Still Using Spreadsheets for Managing Risks? – Switch to Risk Management Software

Managing risk is essential in every organization to accomplish its key objectives effectively. Risk management not only requires a reliable process to capture risks, but also needs a mechanism to document and administer the organization’s response.

An appropriate risk management tool always helps risk managers identify, assess, and prioritize the risks that can be prevented. Here, we discuss spreadsheets, a commonly used risk management tool, and their true costs. We will also look at the best tool to replace spreadsheets for effective risk management.

Spreadsheets are commonly used management tools because they are:
• Convenient to use: Many people believe that spreadsheets are convenient for collecting, coding, sorting and analyzing data. Yes, they are better than paper-based management systems, but they are risky.

• Flexible to enter data: With some basic encoding, spreadsheets offer flexible arrangements of rows and columns to enter data. They allow the user to configure and enter information in a way that suits his unique needs. But risk management involves analysis of various factors and a spreadsheet may not be helpful.

• Low cost or free option: Spreadsheets are available either as freeware or at low cost. That is why organizations use them extensively. But they fail to understand that the true cost of a tool should be defined by the operational costs that affect the business in the long run, not by the initial cost of the tool.

Are they really beneficial?
Many business owners and risk managers today use spreadsheets as risk management tools, unaware of the risks involved (although some are aware). Here are the risks involved:

• Inability to process huge amounts of data: Although spreadsheets are a good solution for small volumes of data, processing and calculation become complicated as the data continues to grow.

• Time consuming: Risk management requires collecting a great deal of information, which often results in a huge number of spreadsheets interlinked with each other. A little change to the data structure becomes a great task. This makes risk managers spend countless hours validating data, double-checking formulas, and updating values, which is a time-consuming process.

• Complex to find mistakes: It is quite difficult to find mistakes in a spreadsheet with a lot of data. Finding exactly where the mistakes occurred is often a time-consuming process.

• Limits the depth of risk analysis: With each change made to a spreadsheet, links between the information are lost, making it difficult to analyze relationships over time. Without these links, it becomes tough to link risks and their controls. Spreadsheets also offer limited access to past and current data, making it difficult to compare data over time.

• Intensive labor: The process of risk management involves continuous updating of data, and the volume increases day by day. Updating data and using spreadsheets effectively requires a lot of time and effort, so intensive labor with good knowledge of shortcuts and formulas is compulsory.

• Lacks security: A user can accidentally or intentionally delete vast amounts of critical information. Spreadsheets are highly vulnerable to virus attacks, hard disk crashes, and other unexpected disasters.

Underlying costs of using spreadsheets
In general, people think that spreadsheets are free, but they never calculate the underlying costs that can impact the business. Following are the true costs of using them.

• Labor costs: As discussed earlier, it takes a lot of effort to create, maintain, organize, and report using spreadsheets. However, the fact that these things require labor, which in turn results in huge costs to the company, is often ignored.

• Opportunity costs: Spreadsheets consume a lot of your time and effort, which you could use productively to add value to the organization. Many business owners, in fact, lose many opportunities hanging around with spreadsheets.

• Risk and non-compliance costs: Spreadsheets lack company-wide visibility, accountability, security and control, which results in increased costs in terms of failed audits, unforeseen events, increased insurance costs and so on.

• Scalability costs: A small company can manage and use one spreadsheet to track all records. But as the business grows, the effort of maintaining and consolidating these records increases exponentially. At one point this process fails and negatively impacts the business.

• Human error costs: Spreadsheets are vulnerable to manipulation, which can dramatically impact the company. Moreover, with the increasing chances of human errors, it is difficult to consider that the data is valid and reliable. These human errors can cost a lot to the company.

Effective tool to replace spreadsheet – Risk Management Software
After seeing all the risks and costs involved with spreadsheets, one would certainly ask for a better tool to manage risks and here is the solution – the Risk Management Software. It can effectively replace spreadsheets in the risk management process. Following are the benefits of using risk management software.

