As risk professionals, we’re tasked with the responsibility to minimize and mitigate risk, all while battling skeptical and reluctant executives for increased budget and more resources. The risk management paradox is a tough pill to swallow. When you’re doing your job well, nobody notices. And when something goes wrong, you’re the scapegoat. So, how do you prove the value of something not happening?
In partnership with The Risk Management Society, Resolver hosted a webinar to answer questions many risk managers struggle with:
We have also provided a full transcript of the webinar at the bottom of this resource.
Jimmy: Hello, and welcome to a Resolver-sponsored RIMS webinar titled “Proving the Value of Your ERM Program.” My name is Jimmy, and I’ll be the moderator for today.
A few notes before we begin. If you have any questions for the presenter during today’s session, please submit them by typing in the question box. You can submit them at any time, but we will reserve time at the end of the presentation for Q and A. If we do not have enough time to answer all questions, we will answer them by email after the live session.
A copy of the PowerPoint presentation is available under the Handout tab.
Now, I’d like to turn today’s presentation over to our speakers, Jamie Gahunia, strategic project manager ERM at Resolver, Brian Link, managing director at MobiusOne, and Navin Maharaj, lead director at PWC’s Canadian ERM operations. Welcome, all.
Jamie: Hi, everyone. And thank you for joining Resolver’s webinar, “Proving the Value of Your ERM Program.” The webinar is presented in partnership with RIMS, and I’m here today with two ERM leaders to answer your question I’m sure everyone who’s here today has struggled with: How do you demonstrate the impact and value of your risk management program?
Before we get started I wanted to introduce myself as moderator for today’s session. My name is Jamie Gahunia. I’ve been involved with many ERM implementation programs myself, especially on the technology side. If anyone hasn’t heard of Resolver, we are one of the software providers of the Gartner Magic Quadrant as an integrated risk management solution. So that would include risk, security, business continuity, internal audits, compliance, and IT risks.
So there is an interesting statistic from one of the big four surveys that concluded that companies in the top 20% of risk maturity generated three times the level of the EBITDA as those in the bottom 20%. With that being said, let me introduce our two ERM experts to shed some light on this important topic of value.
So first up is Navin. Navin is the lead director of PWC’s Canadian ERM operations. He heads the ERM team across Canada and has over fifteen years of experience working with businesses to design and implement risk management, internal audit, business continuity, and compliance programs.
Our second speaker is Brian Link. As Jimmy mentioned, he is the managing director of MobiusOne and retired partner of Ernst & Young, where he led ERM, internal audits, regulatory compliance, and fraud prevention programs for Fortune 500 companies, government, and nonprofit clients internationally.
Okay so now that we’ve got introductions out of the way, let’s get started. So the first question to our panelists is to you Brian, first up. In your opinion, what is the biggest challenge of ERM today
Brian: Yeah that’s a good question. I’ve been involved in many ERM implementations and programs. Some at the outset, some mid-flight, some that were on life-support. And one thing I’ve noticed is that there tends to be a three-year lifecycle wherein an enthusiastic champion comes in, starts the program often from internal audit, and there’s an initial flurry of activity and some great outputs. Risk registers and heat maps, and so forth, and then that’s seen as sort of the completion of the process, rather than what it really is, which is beginning. The basis by which you then make decisions around what to do.
So I think that getting that executive sponsorship upfront is critically important in budgeting and strategic planning, and budgeting and forecasting and so forth … Helps to make it stick, and helps to generate some of that value.
Jamie: And what about yourself Navin?
Navin: I would sort of echo some of those sentiments. One of the other things that I would say, in terms of the challenges for ERM, is basically keeping it going once. So the continuous sustainability of the program, so keep that running. The other one I would suggest probably, what I have seen is alignment with strategy. Often you see a lot of ERM programs being started or initiated at the request of the board, at the request of the CEO, or as a result of something that has happened to the organization. And there is not that really explicit link with the strategy goals and objectives of the organization.
