Enterprise Risk Management: A Practical Guide to Quick Start
About this ebook
From the same opportunities and threats used to develop strategic plans for achieving organization objectives, we develop enterprise risk management, reaching all areas and levels of the organization, to prevent divergence from those strategies. This is a practical guide on how to develop and implement such an enterprise risk management program. If you do not have one in place, this is the perfect place to start, giving you an effective enterprise risk management program running in a short time. If you already have one in place, there are pearls of wisdom and experience, gathered from hundreds of different industries and thousands of individual practitioners, that will further improve your enterprise risk management.
As you observe situations to identify risks, study possible events, their consequences and likelihood, evaluate opportunities and threats, decide what to do and act on those decisions, you learn at each stage from the wealth of knowledge shared by those who have been there, giving you the tools and means to enrich and manage those stages. You quickly get into the details of implementation throughout the organization.
Starting from the organization's big picture, with a hands-on approach, you are taken through the processes of appreciating risks to organization objectives at all levels, what needs to be done to prevent or exploit those risks, how it should and should not be done, and the ways to do it.
As you walk the central path of planning, implementing and managing enterprise risk management, there are branches of learning that enrich understanding and insight along the way.
With more than 70 diagrams and charts, over 30 tables, and numerous templates and pictures, you get a clear picture of what to do and how to enhance your enterprise risk management.
Enterprise Risk Management - Naina Mohamed
All rights reserved. This book contains material protected under International and Federal Copyright Laws and Treaties. Any unauthorized reprint or use of this material is prohibited. No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording nor may it be stored in a retrieval system, transmitted or otherwise be copied for public or private use – other than for ‘fair use’ for research or private study or criticism or review or as brief quotations embodied in manuscripts, articles and reviews – without prior written permission of the publisher.
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of publication, and the publishers and author cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publishers or the author.
Enquiries concerning reproduction outside of these terms should be sent to:
naina@competencyhouse.org
© Naina Mohamed, 2022
The right of the person writing and presenting as Naina Mohamed to be identified as the author of this work has been asserted by him in accordance with International and Federal Copyright Acts and Treaties
Published by Naina Mohamed
Naina Mohamed, 1951-
Enterprise risk management: a practical guide to quick start / Naina Mohamed.
ISBN 978-983-41822-3-6
1. Risk. 2. Risk management. 3. Risk assessment. 4. Risk register. 5. Risk analysis. 6. Risk chart. 7. Risk treatment. 8. Risk report. 9. Risk profile.
Dedication
This book is dedicated to the many organizations we consult for, and the people who attended our training programs on Enterprise Risk Management, raised questions and concerns, and shared their experiences. We are deeply indebted to all these persons and their organizations, for without them this book would not have been possible.
Contents
Dedication
Contents
Foreword
Preface
Chapter 1 What is Risk and Risk Management
All Good Managers Are Risk Managers
All Persons Can Be Good Risk Detectors
A Quick Overview of What We Do in Enterprise Risk Management
Chapter 2 Observe the Situation & Identify Risks
Knowing What to Look For
Threat and Opportunity Awareness
Politics
Economics
Strategic
Reputation
Legal / Compliance
Financial
Governance
Social
Health & Safety
Environment
Security – Information, Knowledge, Assets
Quality – Product, Service
Operations
Resources and Utilization
Technology
Risk Context
Risk Criteria
Numbering System for Traceability
Risk Criteria Determined by Stakeholders or Industries
Pre-Emptive Thinking
Competency Development Path
Identification of Risks
Considerations When Identifying Risks
What Influences Risk Identification
Methods and Tools to Identify Risks
Generate the Risk Register
Preliminary Analysis
Chapter 3 Study (and Analyze) Events, Consequences and Impacts
Complexity of Trigger, Events & Consequences
Study (and Analyze) Risk Causing Events
Update the Expanding Risk Register
Study (and Analyze) Risk Consequences
Categorize Severity or Impact
Determine the Consequence Impacts
Mixed Categories
Considerations for Events and Consequences
Controls Assessment
Update the Expanding Risk Register
Chapter 4 Study (and Analyze) Event Likelihood
Estimating the Likelihood of Occurrence
Categorizing the Likelihood of Occurrence
Considerations for Likelihood
Update the Expanding Risk Register
Chapter 5 Evaluate Risk Threats & Opportunities
Risk Evaluation
Risk Score
Risk Level
Update the Expanding Risk Register
Risk Matrix
Risk Criteria
Risk Chart
Square Risk Chart
Circular Risk Chart
Triangular Risk Chart
Complex Risk Charts/Graphs/Maps
Update the Expanding Risk Register
Risk Assessment
Risk Assessment Techniques
Chapter 6 Decide on What To Do
Situation of Concern Analysis
Decisions Based on Risk Appetite & Tolerance against Criteria
Opportunities & Threats, Positive & Negative Risks, Upside & Downside Risk Zones
Risk Criteria, Appetite & Tolerance With Risk Analysis
Using the Risk Register to Offset an Identified Threat
What We Have Done So Far
Risk Breakdown
Risk Evaluation Considerations
Decide on the Risk Treatment
Treatment Methods
Which Treatment?