• Effective control over GRC processes: Risk management software helps in the effective control of the GRC (governance, risk management, and compliance) processes with proper documentation and workflow. It also helps managers with risk assessment and analysis, visualization and reporting.

• Data security: The user can limit the availability of data by creating passwords. He can also give full access to all the data to a particular group of people within the organization. This feature eliminates the risk of manipulation of data.

• Real time recording: Recording and updating information regarding risks is easy using this software. You need not spend hours to update the data.

• Reliable audits: This software offers full protection to all the data in the system with fully automated backups. This allows auditors to extract robust and reliable audit trails without unnecessary effort and thus it helps them in identification of risks, and creation of risk management strategies.

• Automated risk reporting: It provides the user with clear information on their objectives and risks associated. It also informs about the required actions and scheduled dates to implement them to prevent risks.

• Clear and consistent reports: A unique feature of this software is that it provides clear and consistent reports making it easy for managers to view the risks in real-time.

How to choose effective risk management software
With growing demand for risk management software, many companies offering it have emerged in the market. It is therefore important to choose an effective product to reap the maximum benefits. Following are some tips for choosing a good one.

• Reputed vendor: A well established and experienced vendor definitely offers standard products as he fully understands risk management standards.

• Maximum features: Before buying the product, make sure that it has all features to help you in managing the risks properly.

• Customer service and tech support: As this product is new for the organization, it is important to choose a company that offers 24/7 tech support and timely customer service. Moreover, as the risk environment demands constant changes in compliance, make sure that the vendor offers regular product updates and maintenance releases.

An upgrade to existing technology does not mean that the existing product is of no use; rather, it offers the user more useful features. Upgrading to the latest tools, such as risk management software, enhances the organization’s capabilities in managing risk.


Strengthening the CFO’s Role in Strategic Risk Management

Strengthening the CFO’s role in strategic risk management to lead Capital intensive business in market volatility

Capital Intensive Businesses

Capital-intensive businesses operate with lower margins. Management always expects Return on Capital Employed (ROCE) above the cost of capital. The major businesses are Oil & Gas, Infrastructure, Construction, IT etc.

Market Volatility Challenges

Market volatility, ceaseless pressure on margins and demanding stakeholders increase the difficulties of thriving in an increasingly interconnected, interdependent and unpredictable global economy.

Many organizations have yet to adapt to this new state of the economic landscape. Doing nothing is no longer an option – they need to adjust and take action now.

Many organizations are now transforming their businesses to strengthen their organization to save costs, create more client-centricity, restore stakeholder confidence and/or embed new business models.

For many organizations, long-term success depends on the success of these transformation programs. To make it more challenging, the margin for error continues to be small, and the environment in which transformation needs to happen continues to increase in complexity.

Strategic Risk Management

• It’s a process for identifying, assessing, and managing both internal and external events and risks that could impede the achievement of strategy and strategic objectives.

• The ultimate goal is creating and protecting shareholder and stakeholder value.

• It’s a primary component and necessary foundation of the organization’s overall enterprise risk management process.

• As a component of Enterprise Risk Management (ERM), it is by definition effected by boards of directors, management, and others.

• It requires a strategic view of risk and consideration of how external and internal events or scenarios will affect the ability of the organization to achieve its objectives.

• It’s a continual process that should be embedded in strategy setting, strategy execution, and strategy management.

Identifying concrete steps for CFOs to increase involvement in risk management for investment decisions

Concrete Steps to Increase the CFO’s Involvement in Risk Management

• Build a tight link between risk management and other Business Processes

• Lead a corporate-level discussion of Risk Preference, Focusing on Risk Choice and select optimal mix

• Use Risk Analytics to communicate investment and strategic Decisions

Build a tight link between risk management and other Business Processes

• Focus on foreseeing issues that will emerge in the future instead of current issues.

