Managing a portfolio of risky projects

I heard a talk in Berlin recently that inspired me to think of risk in new projects this way. Take all the disruption or new projects and map them as follows:

Vertical axis is new growth

Horizontal axis should include transformational/blue ocean dimensions like:

  • improved relationships with customers

  • new customers

  • future new business model to make you more competitive

High growth projects with high transformational / blue ocean possibilities are the key in a disruptive / ultra competitive world. That doesn’t mean we don’t identify the risks in those projects - we still should do that because it may be even more important. But here’s a lesson from long ago in my career. Identifying the risks takes serious thought and the most important risks come up at the end, not in the first 5 minutes. It takes deep thinking.

Preliminary Results from the Center for Excellence in ERM on Digital Disruption

Although the final white paper is forthcoming, it seems wise to share some of the interesting findings:

  • 85% of ERM leaders agree that digital disruption and transformation will have a significant impact.

  • The #1 reason companies are moving forward with digital disruption efforts is that they believe their business model is at risk. 76% listed “remaining relevant” as the reason for making a change.

Using ERM to Make Innovation More Successful

I recently attended the Lean Startup Summit in Berlin. A few ERM/startup takeaways:

First, use an ERM approach to identify the risks in the startup. Instead of COSO’s risk categories or strategic objectives, consider using the dimensions of usability, feasibility, and value. Use these prompts to get the team to identify and map the risks on impact and likelihood. Manage the big ones right away. The startup may depend on it.

Second, identify the critical success factors in the launch of the startup (at the Summit this was applied to a product launch). Using those factors, attempt to reduce the risk of each product launch factor via testing. As the tests prove successful, the risk is lowered. Document the test results and (hopefully) reduced risk.

Third, once the product or company is launched the next steps are focus, focus, focus. This was labeled horizon one and the focus seemed to be on selling that product/idea and getting it out. But according to research done by this company on scaling companies, a considerable amount of effort must be put into new products. Stated differently, they suggest that true long-term success must focus on the next product and time must be continuously allocated to the new ideas even while focusing on the current success.

Note we have a white paper on the ERM - innovation connection that has valuable additional content.

Two easy ways to begin the risk-strategy connection

First, read your strategy document. I can’t emphasize this enough. We’ve got to know our own vision, mission, strategy, etc. Note that sometimes an understanding of this will cause a repositioning of certain risks.

Second, read what they read. Boards and executives are not necessarily reading COSO’s ERM Framework or the ISO Framework. Therefore, to understand their world and problems, read what they read. Some of my favorites in this area are:

Business Models

o  Business Model Generation (Osterwalder & Pigneur)

o  Value Proposition Design

 

Disruption

o  No Ordinary Disruption (Dobbs et al.)

o  Big Bang Disruption (Downes & Nunes)

o  Your Strategy Needs a Strategy (Reeves et al.)

o  Create Marketplace Disruption (Hartung)

o  Superforecasting (Tetlock and Gardner)

 

Strategy (more general)

o  Strategy Beyond the Hockey Stick (Bradley et al.)

o  Blue Ocean Strategy (Kim & Mauborgne)

o  The Lean Startup (Ries)

o  Playing to Win (Lafley and Martin)

o  Brand Resilience (Copulsky)

o  Discovery Driven Growth (McGrath and MacMillan)

o  Upside (Slywotzky)

o  Innovator’s Toolkit (HBS)

o  Geography of Genius (Weiner)

 

Strategic Execution

o  Achieving the Execution Edge (Bart & Schreiber)

o  When Strategy Execution Marries Risk Management (Ow)

o  Seven Strategy Questions (Simons)

o  Strategy that Works – How Winning Companies Close the Strategy-to-Execution Gap (Leinwand & Mainardi)

And from the book above, “Strategy Beyond the Hockey Stick,” I found the authors had an interesting favorite list of their own:

  • Strategy: A History

  • The Innovator’s Dilemma

  • Good Strategy/Bad Strategy

  • The Art of War

  • Coopetition: a revolutionary mindset…

  • The Lords of Strategy…

  • Antifragile: things that gain from disorder

  • The signal and the noise…

  • Thinking fast and slow

  • Decline and fall of the Roman Empire

  • On war

  • The strategy of conflict

Areas to improve in ERM

The Center for Excellence in ERM at St. John’s University recently released the white paper “The ERM Journey.” While navigating strategy and disruptive risks gets many headlines, some fundamentals are still necessary for ERM to be effective. The study shows:

  • 33% of ERM executives do not agree that their assessments are accurate,

  • 48% do not look at risk connections/correlations,

  • 58% have had unidentified risks impact them (surprises?), and

  • only 46% agree that decision making involves explicit consideration of risk.

The lesson? Get better at how you identify, how you assess, and get involved early (if possible).

Using key risk drivers to enhance action plans

There has been talk about key risk indicators, bow-ties, etc. for some time. However, one extra reason to at least set up these risk driver scenarios is that doing so can help:

  • identify new risks, and

  • get better metrics.

