Risk Management: Lessons from the Edge
A Risk Management Tragedy on Mount Rainier - Photo by Danny Smith
This incident is described in the American Alpine Club’s “Accidents in North American Mountaineering” Volume 5, Number 1, Issue 37
What should an effective Chief Risk Officer (CRO) actually deliver?
The image above—a rescue operation on Mount Rainier—is a stark reminder of what happens when risks aren't properly managed. In the mountains, a lapse in judgment can be fatal. In business, while the stakes might not always be life and death, they certainly can be the difference between an organization that thrives and one that fails.
To provide true strategic value, a CRO must deliver seven critical pillars:
1. A Risk Framework: The CRO is responsible for designing and maintaining an enterprise-wide framework used to identify, assess, treat, and monitor risks. This is commonly called an Enterprise Risk Management (ERM) system. The CRO also collaborates with the board to define the "risk appetite" the company is willing to accept to achieve its goals.
2. Risk Identification: From a holistic ERM perspective, the categories of risks that the CRO identifies within a Risk Register may include:
a. Strategic Risks: These impact long-term goals and direction. Examples include entering new markets, competition shifts, and poor strategic decisions that could prevent the company from executing its business strategy.
b. Operational Risks: These stem from daily processes, internal systems, and people. Common issues include supply chain disruptions, system failures, human error, and operational halts.
c. Financial Risks: These involve threats to a company's financial stability and assets including market volatility, liquidity, and credit exposure.
d. Compliance Risks: These arise from failing to comply with internal company policies, procedures, and cultural values, or with external legal requirements, codes, and standards.
e. Reputational Risks: These concern harm to brand value due to negative public perception.
f. Cybersecurity/IT Risks: These cover data breaches, ransomware, and technology obsolescence.
g. Environmental Risks: Focuses on impacts to surface water, ground water, air, ecosystems, biodiversity, waste management, and climate change from a life-cycle perspective.
h. Human Capital Risks: Addresses talent shortages, labor disputes, and workplace health and safety.
i. Stakeholder Risks: Potential adverse impacts to customers and external stakeholders.
j. Vendor/Third-Party Risks: Potential third-party events that may have a significant adverse impact on the organization.
3. Risk Assessment: The CRO must assess each risk in the Risk Register for potential impact and likelihood of occurrence so that risks can be scored and ranked relative to one another. Limited organizational resources should then be allocated in line with those scores.
4. Risk Treatment: The CRO is responsible for ensuring that risks are appropriately treated via procedures, policies, systems, training, insurance, contract terms, avoidance, etc.
5. Risk Monitoring: The CRO must ensure that adequate systems are in place to detect the occurrence of risk events and to monitor trend data so that risk events can be prevented. Prevention is better than detection, and AI tooling can help with the trend analysis.
6. Risk Event Contingencies: The CRO should ensure that appropriate risk event response strategies are in place should identified risk events occur.
7. Risk Management Reporting: The CRO communicates the organization's risk management status to the CEO, board of directors, and relevant stakeholders.
Risk Management is a dynamic process. An organization's risk profile is constantly changing. Making a static list of perceived risks every few years and "putting it on a shelf" or into a computer folder that is rarely accessed is of little value. A dynamic risk management system is driven by audit and investigation findings, which supply the likelihood of risk occurrences from real-life data rather than from subjective speculation. A dynamic risk management system also undergirds risk monitoring by providing risk occurrence trending.
It almost goes without saying that the entire organization must be using the same dynamic risk management system for all of this to work. If each functional area approaches risk management independently, there is no consistency or alignment, and dysfunction is the expected outcome. The importance of a shared Enterprise Risk Management system cannot be overstated. The organization must identify, assess, manage, monitor, and communicate risks using the same methodologies in a collaborative manner to achieve strategic value. An effective risk management system also relies on Root Cause Analysis (RCA) to identify the underlying root cause(s) of detected risk events. Without RCA, risk management efforts might be treating symptoms rather than solving the real problems.
The US Department of Justice (DOJ) Criminal Division guidance, "Evaluation of Corporate Compliance Programs," serves as a benchmark for compliance programs. The key components of that guidance are framed around an effective risk management system. Here is what that looks like in practice:
a. The compliance program focuses greater attention and resources on the highest-ranked risks.
b. A shared Enterprise Risk Management system is used to make business, operational, compliance monitoring, and audit focus decisions.
c. The risk management system is driven by data.
d. Risk assessments are regularly updated.
e. Company procedures align with the risk management system.
f. Compliance training is driven by the risk management system.
It is the CRO's job to ensure that the compliance program aligns with the guidance's risk management criteria.
Whether you are climbing a mountain or scaling a strategic plan, the goal is the same: Navigate the danger to reach the summit. An effective CRO provides the framework and the foresight to ensure you don't just survive the journey—you master it.
The following is a modified excerpt from my PhD dissertation explaining the risk management process based upon the 2009 version of the ISO Risk Management Standard. The latest version was issued in 2018. The ISO 31000:2018 update simplified the guidelines to be more practical for any type of organization. The 2018 version assigns ownership of risk management to top management and oversight bodies. Leaders are now directly accountable for ensuring that risk management is integrated into all organizational activities, governance, and strategy setting, rather than it being an isolated departmental function. The 2018 update highlights the importance of risk management as an essential role in decision-making at every level. The updated standard reinforces that risk management is not a one-time assessment but a dynamic, iterative process. It encourages continuous monitoring and review, allowing organizations to revise process elements based on new experiences, knowledge, and analysis.
THE INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) RISK MANAGEMENT STANDARD
Risk Management Fundamentals
The ISO 31000:2009(E) standard provides generic principles and guidelines on risk management that can be applied to any type of risk associated with a wide range of activities, processes, and projects. This standard is intended for use with other ISO standards such as the ISO 14001 Environmental Management System standard; however, unlike ISO 14001, ISO 31000 is not intended for certification purposes. Under the risk management standard, “risk” is defined as “effect of uncertainty on objectives” and “risk management” is “coordinated activities to direct and control an organization with regard to risk.” The management of risk in accordance with the ISO risk management standard increases the likelihood of achieving sustainability performance objectives including environmental objectives established within an environmental management system. The ISO standard further explains that “risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.”
Risk Management Framework
ISO 31000:2009(E) defines "risk management framework" as a "set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization," and risk management success depends on this framework. The components of a risk management framework include: (a) a risk management policy that defines, mandates, and expresses the organization's commitment to risk management; (b) assignment of risk management responsibilities; (c) establishment of accountability; (d) integration or embedding of risk management effectively and efficiently within the organization's practices and processes; (e) internal and external communication plans; (f) monitoring of risk management performance against indicators; and (g) continual improvement of the risk management framework. The organization's risk management framework is implemented by applying the risk management process through a risk management plan.
Risk Management Process
ISO 31000:2009(E) specifies that stakeholder communication and consultation along with monitoring and review should take place throughout the risk management process. Communications and consultations at an early stage “help ensure that risks are adequately identified” and “ensure that the interests of stakeholders are understood and considered.” The stages of the risk management process are: (a) establishing the risk management context; (b) risk identification; (c) risk analysis; (d) risk evaluation; and (e) risk treatment.
Risk Management Context and Criteria
Establishing the risk management context includes consideration of external and internal factors including, but not limited to the following: stakeholder values and perceptions, political factors, legal requirements, and organizational culture and processes. Part of establishing the context is to define criteria to be used to evaluate the significance of risk. Criteria should be derived from organizational objectives, legal requirements, and organizational policies. ISO/TR 31004:2013(E) defines “risk criteria” as “the parameters established by the organization to allow it to describe risk and make decisions about the significance of risk that take into account the organization’s attitude to risk. These decisions enable risk to be assessed and treatment to be selected.” The IEC/ISO 31010:2009 standard on risk management techniques further explains the purpose of defining risk criteria as necessary to decide: (a) how a level of risk will be determined; (b) when a risk needs treatment; (c) when a risk is acceptable and/or tolerable; and (d) whether and how combinations of risks will be considered.
Risk Assessment
“Risk assessment” is the risk management process stages of risk identification, risk analysis and risk evaluation.
Risk Identification
"Risk identification is the process of finding, recognizing, and recording risks." The purpose is to identify "what situations might exist that might affect the achievement of objectives." A question that might be asked is "what could go wrong?" As previously discussed, management system compliance objectives typically include government regulatory requirements and performance requirements derived from organizational policies. When risks are identified, the organization should also identify any existing controls affecting those risks. These controls might include design provisions or organizational processes. Risks can be identified using evidence-based methods such as checklists and historical information. Risks can also be identified using systematic team approaches that rely upon subject matter experts. Brainstorming is a technique that is often used to improve the accuracy and completeness of risk identification. Larson and Gray describe a project management approach to risk identification in which risks are identified by creating a risk breakdown structure. The Project Management Institute's Project Management Body of Knowledge (PMBOK) defines "risk breakdown structure" as "a hierarchically organized depiction of the identified project risks arranged by risk category." Comparable project management guidance is provided in International Organization for Standardization (ISO) Standard 21500:2012, Guidance on project management.
Risk Analysis
In the risk analysis stage of the risk management process, the consequences and probabilities of risk events are determined for identified risks. Existing controls are considered in this determination. The consequences and probabilities of risk events are combined to determine a level of risk. The methods used for analyzing risks can be qualitative, semi-quantitative, or quantitative depending on the application, data availability, and decision-making needs of the organization. Qualitative assessments typically define risks using terms such as "high, medium, or low." Semi-quantitative assessments often use numerical scales for consequence and probability and combine them to produce a level of risk using a formula. Quantitative assessments estimate practical values for consequences and their probabilities. When insufficient information is available to perform quantitative assessments, comparative semi-quantitative or qualitative ranking of risks by specialists knowledgeable in their respective fields may be effective.
The comparative semi-quantitative approach to ranking risks is often used for project management and it is well-suited for oil sand development projects. Larson and Gray describe a semi-quantitative approach for project risks using a version of the Failure Mode and Effects Analysis (FMEA) technique to assess risks where the probability of a risk event, the impact of the risk event, and the ability to detect an occurrence of the risk event are each scored on a five-point scale and each risk is scored using the following equation:
Impact x Probability x Detection = Risk Value
They point out that the quality and credibility of the risk analysis process depend on the different levels of risk probability, impact, and detection ability being defined in words for each point on the scoring scales. Under the IEC/ISO 31010:2009 standard on risk management techniques, this approach is described as the use of risk indices. This standard defines the use of "risk indices" for risk analysis as "a semi-quantitative measure of risk which is an estimate derived using a scoring approach using ordinal scales. Risk indices can be used to rate a series of risks using similar criteria so that they can be compared." The standard further states that "risk indices are essentially a qualitative approach to ranking and comparing risks." In practice, this means the scores are only meaningful relative to other risks scored on the same scales, not as absolute measures.
Risk Evaluation
The ISO 31000:2009(E) standard states that "risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based upon this comparison, the need for treatment can be considered." In the evaluation of risks, some of the decisions to be made are: (a) whether a risk needs treatment; (b) priorities for treatment; and (c) whether an activity should be undertaken. The costs and benefits of accepting the risk versus treating the risk may be a decision factor. Risks are often placed into one of the following three categories: (1) risks that are intolerable, where risk avoidance or treatment is essential; (2) risks where the costs and benefits of taking the risk are balanced against the costs and benefits of risk treatment; and (3) risks that are negligible or so small that no treatment is needed.
Risk Treatment
The ISO 31000:2009(E) standard states that “risk treatment involves selecting one or more options for modifying risks, and implementing those options.” Whether the residual risk levels are tolerable following treatment is a factor. Potential risk treatment options include the following: (a) avoiding the risk; (b) retaining or taking the risk; (c) removing the risk source; (d) changing the likelihood; (e) changing the consequences; and (f) sharing the risk with others. “Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment.” Larson and Gray organize risk treatment options into four categories that encompass the previously discussed ISO 31000:2009(E) list: (a) mitigating risk; (b) avoiding risk; (c) transferring risk; and (d) retaining risk. There are two basic strategies for mitigating risks; the first is to reduce the likelihood that the event will occur, and the second is to reduce the impact of the potential adverse event. Risk avoidance is changing the project plan to eliminate the risk. Transferring risk to another party usually occurs via a contract, insurance, performance bonds, or warranties. Retaining risk is a conscious decision to accept the risk of an event occurring. Larson and Gray distinguish between a risk treatment and a risk contingency plan. Risk treatment occurs before a risk event can occur and a risk contingency plan goes into effect after a risk event occurrence has been detected.
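The following is an added worked example, not part of the original article or dissertation, that ties together the three stages just described: the Larson and Gray Impact x Probability x Detection risk index (risk analysis), comparison of that index against risk criteria to sort risks into the intolerable / cost-benefit / negligible categories (risk evaluation), and re-scoring after a treatment changes likelihood or consequence to check whether the residual risk is tolerable (risk treatment). The scale wording, the two threshold values, the five register entries, and the detection convention (scored 1 for an event that would almost certainly be caught up to 5 for no detection in place, so that poor detectability raises the index, as in common FMEA usage) are all constructed assumptions for illustration.

```python
"""Semi-quantitative (FMEA-style) risk index, ranking, evaluation and
residual-risk re-scoring. Added example; all scales, thresholds and
register entries are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional

SCALE = range(1, 6)  # five-point ordinal scales, as in Larson and Gray

# Every point on each scale is defined in words, which Larson and Gray
# require for a credible analysis. Wording is hypothetical.
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
PROBABILITY = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
# Assumed FMEA convention: a higher detection score means the event is
# harder to catch before it causes harm, so it raises the index.
DETECTION = {
    1: "almost certain to be detected before harm",
    2: "likely to be detected",
    3: "may be detected",
    4: "unlikely to be detected",
    5: "no detection in place",
}

# Hypothetical risk criteria, set when the context is established.
INTOLERABLE_AT = 60    # index >= 60: avoidance or treatment is essential
NEGLIGIBLE_BELOW = 12  # index < 12: no treatment needed


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    impact: int
    probability: int
    detection: int

    def __post_init__(self) -> None:
        # Reject scores outside the defined scale rather than silently ranking them.
        for field_name in ("impact", "probability", "detection"):
            if getattr(self, field_name) not in SCALE:
                raise ValueError(f"{field_name} must be scored 1-5 for {self.name!r}")

    @property
    def risk_value(self) -> int:
        # Larson and Gray: Impact x Probability x Detection = Risk Value
        return self.impact * self.probability * self.detection

    def describe(self) -> str:
        return (f"{self.name}: impact {IMPACT[self.impact]}, "
                f"probability {PROBABILITY[self.probability]}, "
                f"detection {DETECTION[self.detection]} -> {self.risk_value}")


def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the index with the risk criteria."""
    if risk.risk_value >= INTOLERABLE_AT:
        return "intolerable"
    if risk.risk_value < NEGLIGIBLE_BELOW:
        return "negligible"
    return "tolerable"  # weigh cost/benefit of treatment against accepting the risk


def rank(register: Iterable[Risk]) -> List[Risk]:
    """Highest index first; equal indices are broken by impact because the
    index is ordinal and 5x5x1 is not the same risk as 1x5x5."""
    return sorted(register, key=lambda r: (r.risk_value, r.impact), reverse=True)


def treat(risk: Risk, *, impact: Optional[int] = None,
          probability: Optional[int] = None, detection: Optional[int] = None) -> Risk:
    """Risk treatment: return the residual risk after changing likelihood,
    consequence and/or detectability. Scores are re-validated by __post_init__."""
    changes = {k: v for k, v in (("impact", impact), ("probability", probability),
                                 ("detection", detection)) if v is not None}
    return replace(risk, **changes)


# Constructed sample register (hypothetical names and scores).
REGISTER = [
    Risk("Unpatched remote access gateway", "cyber", impact=4, probability=4, detection=4),
    Risk("Tailings seepage to groundwater", "environmental", impact=5, probability=2, detection=4),
    Risk("Ransomware on plant historian", "cyber", impact=5, probability=3, detection=2),
    Risk("Training records mis-keyed", "compliance", impact=2, probability=4, detection=3),
    Risk("Key contractor insolvency", "vendor", impact=3, probability=3, detection=1),
]


def residual_gateway() -> Risk:
    """Treatment of the top-ranked risk: patching lowers likelihood, a
    monitored VPN log lowers the detection score. Hypothetical new scores."""
    return treat(REGISTER[0], probability=2, detection=2)


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{evaluate(r):11} {r.describe()}")
    residual = residual_gateway()
    print("after treatment:", evaluate(residual), residual.describe())
```

Ranking the register and then re-scoring the treated risk is the loop the standard describes: the index decides priority, the criteria decide whether treatment is required, and the residual score decides whether the treatment was enough. The thresholds are deliberately a module-level setting so that they live with the risk criteria, not with individual risks.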