• On the basis of prioritization, guidelines are to be issued on which business performance metrics would be affected.

• Business Planners conduct ad hoc analysis of upside versus risk, focusing most, if not all, of their attention on a single “Center Cut” scenario.

• Highlighting exactly where and how risk will affect the Business Plan

• Incorporating systematic stress testing using macro scenarios that reflect the possible impact on financial planning

• Applying probabilistic “financial at risk” modeling to major investment decisions (cash in hand vs. cash needs)

Lead a corporate-level discussion of Risk Preference, Focusing on Risk Choice and select optimal mix

• It is critical to have clear answers to the following questions before making decisions:

o What is the company’s competence in the market?

o Are the decision makers familiar with the risks involved, including the tail risks, and do they understand their potential impact?

o Is the company capable of surviving extreme events?

• Risk appetite articulates the level of risk a company is prepared to accept to achieve its strategic objectives.

• Risk appetite frameworks help management understand a company’s risk profile, find an optimal balance between risk and return, and nurture a healthy risk culture in the organization. It explains the risk tolerance of the company both qualitatively and quantitatively.

• Qualitative measures specify major business strategies and business goals that set up the direction of the business and outline favourable risks.

• Quantitative measures provide concrete levels of risk tolerance and risk limits, critical in implementing effective risk management.

Use Risk Analytics to communicate investment and strategic Decisions

• The CFO plays an important role in the financial and strategic aspects of investments and the evaluation of major decisions. He leads the discussion of rival proposals and solutions and often holds powerful decision rights.

• Major projects with value at stake comparable to the total risk from current company operations are discussed and decided with a qualitative list of major risks.

• By defining the right set of core financial and risk analytics to run for each option, the CFO ensures this value at stake is brought to light and debated.

EXAMINING LEADING PRACTICES APPLICABLE TO CFOS THAT CAN AUGMENT A COMPANY’S FINANCIAL HEALTH

Best Practices applicable for Company’s Financial Health

CFOs have several options to compete more effectively in Risk Management decisions. Improving returns starts with rethinking where to play, and with four strategic steps that many companies often overlook when it comes to improving performance.

Where to play: A more profit-focused portfolio

• The most pressing issue for leadership teams in capital intensive industries is whether to stay in businesses in which margins have been relentlessly driven down. Many companies are choosing to exit low-profit businesses that once were considered to be core. As they rebalance their portfolios, they are migrating up the value-added chain, investing in related sectors where new technologies can provide competitive advantages.

• Profit pool mapping is an important tool for assessing whether and where it makes sense to do business. In heavy industries, management teams often are so focused on volumes and tonnage that they overlook where the biggest profit pools are. By understanding the sources and distribution of profits across their industry, companies can gain an inside edge on improving returns.

• The premium end of the business typically represents a very large proportion of the profit pool. The best opportunities often cluster there for companies competing in capital-intensive industries.

• Picking the right place to play in the value chain is also critical to improving returns, and the most profitable spot varies across industries.

How to win: Four strategic steps to improving returns

1. Improve the cost base and review capex continually

• In capital-intensive industries where low returns have become endemic, reducing costs and improving capex efficiency are important ways to improve performance. New developing market entrants in capital-intensive industries have built a strong competitive advantage by keeping capex relatively low. By contrast, the focus on cutting costs at many established players means they sometimes lose sight of improving capex. One way to get the balance right: Develop a more disciplined approach to managing capex, and benchmark the company’s performance against the industry’s leaders.

• Cost discipline makes a critical difference. One-time efforts usually fail to deliver savings that stick, as our research shows. One explanation is that in tough times, management teams are quick to cut costs, but when the cycle swings up, they tend to take their eye off cost improvement and focus on growth-related priorities.

• Developing a rigorous approach to cost improvement and nurturing the right capabilities to optimize working capital can help capital-intensive companies outperform.

