cause - Blog - Global Risk Community
2024-03-28T17:43:15Z
https://globalriskcommunity.com/profiles/blogs/feed/tag/cause

RMORSA Part 2: Risk Identification and Prioritization
https://globalriskcommunity.com/profiles/blogs/rmorsa-part-2-risk-identification-and-prioritization
2013-09-27T15:00:00.000Z
2013-09-27T15:00:00.000Z
Steven Minsky
https://globalriskcommunity.com/members/StevenMinsky
<div><p><a href="http://logicmanager.com/wp-content/uploads/2013/09/istock-cyber-crime1.jpg" target="_blank"><img src="http://logicmanager.com/wp-content/uploads/2013/09/istock-cyber-crime1-300x230.jpg?width=300" width="300" class="align-right" alt="istock-cyber-crime1-300x230.jpg?width=300" /></a></p><p><span>The first step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) implementation,<span class="apple-converted-space"> </span><a href="http://www.riskmanagementmonitor.com/rmorsa-risk-culture-and-governance/">Risk Culture and Governance</a>, lays the groundwork and defines roles for your risk management function. The second step, Risk Identification and Prioritization, defines an ongoing risk intelligence process that equips an organization with the data needed for risk-based decision making.</span></p><p><span>The engine behind this process – the enterprise risk assessment – isn’t a new concept, but organizations are finding that the traditional, intuitive ideas for how to conduct risk assessments are inadequate. Too often, risk managers are interviewing process owners and collecting huge quantities of data, only to find that their top 10 risks are entirely subjective and lack any actionable component.
And what good is a top 10 risk if you can’t answer the inevitable question: what are you going to do about it?</span></p><p><strong><span>Take a Root-Cause Approach</span></strong></p><p><span>The first and most common hurdle risk managers face is that the risks expressed by process owners are so specific to their business area that they can’t possibly be measured against the rest of the enterprise. For example, the IT department may be struggling to find candidates with enough JavaScript experience, or the Health & Safety department might be concerned with an endless string of EPA regulations. Process owners can’t help but think in terms of their immediate environment, but you can make use of their insight by adopting a root-cause approach.</span></p><p><span>The key to this root-cause approach is a common risk library, or<span class="apple-converted-space"> </span><a href="http://www.logicmanager.com/erm-software/product/risk-taxonomy/">Taxonomy</a>, that orients the concerns of business areas to a category that you as the risk manager can take action upon. When IT says it can’t find candidates with JavaScript experience, for example, what it’s really expressing is an issue with hiring practices, just as health and safety is expressing its concern with the company’s regulatory environment.</span></p><p><span>By categorizing risks, it becomes evident when more than one business area is expressing the same concern, allowing the risk management function to identify and address systemic risks.</span></p><p><strong><span>Use a Single Set of Criteria</span></strong></p><p><span>When engaging a variety of business areas for risk assessments, ensure you’re using a single set of criteria. Often risk managers will begin with a monetary value that represents a critical loss, and they’ll evaluate risks based on that amount. But consider how many process owners in your organization have the financial transparency to operate off of monetary values.
Chances are, the answer will be very few.</span></p><p><span>To combat the lack of financial awareness, qualitative criteria are essential for operational risk assessments. Create qualitative criteria that will apply to multiple functions. For example, a major risk—such as fraud or embezzlement—might result in a work stoppage, or result in a serious variation from an organization’s business values.</span></p><p><strong><span>Tell a Story to Your Board and Executive Leadership</span></strong></p><p><span>The key to any good story is not only an identifiable villain (your top 10 risks), but also a damsel in distress (your company’s strategic goals). Tying risks to strategic objectives allows you to demonstrate ORSA compliance by orienting your initiative to the executive objectives of the company. When the question is asked “why is this risk a priority?” your top 10 list won’t exist in isolation, but will be mapped back to the priorities already set by the board.</span></p><p><span>Demonstrating risk-based decision making is one of the more difficult elements of ORSA compliance, but it can be accomplished by gathering meaningful, contextual risk intelligence with well-designed risk assessments.</span></p><p><em><span>For more information on risk assessment best practices, download LogicManager’s ebook</span></em><span><em>, “<a href="http://www.logicmanager.com/ebook-5-steps-for-better-risk-assessments" target="_blank">5 Steps for Better Risk Assessments.</a>”</em></span></p></div>

