
Making Enterprise Risk Management Personal

They say charity starts at home – so does Enterprise Risk Management (ERM). We can learn a lot from what we do well in our own lives and apply the same principles to our work lives. 

Risk, according to the ISO 31000 standard, is the “effect of uncertainty on objectives”. “Objectives” are the starting point of ERM. You cannot do any meaningful risk management without starting with, and clearly articulating your objectives. This is the critical link between ERM and Strategy.

One of the objectives of most people in their personal lives, I hope, is: To live a long, healthy and fulfilling life.

The second step is to understand what critical processes need to work well in order to achieve our stated objectives. In our personal life example, these critical processes will consist mainly of our vital organs, our heart, liver, kidneys, brain and so on. In your business life, it is the critical processes on which your business depends – in other words, the critical parts of your operating model. Once we understand the critical functions/processes, we can then move to the third step of identifying the risks that could cause the functions/processes to fail.

In your personal life this will include such things as heart attack, melanoma, lung disease and so on. In your work life it will be a suite of corporate risks including cyber attacks, internal and external fraud, third party failure and so on.

The next stage is to analyse our key risks in detail so we understand their root causes and how they link to the failure of the critical processes and, by extension, our objectives. For example, a heart attack may be caused, among other things, by clogged arteries. Clogged arteries may be caused by cholesterol, which in turn could be caused by diet or be hereditary. Heart attack then leads to failure of the heart as a vital organ, which leads to the failure of our long and healthy life objective.

We at Protecht use Bow Tie analysis to analyse and document these parts, connecting root causes with risk events, with failed critical processes, and with objectives.

Lastly, we identify our controls. For health risk, we may have diet, drugs, regular checkups, surgery etc. These controls can be classified into Preventive, Detective and Reactive, with Preventive operating proactively at the earliest point of the risk, Detective somewhere in the middle of the risk's life, while Reactive controls operate at the end of the risk's life, focused on minimising impact.
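The bow tie structure just described (root causes feeding a risk event, the risk event failing a critical process, the failed process defeating an objective, and controls classed as Preventive, Detective or Reactive) can be made concrete as a small model. The following is an added example written for this page, not Protecht's code or the Protecht.BowTie app; it encodes the article's heart attack chain and then reports where control coverage is missing. Which control falls into which class (diet as preventive, checkups as detective, drugs and surgery as reactive) is my assumption for illustration, as is the one-branch-per-cause walk in `trace`.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class ControlType(Enum):
    PREVENTIVE = "preventive"  # acts on a root cause, before the risk event
    DETECTIVE = "detective"    # acts mid-life: spots the event or its precursors
    REACTIVE = "reactive"      # acts after the event: minimises impact


@dataclass
class Control:
    name: str
    kind: ControlType
    # Preventive controls name the root causes they address; reactive controls
    # name the risk event whose impact they limit; detective controls watch the
    # whole tie and carry no targets.
    targets: frozenset[str] = frozenset()


@dataclass
class BowTie:
    objective: str
    critical_process: str
    risk_event: str
    # cause -> the causes immediately upstream of it (empty list = root cause)
    causes: dict[str, list[str]]
    controls: list[Control] = field(default_factory=list)

    def root_causes(self) -> set[str]:
        return {c for c, upstream in self.causes.items() if not upstream}

    def trace(self, root: str) -> list[str]:
        """Follow one path from a root cause through to the objective."""
        downstream: dict[str, list[str]] = {c: [] for c in self.causes}
        for cause, upstream in self.causes.items():
            for u in upstream:
                downstream.setdefault(u, []).append(cause)
        path, node = [root], root
        while downstream.get(node):
            node = downstream[node][0]  # assumption: follow the first branch only
            path.append(node)
        return path + [self.risk_event, self.critical_process, self.objective]

    def control_gaps(self) -> dict:
        """Report root causes with no preventive control, and whether the
        detective and reactive layers are present at all."""
        preventive_targets: set[str] = set()
        reactive_targets: set[str] = set()
        has_detective = False
        for ctl in self.controls:
            if ctl.kind is ControlType.PREVENTIVE:
                preventive_targets |= ctl.targets
            elif ctl.kind is ControlType.REACTIVE:
                reactive_targets |= ctl.targets
            else:
                has_detective = True
        return {
            "uncovered_root_causes": self.root_causes() - preventive_targets,
            "missing_detective": not has_detective,
            "missing_reactive": self.risk_event not in reactive_targets,
        }


def heart_attack_bowtie() -> BowTie:
    """The article's heart attack chain; control classes are my assumption."""
    return BowTie(
        objective="long, healthy and fulfilling life",
        critical_process="heart",
        risk_event="heart attack",
        causes={
            "diet": [],
            "hereditary": [],
            "cholesterol": ["diet", "hereditary"],
            "clogged arteries": ["cholesterol"],
        },
        controls=[
            Control("diet", ControlType.PREVENTIVE, frozenset({"diet"})),
            Control("regular checkups", ControlType.DETECTIVE),
            Control("drugs", ControlType.REACTIVE, frozenset({"heart attack"})),
            Control("surgery", ControlType.REACTIVE, frozenset({"heart attack"})),
        ],
    )


if __name__ == "__main__":
    bt = heart_attack_bowtie()
    print(" -> ".join(bt.trace("diet")))
    print(bt.control_gaps())
```

Running it traces diet -> cholesterol -> clogged arteries -> heart attack -> heart -> objective, and the gap report flags "hereditary" as a root cause with no preventive control. That is the useful reading of a bow tie: a root cause you cannot prevent shifts the weight onto the detective and reactive layers, so the check for those layers being present is not optional.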


An example bow tie for staff absenteeism is shown below: 

[Image: Bow Tie diagram for staff absenteeism]

Fig 1. Bow Tie analysis example

Source: Protecht.BowTie (available for iOS tablets on the App Store)

Once we have analysed our risks and related controls, we need to manage them, i.e. the process of Enterprise Risk Management (ERM).

So how should we manage our health risks? 

  1. Go for a periodic (maybe annual) health check.
  2. Monitor indicators of your health between health checks. A Fitbit can help here.
  3. Be ready for, and manage, any health incident.
  4. Take appropriate actions if you believe health risks are not being adequately managed – additional medication, change of lifestyle and so on.
  5. Ensure that the key treatments you have over your health are effectively working. For example, ensuring you are taking your medication each day.

The process of ERM is the same.

  1. The Health Check is the Risk Assessment
  2. The Fitbit is Key Risk Indicators
  3. Dealing with incidents is Incident Management
  4. Taking action is Issue and Action Management
  5. Checking treatment effectiveness is Controls Assurance

How healthy are you and how healthy is your business?