Cross Treatment
Records of Treatment Methods Selection
Treatment Priority
Update the Risk Register
Risk Control Measures for Casualties in Processes
Hazard Assessment vs Risk Assessment for Processes
Limits to Hazard Prevention
Risk Control Measures for Casualties from Products
Chapter 7 Act On Decision
Risk Treatment Action Report
Risk Treatment Plan
Risk Treatment Project Plan
Treatment Effectiveness
Monitor the Implementation & its Control
Treatment & Controls Monitoring Record
Update Risk Record and Register
Close the Treatment Action Report
Chapter 8 What Next
Update Relevant Management Systems
Monitor & Review
Improve
Efficiency of Risk Management
Accuracy of Risk Management
Usability of Risk Management
Knowledge Base of Risk Management
Raise the Bar – the Context & Criteria
Risk Record
Records
Risk Profile
Reports
Consult
Revisit Risk Criteria
Communicate
Framework or System
Conclusion
Foreword
Traditional risk management has been about reacting after something has gone wrong: implementing controls according to the severity of the event, preventing it from going wrong again, insuring and protecting the organization from damages and liabilities, and incrementally adding to the list of what goes wrong, without much analysis of the multiple sources and impacts across the organization, and rarely considering the opportunities that come with risks.
On the other hand, Enterprise Risk Management (ERM) proactively identifies all possible sources of threats and opportunities to the organization's objectives, determines the upside and downside risks, ranging from policies to detailed operations, in a holistic and connected manner, analyzes the potential severity and likelihood levels of these risks, and takes action to prevent or exploit them.
Risk management, once limited to financial activities, has expanded to include all activities and situations faced by the organization, becoming an essential part of good governance. Also, from being a legal requirement for hazardous operations, risk management has become an essential part of most international management system standards. Furthermore, the ESG movement has made risk management an essential part of investing and funding. Enterprise risk management will continue to expand its usefulness in all business, societal and governmental organizations and activities.
Many organizations that practise management system standards have also implemented risk management specifically for those standards. For example, quality management covers quality-related risks, environmental standards look into environment-related risks, and energy standards focus on energy-related risks. None of these is the holistic, organization-wide risk management that good governance requires.
This book is meant for organizations to get started quickly with risk management, organization-wide or in specific areas. It progressively builds the risk management operations for the organization, explaining why things are done in a particular way and what possibilities there are to explore. The risk management practitioner can first start with some areas or activities of the organization and expand later, or include all activities from the beginning. Examples and templates are provided for a quick start and can later be modified with increasing experience and needs.
User Friendliness
In addition to training native English speakers, we have also extensively trained delegates for whom English is a second or third language. This book is written for both groups. We have kept the vocabulary clear and simple, and avoided long sentences and paragraphs, breaking ideas into smaller portions for easy understanding and application.
This is a practical book. It speaks in the first and second person, ‘we’ and ‘you,’ telling what has to be done and why it is done, in a simple, sequential and systematic manner. By following the sequence, the user should be able to run Enterprise Risk Management successfully.
For Senior Management and the Board
Performance indicators, which analyze past performance, tell management how well the organization and its many functions and people are achieving the strategic goals. Risk scores complement this by providing information on what future performance could be like. With hindsight of the past and pre-emption of the future, senior management can prioritize what needs to be done, using finances and other resources effectively.
The best way to start risk management is from the organization's threats and opportunities, which is also the starting point of strategic management. When the organization looks at the risks in its internal and external environment, risk management therefore offers another way of improving strategic planning, and in this way substantially complements strategic management.
Risk management also forms the ‘third eye’ for senior management. Most management reports can be correlated with risk management reports, so senior management can use them to verify the validity of other reports. The pre-emptive nature of risk management guides senior management in making decisions.
Preface
We have been consulting and training on Enterprise Risk Management (ERM) since the early 2000s, with delegates ranging from organizations that wanted to start from scratch to those with a cumbersome or complex ERM that they wanted to simplify and streamline. Many of them had formally studied ERM and had a good idea of what it is all about, but almost all of them wanted to know how to implement ERM in a simple and streamlined manner. That is what this book is about: quickly applying and seamlessly integrating ERM in your organization.
This is a practical guide that tells what has to be done (and what should not be done) and the reasons for it. Whether you are a seasoned risk practitioner or a novice, there are pearls of wisdom in this book, collected over the years from the many people whose organizations we have helped to improve, or who have attended our programs and shared their experiences. We are deeply indebted to all these persons and their organizations, for without them this book would not have been possible.
It is not possible to put everything into one book of this size. You may have questions and suggestions, and new ideas and methods will develop. Until the next edition of this book, please register for any new material, or post your suggestions and questions, at:
https://mailchi.mp/e29e07668144/enterprise-risk-management
Chapter 1
What is Risk and Risk Management
You are always involved in something. It can be any situation: the activities at work, your organization's operations, new businesses, innovative technology, new markets, or options trading.
> Every situation has opportunities and threats. Sometimes there are many opportunities and very few threats, sometimes the other way round, and sometimes a good mix of both. And every situation has outcomes or consequences; we get something out of it, or something happens.
> Every consequence can be positive or negative, and you can never be completely certain what the outcome will be or how it will come about. Each consequence has a probability or likelihood of occurring; some consequences are highly probable and some negligible. Each consequence also has a level of impact severity; sometimes high, sometimes low.
Risk is the uncertainty about those situations and consequences, the severity of their impact and the likelihood of their happening. This uncertainty, or risk, can present opportunities or threats.
When you are already involved in those situations, whether working in operations or investing in technology, the consequences will impact you (or your organization). Or you may not be involved yet, but are looking into the opportunities and threats of the situation to determine whether you want to get involved, despite some level of uncertainty or risk.
Since risk is uncertainty about the consequences, there is always risk in everything we do; it is a matter of how big or small the risk is. Most risks are negligible, allowing us to focus on the few significant ones.
Most of the time organizations are involved in business and financial risks at the strategic planning level. But there are risks even at the