2. Build the lowest-cost position

• Geography is another key factor for improving returns. Investing in geographies that offer the lowest landed cost position can create a strong competitive advantage. It’s particularly important in asset-heavy industries where the one-time cost of closing and moving businesses is high.

• The best-performing firms revisit their geographic footprint regularly, as cost dynamics are constantly evolving.

• Companies that can choose the lowest-cost geography up front gain a competitive edge. Those in mature industries need to weigh the short-term downside against the longer-term benefits of reducing complexity.

3. Use mergers and acquisitions strategically

• Smart acquisitions can help improve performance significantly, but many companies get off to a bad start by investing at the top of the cycle, when prices are at their peak, simply because that’s when cash is available. Leadership teams that take a strategic, disciplined and long-term approach to M&A instead of a tactical and episodic approach can improve returns significantly.

• Companies that nurture M&A as a core competence derive the greatest value from them. Their leadership teams devote time to developing a structured roadmap of the most attractive potential targets, making it easier to acquire assets when the right opportunity comes along, and to target acquisitions at the bottom of the cycle.

• Companies that are most experienced in M&A build their capabilities over time. They search hard for merger or acquisition candidates that will add to their operating profit and fuel balanced growth. They pursue nearly as many scope deals as scale deals, moving into adjacent markets as well as expanding their share of existing markets. Most importantly, they create Repeatable Models for identifying, evaluating and then closing good deals. What they typically find is that there are plenty of good prospects to be pursued and that the risk involved decreases with experience.

4. Service ace

• For traditional capital-intensive industries, service can be a highly profitable business in its own right, generating better and faster return on investment than new production facilities, large-scale R&D programs or acquisitions.

• Indeed, for many industrial manufacturers, investing in service is the only way to sustainably grow profits in a tough economic environment. Investing in a service business also lowers capital intensity.

• Investing in a world-class service business can become a strategic ace, elevating a company above competitors in an environment where differentiation on products and cost is difficult to achieve. The range of service opportunities, some larger than others, will vary by industry and company. Here again, mapping profit pools can help identify the potential size of service businesses and those with the greatest returns.

o There is no question that companies in capital-intensive industries operate in a difficult environment today. But leadership teams that commit to a bold ambition have opportunities to break away from the pack and achieve double-digit returns significantly above the cost of capital.

Getting there requires a strategic shift toward a more profit-focused portfolio:

• Find the most attractive profit pools in your businesses.

• Adopt a mindset of continual cost improvement and capex optimization.

• Look for opportunities to drive down the company’s landed cost footprint by investing in the right geographies.

• Develop strong in-house M&A expertise and a structured roadmap of potential deals.

• Invest in related service businesses

Leadership teams that take these steps will not only give returns a powerful boost, they also will help to rebuild competitive advantage and position their companies to win in a changed industrial landscape.

Reengineering Strategies to improve the link Between Risk Management and Business Planning Process

• Business process reengineering is one approach for redesigning the way work is done to better support the organization’s mission and reduce costs.

• Reengineering starts with a high-level assessment of the organization’s mission, strategic goals, and customer needs.

• Within the framework of this basic assessment of mission and goals, reengineering focuses on the organization’s business processes–the steps and procedures that govern how resources are used to create products and services that meet the needs of particular customers or markets.

• Reengineering identifies, analyses, and redesigns an organization’s core business processes with the aim of achieving dramatic improvements in critical performance measures, such as cost, quality, service, and speed.

• Reengineering recognizes that an organization’s business processes are usually fragmented into sub processes and tasks that are carried out by several specialized functional areas within the organization.

• The CFO Act focuses on the need to significantly improve the government’s financial management and reporting practices. Having appropriate financial systems with accurate data is critical to measuring performance and reducing the costs of operations.

