Risk Is Not a Four-Letter Word


mThink Knowledge - Posted on 30 September 2003

Authored by: Ian Baker
Effective risk management is integral to successful corporate governance. New expert systems and knowledge-based systems can help manage both people and processes to move organizations toward regulatory compliance.
Corporate governance may be regarded as a burden or an opportunity. With the advent of second-generation, software-based enterprise solutions, a company’s stock recommendations may soon be accompanied by a confidence-based figure that accurately quantifies expected operational performance. Imagine being able to state an actual level of confidence in achieving business objectives, and backing it up by audit. In addition, by making discretionary business performance and forecasting information available through either traditional or online publications, the board may gain effective control over both independent financial recommendations and the individual investor’s opinion.

A survey of directors in major businesses across the United Kingdom in August 2000 showed that many companies had yet to decide how to take account of risks to their business as part of corporate governance. Despite a letter to all companies listed on the London Stock Exchange, which stated that such systems should be introduced and implemented by Dec. 23, 2000, businesses seemed to be ignoring the call, with only 20 percent having established a formal system. Surprisingly, the survey found that an additional 35 percent of companies had no plans in place to implement such a system. With a few notable exceptions, the cultural changes necessary to effectively implement, “the processes that generate a flow of timely, relevant, and reliable information from within and outside the organization” (Turnbull, Section 20), were slow to be adopted. By the end of 2002, however, almost two-thirds of companies believed themselves to be more than 60 percent compliant with requirements.

Learning from the experiences of European companies that have actively complied with the recommendations of their regulatory bodies, effective control of risk has demonstrated:

  • More informed decision-making;

  • Improved control and performance;

  • Improved shareholder confidence;

  • Avoidance of “greenmail” actions;

  • Measurement of control efficacy; and

  • Positive change of company culture from blame to risk aware.

For many corporations this has meant identifying and implementing a completely new set and depth of internal controls, as well as new methodologies to manage them. The vast majority of assessment information must be traceably generated and maintained from within the organization. This requires the process to be intrinsically embedded in the company’s operations and processes. Herein lies the problem. Risk management and compliance are traditionally perceived as regulatory policing activities, and it is difficult to persuade management of their operational benefits. Most individuals regard risk-management processes as an additional burden, and for this reason the process must be driven by a strong management commitment or employees simply won’t cooperate, and the process will fail.

The stock markets have long been pressing for this information to be provided, as it gives them a heads-up on corporate performance and the likely effects on associated market sectors. In the United Kingdom, the requirement to report on corporate risk in the board’s annual report may soon become mandatory. Similar edicts are coming into effect in the rest of the European bourses as well as Australasia. Heavy fines and the associated bad publicity will fall on those who don’t comply. The key disclosure requirements are as follows:

  • Acknowledgement by the board of its responsibility for internal control;

  • Regularly reviewed and ongoing processes for identifying, evaluating, and managing the organization’s significant risks;

  • A summary of the process that the organization has applied in reviewing the effectiveness of the system; and

  • A process to deal with the material internal control aspects of any risks.

Practical Solutions

So, what constitutes an enterprise risk management implementation? It’s probably not what you imagine. If you’re thinking big server, Web-enabled, networked, multiuser risk-management software, you may well be wrong. And that could cost you dearly, because it’s really all about people and process and getting the two to work together.

Everyone does some sort of risk assessment and makes decisions based on their own analysis many times each day, whether it’s business-related or not, but we don’t normally document the process. An effective implementation will seek to formalize and record this activity. In any organization large enough to require an enterprise set-up, there will be a fantastically diverse array of personalities and dispositions, all essential in the well-balanced operation.

How do you guarantee the consistency of granularity, quality, and currency of information supplied at any given level in the organization’s hierarchy? In an informal or manual process, managers and executives will generally know who is gung-ho and who is risk-averse in their company and will moderate information accordingly. To implement an effective software solution, however, where the computers do not know or recognize personalities, you must be able to make allowances and collect information in a manner that is flexible and comprehensive enough to accommodate everyone’s techniques. Failure to do this effectively means that the inconsistency of input data will render outputs irrelevant and, worse still, people will begin to disregard the process and stop contributing.

It’s not all bad news, though. Risk management as a people-process is maturing, and recent advances in the defense industries such as expert systems and knowledge bases are now bringing benefits to the corporate enterprise. The use of such systems can overcome many inconsistencies, especially where previously recorded data is available to the organization. An additional benefit of using an expert system to collect and assess information is the creation and storage of intellectual property from an individual’s knowledge and experience. The ability to generate, share, and reuse expert knowledge in this way forms a large part of the benefit of any solution. In addition, specially formulated risk-stance assessments can be given to individuals to quantify their nature and then be applied to normalize data. This is done by measuring an individual’s perception of risks against a predefined set of scenarios and assessing their responses. In this way we can apply weightings to individual assessments and track the individual’s risk stance over time by retesting.

One of the most valuable lessons that can be learned from the defense industry regards the user-friendliness of any deployed solution. Although a risk assessment has been a mandatory requirement for almost every NATO defense project since the mid-1990s, the technical difficulty and additional burden of the process had left shortfalls in the implementation. In the United Kingdom, a dedicated team was set up to analyze and resolve the problem. Their conclusion was that although incumbent systems and processes were technically effective, the requirement for exceptional specialized knowledge and a capability for external risk modeling were so time-consuming and arduous that there simply wasn’t the time or inclination for the task. The team surveyed more than 200 defense workers and civil servants and concluded that the solution must, in order of importance, be easy to use, be compatible with core competencies, and require the minimum amount of additional work. By improving the accessibility of the systems and streamlining their processes, the team reduced average assessment time by a factor of eight and increased the uptake of the requirement from 10 to 95 percent.

Although those conclusions may sound obvious in retrospect, all too often the emphasis is placed on technical capability and professional competence because risk management has historically been an esoteric and specialized discipline. By providing an accessible means of expression, which is independent of personal ability or disposition and fits in with workflow, we can implement effective solutions that have a high persistency of use while reducing the total amount of workload.

System Requirements

Modern risk management software handles a lot more than just plain risk. Leading solutions can be described as process solutions that allow the distributed assessment, quantification, and aggregation of business risks, opportunities, and inherent variability — collectively known as uncertainties — to provide clear and concise outputs that ensure compliance with reporting mandates and best practices. Obviously there are different levels of benefit associated with individual systems, and it is in those areas that many of the hidden opportunities for business improvement can be found.

An effective solution will cater to both novice and expert risk managers, as well as everybody in between. This element is essential if you want to avoid heavy criticism from either end of the capability spectrum, reduce training costs, and maximize system uptake.

Your solution should provide a simple yet intuitive process for identifying and assessing uncertainties. This may be in the form of an expert system, or wizard, which provides a uniform approach to assessment for both novice and advanced users. The data collection process may be made available over a network system or intranet using Web forms. This process should include the collection of any assumptions or comments that support the assessment that has been made. This information may become critical if the assessment proves to be misguided and is investigated, especially if the individual who made it has departed. It will also be useful in maintaining the currency of the assessment. An audit trail of all subsequent changes to either assessment parameters or base information should also be recorded. The inability to record this category of information is one of the drawbacks of implementing an in-house solution based on a simple spreadsheet.

Your solution should allow for the input of both qualitative and quantitative data, including a mixture of the two types. The qualitative levels should be user-definable to reflect individual requirements and facilitate future refinement. Quantitative entries should allow the description of distribution data and shapes to more accurately describe any outcome.

Many modern applications allow opportunities to be expressed in addition to risks. This is a very important feature and should be high on the requirements list. Without the ability to assess both sides, it is impossible to make business-critical decisions effectively. By analyzing both positive and negative aspects of an outcome along with associated costs, you will be able to make more informed decisions as well as measure the effectiveness of your control plan. It is possible for your system to calculate the best mitigation or control strategies based on the inherent and residual risk exposures. Such a system will be able to automatically generate action or response plans and flag any areas where the adopted decision does not make logical sense and prompt for review.

A relatively new development allows for the description of multiple and different impact types such as reputation, safety, performance, or security, in addition to the normal cost impacts. The solution should allow the user to describe the impact of any risk, opportunity, or event in a variety of ways. This ability enables reporting based on different dimensions that describe alternate viewpoints. For instance, a safety officer may be interested in identifying all items that affect only his responsibilities whereas an operational manager will primarily be interested in performance.

For example, recent major upgrades to parts of the European rail network looked like massive zero-return costs unless they were viewed using the safety dimension. It is not correct to try to convert impacts on so-called soft factors into financial units during the assessment phase, although it is a common practice to do so because it is easier.

Incorporate a knowledge base into your system that can be maintained internally and enhanced by the collection of your own data as intellectual property. Your users should be able to search for and select source data to use in their assessments, and auditable case-specific information may be provided just for this purpose. A primary rule of risk management is to avoid guessing if you have data available; therefore, the system must support data collection, storage, and distribution.
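The three preceding paragraphs describe inherent versus residual exposure, automatic flagging of control decisions that do not make logical sense, and impact dimensions that are reported separately rather than converted into money. The following is an added example written for this page, not code from riskHive or from the author: it scores each candidate control per dimension, recommends one, and flags controls that cost more than they save unless a soft dimension (here, safety) justifies them, which is the rail-upgrade situation just described. The sign convention (money impacts negative for losses), the 0-10 severity scale for soft dimensions, and the sample uncertainty and controls are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Impact values: the "cost" dimension is money (negative = loss, positive = gain).
# Soft dimensions (safety, reputation, ...) are severities on a 0-10 scale and are
# never converted into money. Both conventions are assumptions of this example.


@dataclass
class Control:
    name: str
    cost: float                          # money spent to implement the control (>= 0)
    residual_probability: float          # event probability once the control is in place
    impact_scale: Dict[str, float] = field(default_factory=dict)  # per-dimension impact multiplier, 1.0 if absent


@dataclass
class Uncertainty:
    name: str
    probability: float                   # chance the event occurs in the period
    impact: Dict[str, float]             # dimension -> impact if it occurs
    controls: List[Control] = field(default_factory=list)


def exposure(probability: float, impact: Dict[str, float]) -> Dict[str, float]:
    """Expected (probability-weighted) impact, kept separate per dimension."""
    return {dim: probability * value for dim, value in impact.items()}


def inherent_exposure(u: Uncertainty) -> Dict[str, float]:
    return exposure(u.probability, u.impact)


def residual_exposure(u: Uncertainty, c: Control) -> Dict[str, float]:
    scaled = {dim: value * c.impact_scale.get(dim, 1.0) for dim, value in u.impact.items()}
    return exposure(c.residual_probability, scaled)


def evaluate_controls(u: Uncertainty) -> List[dict]:
    """One row per control: residual exposure, net money effect, soft-dimension reduction, flags."""
    inherent = inherent_exposure(u)
    rows = []
    for c in u.controls:
        residual = residual_exposure(u, c)
        # Money saved = residual cost - inherent cost (both negative, so positive means saved).
        saved_money = residual.get("cost", 0.0) - inherent.get("cost", 0.0)
        # Severity removed per soft dimension (positive = improvement).
        soft_reduction = {d: inherent[d] - residual[d] for d in inherent if d != "cost"}
        net_money = saved_money - c.cost
        flags = []
        if saved_money < 0 or any(v < 0 for v in soft_reduction.values()):
            flags.append("control worsens at least one dimension")
        if net_money < 0 and not any(v > 0 for v in soft_reduction.values()):
            flags.append("costs more than it saves and reduces no soft impact: review")
        elif net_money < 0:
            justified = [d for d, v in soft_reduction.items() if v > 0]
            flags.append("money-negative; justified only on " + ", ".join(justified))
        rows.append({"control": c.name, "residual": residual, "net_money": net_money,
                     "soft_reduction": soft_reduction, "flags": flags})
    return rows


def recommend(u: Uncertainty) -> Optional[str]:
    """Best net money benefit among controls that worsen nothing and help on some dimension.
    Trade-offs between money and soft dimensions are left to the flagged human review."""
    rows = [r for r in evaluate_controls(u) if "control worsens at least one dimension" not in r["flags"]]
    rows = [r for r in rows if r["net_money"] > 0 or any(v > 0 for v in r["soft_reduction"].values())]
    if not rows:
        return None
    return max(rows, key=lambda r: r["net_money"])["control"]


def build_sample_uncertainty() -> Uncertainty:
    # Constructed data: one production-equipment risk with five candidate controls.
    return Uncertainty("Legacy vessel failure", 0.4, {"cost": -3_000_000, "safety": 6}, controls=[
        Control("Replace equipment", 100_000, 0.02),
        Control("Extra inspections", 50_000, 0.3),
        Control("Insurance only", 200_000, 0.4, {"cost": 0.5}),
        Control("Incident comms plan", 150_000, 0.4),
        Control("Reinforced containment", 2_000_000, 0.4, {"safety": 0.1}),
    ])


if __name__ == "__main__":
    sample = build_sample_uncertainty()
    for row in evaluate_controls(sample):
        print(f"{row['control']:24s} net money {row['net_money']:>12,.0f}  "
              f"safety reduced {row['soft_reduction']['safety']:.2f}  {'; '.join(row['flags'])}")
    print("recommended:", recommend(sample))
```

The "Reinforced containment" row reproduces the rail-network case: it is money-negative and would be discarded by a cost-only assessment, but the safety column shows why it may still be adopted, and the flag routes that judgement to a reviewer instead of silently converting safety into money.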

Provide output measurement by mean value analysis as well as a statistical output based on sampling techniques, such as Monte Carlo simulation or Latin hypercube sampling. An effective statistical engine will allow optimization of much of the assessment work and will provide reports that are more useful. You should be able to quote any key performance indicator with at least its deterministic and mean values, as well as the associated 10, 50, and 90 percent confidence-limit values.

Effective Architecture

Finally, here’s the answer to the question of top-down or bottom-up approach: Do both. Effective uncertainty management brings huge benefits at both ends of the corporate tree, but the necessary techniques and user requirements at either end are generally incompatible with each other. While it might be useful to know what will affect the nuts and bolts when you build and supply your products or manage your projects, that level of granularity is just plain confusing at the top end of corporate governance risk.

Conversely, your high-level corporate risks and opportunities simply don’t apply to the nuts and bolts. In the real world, the two methodologies can be integrated by implementing two independent processes, which have a nonlinear interface. Your corporate risk system should be capable of reflecting the hierarchy of your organization in the way it aggregates the effects of risk and opportunity to the business as a whole.

This may also be reflected in a graphical user interface that displays the topographical layout in a tree-view that may be navigated to provide information at each level. The layout may either reflect the divisional structure of the company or be based on its susceptibility to legal, financial, and operational impacts. At some point, usually around the third or fourth level, the focus of assessment methodology will change from corporate to project or process.

At this point you should be able to describe each project or process and electronically incorporate data and information from a project or process risk assessment application. Such lower-level applications bring major benefits to the operational business, but rarely transpose themselves to regular board-level review. The effect of incorporating project-based assessments into the corporate risk set will ensure both currency of information and the accuracy of performance-based metrics that the system may provide. Additional benefits include the incorporation of existing assessment work from hands-on personnel and the redistribution of responsibility for increasing performance throughout the corporation.

For example, a production engineer at a Silicon Valley biotech company carried out an uncertainty assessment of a key production stage. One troublesome piece of equipment highlighted a potential production loss of around $3 million annually. The problem, but not its extent, was known to manufacturing. They were surprised to discover that the replacement of the old equipment with a newer type costing $100,000 would not only negate the losses, but would increase their capacity by $4 million annually, giving an aggregate increase of $6.9 million annually. The production engineer said he’d been trying to persuade management to agree to replace the equipment for more than a year.

An effective and practical risk implementation can be a genuinely holistic solution to a regulatory burden, where the benefit of the whole far exceeds the sum of its constituent parts. The key to creating true business advantage lies in changing internal culture and creating risk managers out of every employee. Distributing responsibility for performance and risk management by providing open and honest processes will help facilitate this change while demonstrably improving individual awareness and management of business-critical issues in the enterprise.

About the Author

Ian Baker, Business Development Director, riskHive

Ian Baker is the founder and business development director of riskHive Ltd. He has extensive experience in the defense, aerospace, and biotechnology sectors. His goal is to change the face of risk management by making its processes and benefits accessible to everyone.