So that is one challenge that I see. Another one is the engagement supported by and for the program. As Brian said, obviously when something starts up it’s brand new, it’s fresh, it’s the latest thing on the block, so a lot of people jump on it. But after about a year, two year, three or year four, the interest begins to die down. So keeping it going, keeping it sustainable, the alignment with strategy, and eventually measuring the value. How can I quantify, how can I demonstrate the value of a program that is supposed to eliminate or mitigate the bad things from happening in the first place? So if something bad does not happen, how can I prove the value that what I put in has actually helped mitigate something that has not yet occurred? So I’ll leave it at that.
Jamie: Okay. So you mentioned value a lot. With those challenges in mind though, many organizations struggle with actually tying a tangible value to ERM. It’s often described in abstract. A question for you Navin, can we actually measure the effectiveness of ERM? And if so, can you share what some of the performance indicators we should be looking at?
Navin: So the response to that, I would say, absolutely yes. We can measure it. The caveat that is with that is it depends on where you are. Let me share some of the things that I mean by that, and certainly metrics, and you guys can probably get an idea.
So some of the things that we can use to measure risk and the performance of the program is around the total cost of risk. So if I have a risk universe that has, let’s say, the top ten risks facing the organization, can I quantify those using some various assumptions and scenario analysis and what have you to get a dollar value? So that’s one. The total cost of risk. Another one is annual loss expectancy. So if this risk was to materialize, what is the total loss that the organization could potentially be exposed to? Risk coverage ratio is another one. Corporate performance. The percentage of attainment goal to which corporate performance is another one.
And you can have things like a decrease in insurance premium. You know, the percentage risk awareness in the organization. And it could even be as simple as, did we achieve our strategic objectives as originally planned?
Jamie: Brian any more thoughts?
Brian: Yeah. I would agree that, outside of financial services where key risk indicators are I think a bit more prevalent and even required from a regulatory perspective, in non-regulated industries where some of the measures are more subjective and a bit more qualitative, I agree with Navin that the primary metric is the degree to which the organization is achieving its objectives, and has explicitly identified and is managing risks proactively. So tying it to planning and budgeting and getting the timing right is critical.
Because frankly most risk assessment activity takes place when the executive management team has the time to do it, and that’s typically not in the midst of planning and budgeting. So unfortunately, in most organizations the risk assessment takes place three months after the planning and budgeting is done, which is when people have time, but it’s not the time that you want to do it. You want to do it right in the midst of developing those plans and coming up with a budget.
Because if you ask somebody off-cycle, and I have an example of that … I work with an organization where the director of IT, when we ask that person off-cycle what are your key risks? He thought to himself, and he shared this after the fact. He said, well, you know what, you’re just going to come in and audit me against this risk that I’m identifying for you, and I’m not going to be able to fix the problem because I don’t have the money. And then when we reset the program and aligned it to the budgeting and forecasting and planning process the next year, he enthusiastically raised his hand and said I’ve got all these problems. Because that was his opportunity to get some budget to address and remediate the issues. So that timing is absolutely critical.
Jamie: That’s good to know. On that note, I have the first poll question for our audience. What is currently the top value driver of your ERM program? If you could vote on the results and, as Jimmy mentioned at the beginning, the results will be shared at the end of the webinar.
Brian, are you able to comment on these results? Is it as expected?
Brian: Yeah. “Looking at the improved awareness of threats and risks,” that’s very consistent with what we often hear from board members in particular. Where what they’re concerned about is the unknown unknowns. What are some of the things that … What are our blind spots?
So not at all surprised by that. And then second, well actually tied for two, it seems, “compliance with legal and regulatory requirements,” certainly regulated industries, and “reducing the frequency and impact of negative events.” Especially I would say the latter. The impact of negative event, and that goes to then looking at when you identify and assess a risk, you don’t just look at is it well-controlled, but also look at do we have continuity plans? Do we have disaster recovery, crisis communication? All of those things in place to preserve and get back to value quickly.
Jamie: Excellent. Another issue we hear a lot is for some organizations ERM is not a must do, especially if it’s not financial services, but something we should be doing. But we rely a lot on department heads or risk owners to provide the information and assess the risk, which is on top of all the other responsibilities that they have. So before we go to the panelists for their responses, we actually have another poll for the audience, which is, if it’s applicable, what has worked for you in getting organizational buy-in for your ERM program?
