insuring and protecting the organization from damages and liabilities, incrementally adding on to the list of what goes wrong without much analysis of multiple sources and impacts from across the organization, and rarely considering the opportunities that come with risks.

    On the other hand, Enterprise Risk Management (ERM) is about proactively identifying all possible sources of threats and opportunities to the organization's objectives, determining the upside and downside risks ranging from policies to detailed operations, in a holistic and connected manner, analyzing the potential severity and likelihood levels of these risks, and taking actions to prevent or exploit them.

    Risk management, once limited to financial activities, has expanded to include all activities and situations faced by the organization, becoming an essential part of good governance. Also, from being a legal requirement for hazardous operations, risk management has become an essential part of most international management system standards. Furthermore, the ESG movement has made risk management an essential part of investing and funding. And enterprise risk management will continue to expand its usefulness in all business and societal organizations’ and governmental activities.

    Many organizations that practise management system standards have also implemented risk management specifically for those standards. For example, quality management includes quality related risks, environmental standards look into environment related risks, and energy standards focus on energy related risks. These are not the holistic, organization-wide risk management that good governance requires.

    This book is meant for organizations to quickly get started with risk management, organization-wide or in specific areas. It progressively builds the risk management operations for the organization, explaining why things are done in a particular way, and what are the possibilities to explore. The risk management practitioner can first start with some areas or activities of the organization to be expanded later or include all activities from the beginning. Examples and templates are provided for a quick start that can later be modified with increasing experience and needs.

    User Friendliness

    Further to training native English speakers, we have also extensively trained delegates for whom English is their second or third language. This book is written for both groups. We have kept the vocabulary clear and simple, and avoided long sentences and paragraphs, breaking up ideas into smaller portions for easy understanding and application.

    This is a practical book. It communicates with first and second-person pronouns, ‘we’ and ‘you,’ telling what has to be done and why it is done, in a simple, sequentially systematic manner. By following the sequence, the user should be able to successfully run Enterprise Risk Management.

    For Senior Management and the Board

    Performance indicators, which provide past performance analysis, tell management how well the organization and its many functions and people are achieving the strategic goals. Risk scores complement this by providing information on what future performance could be like. With hindsight of the past and pre-emption of the future, senior management can prioritize what needs to be done, utilizing finances and other resources effectively.

    Since the best way to start risk management is from the organization's threats and opportunities, which is what we also do for strategic management, risk management presents another way of improving strategic planning, when the organization looks at risks in its internal and external environment. In this way, risk management substantially complements strategic management.

    Risk management also forms the ‘third eye’ for senior management. Most management reports can be correlated to risk management reports. In this way, senior management can verify the validity of other reports. The pre-emptive nature of risk management guides senior management in making decisions.

    Preface

    We have been consulting and training on Enterprise Risk Management (ERM) since the early 2000s, having had delegates from organizations that wanted to start from scratch to those who had a cumbersome or complex ERM that they wanted to simplify and streamline. Many of them had formally studied ERM with a good idea of what it is all about. But almost all of them wanted to know how to implement ERM in a simple and streamlined manner. And that is what this book is about – quickly applying and seamlessly integrating ERM in your organization.

    This is a practical guide that tells what has to be done (and should not be done) and the reasons for them. Whether you are a seasoned risk practitioner or a novice, there are pearls of wisdom in this book, collected over the years from the many people with whom we have improved their organizations, or who have attended our programs and shared their experiences. And we are deeply indebted to all these persons and their organizations, for without them this book would not have been possible.

    It is not possible to put everything into one book of this size. You may have questions and suggestions. New ideas and methods will develop. Until the next edition of this book, please register for any new material or to post your suggestions and questions at this place:

    https://mailchi.mp/e29e07668144/enterprise-risk-management

    Chapter 1

    What is Risk and Risk Management

    You are involved in something all the time. It can be any situation: the activities at work, your organization's operations, new businesses, innovative technology, new markets, or options trading.

    > Every situation has opportunities and threats. Sometimes a lot of opportunities and very few threats. Sometimes the other way round. Or a good mix of both. And every situation has outcomes or consequences; we get something out of it, or something happens.

    > Every consequence can be positive or negative. You can never be completely certain about what and how the outcome will be. And each consequence has a probability or likelihood of occurring; some consequences have a high probability of happening and some are negligible. Each consequence also has a level of impact severity; sometimes high impact, and sometimes low.

    Risk is the uncertainty about those situations and consequences, their severity of impact and likelihood of happening. This uncertainty or risk can be opportunities or threats.

    When you are already involved in those situations, whether working in operations or investing in technology, the consequences will impact you (or your organization). You may not be involved yet, but you are looking into the opportunities and threats of the situation to determine if you want to get involved, despite some level of uncertainty or risk.

    Since risk is uncertainty about the consequences, there is always risk in everything we do. It’s a matter of how big or small the risk is. Most of those risks are negligible, allowing us to focus on the few significant ones.

    Most of the time organizations are involved in business and financial risks at the strategic planning level. But there are risks even at the
