There seems to be a lot of angry talk about various risk management certifications on the web lately. Most comments come from people who are very ill-informed about how certification, any certification, works. As a creator of two national risk management certification programs that have been hugely successful in Russia, here are my two cents.
First, here are some sobering facts:
Almost every country in the world has its own national non-financial risk management certification; there are also a few pan-European and global ones
All are optional, none are compulsory by law (despite many unethical attempts to limit competition)
Most certifications are done by national risk management associations, although some countries have healthy competition that offers more than one certification program to local markets
Regulators and employers are mainly ignorant regarding non-financial risk management certifications, hence one certification program does not have noticeable advantage over the other
All certifications are built on some globally recognized foundation; ISO31000 seems to be a favorite one and is my favorite, as well
Certification is just an exam with options including self-study, online prep training or face-to-face prep training (the length of the training is irrelevant, because certifications test prior and existing knowledge; training is more like a refresher)
Most existing certification programs are useless because they still focus on conducting risk assessments and treating risk management as a stand-alone independent process — there are, however, some good ones
There is limited to no quality control or oversight in place
In this video, I give my advice on how to choose the best non-financial risk management certification:
Below is an example of the certification program developed by RISK-ACADEMY (a Russian leader in risk management training), the Global Institute for Risk Management Standards (G31000) and the best risk managers from Russia and the CIS. The program is aligned with the principles of the international risk management standard ISO31000:2009 and shows numerous examples of how COSO:ERM 2004 is flawed in almost all regards.
It consists of four modules:
Module I: Risk Management Foundations
Definition of risk
History of risk management
International and national standards in risk management
Introduction to finances, project management and process management
Introduction to statistics
Module II: Risk Management in Decision Making
Tools and techniques to identify risks associated with decision making or the achievement of goals/KPIs
Tools and techniques to analyze and quantify effects of uncertainty on decisions or on achievement of KPIs (decision trees, sensitivity analysis, scoring models, Monte Carlo simulations, scenario analysis, bow-ties)
Risk mitigation within the confines of decision making and achievement of KPIs
Monitoring, reporting and communicating decisions made or the achievement of KPIs with risks in mind
Module III: Psychology and Culture of Risk Management
Cognitive biases inherent to decision making and risk management
Integrating risk management principles into the overall corporate culture
Principles of professional ethics
Module IV: Integrating Risk Management in a Business
Aligning risk management efforts with the overall risk appetite
A road map for integration of risk management:
Developing new and updating existing policies and procedures
Integration into decision making, planning, budgeting, purchasing, auditing
Risk management roles and responsibilities, risk management KPIs
Integrating risk information into management reporting
Resources required for the implementation of risk management
Monitoring and evaluation of the effectiveness of risk management (maturity models, including our own advanced risk management maturity model)
Let me start by saying that integrating risk management into strategic planning is NOT doing a strategic risk assessment or even having a risk conversation at the strategy-setting meeting; it is so much more.
Kevin W. Knight, during his first visit to Russia a few years ago, said, “Risk management is a journey… not a destination.” Risk practitioners are free to start their integration journey at any process or point in time, but I believe that evaluating strategic objectives at risk can be a good starting point. The evaluation is relatively simple to implement yet has an immediate, significant impact on senior management decision making.
Step 1 – Strategic Objectives Decomposition
Any kind of risk analysis should start by taking a high-level objective and breaking it down into more tactical, operational key performance indicators (KPIs) and targets. When breaking down any objectives, it is important to follow the McKinsey MECE principle (ME – mutually exclusive, CE – collectively exhaustive) to avoid unnecessary duplication and overlapping. Most of the time, strategic objectives are already broken down into more tactical KPIs and targets by the strategy department or HR, saving the risk manager a lot of time.
This breakdown is a critical step to make sure risk managers understand the business logic behind each objective and helps make risk analysis more focused.
Important note: While identifying and assessing risks should be management’s responsibility, the business reality in your company may be that the risk manager sometimes has to take the lead and perform the risk assessment of strategic objectives.
Example: Risk Management Implementation
VMZ is an airline engine manufacturing business in Russia. The product line consists of relatively old engines, DV30, which are used for the medium-haul airplanes Airliner 100. The production facility is in Samara, Russia. In 2012, a controlling stake (75%) was bought by an investment company, Aviarus.
During the last strategic board meeting, Aviarus decided to maintain the production of the somewhat outdated DV30, although at a reduced volume due to plummeting sales, and, more importantly, to launch a new engine, DV40, for its promising medium-haul aircraft Superliner 300.
The board signed off on a strategic objective to reach an EBT (earnings before tax) of 3,000 million rubles by 2018.
Step 2 – Identifying Factors Associated With Uncertainty
Once the strategic objectives have been broken down into more tactical, manageable pieces, risk managers need to use the strategy document, financial model, business plan or the budgeting model to determine key assumptions made by management.
Most assumptions are associated with some form of uncertainty and hence require risk analysis. Risk analysis helps to put unrealistic management assumptions under the spotlight. Common criteria for selecting management assumptions for further risk analysis include:
Whether the assumption is associated with high uncertainty.
Whether the assumption impact is properly reflected in the financial model (for example, it makes no sense to assess foreign exchange risk if in the financial model all foreign currency costs are fixed in local currency and a change in currency insignificantly affects the calculation).
Whether the organization has reliable statistics or experts to determine the possible range of values and the possible distribution of values.
Whether there are reliable external sources of information to determine the possible range of values and the possible distribution of values.
For example, a large investment company may have the following risky assumptions: the expected rate of return for different types of investment, an asset sale timeframe, timing and the cost of external financing, rate of expected co-investment, exchange rates and so on.
Concurrently, risk managers should perform a classic risk assessment to determine whether all significant risks were captured in the management assumptions analysis. The risk assessment should include a review of existing management and financial reports, industry research, auditors’ reports, insurance and third-party inspections, and interviews with key employees.
By the end of this step, risk managers should have a list of management assumptions. For every management assumption identified, risk managers should work with the process owners and internal auditors and use internal and external information sources to determine the ranges of possible values and their likely distribution shape.
Based on the management assumptions, VMZ will significantly increase revenue and profitability by 2018. Expected EBT in 2018 is 3,013 million rubles, which means the strategic objective will be achieved.
We will review what will happen to management projections after the risk analysis is performed in the next section.
The next step includes performing a scenario analysis or Monte Carlo simulation to assess the effect of uncertainty on the company’s strategic objectives. Risk modeling may be performed in a dedicated risk model or within the existing financial or budget model. There is a variety of different software options that can be used for risk modeling. All examples in this guide were performed using the Palisade @Risk software package, which extends the basic functionality of MS Excel or MS Project to perform powerful, visual, yet simple risk modeling.
When modeling risks, it is critical to consider the correlations between different assumptions. One of the useful tools for an in-depth risk analysis and identification of interdependencies is a bow-tie diagram. Bow-tie diagrams can be done manually or using the Palisade Big Picture software. Such analysis helps to determine the causes and consequences of each risk and improves the modeling of them as well as identifying the correlations between different management assumptions and events.
The outcome of risk analysis helps to determine the risk-adjusted probability of achieving strategic objectives and the key risks that may negatively or positively affect the achievement of these strategic objectives. The result is strategy@risk.
The risk analysis shows that while the EBT in 2018 is likely to be positive, the probability of achieving or exceeding the strategic objective of 3,000 million rubles is 4.6%. This analysis means:
The risks to achieving the strategy are significant and need to be managed
Strategic objectives may need to change unless most significant risks can be managed effectively
Further analysis shows that the volatility associated with the price of materials and the uncertainty surrounding the on-time delivery of new equipment have the most impact on the strategic objective.
Management should focus on mitigating these and other risks to improve the likelihood of achieving the strategic objective.
Tornado diagrams and result distributions will soon replace risk maps and risk profiles as they much better show the impact that risks have on objectives.
This simple example shows how management’s decision-making process will change with the introduction of basic risk modeling.
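To make the Step 2 and Step 3 mechanics concrete, here is an added example (not from the book or RISK-ACADEMY’s own models) of a strategy@risk simulation in plain Python instead of @Risk: a constructed EBT model for the VMZ case with a few uncertain management assumptions, a correlation between DV30 and DV40 demand, the probability of reaching the 3,000 million ruble objective, and a tornado-style ranking of the assumptions by their correlation with EBT. All ranges and base figures are constructed for illustration, so the resulting probability is not the 4.6% quoted above.

```python
"""Strategy-at-risk demo: Monte Carlo over management assumptions (constructed model)."""
import math
import random

TARGET_EBT = 3000.0  # strategic objective from the text, million rubles (2018)

# Constructed base-case management assumptions (illustrative, not VMZ's real figures).
BASE = {
    "dv30_units": 40.0,             # DV30 engines sold in 2018
    "dv40_units": 120.0,            # DV40 engines sold in 2018 if launched on time
    "dv30_price": 30.0,             # million rubles per engine
    "dv40_price": 45.0,
    "materials_index": 1.0,         # 1.0 = materials prices exactly as budgeted
    "materials_share": 0.45,        # materials cost as share of revenue at index 1.0
    "fixed_costs": 620.0,           # million rubles
    "equipment_delay_months": 0.0,  # new DV40 production line delivered on time
}


def ebt(a):
    """Earnings before tax for one set of assumptions (million rubles)."""
    # Each month of delay in the new equipment removes a month of DV40 output in 2018.
    launch_factor = max(0.0, 1.0 - a["equipment_delay_months"] / 12.0)
    revenue = (a["dv30_units"] * a["dv30_price"]
               + a["dv40_units"] * a["dv40_price"] * launch_factor)
    materials = revenue * a["materials_share"] * a["materials_index"]
    return revenue - materials - a["fixed_costs"]


def base_case_ebt():
    """Deterministic projection, i.e. what management's own financial model says."""
    return ebt(BASE)


def sample_assumptions(rng):
    """Draw one scenario. Ranges and shapes are constructed here; in practice they
    come from process owners, internal audit and external data (Step 2)."""
    a = dict(BASE)
    # DV30 and DV40 sell to the same airlines, so demand is correlated (rho = 0.6):
    # two independent normals combined Cholesky-style.
    rho = 0.6
    z1, z2 = rng.gauss(0, 1), rng.gauss(0, 1)
    z2c = rho * z1 + math.sqrt(1 - rho ** 2) * z2
    a["dv30_units"] = max(0.0, 40.0 + 10.0 * z1)
    a["dv40_units"] = max(0.0, 120.0 + 20.0 * z2c)
    a["materials_index"] = max(0.5, rng.gauss(1.0, 0.12))     # price volatility
    a["equipment_delay_months"] = rng.triangular(0.0, 12.0, 2.0)  # low, high, mode
    return a


def simulate(n=20000, seed=31000):
    """Return per-input samples and the matching EBT samples."""
    rng = random.Random(seed)
    keys = ("dv30_units", "dv40_units", "materials_index", "equipment_delay_months")
    inputs = {k: [] for k in keys}
    results = []
    for _ in range(n):
        a = sample_assumptions(rng)
        for k in keys:
            inputs[k].append(a[k])
        results.append(ebt(a))
    return inputs, results


def probability_of_target(results, target=TARGET_EBT):
    return sum(1 for r in results if r >= target) / len(results)


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def tornado(inputs, results):
    """Rank assumptions by |Pearson correlation| with EBT: a tornado diagram in numbers."""
    rows = [(k, pearson(v, results)) for k, v in inputs.items()]
    return sorted(rows, key=lambda kv: abs(kv[1]), reverse=True)


if __name__ == "__main__":
    inp, res = simulate()
    print(f"Base case EBT: {base_case_ebt():.0f} million rubles")
    print(f"P(EBT >= {TARGET_EBT:.0f}): {probability_of_target(res):.1%}")
    for name, corr in tornado(inp, res):
        print(f"{name:24s} {corr:+.2f}")
```

The base case lands near the objective while the simulated probability of reaching it is small, which is exactly the gap between a deterministic projection and a risk-adjusted one that the text describes; the ranking shows which assumption to discuss with management first.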
Step 4 – Turning Risk Analysis Into Actions
Risk managers should discuss the outcomes of risk analysis with the executive team to see whether the results are reasonable, realistic and actionable. If indeed the results of risk analysis are significant, then management, with help from the risk manager, may need to:
Revise the assumptions used in the strategy.
Consider sharing some of the risk with third parties by using hedging, outsourcing or insurance mechanisms.
Consider reducing risk by adopting alternative approaches for achieving the same objective or implementing appropriate risk control measures.
Accept risk and develop a business continuity/disaster recovery plan to minimize the impact of risks should they eventuate.
Change the strategy altogether (the most likely option in our case)
Based on the risk analysis outcomes, it may be required for the management to review or update the entire strategy or just elements of it. This is one of the reasons why it is highly recommended to perform risk analysis before the strategy is finalized.
At a later stage, the risk manager should work with the internal auditor to determine whether the risks identified during the risk analysis are in fact controlled and the agreed risk mitigations are implemented.
Join our free webinar to find out more (click the link to see available dates and times). Read the full book from which this is adapted. You can download it for free here.
Risk management is ultimately about creating a culture that would facilitate risk discussion when performing business activities or making any strategic, investment or project decision.
Here are some of the key points that are often missed:
Risk management is not just about tools and techniques; it is about changing the corporate culture and the mindset of management and employees. This change cannot happen overnight. Risk managers need to start small by embedding elements of risk analysis into various decision-making processes, expanding the scope of risk management over time.
It is vital to break the status quo where risk management is seen as a separate and independent activity. Instead, risk managers should integrate risk management into all core business activities. This can be achieved by integrating risk analysis into decision-making processes, assisting management in evaluating projects and strategic initiatives with the use of risk analysis tools, integrating risk management into strategic planning, budgeting and performance management, incorporating responsibilities in job descriptions, providing management training, etc.
Risk managers should strive to become advisers to senior management and the board, advisers who are trusted and whose recommendations are listened to. To achieve this, risk managers may need to break away from traditional models like “three lines of defense” and instead choose to actively participate in the decision-making, take ownership of some risks and provide an independent assessment of risks associated with important business decisions, maybe even vetoing some high-risk activities.
To explore these topics, Elena Demidenko and I have written a free book, “Guide to Effective Risk Management 3.0”. It talks about practical steps risk managers can take to integrate risk management into decision-making and core business processes. Based on our research and the interviews, we have summarized 15 practical ideas on how to improve the integration of risk management into the daily life of the organization. These were grouped into three high-level objectives: drive risk culture, help integrate risk management into business and become a trusted adviser.
This document is designed to be a practical implementation guide. Each section is accompanied by checklists, video references, useful links and templates. This guide isn’t about “classical” risk management with its useless risk maps, risk registers, risk owners or risk mitigation plans. This guide is about implementing the most current risk analysis research into the business processes, decision making and the overall culture of the organization.
A while back I recorded a short video on the topic of risk management organizational structure in a non-financial company. In the video I discussed various options for the risk manager’s place in the overall organizational structure. Since there is really no single right answer, a few common options include: reporting directly to the CEO, reporting to the Board or Audit Committee, reporting to the CFO or the Head of Internal Audit, and so on. You probably already have a personal preference. I hope this article will help you to rethink it.
It really doesn’t matter…
The first conclusion I make in the video is that it actually doesn’t matter where the risk manager sits as long as two important criteria are met:
Direct access to decision makers – risk managers must be close enough to the decision makers to be able to support the risk management integration into business processes and decision making and be able to reinforce risk management culture. This requires some level of seniority to be able to participate in the decision making and reach executives or Board members when required.
Access to information – risk managers need unfiltered access to various sources of information, including internal audit findings, IT data, production data, financial and accounting information, compliance data and so on. This requires good relationships with key information owners and established communication channels that will allow risk managers to use corporate data for risk analysis on a daily basis. The second criterion is the most important in my mind.
As long as these two criteria are met the risk manager will be able to fulfill his role almost anywhere within the organizational structure.
My personal experience was reporting to the Head of Strategy, the CFO, the CEO, the Chair of the Audit Committee and the Head of Internal Audit. And while it’s unique to every organization and does depend to a large degree on the personal relationship with the supervisor/sponsor, I found that sitting together with Internal Audit makes perfect sense, because:
Internal audit doesn’t own many risks, so there is less pressure on risk managers to withhold information or exclude data from risk analysis. The opposite could be reporting to a CFO. The finance department originates and owns a lot of risks. I have come across companies where risk managers who reported to the CFO were pressured to exclude financial risks from the analysis or were prevented from integrating risk analysis into financial business processes.
Internal audit has a direct communication channel with the Board and the Audit Committee. This helps to integrate risk management into strategic decision making.
Access to financial and operational company data. Internal auditors usually have full access to company data and facilities, which is invaluable when performing timely and accurate risk analysis.
Access to audit findings, non-compliances, control weaknesses and so on. Internal audit is a gold mine of data that can significantly improve the quality of risk analysis. I was very fortunate to be able to communicate with internal auditors on a daily basis. Their input helped me dramatically improve my risk analysis and hence improve the quality of the overall decision making in the company.
Risk management can also improve Internal audit planning and auditing procedures. The relationship works both ways.
Higher ethical expectations from Internal audit.
There are of course arguments against having risk management and internal audit in one department. I am sure you have thought of a few right now. Most of them are not real. I encourage you to write your arguments for and against in the comments below and I will try to respond to each one.
Lack of independence and conflict of interest are usually quoted as the main logic for separating risk management and internal audit. I find this quite naive: first, to seriously think internal audit is truly independent is a bit of a stretch, and second, lack of independence with respect to risk management in particular is literally the least of the internal auditor’s problems. I summarize my thoughts on the three lines of defense in the following video:
I was very fortunate to host a roundtable during the FERMA risk seminar in Malta. I am very thankful for the opportunity, because the experience of brainstorming for 45 minutes with the representatives from various small and medium enterprises (SMEs) really highlighted some major problems with modern-day risk management and risk managers.
Here are three things that I think all of us could learn from managing risk at SMEs:
SMEs simply can’t afford to waste time or other resources on an activity that does not generate direct value
For SMEs, time is pressure, management teams are small, margins are limited and, as a result, management is very pragmatic about any new, sexy activities and initiatives. Risk management is no different. It has been around for years, yet few SMEs have properly adopted it. Something’s not right…
I think it’s about time we had an honest look at some of the activities risk managers do:
Do risk assessments really change the way business processes work, change the manufacturing process and change the way products are sold?
Do risk managers bring something of value to the table when any important business decision is made?
Do risk assessments change the way executives make decisions, and is risk analysis available on time to support every significant decision?
Are risk registers looked at by the CEO before making an important decision?
Do risk owners check their risk mitigation actions regularly?
Do risk appetite statements in non-financial companies change the way the company operates and the way decisions are made?
Do employees regularly read risk management framework documents?
Do managers call the risk manager before making a decision when faced with uncertainty?
I suspect the answer to most of those questions is “not quite.” This could mean one of two things: either the risk manager is not doing his job properly, or he is properly doing a job that is completely wrong. My bet is on the second option. There is simply a better way than risk profiles, risk registers, risk frameworks, risk owners — and so on. Here is a short video about what the future holds for risk management.
SMEs don’t do risk management to mitigate risks; they do it to make better decisions
SMEs do risk analysis when a decision needs to be made, using whatever risk analysis methodology is appropriate for that particular type of decision. Large corporations do risk management when it’s time to do risk management, be it annually, quarterly or at some other regular interval. Nothing could be further from the truth. Unless your methodologies, approaches and tools allow risks to be analyzed at any moment during the day — when an important decision is being made or at every milestone within the core business processes — you are probably doing something wrong.
If there is one thing I learned over the years it is that no one in the company, and I mean NO ONE, expects the risk manager to care about risks. Well, maybe some about-to-retire audit committee member would, but most executives wouldn’t have the courage to deal with the real risks if you showed the risks to them. The rest of the company cares about making money, meeting objectives with the least amount of effort and getting nice bonuses as a result.
You can assign risk ownership to top executives as much as you like — no one cares. SMEs learned the hard way that unless an activity directly contributes to achieving objectives, it’s not going to be done. Risk management is no different. I find it ridiculous when risk managers talk about high risks and the need to mitigate them when, instead, they could be saying things like, “the probability of meeting this objective is 10% — unless we change things,” “there is an 85% chance your business unit will not get bonuses this year based on our risk analysis” and so on.
Anyone can be a risk manager, but it’s not natural
Despite what we within the risk management community have been telling each other for years, managers are not really managing risks every day. Thinking about risks is not natural for humans. The way System 1 and System 2 thinking operate in our brain makes it literally impossible to see most of the risks associated with making decisions, let alone analyze them or manage them. Since the 1970s, many scientists, including two Nobel Prize winners (Kahneman and Tversky), have discovered more than 200 cognitive biases that prevent managers from seeing, understanding and dealing with risks.
This basically means risk surveys, most risk workshops and any kind of qualitative risk assessments are very unlikely to produce truthful results. But then what should risk managers use? There are plenty of alternatives, much better alternatives.
Someone needs to play the devil’s advocate. It would be good to hear from a CFO who says he doesn’t care about any of the work risk managers do and budgets based on his own methodology with no input from the risk manager.
But, then again, Europe is probably way too politically correct for that 🙂