Risk Leadership


Vol 1 No 1

Resilience or Efficiency - Is this the Holy Grail to embedding risk management? How risk managers embed risk

Special Feature: The Top Risks of 2011. Proactive steps in risk management

The Risk Management Business: Risk's role in risk management

Understanding Your Customer: Considering transaction risk

Make a Risk Management Meal: Putting together a three course risk meal

Peer Leadership: The next generation of thinking

IOR

The Leadership Within: Learning from inspirational leaders

Lifting your Sight on Risk: Considering the risks with your head up requires some different thinking

theinnovationofrisk.com



2 Risk Leadership | Volume 1 Number 1


Table of Contents

In This Issue

Effective risk management is like putting together a three course meal

Peer Leadership

On the cover: Lifting Your Sight on Risk. There is a habit for people to focus on risks using a “heads down” approach and consequently neglecting to focus on risks, optimally, with their “heads up”.

Mobile thinking for risk innovation

Is the business of risk management Risk's business?

Leadership comes from within

Special Feature: Top 10 Risks of 2011. We thought it prudent to cover what we see are the Top 10 risks for the rest of 2011.

Social Media - Risks and Rewards

Understanding Your Customer

Resilience and efficiency - is this the Holy Grail to embedding risk management?

Tools - Emerging Technology

The Power of the Individual

Know Your Risks - The Guide

Vote for Top 10 Risks: Vote for your top 10 risks of 2011 at http://theinnovationofrisk.com/survey

About us

Publisher/President: Scott North

Editors: Scott North & Tania Driver

Photos: presentermedia.com, istockphoto.com

Swift Publisher 2

Writers

Alev Bassilios, Legal & Compliance

Scott North, Strategy & Leadership Innovation Specialist

James Wincott, Operational Risk

Subscriptions: To subscribe, email subscriptions@theinnovationofrisk.com

Editorial comments: For comments please contact webmaster@theinnovationofrisk.com

A Note to Readers

The views expressed in articles are the authors’ and not necessarily those of TheInnovationofRisk.com (a Division of Tedesen Pty Ltd). TheInnovationofRisk.com considers its sources reliable and verifies as much data as possible, although reporting inaccuracies can occur; consequently, readers using this information do so at their own risk. Each article opinion contains certain risks, and it is suggested that readers consult their relevant legal and/or risk professionals. TheInnovationofRisk.com is distributed with the understanding that the publisher is not rendering legal or financial advice. Although persons and companies mentioned herein are believed to be reputable, neither TheInnovationofRisk.com nor its authors accept any responsibility whatsoever for their activities. No part of this magazine may be reproduced or transmitted in any form or by any means without written consent of the publisher. All messages or letters to TheInnovationofRisk.com will be treated as unconditionally assigned for publication, copyright purposes and use in any publication or brochure, and are subject to TheInnovationofRisk.com’s unrestricted right to edit and comment.


Effective risk management is like putting together a three course meal

Alev Bassilios

Legal & Compliance


Effective risk management is like putting together a three course meal. This analogy may sound a little strange but will make sense as we progress through the tips for the chef (manager).

Firstly, you have to know who you are cooking for and tailor the presentation and components of the meal to complement the tastes and requirements of those who will be consuming it. There is no point serving a roast for your main course if your guests are all vegetarian, or having a Christmas theme during Easter. To translate, understand your audience and tailor your delivery and message so that it makes sense to them. Also, tailor your solutions to the businesses you are supporting; do not roll out the whiz-bang solution if the risks can be mitigated using a simple approach. Ensure that tools and frameworks are simple and manageable to operationalise and therefore embed.

Secondly, a good meal builds in flavour and intensity, with each course complementing and adding to the previous one. This takes your guests on a sensory journey and keeps them engaged throughout the whole meal. The translation is to take your stakeholders on the journey with you. Start with the basics and keep building on that so your stakeholders have time to understand and appreciate each component before the next one is presented. For example, ensure your stakeholders understand their risks and have identified relevant controls before you introduce concepts such as scenario planning, risk appetite or risk tolerances. If the foundations are not solid or subsequent components are introduced with no correlation to previous ones, it can lead to the perception that risk management is too complex or difficult.

Thirdly, you need to have the best ingredients. It only takes one rotting tomato to give your guests food poisoning or leave such a bad taste in their mouths that they will not return. This translates to choosing the right inputs, people, processes, policies, frameworks and advisors so that when they are all thrown into the same pot and work together they produce a robust and effective risk management framework.

Fourthly, it helps to have the best tools: an oven that consistently cooks your soufflé, a blowtorch to put the finishing touches on your crème brûlée, or an egg timer so that you don’t overcook your main course. This translates to setting your people up for success. Ensure they have access to the right tools, training, subject matter experts and mandate to effectively perform their role and achieve their objectives.

Fifthly, if you are lucky enough to have a sous chef helping you, take advantage of their special skills. If you try to do everything on your own, chances are you will overcook some things and undercook others. To translate, no-one can do everything on their own. Seek help, support, guidance and advice from multiple sources, including those who perform the same or a similar role to you; those who are not connected to your function so that they can give you a fresh perspective; and those who will give you their honest opinion if you have missed the mark. Collaborate to address common challenges, share knowledge and explore new ways of doing things.

Sixthly, although a recipe book can be useful, you should also feel free to experiment. What’s the point of putting all that effort in if you can’t have fun with it? The translation is: don’t be afraid to innovate! People should be encouraged to try something different and think outside the square.

And finally, as the adage goes, too many cooks can spoil the broth. Accountability is the key component. If we ensure that everyone is empowered and trained to do their job, we should give them the accountability to deal with issues or events and trust that they will do what is required. The organisational culture must support this by actively discouraging multiple people stepping forward to demand visibility of events that are in train, but who step back when actions or decisions are required. A robust consequence management framework will assist with forcing this change, if you are brave enough to enforce it.

Happy cooking.