Management & Decision Support Structure

• Investigate suggestions for reducing costs and make them practical and acceptable

• Obtain definite prices and costs

• Present recommendations in a comprehensive report

People & Organization

• Organize around outcomes and not tasks

• Have those who use the output of the process perform the process

• Build control into process systems

• Treat geographically dispersed resources

Policies & Regulations

• Develop policies and procedures

• Comply with compliance requirements

• Environmental compatibility

Information & Technology

• Information should go along with the process

• Link all activities

• Capture information at source

• Create reports and real time online updates

Frame for Assessing Reengineering

• Assessing the Organisation’s Decision to Pursue Reengineering

• Reassessing Its Mission and Strategic Goals

• Identifying Performance Problems and Set Improvement Goals

• Engagement in Reengineering

• Assessing the New Process’ Development

• Appropriately Managing the Reengineering Project

• Analysis of the Target Process and Development of Feasible Alternatives

• Completion of Sound Business Case for Implementing the New Process

• Assessing Project Implementation and Results

• Following a Comprehensive Implementation Plan

• Executives Addressing Change Management Issues

• New Process Achieving the Desired Results

FOCUSING ON RISK PREFERENCE AND CHOICES FOR CFOs CONSIDERATION TO DELIVER ECONOMIC PROFIT DURING TOUGH CONDITIONS

CFOs need to develop a stronger focus on the economic and performance drivers of their business and need to understand how the effective allocation of scarce resource will help them achieve financial objectives. The CFO must build a performance management capability that can:

• Provide visibility and analysis of information to support resource allocation

• Support the decision-making process by providing the right information to the right people at the right time

• Demonstrate the financial impacts of different decisions and scenarios to enable the organization to predict and compare outcomes

• Incentivize executives and managers to make decisions that maximize marginal contribution

• Enable a data-driven view on resource allocations across the entire value chain (to include corporate strategy; sales, marketing and customer service; supply chain manufacturing and production; finance, HR, legal and compliance)

• Identify the most critical decision points that drive economic performance

With a unique perspective across the entire business, CFOs can provide valuable insight into the decisions that create or protect marginal contribution across the value chain. Armed with a detailed understanding of how and where growth in sales leads to growth in profits, they can offer an objective assessment of fixed and variable costs, and then identify how a reduction in costs can maintain revenues while improving profit contribution.

• Establish a clear, forward-looking line of sight on relevant data for critical decision points

Finance must have access to a robust data set, built around the decisions that drive most economic value in the organization, including assessment of opportunity cost. This demands accurate, verifiable underlying data and an understanding of how the data relates to value chain decisions. This will enable the CFO to conduct scenario planning around these different decision points.

• Develop aligned performance management processes that drive rational decisions

Finance must be able to translate insights and understanding into the desired end product – rational decisions that maximize the desired economic return. Aligning traditional resource allocation processes with business objectives helps ensure repeatability and the sustainability of the organization.

• Ensure compliance and make sure that finance’s voice is heard

The CFO and finance function must be positioned appropriately within the organization to be able to influence decision-making and action. Additionally, finance professionals must improve communication and influencing skills to ensure that their voice is heard and their advice is valued and acted upon.


The Benefits of Choosing a Career in Risk Management

What is risk management:
Risk management is the process of identification, assessment and treatment of risks that seeks to minimise, control and monitor the impact of risk occurrence through the cost effective utilisation of resources.

Where does risk management apply
Risks occur in every walk of life, in every industry and in every service delivery enterprise, both private and public sectors. The severity of risks occurring depends upon many factors. In order to quantify such severities most organisations traditionally employ some sort of risk processes to assess the likelihood of risks occurring and their perceived or calculated impact. This enables risks to be prioritised and resources applied to meet the overall best interests of the organisation and its internal and external stakeholders.

Risks, great and small
In today’s connected and integrated world risks and their impacts can and do translate across international boundaries. No longer are they confined to departments and within individual companies. Economic boundaries and geographical structures are such that companies now need to assess risks in a world where a volcano in Iceland can cause the closure of a manufacturing plant in Japan.

