Accendo Reliability

Your Reliability Engineering Professional Development Site


by Greg Hutchins

How to Structure Your ERM System


Guest Post by Patrick Ow (first posted on CERM® RISK INSIGHTS – reposted here with permission)

Andy Benoit once said, “Most geniuses — especially those who lead others — prosper not by deconstructing intricate complexities but by exploiting unrecognized simplicities.”

This statement is so true when corporate leaders and managers tend to over-complicate processes or over-engineer systems in organizations. Designing and implementing your organization’s enterprise-wide risk management system is no exception.

Therefore, it is time to effectively restructure and simplify your risk management system.

A three-tier approach to managing risks and issues

A three-tier approach to managing risks and issues was developed many years ago, and it has helped many organizations cut through the noise and complexity of risk management. Simplicity was the key.

Structure your organization’s enterprise risk management system using this three-tier approach for effective management, reporting, and governance of your organization’s risks and issues.

Risk and issues can be actively managed across three tiers in an organization, as conceptually shown in the diagram below.

[Figure: flowchart of the three tiers of a structured ERM system, with planning, risk management, and governance included.]

You could have more than three tiers. But do limit it to three tiers for simplicity, practicality, and easy implementation. The bigger your organization, the simpler it has to be for effective implementation.

As Albert Einstein said, “If you can’t explain it to a 6-year-old, you don’t understand it yourself.”

Since you need to explain your risk management system to a 6-year-old, don’t over-complicate it!

At each organizational tier, there will be objectives that have been cascaded from the tier above using one of three cascading methods – adoption, distinctive, or shared.

Risks and issues that may positively or negatively affect the organization’s ability to achieve the objectives are identified, managed, and reported as part of the risk management process at all tiers.

These risks and issues are overseen by the relevant committees, teams, or working groups. These governance arrangements at each tier will ensure that the appropriate controls and treatments are developed and implemented to strengthen existing controls, implement new treatments, and reduce the level of risk to an acceptable level within the organization.

If you systematically review and assess the governance arrangements that are currently in place at each tier in your organization, you may find a lack of clarity and consistency. In most cases, these governance arrangements are not documented or formally reviewed for effectiveness and efficiency. Years of layering policies and procedures on top of other policies and procedures have made the organization bureaucratic and inefficient.

Accountability for a Tier 1 risk or issue is generally assigned to the Managing Director, someone who is best placed to lead the management of the risk or issue on behalf of the Executive Board and organization. In our example, the Managing Directors report to the Chief Executive Officer.

Strategic or organization-wide objectives are cascaded from Tier 1 to Tier 2 as divisional Tier 2 objectives as part of the strategic and business planning processes. This line-of-sight and alignment with the overall purpose and vision of the organization are vital. It ensures effective strategy execution and implementation of strategic plans.

Linked to the achievement of these cascaded Tier 2 divisional objectives are those Tier 2 risks and issues that may have an impact on the entire division. This linkage is important as risk management helps organizations succeed by achieving their objectives.

Directors are accountable for the identification and management of Tier 2 risks and issues. In our example, the Directors report to the Managing Director.

Divisional executives have oversight over the management of these Tier 2 divisional risks and issues. They will decide whether any significant Tier 2 divisional risk or issue needs to be escalated to a Managing Director or the Executive Board for information or decision based on pre-agreed escalation triggers and business rules.

This process occurs as part of the organization’s governance arrangements, including the escalation and cascading pathways, and monitoring and reporting pathways.

Divisional objectives are cascaded from Tier 2 to Tier 3 as branch, project, or operational objectives.

Linked to the achievement of these cascaded Tier 3 objectives are those Tier 3 risks and issues that may have an impact on a branch, a project, or operations.

Managers and team leaders are accountable for the identification and management of Tier 3 risks and issues.

Branch executives, managers, and team leaders have oversight over the management of these Tier 3 risks and issues. They will decide whether any significant Tier 3 risk or issue needs to be escalated to a Managing Director or divisional executives for information or decision based on pre-agreed escalation triggers and business rules.

Project performance, risks, and issues will be reported to the relevant area that has accountability over the delivery of the outcomes and objectives including its non-performance. This is where shared risks across organizational boundaries are managed collaboratively.

Escalation, cascading, and reporting processes

There will be pre-agreed escalation, cascading, and reporting processes; escalation triggers; and business rules as part of the three-tier approach to managing and reporting risks and issues, as shown in the diagram below. This will enable the creation of an effective structure for operating your enterprise risk system.

[Figure: pyramid showing the three tiers of an ERM system structure, including escalation and reporting pathways.]

In essence, on the left-hand side of the triangle, escalation and cascading pathways are based on pre-defined, pre-approved escalation triggers for escalating information and business rules for cascading information. This eliminates any discretion and ad-hoc decision-making.

Escalation triggers for escalating information define the conditions under which escalation actions occur along an escalation pathway. The escalation pathway clarifies the boundaries and channels of decision-making. For example, if a risk is rated as critical, that risk information is escalated to the tier above within an agreed timeframe – there are no ifs, no buts. The risk rating acts as the escalation trigger for the escalation of risk information. There is clarity as to what information is escalated and when it is escalated.

Additionally, a risk or an issue can be cascaded when it is no longer considered critical and the accountability for the active management of that risk or issue can be delegated downwards to lower-tier management. The business rule for cascading the information is clearly defined and accountability is accepted, as documented in the manager’s job description and business processes.

On the right-hand side of the triangle, monitoring and reporting pathways reflect the organization’s governance arrangements. Performance (and non-performance) can be actively and systemically managed at all tiers using this approach.

The business rules for escalating relevant or critical information to higher tiers, including performance and risk information, are also known and well understood. This includes knowing what to report, the reporting frequency, and who reviews, prepares, and receives the information. The clarity drives good corporate governance and positive risk culture.

There are also defined and clear business rules for responding to bad news or poor performance. Agreed action plans are cascaded for implementation, monitoring, and reporting. Everyone is across the information and is clear on the next action steps to take.

Let’s not over-complicate risk management or management in general for that matter. Risk management is good management.

The essence of risk management is to help us succeed, which is our goal. And there are many ways to get to our destination. Find the easier way that is well understood by everyone and effective in enabling the organization to succeed and achieve its goals.

Professional bio

Patrick Ow is a corporate and personal trainer and coach at Practicalrisktraining.com.

As a Chartered Accountant with over 25 years of international risk management experience, he helps individuals and organizations succeed by making better-informed decisions under uncertainty and taking the right opportunities and risks. He has developed PrOACT 31000, a practical yet simple framework based on the world-class PrOACT decision-making framework and the international risk management standard, ISO 31000.

Patrick has authored several eBooks including Strategic Risk Management Reimagined: How to Improve Performance and Strategy Execution and Things Parents Wish They Knew Earlier: The Family Risk Management Handbook.


CERM® Risk Insights series: articles by Greg Hutchins, Editor, and noted guest authors