Navin, perhaps you want to comment on the results that you see.
Navin: Excellent. We would love to. I love the second one. Getting the executive buy-in to and from the top. I think that’s imperative. You need to have the support engagement and buy-in from the top of the organization for ERM to be a success. You need to have that champion at the executive level, probably the presidency as well. And that individual actually goes to the board of directors or the financial risk committee to present these materials. You need to have that sort of champion. That leader and that person that supports this program at the top.
So definitely. The individual relationships is another key one. I think … Listen, to be frank and open, we can have the best processes, we can of the best methodologies and concepts, the best looking graphs and charts, but if we don’t have the trust, the engagement of the folks across the organization, we essentially have nothing. If we don’t have people that are willing to step up to provide information around new and emerging risks, status of risks, or you have folks that are telling you what you would like to hear, then you’re not getting the real information. And one of the easiest ways to build that or get that is by creating relationships. So walking the halls. Talking to people. Grabbing a coffee. Trying to find out what people are working on and how you can get into some of those initiative projects. Not from a risk identification perspective, but how can I help you achieve what you are trying to achieve?
And you need to show that value proposition. What is it that you bring to the table? And making it mandatory is one that we tend to shy away from. We do not really try to force risk on individuals. That is definitely one we would like people to naturally pick up. Making the process more affective, absolutely, I’m a firm believer in keeping it concise, keeping it simple. You focus on the key things. That way you can touch what are the actual variables that are preventing the organization from achieving its objectives?
So absolutely I would say nailed it on the head, well done.
Jamie: Excellent. Navin, you touched on this earlier, but sometimes we see ERM programs that start off really strong and then lose momentum overtime. Maybe you can elaborate on that Navin. What are some examples where you have seen where organizations were effectively able to drive sustainable value beyond the first two to three years? What do the top performers do really well, and how do they differ from those that fail?
Navin: Certainly. Again, another great question. I would say continuous evolution. That is one of the key parameters in terms of keeping the program sustainable. You need to continuously scan your environment internally, externally, what’s happening. I’m not talking about looking for risks at this point, but overall the ERM program. Are there tools, are there technologies that can help me advance the way I do things? Can I do things faster? Smarter? Can I utilize less resources and ask less of people and get the same information? What are my peers doing? What’s the best practice?
For example, I kid you not, there was an ad that came out for a role, and I saw the role being advertised and they are referencing a standard, right? In the job description that is ten years old. That standard has been updated twice, but they are referencing something that’s ten years old. So again, keeping fresh, keeping up to date and analyzing what’s happening around you is one of the key things.
Innovate is another way. How can I do things differently? You need to keep ERM fresh. We cannot keep doing the same things over and over and over again. It’s going to get still, it’s going to become redundant, people are going to look at us, and when you call they’re just going to hang up the phone or just not invite you to meetings. You won’t get time to meet the guys that would like to meet.
Some of the other things, very very quickly. Again, communication. I’ve seen organizations that really have an excellent ERM program. Really push the ERM communication, so whether it be posters, you know on your notice board. You have things around it, risks. Every month you have sort of a poster of a challenge. What’s a new and emerging risk? You have your Internet site that’s fresh with information. You keep it relevant, and you report on relevant facts and information that are pertinent to the organization.
You align with other assurance functions. So risk by itself cannot stand on its own. So how does risk connect with internal audit? How does risk re: business continuity, risk re: privacy, risk re: compliance … How do all of these connect together to provide that corporate assurances for the organization? I would say measurement. This is near and dear to my heart. I firmly believe what doesn’t get measured doesn’t get managed. So for me measurement is key. And it’s something that I’ve seen in some of the leading organizations. They try to sort of put a measurement, try to quantify, try to have leading indicators around risk, around performance to show what are the variables and what’s the delta between the work that we’re doing versus not doing anything.
And I think all of these things collectively leads to an ERM program that is sustainable in the long haul.
Jamie: Excellent. Brian, any thoughts? Navin mentioned excellent ERM program, and he mentioned leading indicators a lot. How does one get to those indicators or develop those indicators, and then thus measure it so that they can sustain this ERM program?
