Guest Post by Patrick Ow (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Andy Benoit once said, “Most geniuses — especially those who lead others — prosper not by deconstructing intricate complexities but by exploiting unrecognized simplicities.”
This statement is so true when corporate leaders and managers tend to over-complicate processes or over-engineer systems in organizations. Designing and implementing your organization’s enterprise-wide risk management system is no exception.
Therefore, it is time to effectively restructure and simplify your risk management system.
A three-tier approach to managing risks and issues
A three-tier approach to managing risks and issues has been developed many years ago and it has helped many organizations cut through the noise and complexity of risk management. Simplicity was the key.
Structure your organization’s enterprise risk management system using this three-tier approach for effective management, reporting, and governance of your organization’s risks and issues.
Risk and issues can be actively managed across three tiers in an organization, as conceptually shown in the diagram below.
You could have more than three tiers. But do limit it to three tiers for simplicity, practicality, and easy implementation. The bigger your organization, the simpler it has to be for effective implementation.
As Albert Einstein said, “If you can’t explain it to a 6-year-old, you don’t understand it yourself.”
Since you need to explain your risk management system to a 6-year old, don’t over-complicate it!
At each organizational tier, there will be objectives that have been cascaded from the tier above using one of three cascading methods – adoption, distinctive, or shared.
Risks and issues that may positively or negatively affect the organization’s ability to achieve the objectives are identified, managed, and reported as part of the risk management process at all tiers.
These risks and issues are oversight by the relevant committees, teams, or working groups. These governance arrangements at each tier will ensure that the appropriate controls and treatments are developed and implemented to strengthen existing controls, implement new treatments, and reduce the level of risk to an acceptable level within the organization.
If you systematically review and assess what governance arrangements that are currently in place at each tier in your organization, there may be a lack of clarity and consistency. In most cases, these governance arrangements are not documented and formally reviewed for effectiveness and efficiency. Years of layering on policies and procedures over policies and procedures have made the organization bureaucratic and inefficient.
Accountability for Tier 1 risk and issue is generally assigned to the Managing Director, someone who is best placed to lead the management of the risk and issue on behalf of the Executive Board and organization. In our example, the Managing Directors report to the Chief Executive Officer.
Strategic or organization-wide objectives are cascaded from Tier 1 to Tier 2 as divisional Tier 2 objectives as part of the strategic and business planning processes. This line-of-sight and alignment with the overall purpose and vision of the organization are vital. It ensures effective strategy execution and implementation of strategic plans.
Link to the achievement of these cascaded Tier 2 divisional objectives are those Tier 2 risks and issues that may have an impact on the entire division. This linkage is important as risk management helps organizations succeed by achieving their objectives.
Directors are accountable for the identification and management of Tier 2 risks and issues. In our example, the Directors report to the Managing Director.
Divisional executives have oversight over the management of these Tier 2 divisional risks and issues. They will decide whether any significant Tier 2 divisional risk or issue needs to be escalated to a Managing Director or the Executive Board for information or decision based on pre-agreed escalation triggers and business rules.
This process occurs as part of the organization’s governance arrangements, including the escalation and cascading pathways, and monitoring and reporting pathways.
Divisional objectives are cascaded from Tier 2 to Tier 3 as branch, project, or operational objectives.
Link to the achievement of these cascaded Tier 3 objectives are those Tier 3 risks and issues that may have an impact on a branch, a project, or operations.
Managers and team leaders are accountable for the identification and management of Tier 3 risks and issues.
Branch executives, managers, and team leaders have oversight over the management of these Tier 3 risks and issues. They will decide whether any significant Tier 3 risk or issue needs to be escalated to a Managing Director or divisional executives for information or decision based on pre-agreed escalation triggers and business rules.
Project performance, risks, and issues will be reported to the relevant area that has accountability over the delivery of the outcomes and objectives including its non-performance. This is where shared risks across organizational boundaries are managed collaboratively.
Escalation, cascading, and reporting processes
There will be pre-agreed escalation, cascading, and reporting processes; escalation triggers; and business rules as part of the three-tier approach to managing and reporting risks and issues, as shown in the diagram below. This will enable the creation of an effective structure for operating your enterprise risk system.
In essence, on the left-hand side of the triangle, escalation and cascading pathways are based on pre-defined, pre-approved escalation triggers for escalating information and business rules for cascading information. This eliminates any discretion and ad-hoc decision-making.
Escalation triggers for escalating information define the conditions under which escalation actions occur along an escalation pathway. The escalation pathway clarifies the boundaries and channels of decision-making. For example, if a risk is rated as critical, that risk information is escalated to the tier above within an agreed timeframe – there are no ifs, no buts. The risk rating acts as the escalation trigger for the escalation of risk information. There is clarity as to what information is escalated and when it is escalated.
Additionally, a risk or an issue can be cascaded when it is no longer considered critical and the accountability for the active management of that risk or issue can be delegated downwards to lower-tier management. The business rule for cascading the information is clearly defined and accountability is accepted, as documented in the manager’s job description and business processes.
On the right-hand side of the triangle, monitoring and reporting pathways reflect the organization’s governance arrangements. Performance (and non-performance) can be actively and systemically managed at all tiers using this approach.
The business rules for escalating relevant or critical information to higher tiers, including performance and risk information, are also known and well understood. This includes knowing what to report, the reporting frequency, and who reviews, prepares, and receives the information. The clarity drives good corporate governance and positive risk culture.
There are also defined and clear business rules for responding to bad news or poor performance. Agreed action plans are cascaded for implementation, monitoring, and reporting. Everyone is across the information and is clear on the next action steps to take.
Let’s not over-complicate risk management or management in general for that matter. Risk management is good management.
The essence of risk management is to help us succeed, which is our goal. And there are many ways to get to our destination. Find that easier way that is well understood by everyone and effective in enabling the organization to succeed and achieved its goals.
Professional bio
Patrick Ow is a corporate and personal trainer and coach at Practicalrisktraining.com.
As a Chartered Accountant with over 25 years of international risk management experience, he helps individuals and organizations succeed by making better-informed decisions under uncertainty and taking the right opportunities and risks. He has developed PrOACT 31000, a practical yet simple framework based on the world-class PrOACT decision-making framework and the international risk management standard, ISO 31000.
Patrick has authored several eBooks including Strategic Risk Management Reimagined: How to Improve Performance and Strategy Execution and Things Parents Wish They Knew Earlier: The Family Risk Management Handbook.
Leave a Reply