When forced to not just identify metrics but to first think through the drivers and consequences of the risks, executives begin to see new risks as their minds work through what’s causing the risks. Additionally, as they consider the final and most probable drivers, they then, and I would argue only then, can get the best possible metrics to manage the risk.

Other reasons why ERM adds value

The Center for Excellence in ERM at St. John’s University recently released the white paper “The ERM Journey.” One thing that stands out in that white paper is how ERM executives believe value is added. But the key to understanding that value is insight into why it adds value. A couple of reasons stand out:

  • 54% of ERM executives believe they add value because they helped their organization identify previously unknown risks.

  • 76% of ERM executives believe they add value by helping their organization understand the real risks.

Discovering new risks and finally understanding risk is all about moving some unknowns into the known area. It’s got to add value.

Ways to add value with ERM

The Center for Excellence in ERM at St. John’s University recently released the white paper “The ERM Journey.” One thing that stands out in that white paper is how ERM executives believe value is added.

One obvious answer is to build the ERM infrastructure. Table 1 shows that high performing ERM companies have a higher percentage of agreement with the statement “We have the necessary infrastructure to support the ERM process.”

A second method is to integrate ERM better and in the right areas. Table 2 shows that high performing ERM companies have higher percentages of ERM integration in strategy, operations, and finance.

A third method shows up in Table 3. While building and integrating are important, some of the big ERM wins come from helping the culture become risk aware, building a relationship with risk owners, bringing “ah-ha” moments, and things like having business leaders promote and embed risk in their areas.

How ERM can help alleviate board pressure on disruptive risks

Adaptive Governance & Challenge. “In the Commission’s view, this will require boards to build… adaptive governance, which we define as… active involvement by directors in setting and maintaining a boardroom culture that is centered on open discussion, constructive challenge…” (NACD, 2018).

- ERM Reaction: practice a challenge culture or contrarian view when risks are presented. Encourage boards to do the same. The goal is for the greater good of the organization.

Question Legacy Business Models. Allegiance to legacy business models with reluctance to question their future viability is a red flag according to board guidance (NACD, 2018).

- ERM Reaction: include business model risk analysis in your risk assessment.

Boards assess emerging risks. “The board should carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated. Principal risks should include, but are not necessarily limited to, those that could result in events or circumstances that might threaten the company’s business model, future performance, solvency or liquidity and reputation. In deciding which risks are principal risks companies should consider the potential impact and probability of the related events or circumstances, and the timescale over which they may occur.” UK Corporate Governance Code 2018.

- ERM Reaction: First, strengthen your emerging risks process. Second, include business model risk analysis in the process. Note, if you’re not in the UK you might be tempted to ignore this UK Guidance, but it captures the growing pressure on boards over emerging risks and business models.

Exogenous Risks. “Boards have concerns about less controllable, exogenous risks.” 2019 NACD Corporate Governance Outlook. 

- ERM Reaction: Convince the board how you’ve done this. Use black-swan or disruptive workshops to attempt to pull out these risks.

Trigger risks. “Trigger events or risk thresholds are not always clear in advance: even if their causes are relatively familiar, these risks may ‘develop in a non-linear manner,’ as a result of ‘tipping points that might be detectable only in retrospect.’” Board Oversight of Disruptive Risks (NACD, 2018).

- ERM Reaction: Identify which risks could be the tipping point or the trigger. Develop key risk indicators, risk drivers, or mind maps to help see the triggers. Managing/monitoring the non-trigger risk could be too late.

Assess vulnerability to Disruptive Risks. “Establish time on the board agenda, at least annually, for a substantive discussion of the company’s vulnerability to disruptive risks. Consider using approaches such as scenario planning, simulation exercises, and stress testing to inform these discussions.” NACD, 2018

- ERM Reaction: Just do it.

Skills to Navigate Disruptive Risks. Boards should invest in the skills—within the organization and on the board itself—needed to navigate disruptive risks. (NACD, 2018).

- ERM Reaction: lead or train your board on how to identify disruptive risks and link them to the business model. Ask them to include ERM and Board Risk Oversight training as part of the new board member onboarding/training.

Big Problems are Opportunities (comments by Clayton Christensen) - An Opening for ERM Executives

This interview with Christensen points out that companies must address disruptive innovation (his first book) but his latest work also discusses problems and opportunities.

“His solution is simple, profound and right in front of your face: See big problems as big opportunities. Look for the intersection of non-consumption and what he calls “jobs that must be done.” Then create products—and processes—that serve those needs. By doing so, you’ll harness what he terms “market-creating innovation”—by far the most profitable, disruptive force in business (think electric light, iPhones and the Model T).”

For the practicing ERM executive or board member there is a valuable insight here. Look at your biggest risks on your map or register and seek the opportunity and upside of that risk instead of just identifying the risk and developing action plans. In other words, challenge management to think through the risk and find the opportunity. I’ve met one CRO that does this on their top risks in designated risk opportunity workshops. 

Corporate Risk Disclosures in Manufacturing: A U.S. and Japanese Comparison

A company’s annual report offers a description of that organization’s business and the risks it faces. Risk disclosures are an important part of that report and should provide external stakeholders with valuable information about significant risks.