Peer Leadership Scott North

Strategy & Leadership

• Peer leadership is being inspirational in your thoughts, actions and words
• Mindset needs to be around being one team
• Leadership is not a competition sport

Peer Leadership is Golden

True Leadership Is Informal

If it is your desire to become a CEO, President, or Supreme Ruler, then there is no grudge held here. If it is your desire to improve yourself, your family, and your community then title alone is not enough. You have to have influence. To have influence you must be able to lead your peers. Peer leadership is really about the golden rule: do unto others, as you would have them do unto you.

via Peer Leadership Is Golden. http://ezinearticles.com/?Peer-Leadership-Is-Golden&id=4835865

The internet is teeming with information on a wide range of topics around leadership. Zite, an iPad application that brings articles on key topics to you by learning what you want to read, provides a great source on leadership. Specifically, this application recently generated some excellent articles about what makes a great leader and, in particular, how critical it is to be a leader not just of those that work for you, but of those that work with you, that is, your peers.

The article from EzineArticles.com by Erroin Martin on "Peer Leadership" immediately strikes true to this topic by its title, as it resonates with how great leaders should think, feel and act. It is safe to say this article is quite brief but it appears as though a lengthy conversation has only just begun. Scanning the internet for resources on this topic still leaves you feeling incomplete and, to be honest, empty inside. The best way to describe the current discussion on this topic is as if someone has waved a scrumptious chocolate fudge sundae under your nose and then "poof" it has just disappeared. There are probably plenty of papers and articles on this topic because it makes sense for it to be a widely discussed topic, but alas finding them is not very simple.

In this regard, references on peer leadership exist in research papers on sporting teams, but they never specifically mention peer leadership. This makes some sense. Sporting teams will generally have a Captain and Coach but in the heat of the battle on the playing field, there are times when it is not the Captain leading but another player who takes the leadership role. Being a true on-field leader in these instances is actually about providing the environment for others to lead. Think about the best on-field leaders: they will definitely not always be in the action and commanding others; instead they are the leaders that support their team mates to succeed. They encourage others to step up and "win" the contest, whilst all the time taking every opportunity to model leadership through their actions. You see them. In Australian Rules parlance, they are the leaders throwing themselves in front of a fierce contest, intervening to spoil a pass, making the hard tackles and doing the "one percenters" whenever and wherever possible.

But what is peer leadership in the context of the "business world"? Peer leadership is leadership by example and it includes fulfilling the commandment "do unto others as you would have them do unto you", but it goes beyond these two aspects alone. Peer leadership within any organisation is being inspirational in your thoughts, actions and words to everyone around you. If you see or identify a situation or a problem between your peers, it is helping them work through the issue. If you see a peer struggling, it is providing that helping hand whether it be financially or operationally. It is about forgetting about what you are responsible for and stepping into the position of thinking about what the organisation is responsible for and then acting accordingly. It is being accountable and transparent in all your actions, and when a situation arises that has conflict, it is about recognising that, stepping into it and helping resolve that conflict, whether it be between you and a peer, or between two of your peers.

Sometimes you see peer leadership best exemplified when there is a change of the leader of the peer leaders. In these circumstances there may be a time when no-one is steering the ship or alternatively there is a handover occurring between leaders. It is during this time that peer leadership takes organisations to the next level. During these times, peer leadership organisations thrive because the leadership team does exactly what these two separate words mean. Let's review these two words both separately and together. A "Leadership team" is a collective or group of people that generally report to the same overall leader as "direct reports". Essentially they come together representing their individual teams and work to achieve the overall organisation goals.

However, these two words are taken too often as a status symbol and a "collective" mindset occurs that makes it almost appear that the "leadership team" is a singular word to represent a meeting rather than what it really means. It is the power of each individual word in "leadership team" that makes true leadership. Firstly, every person in the "leadership team" needs to be a leader: not a boss, but a leader through inspiration and example. Then, the mindset needs to be around being a team. And this is where peer leadership really plays a key part.

So, returning to the sporting link from earlier. Within a leadership team, being a peer leader is all about those "one percenters". It is about tackling not just your direct opponent but any one of the opposition so you can help release the ball to your team mates. It is about laying that bump or putting in that shepherd (or blocking for other codes) so your team mate can succeed. It is about supporting your peers so you can see them achieve their goals whilst at the same time achieving the team's (organisation's) goals.

There are not enough peer leaders. Leadership seems to be seen as a competition on an individual level, rather than a team sport. There is a pyramid of roles in an organisation and only one person can be the CEO, but if getting to the top means showing how good you are, and how bad everyone else is, well, then the organisation itself has some major problems to contend with. We all see it when we read the papers about organisations and their leaders. How often do you see a leader stepping back and, rather than being in the limelight, allowing others to be in the limelight and supporting them from behind? Not very often, but when you do, it is truly noticeable and amazing to see.


Giving you the heads up on

Lifting your sight on risk

Scott North

Strategy & Leadership

There is a habit for people to focus on risks using a "heads down" approach, consequently neglecting to focus on risks optimally with their "heads up".

Considering the risks with a "heads up" approach requires some different thinking and there are new insights into this practice.



Emerging risks require the organisation and employees to lift their head enough to focus attention on the internal and external indicators. In addition, organisations need to narrow in on the leading indicators rather than the lagging indicators.


Over time there has been a trend in businesses to focus on risks with their "heads down" and therefore neglecting risks only apparent when their "heads are up". Considering the risks with your heads up requires some different thinking and current insights into this practice are extremely thought provoking.

"Heads down" risk thinking is quite simply the process of assessing and responding to risks that relate to current events, processes and people. For example, a single minded organisational focus on the risks relating to the production process, technology risks or people risks. We consider this risk management practice, the basics of good risk management.

"Heads up" risk thinking is best practice risk management. This practice involves not just the strategic sections of your organisation but all employees of your organisation lifting their focus beyond just the day to day risks to the profile of risks that are over the horizon.

When we refer to risks we consider breaking risk into three distinct time frames.

1. Current risks. These are the risks that are currently being managed by the business as part of day to day activities.

2. Emerging risks. These are the risks that are currently popping their heads above the horizon and will require some form of action or response within the next 12 months. These risks are however inevitable.

3. Scenario (or Future) risks. These are the risks that have some level of probability of happening in the future, however they are not inevitable but rather may range from almost never to highly likely to occur.

It is the second and third risk time frames that address the "lifting your sight on risk" aspects that are critical to managing your organisation.

The primary issue with risks is the element of probability. In particular, when you start discussing scenario risks, it becomes extremely difficult to actively consider these as their probability is unknown and may even be dismissed by some as impossible. In our view, the "impossible" risks are the ones that are worth spending more time on than less, but that is a matter of opinion of course. "Scenario Thinking for Innovation and Risk" from the theinnovationofrisk.com covers the approach for managing the scenario risks, and therefore we will not cover that specifically here.