Equally, at the individual organisation level, undertaking health and safety risk assessments in order to protect the health, safety and welfare of its employees is a legal obligation for many companies. Product manufacturers will undertake design risk assessments in order to ensure that the ultimate users are protected from any safety-related design hazard.

Local authorities are required to ensure that they provide safe highways and passage for the general public. For example, they will need to assess the amount of sand and grit they will need to ensure they can cope with the pressures of harsh winter weather to protect the individual motorists and the unsuspecting pensioner on an icy pavement.

In all of the above, and in many more private and public sector industries and services, there is the basic requirement for someone or some persons to identify a potential risk, to evaluate the likelihood of the risk occurring and to calculate the impact or consequence of the risk in order to best minimise its impact.

Risk management – does it work?
Armed with the knowledge that risk is everywhere, but that there are robust systems and processes to manage it, is it safe to say that such systems and processes work?

Certainly there are many examples of where risk management has worked. If the available systems and processes didn’t work then they simply wouldn’t be used. Risk departments and risk managers would be unlikely to exist and an irresponsible attitude to risk would likely be prevalent.

Risk management however does not work in all cases. It’s impossible not to be tempted to assert that the BP oil well catastrophe in the Gulf of Mexico could have been prevented if the risks had been fully evaluated. Similarly, the lack of controls over adherence to risk processes that has resulted in global financial problems has been laid at the doors of some of the world’s largest financial institutions and banks.

Another dimension to risk management
With the proliferation of risk management tools, the use of highly complex modelling techniques, and experts and specialists in their fields of expertise, why is it that risks ranging from the magnitude and scale noted above, to the trip hazard on the local pavement, to the vulnerability of the child in a local authority, occur?

It is simply that risk management is not just about rules and regulations. Successful risk management needs a culture and a set of values that ensures that it becomes part of an organisation’s DNA. If corporate culture is perceived as resentful towards those who raise risks then any risk process is useless. People will hope that the problems just go away. The culture must allow for honesty and openness that allows for maximum benefits to arise from the tools and modelling techniques.

Why choose a career in risk management?
Risk managers and people whose job it is to minimise the occurrence of risks are experts in their field. Their value contribution to any organisation is immense. Qualifications in risk management for some specialised industries – for example insurance – are sometimes necessary and will certainly add to an individual’s self-marketing capability. However a large number of active risk management individuals do not consciously set out on a career path of risk management. They somehow stumble into it. At this point there is a choice. Do you stick with the tools and techniques or do you grasp the risk agenda and take it forward? The emergence of enterprise risk management aligned to systems thinking; the inescapable link between successful risk intelligent organisations and culture; the in-depth knowledge of an organisation and its independencies are immeasurable assets in a world where some have developed a low tolerance to risk. A career in risk management can be as dull as it can be exciting. The choice is yours.

But remember, risk is about taking the opportunity to grow, expand and compete more effectively. Without risk, there is no reward – for the organisation or for the individual.


Enterprise Risk Management and the PMBOK

Enterprise Risk Management is a term used to describe a holistic approach to managing the risks and opportunities that the organization must manage intelligently in order to create maximum value for their shareholders. The foundation for the approach is the alignment of the organization’s management of risks and opportunities to their goals and objectives. One of the keys to this alignment is the “Risk Appetite” statement which is a statement encapsulating the direction the Board gives management to guide their risk management methods. The statement should describe in general terms what kinds of risk the organization can tolerate and which it can’t. This statement plus the organization’s goals and objectives guides management in the selection of projects the organization undertakes. The statement also guides management in setting risk tolerance levels and determining which risks are acceptable and which must be mitigated.

This article will attempt to review Enterprise Risk Management (ERM) and relate it to the best project management practices found in the PMBOK® (4th Edition). Most of my information about ERM comes from a study by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, published in 2004. The Treadway Commission was sponsored by the American Institute of Certified Public Accountants (AICPA) and the COSO consisted of representatives from 5 different accounting oversight groups as well as North Carolina State University, E.I. Dupont, Motorola, American Express, Protective Life Corporation, Community Trust Bancorp, and Brigham Young University. The study was authored by PriceWaterhouseCoopers. The reason for listing the oversight committee and authors is to demonstrate the influence the insurance and financial industries had over the study.