Brian: Yeah, I think indicators are important, and I’ll touch on that in just a minute, but as Navin was speaking, one thing I want to reflect on is where we’ve seen things really work and where they’re really sustainable is where the organization’s done a great job of answering the question, why are we doing this? Because there’s a lot of skepticism out there around ERM. And it’s understandable and it’s legitimate. So you have the answer that question very succinctly. Why are we doing this? For all the parents out there, it’s not because I said so. That doesn’t work very well or for very long. So if you really want it to stick it’s really all about answering the question why? And then empowering people, giving them the tools they need, and giving them the autonomy to own it themselves so it becomes part of the fabric of the business. Not something that’s imposed, but something that just becomes part of the fiber of how they get things done.
Because as important as the things that could go wrong, the risks, more importantly is the things that must go right. So that’s what really gets people I think engaged.
In terms of how we then measure it, I think that KRIs are important. Also getting some of the fundamentals, important … Again a quick example there. A very common approach and it’s in most of the standards is multiplying impact times likelihood to come up with risk or inner ranking. And invariably, the risks that could sink the ship are very low probability risks. So they might have a very high impact score but very very low risk likelihood score, so they end up dropping off the radar. And I’ve seen time and time again, those are the ones that end up being catastrophic to the organization.
We had one where there was a risk of a flood within a major manufacturing facility. Very very low risk, it was a 1 in 100 year flood, and they just had one two years ago so they were thinking somewhat naively, well we’re not going to have another one for another ninety years. But then it happened to years later, put the whole plant underwater, and could have put the whole organization out of business. Fortunately they were able to identify some outside manufacturing capability to compensate. But I put a big warning sign over around that one. It’s not a KRI. It’s actually something much more pervasive, which is, instead of impact and likelihood, maybe look at inherent impact and control effectiveness to help inform what those responsive actions should be.
Jamie: Okay, excellent. So let’s actually switch to the board for a second. So since the risk is overseen by the board, what is the most important thing for the board to know? And Brian, this question is for you. How do we get them to pay more attention? Is a heat map with a list of top risks good enough? Why or why not?
Brian: Yeah. Yeah, so most boards, either because lifting standards or their own charters [inaudible 00:22:02], they have a fiduciary responsibility for risk management oversight. And that I think incorporates two dimensions. One is giving them the capability to know what are the top risks? The ones that really matter. Getting away from what I call enterprise list management, where they have enough things the board has to review. You really need to give them something succinct. So these are, let’s say, the top ten or twenty risks to the organization, max. And give them a simple view of what’s the risk? Who owns it? How has it been assessed? And then most importantly, and I can’t emphasize this enough, the assessment is just the beginning.
From there you have to then say what do we need based on this assessment? Do we need independent assurance? Do we need some remediation? Can these lower level risks be applied toward a control self-assessment program? That sort of thing.
And the second dimension that they need is a sense of comfort that the risk management program itself is well designed and operating well. So that’s the second dimension. One is knowing what the key risks are, and secondly knowing that the program that’s in place is designed and operating affectively. And that’s where they can turn to internal audit or to an external party to say, hey we’d like to have a review to make sure, since we’re relying upon this … To let us know as a board what these key risks are, that it’s really designed and operating well. And that’s where, looking at the frameworks that are out there, be it ISO 31000 or the new COSO ERM, the framework comes in to play, because then you can measure it against something.
And I think the new COSO ERM scanner is excellent, and it ties things explicitly to strategy, as we talked about quite a bit. And really gives you a sense of what should you look for in a leading practice ERM program?
Jamie: Okay. Excellent. Navin, before you respond I’d like to ask the audience a poll question, which is how much time does your board spend talking about risk management?
And as the results come up, Navin, if you could comment on the board and the results as well.