Therefore, we will shift our focus to summarising the techniques and tools to use for emerging risks (which can also be used for the other risk time frames).

Emerging risks require the organisation and employees to lift their head enough to focus attention on both the internal indicators and the external indicators, and to really narrow in on the leading indicators rather than the lagging.


Leading indicators need to include a focus on both internal and external data.

Internal Data

This is the data that is within your own organisation and provides indicators of potential future issues.

• Reviewing and assessing all strategic decisions and projects through the ongoing monitoring of the pre-implementation risk assessments (for these assessments we recommend utilising the Risk Management Standard framework, i.e. consequence v likelihood across a 5 point scale).
• Obtaining forecast data on key financial and non-financial indicators and "stress" testing the forecast data to provide upper and lower limits for assessment.

External Data

This data is sourced from outside the organisation and provides valuable insight into the broader environment you are operating within.

• Scan strategic documents from third parties you utilise and other external bodies and perform a risk assessment on the impact of their strategies on your business (once again using your standard framework). Monitor the indicators from this analysis.
• Utilising tools such as Google alerts and Yahoo Pipes, which scan the internet for relevant content based on keywords of emerging risks or threats. There are many ways of then analysing this data but we recommend trying to make it as qualitative as possible to avoid time consuming qualitative analysis.
• Working with third parties to obtain future or emerging risk assessments.

However, just developing leading indicators does not manage the emerging or future risks. Every employee needs to lift their heads and be prepared to assess and analyse data from internal and external sources and then have a mechanism for sharing this with others. Organisations that truly manage emerging risks are very active in collaboration and knowledge sharing, and provide the platform for people to consider, but even more importantly, respond to emerging or future risks. This requires a level of maturity in the organisation that provides individuals the accountability to make decisions and implement them, whilst taking a level of risk.

We consider the practice of emerging or future risk assessment as taking a risk position, rather than just purely risk management. The clear reason for this is that no-one can actually perfectly predict the future; therefore assessing and implementing actions for future or emerging risks is taking a risk position. The actual risk may never eventuate, therefore leaving you in a situation of either expending time, money and energy on something that actually does not occur, or perhaps even taking a position that is incorrect. This is where the ability of the organisation to be versatile and flexible is critical. In almost all circumstances an incorrect decision on the future can be managed to have less impact if you can quickly and easily respond to the changing leading indicators, and also have assessed and considered the multiple responses to the differing futures.

This will take a change in mindset, perhaps even completely changing your organisational focus, to be successful. In addition, it will not be a simple process and will take time, most likely with many slip-ups occurring along the way, but we believe at the end, if done correctly, the process of lifting your head on risk will actually result in improved business performance and even a leading position in your sector and industry.

Mobile thinking for risk innovation

Scott North Innovation

Each day we need to allocate some brain time to think about "different thinking" on risk management. In this regard there has been a significant rise in the usage of smartphones and mobile devices, and this is one area that Risk Managers need to spend more time considering for innovation.

The risk profession has not as yet really embraced the mobile device as an enabler or tool for improving risk management. This is actually quite bizarre given that risk management is about managing risks and implementing controls to manage those risks. Therefore, it stands to reason that the function would be working on apps and uses for the device to help business better manage their risks. So, the question is, what are some of the "mobile thinking" ideas that utilise this growing platform so that the business can more efficiently and effectively manage their risks?

Risk management needs to move beyond the impractical traditional tools that really are not user friendly or designed with a customer focus in mind; instead they need to move to a customer focus. This needs to include considering the tools and the locations of the customers, and the delivery methods that can best suit the consumer base. I really recommend you pose this question: What can we do to take the management of risks to the innovative level, particularly on mobile?



Is the business of risk management Risk's business?

Alev Bassilios

Legal & Compliance


The risk management function has been likened to a lighthouse - always on the watch to make sure nothing goes wrong and lighting the way for everyone so they can navigate the safest path. However, this presupposes that the captain of the ship has taken accountability for ensuring that the ship is seaworthy, all personnel on board are competent and trained, any passengers have been provided with safety information and sufficient due diligence has been undertaken to understand the impact of the weather. Also, the captain has to allow for the vagaries of the sea and ensure that the communications equipment on board the ship will function when needed so that the ship can communicate with the lighthouse operator. And we would all expect that a reasonable and semi-competent captain would have taken steps to make sure this is the case.

So, in a corporate environment, does the same principle hold true? As a risk management function, are we satisfied that our role is to guide the business when danger is looming or do we think we need to step into the captain’s shoes and do everything that the captain ought to do? And what is the expectation from the business of the risk management function? You might say that this would depend on any number of factors – how much does the captain care about passenger safety, what is the captain’s appetite for risk, are there any other constraints on the captain. The list is endless.

But what it ultimately comes down to is who is accountable for risk management decisions. In the majority of cases, this would be the same individual who is accountable for running the business. After all, a business can only successfully be run and be self-sustaining if it is run in light of the risks that impact it, not despite the risks.

So then, why are risk management frameworks, policies and procedures written by the risk management function using technical risk jargon, reviewed by the risk management community and rolled out to risk managers? Wouldn’t it be more constructive to work with senior executives to come up with a simple set of principles that can be incorporated by the business into existing business processes and therefore ensure that risk management is embedded?

If the answer is yes, that risk management is the business’ responsibility, then what should the role of the risk management function be? Perhaps the answer is that just like engineers, navigators, meteorologists and other specialists who assist the captain of a ship to understand their environment and minimise their exposure, the role of the risk management function is to translate regulatory requirements and technical risk management principles into plain English to empower and support the business in managing its own risks and making informed decisions.

The question is, as a risk management function, are we comfortable with being the lighthouse, guiding, supporting and assisting the captain to map out a course for his ship, and then calling in the coast guard if the captain chooses to take a dangerous course or gets into trouble?

Happy sailing or happy guiding? The choice is yours.


Leadership comes from within

Scott North

Strategy & Leadership

Leadership comes from within. There are so many examples of this that we see in individuals who are faced with personal challenges, such as the leadership of Michael J Fox, who has shown that even with a terrible illness, he can show true leadership.