The approach suggested by the study, which is probably the most authoritative source of ERM information, is very similar to approaches taken to managing quality in the organization in that it places emphasis on the responsibility of senior management to support ERM efforts and provide guidance. The difference here is that, while Quality methodologies such as CMM or CMMI place the responsibility on management to formulate and implement quality policies, ERM takes responsibility right to the top: the Board of Directors.

Let’s go through the study recommendations and relate them to the processes recommended in the PMBOK. To refresh your memories, those processes are:

Plan Risk Management
Identify Risks
Perform Qualitative Risk Analysis
Perform Quantitative Risk Analysis
Plan Risk Response
Monitor and Control Risks

ERM begins by segregating goals and objectives into 4 groups: strategic, operations, reporting, and compliance. For the purposes of managing projects, we need not concern ourselves with operational risks. Our projects might support implementation of reports and our projects may be constrained by the need to comply with organizational or governmental guidelines, standards, or policies. Projects in the construction industry will be constrained by the need to comply with the relevant safety laws enforced in their location. Projects in the financial, oil & gas, defense, and pharmaceutical industries will also be required to comply with government laws and standards. Even software development projects may be required to comply with standards adopted by the organization, for example quality standards. Projects are a key means of implementing strategic goals so goals in this group are usually applicable to our projects.

The study recommends 7 components:

• Internal Environment: The key component of the internal environment is the “Risk Appetite” statement from the Board. The environment also encompasses the attitudes of the organization, its ethical values, and the environment in which they operate.
PMBOK® Alignment: The description in the study is actually very close to the description of Enterprise Environmental Factors. Enterprise Environmental Factors are an input to the Plan Risk Management process. The PMBOK also refers to the organization’s risk appetite in its description of Enterprise Environmental Factors, as well as attitudes towards risk.

• Objective Setting: Management is responsible for setting objectives that support the organization’s mission, goals, and objectives. Objective setting at this level must also be consistent with the organization’s risk appetite. The objective setting here may refer to objective setting for the project, as well as any of the other 4 groups.
PMBOK® Alignment: Goals and objectives should include those that pertain to risk management. The project’s Cost and Schedule Management plans are input to the Plan Risk Management process. These documents should contain descriptions of the goals and objectives in these individual areas. These goals and objectives may determine how risks are categorized (Identify Risks), prioritized (Perform Qualitative Risk Analysis), and responded to (Plan Risk Response).

• Event Identification: Events that pose a threat to the organization’s goals and objectives are identified, as well as events that present the organization with an opportunity of achieving its goals and activities (or unidentified goals and objectives). Opportunities are channeled back to the organization’s strategy or objective setting processes.
PMBOK® Alignment: This component aligns exactly with the Identify Risks process from the PMBOK. The only significant difference here is the recommendation that opportunities be channeled back to the organization’s strategy or objective setting processes. The PMBOK offers no guidance here, but this component can be supported by simply referring any opportunity not identified with an existing project goal or objective back to the project sponsor.

• Risk Assessment: Risks are scored using a probability and impact scoring system. Risks are assessed on an “inherent and residual” basis. This simply means that once a risk mitigation strategy has been defined, its effectiveness is measured by determining a probability impact score with the risk mitigation strategy in place. This score is referred to as residual risk.
PMBOK® Alignment: This component aligns closely with the Perform Qualitative Risk Analysis process. This process provides for the probability and impact scoring for the identified risks. The Monitor and Control Risks process also supports this component. This is the process that measures the effectiveness of the mitigation strategies and determines the residual risks.