Navin: Okay. Sure, so let me answer the question first of all in terms of what are some of the things that the board should be looking at. For me, when I look at the board directors, what they should be looking at, some of the key things that come to mind … It’s reporting. So am I getting the right information at the right time that allows me to make risk-informed decisions? So that’s one part of it. The other part of it is, if a risk is bubbling up in this area, what are the other potential things that could be impacted across the organization? And then measurement. How do I know that a high risk is actually a high risk? I can probably accept a certain level of risk beyond a certain threshold, and that can be fine for me if I am actively pursuing an opportunity, as an example.
So for me, the board needs to understand what are the risks facing the organization? What strategies could potentially be impacted, and what are we doing about it? I think Brian mentioned what are the unknown unknowns, which is also like black swans. So that is also a key piece. For me, it’s also their roles and responsibilities around risk management in addition to what I just mentioned, as well as … I think one of the critical pieces is actually getting a handle on what is the maximum [inaudible 00:26:15] limit of risk that we as an organization, that we as a board is willing to accept in the pursuit of our goals and objectives.
So the risk appetite and risk tolerance and all of this good stuff, I think is a fundamental piece of the board’s oversight role, as well as their insight role in terms of guiding the organization towards achieving what it has set out to achieve.
So in terms of the results, “less than ten minutes”, “it’s embedded in every meeting.” So this is some of the things that we actually see. Basically, every quarter you report to the board on your risk management or enterprise risk management efforts. And usually it is between five and ten minutes. It’s a fun thing, because I often say to my ERM folks or executives who lead ERM, our directors, what are you going to tell the board that they would’ve not already heard in five to ten minutes that you have? Meaning, if you are probably second, third in line, probably the audit group has come before you or the compliance group … You know, the privacy guy has spoken. What is it that you’re actually going to tell the board that they would have not already heard?
Whether it be the IT security team, what have you, talking about cyber security. So in that five to ten minutes you need to position yourself and your report towards the organization achieving what it set out to achieve. What are the big ticket items that we need to worry about, and what are we doing about them? What are the potential things coming down the pipeline that could impact us? And what is our state of readiness in terms of being able to respond, recover, and ensure we have a normal running organization that allows us to continue to operate as a going concern? By extension, helping us to achieve our objectives continuously, as well as exploit any opportunities that come down the pipeline.
Jamie: Excellent. So, actually this is a question for you, Brian. You mentioned the unknown unknowns. So it is often difficult for risk management to figure out what we don’t know, so we want to avoid being on the news, breaking the trust of our customers, and subsequently taking a hit on the bottom line. We need to understand our blind spots, but how do we do that? Brian can you share any strategies with us?
Brian: Sure. I think your greatest asset in that regard are the folks that are out there in the field, that are at the coalface, so to speak. Because they’re typically seeing, hearing, sensing the issues that are percolating up at a macro level in terms of the industry or customer issues, product issues, etc. So the key thing is giving them not only the incentive and motivation to give that feedback up to ideally their managers and let it filter up. But in some cases, understandably, there’s a fear of bad news. You don’t want to be the messenger, and you don’t want to shoot the messenger of that bad news, so sometimes management can be blockers of that information getting back to the board. So there’s two dimensions to it. One is, having an open culture that really does truly foster and encourage the sharing of that information up through management, up to the board. But if there are certain sensitivities around it, the second dimension is having some sort of a even anonymous recording mechanism whereby, not only those frontline employees, but also the customers and others can report up issues.
It doesn’t necessarily have to be the typical application of hotline and that sort of thing. But a more informal sort of friendly mechanism for asking for that information, that feedback, and sometimes in the guise of what are some suggested improvements? Because those improvement opportunities often speak to control issues that could be addressed relative to some of those [inaudible 00:30:40].
Jamie: Okay, excellent. Navin, what are your thoughts on the topic of blind spots and managing them?
Navin: I think this is a great one. This is a great one. Earlier when I referenced what is it that you’re going to tell the board in that five to ten minutes that they would have not already heard, I think this is one way that you can definitely capitalize and use that time effectively.
Let me just give you a stat here. We recently conducted a study and out of roughly 300 senior executives globally, 73% of the executives believe that within the next three years their organization will be impacted by a major event. So 73% of almost 300 senior executives globally believe that their organization is going to be impacted by a major event. Now out of the 73% only 25% indicated that they have systems in place to identify and mitigate such events.