Observe Michael in Spin City, starting from the beginning, Season 1, and through to Season 4, the final season for Michael J Fox due to his diagnosis with Parkinson's disease: a terrible disease that no one should ever have to endure, but a disease which has shown his true leadership. It is important to now note that we do not know Michael J Fox, and our only link to him is through his movies and TV shows throughout our childhoods.

Michael has written three books, "Lucky Man", "Always Looking Up: The adventures of an Incurable Optimist", and "A Funny Thing Happened on the Way to the Future: Twists and Turns and Lessons Learned". Although his first two books are only available through iTunes as audio books in Australia, we were able to obtain his third book in electronic format, purchased through Kobo, called "A Funny Thing Happened on the Way to the Future". All three books have some very powerful themes running through them that do not directly refer to leadership but in actual fact are all about leadership. In particular, his strength of character to maintain his own dignity whilst at the same time continuing to work and operate as an inspirational actor. True leadership from within.

Beyond the books, when you look at Michael J Fox there are multiple on screen and off screen examples that highlight his true leadership coming from within.

The first observation is in relation to a character he played, Alex P Keaton. Alex P Keaton represented a role model to many people our age growing up. The primary reason was that although he was focused on money as an achievement, he also held to strong principles of family, friends, achievement and a desire to learn, and he was not driven purely by greed. He was driven by a desire to make something of his life. In recent times, the "Wall Street" mentality, "Greed is good", has seen a major economic crisis eventuate through people living that motto. Perhaps, if these people who caused the crisis had based themselves less on "Gordon Gekko" and more on Alex P Keaton, we would not have seen the economic crisis. Of course, it is just a character in a TV show, but one suspects that part of Michael is within this character. Again, these observations are based on what we see in his character both on and off the screen.

The second observation is on how he is handling his life post identification of his illness.


From his books it is clear, like many people, he has had his difficulties in dealing with this illness. However, he has led from within and shown others how to be dignified whilst maintaining leadership without the need to be the only person leading.

One would guess he doesn't need to write any books, or even read them for us as audio books (he could easily hire someone to read them for him as others do). Reruns, sales of DVDs and other royalties would most likely suffice any financial needs.

He shows us all how to respect ourselves and others, and to not fear who we each are or will be. But rather to embrace the life we have been given, no matter what hurdles are placed in front of us during that journey.

It appears that Michael is doing this because he wants people to read and hear what is happening to him. Of course part of this is to improve people's understanding of his illness and to help to find a cure through his Foundation, The Michael J Fox Foundation. But again, this highlights his desire to not hide from his issues but to embrace who he is, and make others see he is just a normal person, with talent in acting and now writing. And although he has been hit by a terrible illness he is putting himself out there to be assessed by others and potentially ridiculed by those that disagree with his agenda. That is great leadership.

In his first book, "Lucky Man", he refers to the fact that if he was offered the last 10 years back and to not have this illness, he would not take it. Of course, he never really has received this offer, so whether it would be possible to completely disregard it we will never know. However, he is genuine in that his life is greater for what he has experienced. This is the true sign of a leader who understands themselves and their finite time on this planet, and that life is about participating to the best of your ability under all circumstances, and helping achieve the goals you set yourself.

The third observation is again about a role he played: Mike Flaherty, Deputy Mayor of New York City. He plays the leader of the team that services the Mayor of New York. It is a comedy, so there are elements of humour embedded in the character; however, throughout the series he plays a leader that is not about hierarchy but about relationships with people. His leadership is also not about ordering them about (in actual fact there are many humorous examples where he cannot even get them to do what is needed to be done), but rather about guiding them through the complexities, allowing them to fail, and standing by them regardless of success or failure. Again, a true leader from within.

The fourth observation is the fact he is continuing to write books, even speak them in audio format, and leverage his experiences to help others grow and achieve. Of course, he is getting paid, but as I said earlier, that is not the key point. Part of personal achievement is receiving financial recognition, and no one can ever deny someone receiving that.

Every day he actively participates in life, regardless of the issues he has, and what fate has brought him in life. There are many other examples in movies about the leadership roles he has taken, including in the movie "The Secret of My Success" where he plays a mailroom boy who pretends to be a Senior Executive and shows people that sometimes the best idea comes from the person you would least expect. This also reminds us never to discount someone because of a title or role, because they may have that one idea that is the next Facebook, iPhone, or Amazon. Michael J Fox will continue to show us about true leadership, not through telling us he is a great leader, but through not telling us and showing us that "great leadership comes from within".

Note: The author has no affiliation with Michael J Fox or his Foundation. However if you can help the Foundation then please go to the Michael J Fox Foundation website.


Special Feature

External and internal fraud "Continue to ensure your fraud controls are in place."

Data security and privacy "Organisations need to consider the full gamut of the consumer experience and the quest to appease the customer, with the need to protect their data and also ensure a secure physical and non-physical environment."

Outdated business processes "Business processes age, just like technology and people."

Lack of skilled resources "Skilled resources, who can work in ever changing environments, are critical to a successful organisation."

Customer centricity "This risk surrounds the customer now being empowered to make more decisions on price, quality and product attributes."

As the world has evolved, technology and business change have become intertwined. Business change driven by the need to quickly expand markets, develop existing markets or enhance business is now conflicting with the processes of technology best practice change and process disciplines.


Top 10 Risks of 2011

What better time than right in the middle of 2011 to consider the remaining 6 months and the top risks that will impact your organisation. We detail our top 10 risks for you to consider in your own business risk analysis and assessment.

Global economic conditions. Since the global financial crisis (GFC) the world economy has been steadily declining on many levels. Rapid and extensive government bail-outs and spending have resulted in increased economic pressures as the fall-out from the GFC continues. This all impacts the trust in the economy and consumers' appetite for spending compared to saving. Organisations need to adequately balance the economic impacts with their needs to maintain a healthy operating profit, in an environment of reduced consumer spending.

Consumer sentiment shifts. Over the past few years we have seen that consumers can very quickly, and very ruthlessly, shift from liking your product to disliking your product. Consumer sentiment has seen the death of many brands, as the consumer switches to alternative products. The key to mitigating this risk is having an ability to be adaptive and quickly responding to the change in consumer sentiment. Recent examples we have seen in this are Apple and the iPhone 4, the failures of Mother for Coca Cola, and the adaption of the fast food industry to incorporate healthier alternatives. Don't be left holding the unsellable: continually review, adapt and evolve!

