Thoughts & Musings

Andrew J Smart

Build your risk register based on events

A crucial part of the risk management process should be continuously reviewing events and identifying risks that materialised but were not already on the risk register. Firms should also use events to trigger the closing of risks that may no longer be relevant.

For many firms, once a risk register is defined it remains largely unchanged; this is a mistake. Most firms operate in an environment of continuous turbulence, so we believe they should actively build their risk registers from the events that occur within the firm and externally within their industry.

After any significant event, firms should conduct a root-cause analysis to understand the event fully, learn from it and embed those learnings in the risk management process and the firm's culture.

In a firm that we work with, the operations team has embedded a continuous improvement process that requires all events of a certain severity to be formally reviewed. As part of this review, every event is expected to link to at least one operational process, technology asset (systems and digital assets), risk and control.

They specifically seek to identify, and report on, operational risks that materialised but were not in the risk register at the time of the event.

This process is also used by one of the most famous and innovative firms out there.

"If you look at the various reasons why we blew up starships, and you looked at the risk list, none of the reasons they blow up was on the risk list." (Elon Musk, CEO of SpaceX, August 2021)

To ensure your resources are focused on the right things, use events to drive a continuous improvement process around your risk register, add new risks as they are identified, and close existing ones that may no longer be relevant.
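The review the post describes (every reviewed event linked to a process, technology, risk and control; risks that materialised but were not on the register at the time; risks with no recent events as candidates for closure) can be run as a small script over an event log and a register. The following is an added example, not the firm's own process or tooling; the severity threshold, the one-year quiet period, and all risk ids, titles, dates and events are constructed assumptions.

```python
"""Event-driven review of a risk register.

Added example; it is not the continuous-improvement process of the firm
described above. It assumes a register in which every risk records the date it
was added and, if closed, the date it was closed, and an event log in which
each reviewed event links to the processes, technology, risks and controls
involved. The register and events below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REVIEW_SEVERITY = 3                 # assumption: events rated 3 or higher are formally reviewed
QUIET_PERIOD = timedelta(days=365)  # assumption: no linked event for a year => candidate for closure


@dataclass
class Risk:
    risk_id: str
    title: str
    added_on: date
    closed_on: Optional[date] = None

    def open_on(self, day: date) -> bool:
        """True if the risk was on the register (added and not yet closed) on `day`."""
        return self.added_on <= day and (self.closed_on is None or day < self.closed_on)


@dataclass
class Event:
    event_id: str
    occurred_on: date
    severity: int                       # 1 (minor) .. 5 (critical)
    processes: list = field(default_factory=list)
    technology: list = field(default_factory=list)
    risks: list = field(default_factory=list)       # ids of register risks that materialised
    controls: list = field(default_factory=list)


def linkage_gaps(event: Event) -> list:
    """Linkage categories the review expects (process, technology, risk, control) that the event lacks."""
    expected = (("process", event.processes), ("technology", event.technology),
                ("risk", event.risks), ("control", event.controls))
    return [name for name, items in expected if not items]


def unregistered_risks(event: Event, register: list) -> list:
    """Risks the event materialised that were not open on the register when the event occurred.

    A risk added to the register *after* the event (because the event prompted it) is
    still reported: it was missing at the time, which is the finding the review wants.
    """
    by_id = {r.risk_id: r for r in register}
    return [rid for rid in event.risks
            if rid not in by_id or not by_id[rid].open_on(event.occurred_on)]


def closure_candidates(register: list, events: list, as_of: date) -> list:
    """Open risks with no linked event inside the quiet period: review these for closure."""
    last_seen = {}
    for ev in events:
        for rid in ev.risks:
            last_seen[rid] = max(last_seen.get(rid, ev.occurred_on), ev.occurred_on)
    return [r.risk_id for r in register
            if r.open_on(as_of)
            and (r.risk_id not in last_seen or as_of - last_seen[r.risk_id] > QUIET_PERIOD)]


def review(register: list, events: list, as_of: date) -> dict:
    """Run the post-event review over all events at or above REVIEW_SEVERITY."""
    report = {"reviewed": [], "linkage_gaps": {}, "unregistered": {}, "closure_candidates": []}
    for ev in sorted(events, key=lambda e: e.occurred_on):
        if ev.severity < REVIEW_SEVERITY:
            continue
        report["reviewed"].append(ev.event_id)
        gaps = linkage_gaps(ev)
        if gaps:
            report["linkage_gaps"][ev.event_id] = gaps
        missing = unregistered_risks(ev, register)
        if missing:
            report["unregistered"][ev.event_id] = missing
    report["closure_candidates"] = closure_candidates(register, events, as_of)
    return report


# Constructed sample data (hypothetical risk ids, titles and dates).
SAMPLE_REGISTER = [
    Risk("R1", "Phishing leads to credential compromise", date(2019, 1, 1)),
    Risk("R2", "Legacy FTP server exposed to the internet", date(2018, 6, 1), closed_on=date(2020, 2, 1)),
    Risk("R3", "Ransomware via unpatched VPN gateway", date(2021, 4, 15)),   # added after event E1
    Risk("R4", "Data centre flooding", date(2017, 1, 1)),
]
SAMPLE_EVENTS = [
    Event("E1", date(2021, 3, 10), 4, ["client-onboarding"], ["vpn-gateway"], ["R3"], ["patch-management"]),
    Event("E2", date(2021, 6, 2), 2, ["payroll"], ["hr-system"], ["R1"], ["mfa"]),     # below review threshold
    Event("E3", date(2021, 7, 20), 3, ["payroll"], [], ["R1"], ["mfa"]),                # no technology linked
]


def sample_review() -> dict:
    return review(SAMPLE_REGISTER, SAMPLE_EVENTS, as_of=date(2021, 12, 31))


if __name__ == "__main__":
    for key, value in sample_review().items():
        print(f"{key}: {value}")
```

Run as-is it reports E1 as having materialised a risk (R3) that was only added to the register a month later, E3 as missing its technology linkage, and R4 as an open risk with no linked event in the look-back window. Note that closure candidates are computed from all events, including those below the review threshold, because a low-severity event still shows the risk is live.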

Risk-Based Culture | Andrew J Smart

Woodford's return and the SM&CR

This morning, various newspapers reported that Neil Woodford, the founder and Chief Investment Officer of Woodford Investment Management, is making a comeback to the investment industry.

Of course, many will know that Woodford Investment Management failed spectacularly in 2019, costing investors close to £1bn by some estimates.

The root cause of Woodford Investment Management's failure appears to have been a fundamental failure to understand and manage liquidity risk. Holding illiquid assets in open-ended funds that allow daily dealing designs a high level of liquidity risk into the fund from the outset. The then Governor of the Bank of England, Mark Carney, recognised this design problem, describing such funds as "built on a lie".

So, if the reports are correct and Neil Woodford is returning to the Investment industry what does this tell us about the Senior Managers & Certification Regime (SM&CR) and the broader drive by regulators (FCA & PRA) and government to improve the culture of the UK Financial Services industry?

If Neil Woodford is allowed to return to the investment industry in a regulated capacity, this would completely undermine the Senior Managers & Certification Regime's credibility and call into question the commitment of regulators and government to drive a culture change within the UK Financial Services industry.

After the collapse of Woodford Investment Management, City grandee and former City minister Paul Myners said, "The most profound implications of the Woodford crisis have been brushed under the carpet."

Is the Senior Managers & Certification Regime, and the drive to change the culture in the financial services industry about to go the same way?

ERM | Andrew J Smart

Risk-Taking Boundaries – A Risk Appetite and Risk Capacity Primer

In this article, I am going to introduce two important concepts related to setting boundaries for risk-taking and seek to clarify their meaning. These two concepts are Risk Appetite and Risk Capacity.

At KRM22, we advocate the implementation of an integrated, real-time, enterprise risk management approach which enables firms to operate at the optimal threshold of risk-taking, driving increased and sustainable shareholder returns.

Unfortunately, there is no definitive and universally agreed definition for these terms. It is also worth noting that they are often used interchangeably and out of context. Where possible, I will refer back to the world's two leading enterprise and operational risk management standards: ISO 31000:2018 Risk Management and the COSO Enterprise Risk Management Framework.

Risk Appetite

We define Risk Appetite as "the amount and type of risk that a firm is willing to accept, and must take, to achieve its strategic objectives and therefore create value for shareholders and other stakeholders". With the inclusion of the phrase "and must take" we are explicitly signalling that risk-taking is a fundamental part of strategy and value creation.

Without taking risk, nothing is achieved. Therefore we see Risk Appetite as a key part of both delivering firm objectives and managing risk.

The COSO Enterprise Risk Management Framework 2017 states that "The organisation defines risk appetite in the context of creating, preserving, and realising value". It lacks a clear and concise definition of what Risk Appetite is.

However, its predecessor, the 2004 version of the COSO framework, defines risk appetite as "the amount and type of risk that is acceptable to be taken by an organisational entity over a defined time period, to achieve the objectives of that strategy".

The ISO 31000 standard does not include the term Risk Appetite. However, it uses the term Risk Criteria, which has a similar, if broader, meaning. Under Risk Criteria it states: "the organisation should specify the amount and type of risk that it may or may not take, relative to objectives. It should also define criteria to evaluate the significance of risk and to support decision-making processes. Risk criteria should be aligned with the risk management framework and customised to the specific purpose and scope of the activity under consideration. Risk criteria should reflect the organisation's values, objectives and resources and be consistent with policies and statements about risk management."

However, ISO Guide 73:2009 Risk management — Vocabulary does explicitly define Risk Appetite as the "amount and type of risk that an organisation is willing to pursue or retain".

Risk Capacity

Also known as Risk-bearing capacity, we define Risk Capacity as the maximum amount of risk that a firm can take before the firm fails should those risks crystallise.

We believe that knowing your firm's Risk Capacity is an essential part of the Enterprise Risk Management framework. By understanding the firm's Risk Capacity, Boards and Executive teams can make better strategic and operational decisions. They can also take specific actions to increase Risk Capacity.

Many firms have to submit an ICAAP and ILAAP for regulatory purposes. Too often, this is approached as an annual regulatory compliance exercise only. Forward-looking firms use the ICAAP and ILAAP process to understand their Risk Capacity and to drill into which risk-taking would lead to the firm's failure.

Interestingly, neither ISO 31000 nor the COSO Enterprise Risk Management Framework 2017 mentions Risk Capacity.

Conclusion

Risk Appetite and Risk Capacity are two essential tools for firms to define and clarify the boundaries around their risk-taking. Both have a significant role to play in strategic and operational decision-making, and both help set the tone of a firm's enterprise risk management approach and culture.

Whereas Risk Appetite is about what risk and the amount of risk that is to be taken to create value, Risk Capacity is about survival. Therefore both are a critical part of your enterprise risk management framework.

And while having a 'fixed' definition of both is essential, there must be flexibility and a regular review process. Both Risk Appetite and Risk Capacity should reflect the state of the business internally and market conditions externally, and change as they change. Living through the COVID-19 crisis shows how quickly firms and market conditions can change.

First posted here

RBPM methodology | Andrew J Smart

Probability of Execution (POE)

The Probability of Execution is an aggregated, easy to understand percentage value showing the probability that a single objective, or group of objectives will be executed by its due date based on the various data points which have a causal relationship to the objective. This includes linkages between objectives and aligned processes and initiatives, and of course, risks and controls at various levels within the RBPM framework.

Risk Management, particularly Enterprise Risk Management, is often defined in terms of risk related to the achievement of objectives.

Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives. - ISO31000. https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en

The culture, capabilities and practices, integrated with strategy-setting and performance that organizations rely on to manage risk in creating, preserving and realizing value – COSO Enterprise Risk Management, 2017. https://www.coso.org/Pages/erm.aspx

These definitions show the importance of linking risk to strategic objectives. However, the standards provide little guidance into how this linkage should be implemented.

Risk-Based Performance Management is unique in that it provides a structured methodology that sets out how businesses can integrate enterprise performance management and enterprise risk management.

One of the critical points of integration between these two management disciplines is the concept of a Probability of Execution (PoE).

The idea behind the Probability of Execution is to provide a risk-based view of the probability that an individual objective or a group of objectives will be achieved within their due date. Easy to say, but maybe more difficult to understand.

Let's go into that now.

When executives sit down to review performance against objectives, current good practice suggests that each objective has a small number of related Key Performance Indicators (KPIs) which indicate if the objective is on-track to be achieved or not.

Typically, KPIs are colour-coded using a traffic light or RAG (Red, Amber & Green) approach. Within the RBPM methodology the preferred scoring approach is RAGAR (Red, Amber, Green, Amber, Red), a two-sided scale on which both under- and over-performance against the target band are flagged.

For many executive teams who use traditional performance management systems, whether the Balanced Scorecard (BSC), Objectives & Key Results (OKRs) or simply a collection of objectives on a dashboard, getting all objectives to green and keeping them there is the desired outcome.

KPIs provide a performance perspective on the achievement of objectives; however, they do not take into account the level of risk related to accomplishing an objective. This can create a false sense of security and lead to a surprise when objectives are missed because one or more risks crystallise.

Within the Risk-Based Performance Management (RBPM) methodology, the traditional KPI-driven RAG statuses are complemented with the concept of a Probability of Execution.

The Probability of Execution is an aggregated, easy to understand percentage value showing the probability that a single objective, or group of objectives will be executed by their due date based on the various data points which have a causal relationship to the objective(s). This includes linkages between objectives and aligned processes and initiatives, and of course, risks, risk events and controls at various levels within the RBPM framework.

The Probability of Execution has proven to be a powerful, yet simple to understand and easy to action way of integrating risk into the strategy execution conversation.

A balanced suite of KPIs provides a performance perspective on the status of the objective. In contrast, the Probability of Execution provides a risk-based view which is, by its nature, forward-looking. The Probability of Execution also works well with Appetite Alignment, another central concept within Risk-Based Performance Management.
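The post explains what a Probability of Execution is and why a KPI alone can mislead, but it does not publish how the percentage is aggregated. The following is an added example, not RBPM's own scoring: it assumes each linked risk has an inherent likelihood, each mapped control has an effectiveness that multiplicatively reduces it, linked risks are independent, and a group's PoE is the product over its objectives. The objectives, risks, controls, KPIs and RAGAR bands are constructed. It shows the situation the post warns about: an objective whose KPI is Green while its PoE is only about 61%.

```python
"""Probability of Execution (PoE) next to a RAGAR KPI status.

Added example, not RBPM's own scoring: the methodology describes PoE as an
aggregate over the risks, controls and other data points linked to an
objective but this post does not publish the aggregation, so the following
assumptions are made and labelled here. Each linked risk has an inherent
likelihood in [0, 1]; each control mapped to it has an effectiveness in [0, 1];
residual likelihood = inherent * prod(1 - effectiveness); linked risks are
treated as independent, so the objective's PoE = prod(1 - residual); a group's
PoE is the product over its objectives (all must be executed). The objectives,
risks, controls and KPIs below are constructed.
"""
from dataclasses import dataclass, field
from functools import reduce


@dataclass
class Control:
    name: str
    effectiveness: float        # 0 = does nothing, 1 = fully mitigates


@dataclass
class Risk:
    title: str
    inherent_likelihood: float  # probability the risk crystallises before the due date, uncontrolled
    controls: list = field(default_factory=list)

    def residual_likelihood(self) -> float:
        """Inherent likelihood reduced by every mapped control (assumed multiplicative)."""
        for p in (self.inherent_likelihood, *(c.effectiveness for c in self.controls)):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"probability out of range: {p}")
        return reduce(lambda acc, c: acc * (1.0 - c.effectiveness), self.controls, self.inherent_likelihood)


@dataclass
class Kpi:
    name: str
    value: float
    bands: tuple   # (red_low, amber_low, amber_high, red_high): Green lies in [amber_low, amber_high]


def ragar(kpi: Kpi) -> str:
    """Two-sided RAGAR scoring: both under- and over-shooting the target band is flagged."""
    red_low, amber_low, amber_high, red_high = kpi.bands
    if not red_low <= amber_low <= amber_high <= red_high:
        raise ValueError("bands must be non-decreasing")
    v = kpi.value
    if v < red_low or v > red_high:
        return "Red"
    if v < amber_low or v > amber_high:
        return "Amber"
    return "Green"


@dataclass
class Objective:
    title: str
    kpi: Kpi
    risks: list = field(default_factory=list)

    def probability_of_execution(self) -> float:
        """P(no linked risk crystallises), risks treated as independent (assumption)."""
        return reduce(lambda acc, r: acc * (1.0 - r.residual_likelihood()), self.risks, 1.0)


def group_probability_of_execution(objectives: list) -> float:
    """PoE for a group of objectives that must all be executed (assumption: independent)."""
    return reduce(lambda acc, o: acc * o.probability_of_execution(), objectives, 1.0)


def status_line(o: Objective) -> str:
    return f"{o.title}: KPI {o.kpi.name}={o.kpi.value} -> {ragar(o.kpi)}, PoE {o.probability_of_execution():.0%}"


# Constructed sample: a migration objective whose KPI is Green while its PoE is only ~61%.
MIGRATION = Objective(
    "Migrate customer records to the new platform by Q4",
    Kpi("spend vs budget (%)", 92.0, bands=(70.0, 85.0, 100.0, 110.0)),
    risks=[
        Risk("Key vendor becomes insolvent", 0.30, [Control("escrow agreement", 0.5)]),
        Risk("Data loss during migration", 0.20, [Control("dual-run period", 0.6), Control("verified backups", 0.5)]),
        Risk("Loss of key engineers", 0.25),
    ],
)
SECURITY_HARDENING = Objective(
    "Complete MFA roll-out by Q3",
    Kpi("accounts covered (%)", 96.0, bands=(80.0, 90.0, 100.0, 100.0)),
    risks=[Risk("Legacy app cannot integrate with the IdP", 0.20, [Control("RADIUS bridge", 0.5)])],
)

if __name__ == "__main__":
    for obj in (MIGRATION, SECURITY_HARDENING):
        print(status_line(obj))
    print(f"group PoE: {group_probability_of_execution([MIGRATION, SECURITY_HARDENING]):.0%}")
```

The RAGAR bands are deliberately two-sided: spend well under budget is as much a warning (work is not happening) as spend over it. Whatever aggregation a firm actually adopts, the property worth keeping is the one shown here: the PoE moves when a control weakens or a new risk is linked, even while the KPI stays Green.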

COVID-19, ERM | Andrew J Smart

Responding to COVID-19

The COVID-19 pandemic is, with little doubt, the most challenging crisis many people will see in their lifetimes, and without doubt the most challenging crisis that many businesses will face. To navigate these times successfully, firms will need to take a strategic approach: first and foremost, they must protect their existing business, and then look to grow its value as opportunities emerge.

Firms that have implemented and embedded an integrated, enterprise approach to risk management will be best positioned for survival and growth in these uncertain times. Such an approach should include:

  • Business Model and Strategy, including a suite of Business Objectives

  • Risk Appetite and Risk Capacity

  • Scenarios

  • Financial and Non-Financial Risks. These risks will exist at the Enterprise, Market, Compliance, Technology and Operational levels.

A holistic enterprise risk management approach will set the context for your COVID-19 response and recovery.

To effectively respond to COVID-19, firms should quickly review and update any existing response plans (often referred to as a business continuity plan, incident management plan, or crisis management plan) to take into account the specific details of COVID-19.

I would recommend that your COVID-19 plan be made up of a series of ‘crisis levels’ so that your response can evolve quickly as the nature of the pandemic changes. For example, your crisis levels could include:

  • Level 1 – Minor disruption to business activities

  • Level 2 – Major disruption of business activities

  • Level 3 – Partial cessation of business activities

  • Level 4 – Complete cessation of business activities

  • Level 5 – Firm Recovery or Resolution

At each level, we would recommend that your response plans include the following eight critical components.

1. Business Impact Assessment (BIA)

Building on your existing enterprise risk assessment process and methodology, undertake a Business Impact Assessment to ensure that the impact of COVID-19 is fully considered, well defined and to identify potential gaps that currently exist.

The Business Impact Assessment should be used to create a shared understanding of the crisis across your business; the board and executive should be heavily involved in conducting the BIA, and the results should be shared within the firm as widely as possible, with appropriate consideration given to protecting the sensitive information the BIA will contain.

2. Financials

Determine how to stabilise your financial position to ensure you can survive the crisis in the short term, minimise damage to the business in the medium term and position the firm for growth in the long-term.

Quickly getting clarity on your cash, capital, liquidity and profitability over each of these time horizons is the key to responding successfully to COVID-19.

3. Objectives

Determine a set of very clear objectives for each stage of the crisis and be clear about accountability for each objective. In the early stages of a crisis it is reasonable to keep your focus mostly on pre-crisis objectives; however, as the crisis evolves and deepens this may change.

As your firm moves through the various levels of a crisis, the number of objectives should be reduced to create focus, minimise distractions and ensure effective deployment of resources.

You should get to a point where the board and executive are focused on a small number of well-defined objectives, with clear accountabilities and a clear understanding of the ‘road-map’ that signals where the focus will move should the crisis go to the next level. Of course, this road-map must also signal when and how the firm recovers and moves to a (new) normal operating environment.

4. Critical activities, systems and assets

As the COVID-19 crisis evolves, your definition of what is critical to your business will change. Therefore, it is important to define, for each crisis level, clear, immediate objectives and a set of essential activities (processes and initiatives), systems and assets to be protected and managed.

For your firm to successfully get through COVID-19, and to be positioned for rapid recovery, your brand, your people and your information assets are going to be particularly important. Therefore, particular care must be given to managing these through the crisis.

If your firm has applied the CIA triad (confidentiality, integrity and availability) to classify its information assets, use it to prioritise and re-prioritise as the crisis level changes.

Review your process architecture and portfolio of change initiatives to determine the earliest point at which individual processes and initiatives can be shut down, and when they must be restarted. If your firm uses the ‘big three’ business continuity indicators, Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Maximum Tolerable Period of Disruption (MTPD), these should inform decision-making as the crisis evolves; any process whose RTO is longer than its MTPD has no credible recovery plan and should be treated as a priority gap.

5. Risk Management, particularly 3rd Party Risk & Counterparty Risk

In any crisis, particularly one of the size and scope of COVID-19, firms must continue to undertake their risk management activities. As with other critical activities, the level and nature of risk management undertaken during a crisis should reflect the crisis level at which your firm is operating. Given the nature of COVID-19, Financial, People, 3rd Party and Counterparty risk will be particularly important.

In addition to the business-as-usual risk activities, a crisis such as COVID-19 will, without doubt, surface gaps in the firm’s enterprise risk management framework and processes.

New risks that are directly related to the crisis will need to be managed as per existing risk management processes. Whether these risks become part of the business-as-usual risk management framework, is a decision for post-crisis.

6. Measurement

The old mantra ‘you can’t manage what you don’t measure’ applies during the COVID-19 crisis; however, what you measure should change in three distinct ways.

1. Reduce your business-as-usual measurement

To reduce your people’s workloads, and to create focus, reduce the amount of measurement in line with decisions around the firm’s objectives, risks, and critical activities, systems and assets.

2. Use measurement to trigger changes in your response

Use measurement, along with updated risk and business impact assessments, to trigger changes in your response to the crisis. With COVID-19, there are good data sets available which can be included in your decision-making, including external data such as infection rates, infection growth rates and death rates. Additionally, national and local governments are communicating actions that the population must take, which will be vital in your response decision-making.

3. Add measurement to track your response

Add a new, limited set of metrics to track how well your firm is responding, and align these measures to your (new) priorities. Change these metrics as your firm moves to different crisis levels.

7. Response Plan and specific tasks

The response to COVID-19 will be driven by a series of very specific, (hopefully) short-term response plans and tasks with clear accountabilities that need to be executed as quickly and effectively as possible. Whether your firm creates a specific COVID-19 crisis management team or manages through existing management structures, having clear visibility of the status of your response plans and associated actions will be vital. Response plans should signal what will need to be done next at each step, which of course can, and probably will, change rapidly and often.

8. Communication Plans

Finally, no document about responding to COVID-19 would be complete without mentioning communication. The way that your senior leaders, and the firm as a whole, communicate with your firm’s internal and external stakeholders will be vital in navigating this crisis and positioning your firm for recovery and post-crisis growth.

This blog post was originally written by Andrew Smart and posted here

ERM, COVID-19, TEDTalk | Andrew J Smart

COVID-19 - Bill Gates saw it coming!

In 2014, the world avoided a global outbreak of Ebola, thanks to thousands of selfless health workers -- plus, frankly, some very good luck. In hindsight, we know what we should have done better. So, now's the time, Bill Gates suggests, to put all our good ideas into practice, from scenario planning to vaccine research to health worker training. As he says, there is no need to panic but we need to get going.

ERM, COVID-19 | Andrew J Smart

Is COVID-19 a Black Swan event?

In the matter of a few weeks, the way that people work and play has been turned on its head due to COVID-19. Governments and businesses worldwide have been scrambling to react to the latest twists and turns of this crisis. Many have been caught flat-footed and ill-prepared. Given the nature of COVID-19, and the speed with which it has spread and the impact it is having globally, it is tempting to think about COVID-19 as a Black Swan event.

However, in this article I argue that, rather than a Black Swan, we should categorise COVID-19 as a Gray Rhino.

Black Swans

Nassim Nicholas Taleb popularised the concept of a Black Swan event in his highly acclaimed book, The Black Swan. Taleb characterised a Black Swan event using the following three criteria:

  1. It is an outlier; it lies outside the realm of regular expectations because nothing in the past can convincingly point to its possibility.

  2. It has an extreme impact

  3. Despite its outlier status, we work hard to develop an explanation for the event, after the fact, making it explainable and ‘predictable’ (even though it was never previously predicted)

The temptation for Government, Business and other leaders to label COVID-19 as a Black Swan event is compelling.

By labelling it a Black Swan, they do not have to confront the uncomfortable question: why were we not prepared for this?

By labelling it a black swan, we can brush away concerns that none of our risk management reports or dashboards mentioned pandemic. When voters, regulators, investors and other key stakeholders ask the uncomfortable questions; labelling COVID-19 a black swan event provides an easy answer.

This would be fine except for one very important thing: it is not a Black Swan event.

COVID-19 is no black swan

Simply stated, COVID-19 is not an outlier. It is within the realms of our regular expectations, and there are several similar events in the past.

  • Influenza pandemics in 1918 (Spanish flu), 1957 and 1968. The Spanish flu alone is estimated to have infected 500 million people and resulted in 50 million deaths.

  • Severe Acute Respiratory Syndrome (SARS) (2002–2004), a coronavirus: approximately 8,000 cases reported and 774 deaths across 29 countries.

  • Middle East Respiratory Syndrome (MERS), first identified in 2012 and sometimes called camel flu, another coronavirus: approximately 1,360 cases reported and 527 deaths.

  • Western African Ebola virus epidemic (2013–2016): 28,646 reported cases and 11,323 deaths.

One could also add to this list the various outbreaks, many relatively localized, of bird flu and swine flu that have occurred regularly over the last 20 plus years.

Bill Gates also highlighted the risk of a virus-driven global pandemic in 2015, in a TED Talk he gave in light of the Western African Ebola virus epidemic.

COVID-19 can hardly be called a Black Swan, outside the realm of regular expectations, when:

  • Governments have included pandemic on national risk registers. For example, the UK Government’s National Risk Register 2017 listed a pandemic caused by the emergence of new infectious diseases as one of the key risks.

  • Governments have ‘war-gamed’ a pandemic scenario, as the UK Government did in October 2016 and as the outgoing US administration did in January 2017.

So if COVID-19 is not a Black Swan, how should we categorise it?

Gray Rhinos

Rather than a Black Swan, perhaps we should categorise COVID-19 as a Gray Rhino. In the context of risk management, the concept of a Gray Rhino was introduced by Michele Wucker in her book The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore. Wucker characterised a Gray Rhino as a highly probable, high-impact yet neglected threat.

Could a global pandemic such as COVID-19 be considered a highly probable event? Would such an event be high impact? Was this a threat that was neglected? I think the answer to each of these questions is yes.

  • Highly probable – as already stated, there have been several events similar to COVID-19, including SARS and MERS, both of which are caused by coronaviruses.

  • High impact – again, the effect from similar previous events and the current crisis demonstrates the high impact nature of this event.

  • Neglected threat – given the number of governments, particularly in the ‘western’ world, that had a global pandemic on their national risk registers or had ‘war-gamed’ this risk, and given the apparent lack of preparation, it is clear that a global pandemic was a neglected threat.

While I have set out a series of steps that can be taken in response to the COVID-19 crisis here (insert link), below I would like to set out some thoughts on how and where to include Gray Rhino risks within your Enterprise Risk Management framework.

Many business and risk leaders will naturally feel, in light of COVID-19, that Gray Rhinos type risks should be included in regular board and executive risk reporting packs. However, for many firms, this is probably not the right approach.

Regular Board and Executive risk reporting should focus on the risks directly related to delivering the firm’s strategy: delivering specific objectives, maintaining the right level of capital and liquidity, and protecting operational performance under ‘normal’ operating conditions. At this moment a pandemic might feel like a normal operating condition, but it is probably better to use an emerging-risk report or dashboard to capture highly probable, high-impact risks.

Alternatively (and this is my recommended approach), pandemic and similar Gray Rhino type risks could be included in scenarios. For many firms, the use of scenarios within their Enterprise Risk Management framework is limited to meeting regulatory obligations such as the ICAAP, ILAAP and SREP.

However, extending the use of scenarios and war-gaming to ‘stress’ your business strategy, business model and operational resilience in the face of Gray Rhino risks can add significant value. Four areas where incorporating scenarios into your Enterprise Risk Management framework adds value include:

  1. Establishes a shared view of, and clarity around, the firm’s operating environment and strategy; in particular, the critical success and risk factors of the firm’s strategy and their relative importance to the firm.

  2. Enable the firm to establish and maintain the right level of capital and liquidity under ‘normal’ business operating conditions, and quickly understand new levels when operating conditions change.

  3. Enables robust challenge and stressing of the underlying assumptions made about the firm’s business strategy, business model and operating model.

  4. Finally, including scenarios within your Enterprise Risk Management framework helps create a ‘Risk-Based decision-making’ culture; a culture where risk, of all types, are key considerations within the decision-making process.

So COVID-19 is not a Black Swan event, but it does add a new phrase to the risk management lexicon: Gray Rhino. And, as is often said, one should never waste a good crisis.

Once we have got through COVID-19, use the experience to strengthen your approach to risk management. If I can leave you with two recommendations, they would be:

  1. Review your approach to risk management and ask do you have an enterprise approach that works, in good times and bad?

  2. Consider the use of scenarios as part of your enterprise risk management approach, but go beyond using them just to meet regulatory obligations (as important as that is) and use them to generate actionable business insights and to build a Risk-Based culture.

This blog post was originally written by Andrew Smart and posted here