So here you have a scenario, and these are leading global companies … Here you have a scenario where the movers and shakers in the business world are telling us that, hey, we know within the next three years something is going to hit us but we are not yet prepared, able to respond, able to identify, assess, or put action plans in place. And worse yet be in a position to measure and monitor and report on those things.
So for me when I look at, how do we figure out what we don’t know, right? There are a couple of things that we can definitely do to get that ball rolling and get those risks out in the open. Some of the things that we have often used, things like scenario analysis. So scenario analysis, not looking within your strategic plan timeline, but scenario analysis using a stretched variable and stretched timeline and stretched assumptions. So you perform the analysis and you baseline your assumptions over a ten to fifteen year time horizon. That gives you sort of a nice line of sight. Over the next two or three strategic planning cycles, what are your potential things that could come down the pipeline and impact the organization?
Another thing that we often do, and this might sound funny, but it’s actually called black swan hunting. So we actually conduct black swan exercises. So those unknown unknowns, we actually get a group of subjects together from across the organization, whether it be HR, technology, compliance, finance, what have you, in a room and generate brainstorming. What are some of the things that could potentially happened? Really looking at those things that are way out there.
Another thing that we do is data mining. Quite often for organizations, a lot of the risks that you potentially are exposed to inherent within your own processes, whether it be your mail room operations versus your technology operations versus the way you handle your projects, your two party vendor relationship, that management system … A lot of things are really within the processes that you currently have. So data mining exercises. Looking at your data, doing some data mining, categorizing your data, filtering it, and telling a story. Letting your data tell you a story of what’s truly happening within your organization.
And you don’t need to do this. I don’t want to scare anyone here, but you don’t need to do this for your entire organization as a whole. You can start in bite-size chunks. So look at your customer service data. Look at your social media industry, look at your employer relations. What is the data telling you? And you can start there.
Some of the other things, I think Brian had talked, are mechanisms that enables risk identification. So you have those governance systems across the organization that allows people identify anything that’s new and emerging. And again, without the fear of repercussions. You want people to be free and open to highlight and raise things without being persecuted or without a finger being pointed.
Peer comparison. That’s another nice one. You can look at what other organizations within your sphere of operations, what they are doing. And one of the other things that we’ve seen, and this is quite nifty … I’m not sure the audience might be aware, but I’m sure definitely most people will. Or should be. Futurists. There are a bunch of folks that actually look out twenty, fifty years out and they look at society as a whole. For example, what will the city of Toronto look like In fifty years? What will be the transportation infrastructure? What are the housing accommodations? How is banking going to look like in fifty years? How will we travel?
So there are a number of variables that these guys look at, and they are called futurists. And we often leverage those insights and reports in doing this sort of analysis. What could potentially go wrong? And again, this goes hand-in-hand with that long-term forecasting that I mentioned.
Anyway, I can go on and on about this topic but let me stop there. Over to you, Jamie.
Jamie: Excellent. Thanks Navin. So next question for our panelists is many organizations have yet to leverage technology for their ERM program. Why do you think that is? Maybe I’ll give it to Navin.
Navin: Sure, I think this is a great one as well. And so many things that we often see is the fear of change. Often what we have heard is that I have done this five, ten, fifteen years just like this. I have been using my Excel, PowerPoint, Word. It has worked fine. Why do I need to change? So there is that fear.
The other one is potential cost and complexity. Even now, a lot of folks still think that technology, risk technology, GRC tools are overly complex beasts and they cost a ton of money, and they are quite intensive in terms of the effort required to get these things up and running. So that’s also something that’s been raised as a potential hindrance. Another one, quite interestingly, is access to information. It depends on this one where you are, what type of business you are operating in, and your governing mechanisms, and what bodies have oversight over your operation. But access to information really speaks to the fear internally within the organization of sharing too much. If the IT guy tells the finance guy that these are some of the things that we might potentially be exposed to, will the finance guy talk to the insurance guy? Will our insurance premium go up? And then the insurance guy and the CEO will come to me to ask me what’s going on in the IT, why we don’t have controls in place.