Bow tie - Cause and Effect Analysis
https://globalriskcommunity.com/profiles/blogs/bow-tie-cause-and-effect-analysis
2012-07-02T16:33:04.000Z
2012-07-02T16:33:04.000Z
Martin Davies
https://globalriskcommunity.com/members/MartinDavies92
<div><div><span style="font-family:arial, helvetica, sans-serif;" class="font-size-2">There are several ways to look at operational risk but perhaps one of the most exciting and intuitive methods in use
today is Cause-Effect Analysis.</span></div><div><span style="font-family:arial, helvetica, sans-serif;" class="font-size-2"> </span></div><div><span style="font-family:arial, helvetica, sans-serif;" class="font-size-2">In this short post, we look at how Cause-Effect Analysis works and we extend the bow tie concept further for measuring operational risk directly.</span></div><div><span style="font-family:arial, helvetica, sans-serif;" class="font-size-2"> </span></div><div><span style="font-family:arial, helvetica, sans-serif;" class="font-size-2"><span style="color:#0000ff;"><a href="http://causalcapital.blogspot.sg/2012/07/cause-and-effect-analysis.html" target="_blank"><span style="color:#0000ff;">Click here to continue reading</span></a></span><br /></span></div></div>

Is your GRC program overly focused on compliance?
https://globalriskcommunity.com/profiles/blogs/is-your-grc-program-overly
2011-03-29T07:00:00.000Z
2011-03-29T07:00:00.000Z
Steven Minsky
https://globalriskcommunity.com/members/StevenMinsky
<div><p>No company falls out of compliance overnight. It’s a gradual process resulting from a combination of overlooked issues that together create a serious problem. Strangely enough, compliance issues often result from taking an overly compliance-focused approach to risk management, a common problem for Governance, Risk, and Compliance (GRC) programs.</p><p>Take, for example, J&J, which, after a series of product recalls in 2009, has once again fallen out of compliance and now <a title="faces a permanent FDA injunction" href="http://online.wsj.com/article/SB10001424052748704823004576192923011606158.html" target="_blank">faces a permanent FDA injunction</a> shutting down at least one plant and requiring at least five years of severe FDA oversight. So what went wrong?</p><p>While J&J undoubtedly took the 2009 recalls seriously, they focused on correcting compliance issues rather than digging down to the root causes of those problems and correcting them at the source.
The result? Manufacturing plants are once again out of compliance just two years later and the public’s trust in J&J products is beginning to wane.</p><p>Focusing on compliance is akin to adding another bilge pump because your boat has taken on too much water rather than seeking out and repairing the leak. The real solution to a company’s compliance issues is to adopt an integrated approach to risk management: one that can <a title="identify root causes" href="http://logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/">identify risk root causes</a> and their impact enterprise-wide, and that focuses on <a title="performance management" href="http://logicmanager.com/erm-software/knowledge-center/best-practice-articles/performance-management-with-erm/">performance management</a>, not just on meeting compliance goals.</p><p>These are the hallmarks of an ERM approach to risk management. This approach means assessing risks at the operational process level and understanding the consequences of those risks enterprise-wide.</p><p>It doesn’t matter whether you sail under the flag of ERM or GRC; the difference is in the approach. Does your organization take an ERM approach to managing risk?</p><p>Visit the <a title="Achieve your goals in half the time" href="http://logicmanager.com/erm-software/knowledge-center/ensuring-erm-sustainability/"><strong>RIMS Risk Maturity Model assessment</strong></a> and learn more about evaluating your program on one of the seven key attributes that drive ERM performance.</p></div>