Industry breaking new technologies. Quite simply the book industry is now experiencing the same evolution that occurred in the music industry and the movie industry. But this type of industry breaking new technology can and will occur in any industry. Unlike the first risk, this one is not as easy to mitigate. Instead the organisation needs to make active, not reactive, decisions on the future of the industry they are in and how they wish to either participate or not in that future. Scenario planning is one technique to consider for these types of risks.

Customer centricity. The customer is now more empowered to make better decisions on price, quality and product attributes due to the evolution of social technology. The internet, through online research and shopping, has provided the customer with the power position. Organisations need to always consider the customer at the centre of everything they do, but the customer also wants to be protected in regards to privacy and security. Therefore, the organisation needs to balance these two aspects.

Regulatory change. Where would a top 10 be without this old but secure favourite? The global financial crisis has empowered governments all around the world to step into industries with regulations to ensure future viability. Therefore, organisations need to manage this risk with the same vigour and attention as they have in the past, and if they did not, well those organisations are probably not around any longer.

Data security and privacy. Another favourite for top 10 lists. However this risk is now enhanced through a consumer focus on speed and efficiency, which does not always lead to simple data security and privacy controls. Organisations need to consider the full gamut of the consumer experience and the quest to appease the customer, with the need to protect their data and also ensure a secure physical and non-physical environment. The traditional controls around risk management need to be reconsidered to provide more automated controls than ever before.

External and internal fraud. Fraud has been around since the very first moment money exchanged hands. Now with the digital world exchanging billions of dollars this risk is in rapid expansion. Fortunately a lot of organisations have historically focused on this risk, but that does not mean it can be forgotten. The fraudsters, both internal and external, are one step ahead of where you are. Continue to ensure your fraud controls are in place but invest in technologies that keep you, as best as possible, one step ahead of these highly organised fraud conglomerates.

Third party arrangements. The recent examples of failures of large third party providers have only made this risk more evident. It is not just financial failure you need to concern yourself with, it is also the service levels, their internal controls, their ability to deal with disasters, and the effectiveness and efficiency of their activities. The key controls over this risk are actually very similar to the controls you place over your own internal processes, it is just a third party doing it for you.

Outdated business processes. Business processes age, just like technology and people. If you leave a business process unattended or not reviewed for longer than 3 to 6 months then you are destined to see a failure of some kind in that process. Every business process needs an accountable owner who also actively monitors the processes through metric reporting. This risk can cause massive reputational and financial damage if left unattended. Business process reviews through business efficiency teams are mandatory. Techniques like six sigma and kaizen are ways of managing this risk.

Cost pressures. Post the global financial crisis (GFC) the world has seen a number of recessions and countries close to complete collapse. This has placed extreme pressure on the costs of all organisations. This risk is critical for organisations to manage and is something all organisations should have been managing prior to the GFC. Cost management is important, but like everything it needs to be balanced against sound risk appetite decisions.

Just missing out on the Top 10 is environmental risk. Although you can consider this a longer term risk, it does impact today's business environment, particularly in a climate of countries considering responses such as carbon taxes.

Environmental Risk. The recent events in Australia which have seen bushfires, cyclones and floods highlight the ever vulnerable nature of the human race to mother nature. However, is it too early to call out this risk as being a risk that will be ever present? For me, it is getting close, however all organisations' disaster recovery methods and business continuity methods should be focused on managing this risk. This has not changed in the last few years, but perhaps now it is just more evident as we experience an increase in changing weather patterns and more urbanisation.

Top 5 Technology Risks

The National Law Review posted an article in February 2011 discussing the "10 IT Risk and Security Trends to Watch" (see http://www.natlawreview.com/article/10-it-risk-and-securitytrends-to-watch).

We agree with the majority of their observations as the top 10, but here is our brief summary of what we see are the top 5 in IT and Security Risks as we stand today.

Business change versus technology change. As the world has evolved, technology and business change have become intertwined and inseparable. Business change driven by the need to quickly expand markets, develop existing markets or enhance existing businesses is now conflicting with the best practice rigid change processes of technology. This tension could result in costly business interruptions and system failures. To solve for this, organisations must identify critical services where failure would cause significant, highly visible business outage, and enforce best practice and process disciplines in these areas using more adaptive methods (i.e. the traditional waterfall methods are now fast becoming redundant).

Mobile technology. With the rapid advancement of mobile technology in the past few years the operational risks associated with this technology have been left either untended or not considered thoroughly by those implementing the new technology. This has been driven purely from a speed to market perspective and although originally impacting a small subset of the online population, it is now mainstream. Historically in these new technology fields errors in delivery or content have generally been accepted by a small early adopter group. But with most of this technology now embraced by the norm, who expect a higher level of quality and richer content, this approach is no longer acceptable. Organisations need to consider alternative methods of delivery which segment the population (e.g. the Google beta release model), allowing new versions to be issued with errors but accepted by the early adopter population. It is important though that communication occurs to consumers to help them understand the "beta" concept. If beta cannot be performed for your industry, then consider methods which allow the flexibility but require some formalised testing process. A balance needs to be determined which meets your risk appetite.

IT security and authentication. This is not a new risk, but more surprisingly a risk that is not always seen as the number 1 risk for online organisations. IT security and authentication is now considered a basic requirement of being online, which can make it almost overlooked in terms of competitive advantage. The next evolution of this risk surrounds the increased level of customer data that is available on the digital planet, through either providing access to your customers, employees or third parties. Customer expectations on faster, more customer centric authentication mean there is a potential trade-off between customer functionality and IT security. This risk needs to be actively managed with a level head, and a true consideration of customer privacy. We do not need to mention recent examples of customer privacy issues, both in the online and non-online worlds.

Cloud computing. Probably the fast mover in the pack. Cloud computing has moved extremely quickly from fringe consideration to almost part of executive vocabulary. The risks associated with cloud computing extend from privacy aspects of customer data, performance of the providers, integration of processes, and the financial stability of providers. Essentially all typical third party risks, but no longer is it just your business processes, it now is extending to your data, the life blood of your organisation.

Social networking. This is an interesting one to throw in the mix because it is a medium that has such varying acceptance across the community. Sites such as Facebook clearly have a large volume of users, but as with Twitter, the level of active users varies considerably. These channels are also not renowned for their online sales, but this will change. The key question is when, how, and what role your organisation wants to play in participating in these areas. Unlike Second Life, these types of real-time, interactive online social channels appear here to stay and thrive. The key risk in these areas surrounds the controls over your reputation management, as regardless of whether you participate or not, people will use these technologies.

