Joanna Makomaski

Joanna Makomaski is a specialist in innovative enterprise risk management methods and implementation techniques. She can be reached at [email protected]

Column: Risk Management

Hunger for Risk

By: | April 28, 2016 • 2 min read

We see them everywhere in our risk management world — the terms of art — “risk appetite and tolerance.” We are also seeing heightening obligations set by regulators and rating agencies guiding organizations to articulate their appetite for risk and tolerance of risk.

Research commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) urges an organization to “consider its risk appetite at the same time it decides which goals or operational tactics to pursue. To determine risk appetite, management, with board review and concurrence, should take three steps:

  • Develop risk appetite.
  • Communicate risk appetite.
  • Monitor and update risk appetite.

Three easy steps — but are they really? Things would be a lot easier if we could agree on what exactly “risk appetite and tolerance” means.

To express risk appetite, one has to truly understand strategic risks and create rules around which risks should be taken in order to achieve objectives.

Sometimes we can get overzealous with our risk taking, so it is prudent to give yourself a realistic cushion and set triggers to alert you when you are nearing unwanted risk thresholds.

I call this zone “risk tolerance” — the level of excess risk you can take for a while before getting back to your normal risk-taking habits.

The subprime mortgage debacle that led to the latest financial crisis is a case in point.

In a market of ever-increasing house prices, it was tempting to grow mortgage revenue by relaxing underwriting criteria. If borrowers defaulted, the logic was, lenders could seize and resell the house. The problem was no one was accounting for total risk on the table and early warning signals went unheeded.

Relating your risk appetite and tolerance is akin to describing your consumption habits for risk. Risk appetite is about taking in healthy risk, not avoiding it. Not taking in risk when you need to could leave your organization unsatiated and unhealthy.

Consider Research in Motion (RIM), makers of the BlackBerry. According to the “Wall Street Journal,” RIM’s chiefs dismissed the iPhone after it was unveiled in 2007.

“It wasn’t a threat to RIM’s core business,” said the company founder’s top lieutenant, Larry Conlee.

“It wasn’t secure. It had rapid battery drain and a lousy [digital] keyboard.”

Clearly, the company was overlooking an important strategic risk.

COSO offered three easy steps for defining risk appetite and tolerance. Allow me to now offer mine.

Decide which risks you will eat and make sure they are good for you and not junk. Eat just enough to satisfy hunger for strategy achievement.

And make sure you continually measure your strategic objectives to ensure you are staying within bounds of your corporate stomach.

Column: Risk Management

ERM Kick-Start

By: | April 4, 2016 • 2 min read

Living through many Canadian winters has allowed me to witness this very scene: Exasperated drivers stuck in the snow.

Tires whirl. They spin at high speeds, neither advancing nor falling back. How disheartening.

All too often I see this very problem with persons charged with implementing enterprise risk management (ERM) programs. I sense their frustration around the perceived futility of their efforts and lack of traction of ERM within the organization.

I hear comments such as: “I work really hard but no one seems to really care about ERM,” or “I can’t get any attention or resources to support my efforts.”

These individuals toil for months, even years, only to watch their ERM efforts get de-scheduled from the corporate agenda, rerouted to another division, outsourced or eliminated altogether.

Is there a solution? I believe so. Over the years, I have been using a system that I call: “ERM kick-start.” The genius of the ERM kick-start method is that it encourages you to do less, not more, to get further.

Similar to freeing your car from the snow — you should treat the gas pedal gently, make small motions, rock back and forth until you gain some traction and only then will you find yourself moving forward.

The idea holds true with the ERM kick-start method. For those individuals who suffered less than successful attempts at ERM implementation, the first step to the ERM kick-start method involves taking a solid look at the journey already taken to date.

First, I’d verify if an ERM needs assessment was conducted. Were key stakeholders consulted on what they need and how they will benefit from the ERM program?

Stakeholders such as CFOs and CEOs often have different agendas, needs, and expectations of ERM and risk assessment efforts. Do they understand they will be involved in the ERM effort and to what degree?

It is also critical to discuss the proposed currency expected for risk measurement with all stakeholders. Will risk assessment results be expressed in dollars, relative scores or qualitative descriptions?

Who will be looking at or using the risk evaluation results? When? Why? How often?

What is the planned protocol to validate, document, circulate and protect risk information? Where will the risk arbitrator sit? In other words, who will have final say as to whether a risk is a risk to the organization? How will risk efforts and response planning be widely communicated?

ERM kick-start requires this kind of information to help shape a realistic ERM vision for the organization.

Traction is best gained by delivering on small chunks of your pre-agreed-to plan. Letting everyone know what you will deliver on and showing progress will gain you support.

Deliver in smaller chunks and kick-start your ERM vision.

Column: Risk Management

Risk School for Boards

By: | March 1, 2016 • 3 min read
Topics: ERM | March 2016 Issue

Hard to believe it has been 15 years since we first heard the term Sarbanes-Oxley Act, SOX. Does anyone remember the Enron scandal anymore?

We’ve been bombarded with new scandals year after year ever since. They reveal unreliable financial reporting, appalling corporate governance failures, inadequate risk management, and now persistently weak IT security.

Regulators have been continually heightening their expectations of board oversight, particularly after the 2008 global financial crisis.

They insist that boards play a greater role in risk management oversight and ensure that the company’s risk management practices are in step with its strategic direction. Also, if risk-taking strays beyond the company’s risk appetite, it should be identified and escalated.

Seems reasonable, in theory. But we need a closer look at risk management processes and systems, including boards.

Board members often get little practical guidance on how to effectively oversee risk cultures and appetites.

“Many corporate failures can be attributed to the board’s inability to recognize the underlying risks faced by the company, and to take timely and appropriate mitigating actions,” according to Aon’s “Global Risk Management Survey 2015.”

Most boards consist of great people, who want to do a great job. But there is a problem with giving this oversight responsibility to our boards, especially if they are ill-equipped.

It goes beyond the boardroom. According to the “2015 Report on the Current State of Enterprise Risk Oversight,” by NC State and the American Institute of CPAs, 60 percent of the C-level received little or no risk management training and guidance.

So — no surprise — I’m fielding an increased number of requests for board and C-suite training on enterprise risk management, risk culture and metrics.

Ghislain Giroux Dufort of Baldwin Risk Strategies, who co-authored an article in March 2015 on board oversight, is seeing the same trend. He underscores the importance of providing practical training on risk management to directors. It is the only way boards will comfortably recognize the risks that should be taken or managed in order to achieve strategic objectives.

Business landscapes are constantly changing. But risks should never paralyze an organization. Businesses need to be alert to change, have adaptable strategies, and not only mitigate existing risk but also take informed risks.

Risk analyses that only focus on individual risks without any link to corporate strategic objectives deliver very little value and can also be dangerously misrepresentative. Boards need to be equipped to challenge this.

Before regulators get too heavy-handed with our boards, let us first offer them an understanding of what they should be seeing from management — a composite picture of risks clearly linked to objectives.