This research study represents an analysis of risk factor disclosures from large manufacturing companies on both the Tokyo Stock Exchange (TSE) and the New York Stock Exchange (NYSE).

English version

Japanese version

ERM Challenges

At one of our recent Center for Excellence in ERM Summits participants were asked to list their greatest ERM challenge. Their list is below. Perhaps others can learn from their wisdom.

Senior leadership socialization

Integration into the Strategy Formulation process.

Measuring the value of ERM.

Benchmarking the thoroughness of the program.

Applying consistent and/or universally-accepted risk assessment criteria across different business units/contexts.

Building awareness of the integration between ERM and Strategy

Competitor innovation. 

Consistent implementation of new ERM-related policies and procedures

Credit for the work that is done

Customer attrition 

Deepening organizational understanding of risks, and framing such in a way that facilitates Decision making 

Determining the purpose and "value add" of the ERM program and gaining C-Suite level support for ERM initiatives 

Differentiation between ERM level risk and operational risk.

Education on ERM to middle management

Ensuring the business actively monitors risk.

Ensuring underlying assumptions, modeling and forecasts are adequate to meet our short and long-term obligations and regulatory mandates.

Establishing an ERM system

Formalizing ERM throughout the organization. 

Getting involved in strategy setting and decision making.

Getting the attention of staff at all levels of the agency

Keeping the appropriate balance between profitability and growth

Maintaining a regular cadence of engagement - engagement tends to vary by the risk stakeholders

Maintaining Consistency

Moving from an ERM program that has a higher focus on reducing negative outcomes and managing risks to one that is fully integrated with the business and strategies, increasing the range of opportunities linked to performance ... creating, preserving and realizing value.

not enough resources around model, vendor and ops risk functions

Responsiveness from several business units

Risk appetite

Showing or proving how we add value 

siloed risk activities; no CRO

Standardize ERM governance across all regions. Insert ERM or its principles into the strategic planning process across all regions.

Talent management

Time to work in ERM to decision making process.

Too many silos 

ERM Program Certification? Nah, but your board may ask for something similar.

There is no official certification (that I know of) for ERM at this point. But how would a board know or an ERM leader determine that their ERM process is set up in a way they’d want? There are the obvious signs such as too many surprises, not seeing risks, not correctly assessing, etc. There is also a program review that can be done.

First, some organizations can and do benchmark with other programs to get feedback.

Second, other organizations hire outsiders to review their program and provide feedback.

Third, ERM leaders can do this on their own. An unofficial approach might be:

  • Review your program for all COSO Components

  • Review your program for evidence of all relevant principles (the word relevant is critical).

  • If your program has evidence of relevant principles, COSO components, and the components interact/work together then you’d unofficially have a good program.

 

Keep in mind:

  • It can be very valuable to do this.

  • This is unofficial; but if some senator gets mad at U.S. businesses again, they could make this the law (like they did with internal control / SOX).

  • Tread lightly. Choose wisely. Make it a TQM opportunity for improvement thing instead of a do or die ERM thing. It works better, you get to the same place (since this isn’t 100% the law), and management sees it as a positive thing about performance, etc.

  • Finally, if I were a board member I’d ask every ERM leader I know to do this.

Board risk oversight and reputation risk

Great blog here from the Harvard Law School Forum. Those that work with boards should read the entire thing, but here are two key paragraphs with my emphasis added:

Take-Aways

For as long as Caremark continues to be the law, directors should ensure that they at least meet the Caremark standard in connection with the #MeToo movement and other issues relevant to their businesses, but they should not be too concerned about new liability risks, even in the current environment. Meeting the Caremark standard includes periodically assuring that there is a system for information and problems to come to the board’s attention. The application of the Caremark standard to today’s issues does not require novel efforts.

However, reputational risks for companies and directors, distinct from liability risks, deserve to be highlighted in the current environment. The enterprise risk approach that many companies and boards take should be re-examined to ensure that they are designed so that reputational risk concerns will bubble up to the board. In our experience this adjustment has already happened at many companies.

ERM and High Performance

Some ERM habits of high-performing organizations:

High-performing organizations are:

- more likely to factor risk into decisions than non-high-performing companies

- twice as likely as low performers to be involved in decision making up front (instead of afterwards or never) 

- three times more likely to have "engaged" leadership on risk than low-performers

 

Preliminary data analysis based on the Center for Excellence in ERM at St. John's April 30th ERM Summit - The ERM Journey. Final analysis and white paper are forthcoming.

IMA Releases Updated SMA - Enterprise Risk Management: Tools & Techniques for Effective Implementation

ERM: Tools & Techniques for Effective Implementation has been released by the IMA. This is a nice overview of ERM and can be given to colleagues that might not want to read the entire COSO ERM Framework or the ISO Framework. This updated report highlights:

* Risk identification techniques

* Analysis of Risk by Drivers

* Risk Assessment Tools, and

* Practical Implementation Considerations.