Social Media Risks and Rewards

Moore's Law describes the rapid growth of transistors on integrated circuits (doubling almost every two years). Social media can be likened to this law, with a rapid expansion in the tools and the usage in the last two years. This exponential growth provides the organisation with an interesting perspective on risk compared to reward for social media. There are 5 key risk versus reward propositions that must be considered in social media.

1. Individual freedom. The power of the single voice has become significantly more pronounced, providing both positive and negative risks and rewards.
2. News spreads virally. In the past information took some time to become public, now it is almost instant.
3. Environment for interaction. Social media provides the platform for interaction; the risk versus reward question is whether you participate or not (as people will be talking about you even if you do not).
4. Fraud. Social media is almost anonymous, therefore providing value in the ability to "speak" without fear of reprisal. However, it does allow people to not be who they say they are, therefore providing opportunities for fraudsters to obtain customer information.
5. Information mismanagement. Social media provides a significantly greater amount of information than would otherwise be available. This increases risks involved in making decisions based on misinformation or information which is not appropriately managed.

Social media can therefore be a friend and a foe, so manage the risks and rewards wisely.



Understanding Your Customer Scott North

On Risk Management

If you have a customer facing business with a diverse customer set you need to risk assess your customer base.

This involves considering the customer attributes, or factors, and using statistical analysis to evaluate ("grade") your customers.


Understanding your customer is critical to business success, but beyond that it is critical to understanding the real risks of your business. So, we propose an idea that anyone who has a customer base should consider implementing. For marketing purposes you segment the customer base so as to ensure you use your finite marketing budget in the most appropriate manner. Customer based analysis also occurs across credit activities, such as providing customers loans, in order to determine the level of the risk associated with the customer. So, our concept is that anyone that has a customer facing business with a diverse customer set should look at risk assessing the customer base.

What does this involve? Essentially this involves considering the customer attributes ("factors") and using statistical analysis to evaluate ("grade") your customers. This grading can then be used for anything from security protocols to product offerings and pricing mechanisms. The biggest value in this analysis lies in the security protocols and product offerings that you would direct to certain customer segments.

For example, if you have both physical locations and online offerings, then understanding your customer base is critical. There would be nothing worse than pushing all your customers to have to use online offerings when they never want to use them. In this case, you would be exposing this customer, unknowingly, to a risk of account takeover without them really ever using the online tools. The first they would know of a problem is when they next visit the physical location or receive some sort of statement or account. By then, it will be too late for this customer and for you to recover the damage. And this applies to those customers who don't ever want to physically go to your store. If you have included in their offering the ability to physically visit, then you will have to carry associated costs in maintaining the physical presence.


There is no definitive list of characteristics or factors you need to consider, however we recommend you think about the customer interactions with your business. Using these factors, you can then perform a quantitative analysis on your existing customer base to develop a rating mechanism. This rating mechanism will then provide you with the segmentation of your customer base, which can then be used to tailor your offerings to your customers, tailor communications, and develop specific outputs for your customers. Some of our initial thoughts on characteristics or factors are:

• Volume of transactions by the customer;
• Type of transactions;
• Value of the transactions;
• Number of accounts held; and
• Characteristics of the customer which relate to your product (but do not focus only on the basics of age, sex, etc).

From these characteristics you can consider your own risk appetite and develop plan figures that provide you with early warning signs. This should not be a one-off exercise though. We recommend that you attempt to automate this analysis and ultimately invest in a real-time risk analysis system. However, in the initial instance a manual process on a monthly basis would be the minimum to develop enough historical data to be of benefit to future decision making. In addition, we recommend including a continuous improvement process into your business processes; this allows you to continually improve the outputs of your analysis and perform more reliable and effective risk analysis.

This may all sound quite obvious, but in most modern risk management processes, there is a focus on the qualitative analysis through workshops and risk assessments. This is not a sustainable position, and is not really how your own mind even works when it makes decisions. Our minds accumulate a history of data, both our own and from others, and then through this we make a decision taking into account the chance of something going wrong. Of course, like any quantitative analysis, you need to also overlay the qualitative characteristics you identify, but it needs to be a healthy balance. This is the exact same logic for performing this type of analysis as part of any effective risk management framework.

Through doing this work, you will find it also focuses you on the future rather than solely on the past. And what will be even more amazing is you will actually find that the customer experience will be enhanced as you make decisions on functionality that match your specific customer segments within your customer base. In particular you will not force some customers to use something that they never actually want. However, this does not mean you will not need to force change if you feel that a segment is no longer within your true customer base, for instance if the costs to maintain multiple customer bases with different needs become prohibitive. If you reach this point, help your customer find the provider that will satisfy them. Although that will mean that the customer is no longer your customer, they will still be a satisfied customer and be an advocate for you, and through them you may actually find you get more of the customers you can service.

Organisations need to be socially responsible now, not just financially responsible. In this regard, we see this as servicing customers so they achieve what they need and want to achieve. This social responsibility is not just about environmental concerns, but the broader social position of helping everyone achieve their goals. Utopian thinking, but it does make sense and perhaps the organisations that master this best will be the most successful organisations of the future. So, understanding your customer is not just critical to business success, but beyond that it is critical to providing the best social response whilst managing the different risks of each customer segment.


Resilience and efficiency - is this the Holy Grail to embedding risk management? James Wincott Operational Risk

Whilst the risk manager certainly has to be resilient in finding the right solution for the business, it's the efficiencies gained that the business truly values.

Looking up the dictionary definition of “Resilience” comes up with the following entry which at first glance has nothing to do with Operational Risk – “the ability to recover readily from illness, depression, adversity, or the like; buoyancy”. However on reflection that description of illness, depression and adversity is often how a business feels after you have tried to embed the changes in the operational risk framework. It is easy to envisage that at times the embedding of scenario testing, KRIs and maturity modelling has been a challenging and painful one for the business as they get to grips with how it is relevant to them. Essentially that is the test with resilience: ensuring that it is both understood and relevant to the end user and not just a tool used by a Risk department to prove to the regulators that we have a compliant framework. So let's take a look using two examples where resilience and efficiency played a part in successfully embedding the risk framework.