You know, in some cases this is exactly what we want. Identifying [inaudible 00:38:07]. But in some cases the individuals that have the charge for ERM functions in some organizations, not all, are actually fearful of sharing too much.
The last one, and I’ll just bubble the last two together, the last one is the value cannot be measured. So measuring the value. So I put the technology tool, the GRC tool in place, it cost me X amount of dollars, what’s the value added? How can I quantify the value added to the organization? And finally with that, privacy, right? Will this expose me? Where is my data going to be housed? How is this going to be in the US? [inaudible 00:38:48]. They have special privacy-related contact information in there. The way data can be housed. Who sees it? Who accesses it? GDPR. It just opens up a huge box, where people, they get a little bit nervous. They get concerned that by going down this road with technology and GRC tools, we tend to expose ourselves to too much risk.
Jamie: Absolutely. So on that note, Navin, sorry to cut you off, we have a final poll question, which is what tools are you currently using for your ERM program?
I can see that some of the questions are coming in. We will have time at the end of this program. So we’re just about to wrap up, and then we’ll take some of these questions.
Brian, can you comment quickly on the results of these spreadsheets? And then we’ll go to questions from the audience.
Brian: Sure. Yeah, not surprisingly Microsoft Office is the number one risk management technology out there I’d say, and Microsoft Excel in particular. But that’s very very consistent with what we see. But also, inherent in that are the issues around version control and sending attachments and trying to aggregate. There’s always this quarterly rush of the finish of trying to pull all that data together and emails flying around, sort of cat herding in the process. So yeah, this is consistent very much with what we see.
And I’d say for those that do adopt an ERM software, the other bit that I think is critically important is to remember that not only are the boxes able to address what you need on a normative basis for your industry sector … You know, like if you’re a credit union, I saw on the previous slide there, you want to not only have a credit union heat map but you want to tie that into your [inaudible 00:41:01] process and into your insurance and so forth.
And then take that normative model and don’t let the technology drive your process. Let the process drive your technology. And then that’s the other critical bit. In order to reduce the impact of [inaudible 00:41:17] is to have the flexibility within the software to mirror the language that you use, the taxonomy, the rating criteria, the reporting. So that when someone does use a new technology, if you’re switching from a spreadsheet to an ERM software, that it becomes very intuitive and familiar, because what they’re seeing is what they’re used to. So you kind of get the best of both worlds with that approach.
Jamie: Okay, excellent. So that actually concludes our initial questions, or our panelist’s questions on the seminar. We do have some questions from the audience. The first one I’m going to give to you, Brian, and that is how does budget allocation work in the whole risk process? So how do you involve risk in budget allocation?
Brian: Well I think in terms of planning, budgeting, forecasting and so forth, once the strategic objectives of the organization and targets and so forth have been set, and usually it’s in a draft form during the planning process, that’s the time to say okay, what could go wrong? And what are those associated risks? And using the IT example that I gave earlier around IT infrastructure falling apart but not wanting to reveal that off cycle, when you do it during the planning cycle you’ll get the key folks in the room engage to say, what could go wrong and do we need a budget to remediate that controlled efficiency that we have? Or do we want to get more aggressive around taking risks, and therefore spend more money, be it in risk transfer, or likely enhance control or risk management processes so that we can go even faster? So that’s another dimension.
But I’d say the more typical it is to say, okay, now that we identified where we want to go, what could go wrong? Let’s allocate the budgets accordingly. People are much much more forthcoming and honest to be asking what risks are if they know they then might get the budget to help address it.
Jamie: Gotcha. Another question, and this is for you Navin. You’re the measurement guy. Are there statistics that show how companies that have implemented either mature ERM programs perform? How do they perform versus their peers? For example, stock performance, sustainable growth, etc.
Navin: Right. So there are certain metrics that are published that can be looked at to draw sort of a comparison between one organization and another. In terms of specific risk metrics, I have not yet seen that. Now, one can infer that your net income, for example, has a direct correlation to the amount of risks that the organization faces. In that, if it is that we are managing risks and we are reducing the impact, or we are potentially eliminating risks altogether, then we are able to achieve our objectives, our performance goals, our targets, and realize all that income.