• Control Activities: Policies and procedures are established to ensure that risk responses are effectively carried out.
PMBOK® Alignment: This component is supported by the Plan Risk Management process. The output of this process is the Risk Management Plan, which describes the risk management procedures the project will follow. Keep in mind that Control Activities is wider in scope than Plan Risk Management; the Plan will only cover those procedures that pertain to the project. The Monitor and Control Risks process also supports this component. This process ensures that the procedures defined in the plan are carried out and are effective.

• Information and Communication: This component describes how information pertaining to risks and risk management is identified, captured, and communicated throughout the organization.
PMBOK® Alignment: This component is actually supported by the processes in the Communications Management knowledge area. The processes in this area manage all project communications. The Risk Management Plan will identify the information, how it is captured, and how it is maintained. The Communications Plan will describe to whom, when, and how the information is to be communicated.

• Monitoring: Specifies that ERM is monitored and changed when necessary. Monitoring and change are performed in 2 ways: ongoing management activities and audits.
PMBOK® Alignment: Monitor and Control Risks supports this component. This process uses Risk Reassessment, Variance and Trend Analysis, Reserve Analysis, and Status Meetings to monitor risk management activities and ensure that the activities are meeting the project’s goals and objectives. This process also describes audits as a technique for determining whether planned activities are being carried out and are effective. One of the outputs of this process is updates to the Risk Management Plan in the case where activities are not effective in controlling risks. Preventive and Corrective actions are also recommended to address cases where activities are not being carried out, or are incorrectly performed.

ERM provides assurance that it is effective by determining whether all 7 components of ERM have been provided for, across all 4 categories of organizational goals and objectives. Project management will not cover all areas of each component in each category, but will cover those organizational goals and objectives supported by the project and all the reporting and compliance goals and objectives that apply to the project.

Internal Control for ERM is provided for by the guidelines described in the Internal Control – Integrated Framework document authored by COSO. We won’t go into detail describing these guidelines but treat them at a summary level. The ERM study aligns with the guidelines and refers the reader to that document for compliance details. The details of compliance would concern an organization implementing ERM, but that must be instigated by the Board and would only concern a project manager if they were to be responsible for a project which implemented ERM. The guidelines place risk controls with other internal controls of the organization (keep in mind these guidelines are insurance and finance-centric). The guidelines provide for the assignment of responsibilities to 3 organizational roles: the Chief Financial Officer, the Chief Information Officer, and the Chief Risk Officer. The Chief Legal Officer is identified in lieu of a Chief Risk Officer. The CFO is responsible for monitoring internal control of financial reporting, the CIO is responsible for monitoring internal control over information systems, and the CRO is responsible for monitoring internal control over compliance with laws, standards, and regulations. The guidelines reiterate that risk management tone is set from the top of the organization, as evidenced by the company officers responsible for monitoring.

The Internal Control – Integrated Framework guidelines also acknowledge that monitoring and control are prone to human error and that not all procedures have equal importance. They address this by the identification of the most critical procedures using “key-control analysis”. Key-control analysis is used to determine whether control procedures and processes are effective. The guidelines also attempt to provide direction in the identification of preventive or corrective actions to improve internal controls. They do this by evaluation of the information measuring the effectiveness. Only if the information is “persuasive” should corrections be made. The guidelines provide for internal audits of internal control procedures but acknowledge that every organization may not be large enough to warrant that role and that there is a place for external audits in internal controls.

Most of the reporting the project manager will be responsible for will be what the guidelines term “internal”; that is, the reports will only be read by management. In some cases reports may be read by 3rd party external organizations. The project manager’s reportage on risk management on their project may form a part of the information reported externally, but the project manager should not be made responsible for reporting externally.

The guidelines require that implementation of a framework be scaled to suit the size and complexity of the organization it serves. Scalability will require the organization to identify who will be responsible for a given activity. For example, the organization may not have a Chief Risk Officer, in which case some other role must be identified for compliance responsibility. This responsibility will be delegated to the project manager when any compliance objectives form part of the project’s objectives.