In any business one of the main ways to embed a strong risk culture is through its risk training. The risk training team was tasked with training the whole organisation (well over 3000 employees) in all aspects of the Risk & Compliance Management framework. This was a challenge when you consider the current team had only a few trainers and needed to run numerous face-to-face training sessions annually, to meet the ongoing demand. The other issue was that whilst running these sessions the trainers noticed a low attendance rate of less than 50% in some states. This resulted in the need to re-book training sessions and in some cases trainers needed to fly again and again to destinations just to complete the courses missed by the business the first time.

The solution needed to be a radical one. The team consulted with the business to define why the face-to-face sessions were not being filled and established that in most cases where a business unit was asked to attend, a number of staff could not be released for training due to the time critical nature of their roles. Staff needed to be at their desks to perform daily duties that clashed with the need to attend training at the same time. The solution was simple in concept, but much harder to implement and involved turning to technology. The technological solution was at the time used at a number of educational institutions. Sydney University, for example, had a number of courses that were on-line, using various podcasts to relay lectures to students too hung over to attend classes!

After careful consideration of our options we established a vision internally to build and deliver e-training, through our corporate Learning Management System. This enabled our employees to complete training at times most convenient to them and their business unit. To implement this we used software to help build our e-training modules on a number of risk and compliance training topics, focusing on the high volume courses first. The first module took the longest to build as the trainers took time to learn the system. Once up and running we had 6 modules built within 5 months, which allowed the business greater flexibility towards their training needs. Essentially an individual could now attend training at a time that suited them. The effect was amazing! Completion of the online modules was 100% and attendance at the remaining face-to-face sessions was increased to over 80%. In total the business saved over 80 business days and $200,000+ due to the efficiencies provided by e-training. By not having to travel to the training course most completed the course in a shorter timeframe than the previous face-to-face sessions.

The second example where resilience and efficiency worked well was the work we did in simplifying the risk profile. A number of the risk profiles had been built up over time by the business, some of which were essentially a laundry list of risks and controls that kept getting longer each year. In some cases the result was a risk profile which was 60 pages long for one business unit. Many of the controls for each risk were excessive, with a ratio of 10 controls to every risk.

The challenge here was to get the business to focus on their key risks, which was proving elusive when you consider the business had to review all 60 pages to get through their risk profile session in an hour and a half. The solution was to simplify by getting the business to focus on its key risks, essentially its top 10 risks, taking a top down approach. Where a number of controls existed against one risk these again were simplified down to a few key controls. Interviewing the General Managers first, we were able to identify their main priorities and then cross checked that back to the detailed profiles to ensure that no key risks had been missed. Essentially then, the top 10 risks could be used within business planning sessions as a key strategic tool rather than simply being filed away until the next profiling workshop.

So how important are resilience and efficiency in embedding a risk framework? Well both certainly have their part to play. When you consider that the risk team needs to work closely with the business unit to apply a practical perspective interpreting the existing risk framework, the team also needs to then consider how it translates it into a language the business can understand. Whilst the risk manager certainly has to be resilient in finding the right solution for the business, it is the efficiencies gained that the business truly values.

Risk Attention!

In life, it is extremely easy to forget that what is important to you may not be important to others. In addition, not only do we sometimes forget what is important, we confuse what is urgent with what is important. For those of you familiar with Stephen Covey's "7 Habits" this will sound familiar.

Showing resilience and efficiency requires the Risk Manager to be conscious of the distinction between importance and urgency. Too often Risk Managers get caught up in what is considered urgent, thereby neglecting what is important and not actually delivering true business value. So, pay attention Risk Managers to the choices of importance and urgency, and achievement of the Holy Grail will be more apparent to you and to achieving ultimate business success.


Tools - Emerging Technology

Tablets

2010 was the year of the tablet's birth. In 2011 the tablet is expected to arrive into adulthood. The Risk Profession needs to embrace this device for its power in providing instant access to information, the ability to physically interact thereby making it a tool for engagement, and the portability which makes the device better able to be present when required.

Control the Internet Pipeline

For a long time the internet has provided many individuals and organisations with a place to promote, advise and sell their products and ideas. Traditionally this content has been a user driven search process, however in recent times that model is changing to become more of a user "receives" process. This provision of information to the user, in a format the user prefers, provides the Risk Manager with the best opportunity to be advised of emerging risks, critical information on existing risks and even key performance indicators.

iPad App of the Month: The Power of Zite

Zite is a powerful application that has the functionality to not only find information on key topics, but to learn. Zite's learning ability is extremely powerful and effective. Essentially the user is provided content based on key topics. Then as the user reads the topics the application provides "thumbs up - thumbs down" capability (aka Tivo). Through these assessments the application learns what types of article topics you prefer.


Examples of these technologies are detailed below.

ZITE Personalised Magazine

Yahoo


eReaders

Quite simply, there is a difference between a Tablet and an eReader. eReaders are designed for the sole purpose of reading books (magazines are available but the graphical content is not quite transferrable to the eInk technology). The Risk Manager is a unique role in that it is expected to discuss and engage on every possible risk a business may encounter. This is impossible to do on pure experience alone and therefore being well-read is critical to a Risk Manager's success. There are many models of eReader but it is the Amazon Kindle that is now leading the way. The primary reason this is the market leader is the volume of content available through the Amazon on-line store. The other reason is the Kindle has the functionality to allow you to share excerpts from your reading with others through the social network sharing options.

The Social Network

The rapidly expanding worlds of Twitter and Facebook make them more important to the Risk Manager than they would at first seem. Tweeting has become a way for individuals to not only share personal actions but also to share links to articles, stories and content on any and every topic. Within the quantum of information in this medium, there are many examples of information that may help the Risk Manager grow or assist with identifying potential risks. Facebook, traditionally seen as a location to interact with your friends and family, is no longer limited to just that interaction. Facebook pages in particular allow individuals and organisations to distribute content through this medium. The Risk Manager therefore needs to be aware of the Social Network, not just from a personal perspective but on two fronts. These fronts are the risks associated with social media and the power of the information within social media.

Social Media Risk

Information now moves around the planet at astonishing rates. A disgruntled customer can immediately "tweet" their dislike and hundreds, if not thousands, can read that comment. Organisations can ignore this risk at their peril. The best mitigant to this risk is active participation and monitoring.