Another one that people often look at is data breaches or privacy breaches. That’s another metric that can be used across the board. And what that essentially means is that you have effective risk governance, compliance, and privacy measures in place that allows you to secure and protect the organization’s interest. Another metric that we often see as well is downtime. So it’s called [inaudible 00:45:06], the system average duration frequency and system average duration index. Meaning, how often do your technology systems go down? And then how frequent are those systems down? Again all around the management assessment identification of technology risks and putting action plans in place to mitigate that.
A final one that I can toss out there is also your reputation quotient. So your reputation quotient is sort of a baseline of your social media industries, whether it be social media index, media [inaudible 00:45:40] team, your internal employee surveys, and all of that collectively comes together to define your reputation quotient, which has a direct correlation to the exposures of brand and reputation risk, your employee engagement, satisfaction, retention, recruitment. So all of those things together sort of factor into that reputation quotient.
So those are some of the measures at a first brush that I can say organizations can look at generically, irrespective of industry sector, to compare performance against one another from a risk perspective.
Jamie: Okay, excellent. Actually, before we get to the other questions, I just want to remind everyone we have a short survey to help benchmark your own ERM program against your peers here today. So again, the benchmarking results will be shared with you tomorrow along with the poll results. If you’re interested in learning more about Resolver or specifically how our customers have successfully used technology across the integrated risk management system, please visit our website or shoot up an email, Hello at Resolver dot com, or connect with Navin, Brian, or myself via LinkedIn.
So we have a couple more, we have time for a couple more questions, but other than that thank you so much for your time. Okay so I have a question for Brian. Brian you mentioned risk appetite before. There’s a question on what is your perspective on, quote, the uselessness of a risk appetite component for ERM in nonprofit sectors, such as higher education?
Brian: That’s a great question. I always say risk appetite tends to give people indigestion. The whole concept can be a bit obtuse and difficult to get your head around, and yet it seems to be quite prevalent, not only in financial services, but beyond. So looking at higher education and nonprofits, I think it’s … To get as quickly as you can from the obtuse conceptual academic view of risk appetite down to specific risk tolerances and limits. To say, what are the risks and the measures that we would use around incidents on campus? Let’s say. Or in terms of staff retention, or whatever those key risk measures are that you have, what’s the acceptable range or what’s the limit? I think that’s absolutely critical.
And one thing I wanted to also mention before I forget. There was earlier question around measuring shareholder value, and there are a couple really great studies that are out there. One was done by Oxford Metrica that looked at the impact of large risk events upon shareholder value. And there’s clearly a premium that … In fact, after significant risk events, those that manage well actually increase their shareholder value over time versus the ones that didn’t saw in almost all cases a permanent erosion of value. And then there’s some other studies that have been done through North Carolina State where they’ve looked at the risk premium, they call it. So reducing your overall data by having more advanced risk management is rewarded in the market, and they’ve got some good studies around that as well.
Jamie: Excellent. And final question is to Navin. You were mentioning GRC technology. In terms of time-saving, what could an organization expect switching to software from spreadsheets from a global ERM program point of view?
Navin: Yes this is great. I can safely say from my experience, you can see roughly probably at least a 70% reduction in the amount of day-to-day effort required by a dedicated staff on an ERM team, for example. I have experiences in terms of working with organizations where they have a global operations in 22 different countries, and their ERM team is essentially made up of two individuals and they utilize GRC tools and technologies. If you have a team of people within your organization and you are looking at probably local operations, you spend roughly, let’s say, eight hours, seven hours a day behind ERM. I can safely say if you implement technology and it’s done right … For example, you do your readiness assessment and have the technology and then the implementation and [inaudible 00:50:34], you can essentially cut your time between 50% and 60%. Definitely.
Jamie: Okay. Excellent. And that concludes our seminar. We would like to thank you for your time. And Brian and Navin, thank you so much for your contribution, and I will take it from there.
Brian: Thank you.
Jamie: Thank you.
Brian: Thanks very much.
Jimmy: With that I’d like to thank all of our speakers for their time and expertise. A copy of this webinar will be archived within a few days. Thank you and have a great day.