Social Media Data

The upside to social media, particularly due to the speed and quantum of data discussed on the medium, is the early warning signs that can be gathered through analysing the data contained within social media. Creating searches and then quantifying "hits" can provide invaluable information in highlighting emerging risks.


The Power of the Individual Scott North

Strategy & Leadership


Individual accountability in risk management is the cornerstone of a quality risk management framework. The process of enabling accountability to occur is an extremely complex and intensive process. Anyone who states they have a simple model for success in driving accountability in regards to risk management is not providing you with a completely accurate picture. Don't just take our word for it, any Risk Manager will tell you the same thing. However, we can help in your endeavours to drive the individual accountability proposition. There are 5 key areas that are required to be considered:

1. Governance;
2. Education and training;
3. Tools and processes;
4. Rewards and recognition; and
5. Consequence management.

Simply put, governance is the solid base that must be established for any effective business risk process. Governance begins with the establishment of a strong body or group that is tasked with the "ownership" of the discussions surrounding risk. Governance must include a strong risk committee with members from the business, formal reporting, structured and well controlled agendas, and robust minute taking. The governance needs to go beyond just the conversation of risk, and become the debate and then ultimate empowered and informed decision-making body. The governance body must be challenged to step up to leadership in risk, and must then regulate and mandate to others the required minimal processes of acceptable risk management. Quite simply, without good governance you will not have effective risk management, no matter how good the next 4 areas are.

The second area is education and training. Providing a robust and holistic set of education and training for the business will be the best preventative control you can implement. This front ends the conversation and, if done well, will be the catalyst for management and all employees to have the information they need to make informed business decisions. Education and training is not just about "drumming" a beat of rules and procedures but rather playing the music of valued and well thought through decisions. When you consider education and training, don't limit your mind to traditional induction training or online training modules, but really branch out to alternative training techniques and partners.

The traditional bastion of risk management is the third area of tools and processes. This is where you detail the processes that are needed to satisfy governance requirements and also provide employees with some certainty of steps. It gives them the tools that enable them to record the appropriate risks, controls, and actions. It then enables them to document events and perform root cause analysis. This is the management information you require to perform all the other areas.

The fourth area of rewards and recognition is an area that never seems to appear in frameworks. Not just risk frameworks for that matter, any frameworks. This area seems to be owned by the Human Resources function, which is contrary to the actual point of the area. Reward and recognition is about individual actions of accountability and performance being recognised for their contribution to the business performance. Proactive consideration of risks is exactly the accountability and positive performance we should all endeavour to achieve. The Risk Manager's role in this area is actually more important than in the majority of the other areas. Recognising the actions of others is the most powerful message a human being can send. Therefore, ensure you focus due attention on this when setting up your model for individual accountability for risk.

But with rewards and recognition comes the fifth area of consequence management. Within the confines of the organisation's appetite for business decisions and risk taking, some boundaries need to be set. If these boundaries are exceeded without due processes occurring, then individual accountability requires consequence management. This needs to include clear, concise and strong actions, and focus those actions on the individuals who were accountable for the result. Consequence management is more than simply "knuckle rapping"; it has to be about lessons learnt and reinforced continually and consistently across the organisation. Don't underestimate the amount of effort that is needed in this area. It is significant and quite extensive, and ironically more time consuming than any other area.

These five areas provide the cornerstones of individual accountability in risk management. It is a balancing act in ensuring all areas are adequately established and valued. The balancing process is also not something that can be just laid down and then left alone. It is a continual revisit and reassessment. There will be many errors and mistakes along the way, but these will only make the organisation stronger if the right focus is placed on each of these areas. It is the Risk Manager that has the accountability to make this happen, and through taking strong and clear stances in these areas you will have an extremely well risk managed business.



The AS/NZS ISO 31000:2009 Risk management — Principles and guidelines standard contains 9,584 words, containing

Understand your business environment

Simply, to know your risks you need to know your business and how it fits into the broader environment. Consider using the PEST Wheel as a way to bring out the key aspects that impact your business.

Brainstorm your business risks

Use simple techniques to work through your risks such as brainstorming and mind mapping. Make this part of running your business.



Analyse and understand business risks

The brainstorm should generate some "risk ideas" but these need further understanding and analysis to best determine the risk. Consider asking about who, what, when, how and why, and also using the "5-Whys" technique.

Quantify your business risks

Utilise formulaic approaches to quantify risks wherever possible, such as historical instances in and outside your organisation, and leveraging data on processes. Plot the results on a visual that provides a simple view of the high/medium/low risks.

Control your business risks

Develop process flow documentation and then establish appropriate controls against the risk. Consider the possible different risk treatment strategies in the control process.


Determine and monitor risk indicators

Risk indicators are indicators that provide a barometer of tolerable levels of risk, give early warning signs and show measures of change in risks. Measures should include operational events, compliance events, and control failures.

Develop required action plans

Risks are not always adequately covered and therefore where the business does not accept the current level of control, then action plans should be established, monitored and reviewed.

Educate and communicate your business risks

Effective risk management does not end with this process; it is ever changing and evolving. Therefore, develop learning modules for staff and continually communicate on the importance of escalation.

Graphics: PresenterMedia.com
Graphic Design and Production: Riskographics
Infographic Content and Author: TheInnovationofRisk.com
Infographic Sources: AS/NZS ISO 31000:2009 Risk management — Principles and guidelines standard

http://beckmann-bio.com/graphics/pest_analysis.png for PEST framework shell.
http://www.leighstringer.com/wp-content/uploads/2009/06/brainstorm.jpg for Brainstorm.
http://bulbburner.com/2010/05/5-whys-and-the-pitfalls/ for 5-Whys approach.
http://www.maf.govt.nz/environment-natural-resources/climate-change/resources-and-tools/adaptationtoolbox/step-3-how-will-climate-change-affect-me for quantification framework and http://aace0910.blogspot.com/2009/11/learning-on-how-to-quantify-risk-factor.html.
http://technet.microsoft.com/en-us/library/cc531022.aspx for process flow example.
http://fairwarepromo.wordpress.com/ for hierarchy of controls.


Risk Leadership

The world is evolving at a rapid pace and risk management is playing a crucial role in that evolution. In order to successfully navigate this rapid change, the Risk Manager must also adapt through innovation and leadership. Risk Leadership is about providing a medium for risk management to embrace the present and the future.


theinnovationofrisk.com

