Guide To Effective Risk Management 3.0

Authors: Alex Sidorenko and Elena Demidenko

This book about risk management is different from the other books that I already read about the subject. It is an e-book that not only works with text. The texts, usually a page per subject as an appetizer, are alternated with to do checklists, and many lists with click-through options to videos on youtube and URLs with web pages with further explanation. It is a handy book full of tips of do’s and don’ts of tasks that belong to risk management. These checklists are a useful task list for a CRO in a company.

The structure is realized in 3 major objectives: 1) Drive risk culture; 2) Help integrate risk management into business; 3) Become a trusted advisor. What did I remember?

Drive risk culture: make sure you have a suitable framework for working on risk management. Knowledge of the regulations that the company must comply with is important. In addition, ISO 31000 can be a handy standard. Moreover, the management of suitable risk analysis techniques is an advantage. Already from the beginning of the book the authors talk about Monte Carlo and scenario analysis. As always, involving top management is a must. All classics of risk management are discussed. But there are also useful tips such as the fact that you best discuss risks per topic in the board meeting instead of making risk management a separate subject of these meetings. Furthermore, a no-blame culture is essential. That is logical, because you still have to work with others to improve the performance of the organization. Another important psychological tip is to determine risk management responsibilities in the job descriptions. Furthermore, it was an eye-opener that risk management is primarily a matter of change management for the culture of the organization.
Help integrate risk management into business: it is important that risk management is not something that comes with it, but something that is included in the work itself. It is very important, for example, that it is integrated in taking the different types of decisions. After all, an informed decision always makes a trade-off between the advantages and disadvantages (the impact) and the chances that these will occur. That is why it is also important that the business and the CRO speak the same language. And if things go wrong, the business must be able to escalate in a simple way.
Become a trusted advisor: know the business, but also know your risk management techniques. Maintain your skills of scenario analysis, stress testing, Monte Carlo techniques, game theory, behavioral psychology … a lot of different scientific techniques can be applied. They take care of it, together with a look at the environment, that you can inform the management of emerging risks. Finally, you do not do it all alone. You can rely on the help of people in the organization (risk champions) but you can also rely on the knowledge of colleagues in other organizations. So networking is the message.

The number of topics is very large, and with all referrals in it, it is a very strong book. It is advisable to take your time and also see the videos, as a different form of learning. Because of this structure, the book does not have to be read from front to back, but can be started at a certain point, depending on the needs of the moment.

The book is freely available on the website of RISK-ACADEMY:

Risk determination with risk typology

Author: Manu Steens

The determination of the risks is one of the important steps in risk management, to arrive at a risk register with accompanying action plans as an intermediate step.

In this respect, according to the principle of subsidiarity, the lowest in rank that can sensibly determine the risks is the right person to list the necessary risks. This applies to risks at all levels in the organization.

The first step therefore consists of determining the target group of the brainstorming session for the risks. For operational risks these can be process or project managers, but also newcomers who do not yet have a lot of vision on risks. For they constantly come into contact with unforeseen issues, and cooperating in the risk analysis raises their awareness and alertness. For tactical and strategic risks these can be board members. The target group of the risks must also be determined. For the normal risks these can be the managers, for large risks and strategic risks one must report to the top management / management board.

Once the target groups for determining the risks and reporting have been determined, the risks themselves must be assessed. This can be done with a risk typology. In addition, there are several possibilities. These are always dependent on the organization itself, which must therefore be well known by those who choose / design the appropriate risk typology. Below we present a number of examples of risk typologies (not exhaustive).

A first possible division is as follows:

  • Financial risks
  • Legal requirements
  • Legal compliance
  • Reputation
  • Specific to the industry
  • Data integrity and reliability
  • Confidentiality of the data
  • Security of your own data
  • Disaster recovery and continuity planning
  • Operational risks

A second possible division is as follows:

  • External risks
    • Nature
    • Politics / law and regulations
    • Social / social
    • Economy / market, fairs, …
  • Internal risks
    • Strategy
    • Legal / financial consequences legal form
    • Continuity
    • Quality
    • Fraud / Compliance …
    • Material risks (loss of damage)
    • Safety of people / resources
    • Financial risks
    • Critical knowledge
    • Capacity …

A third possible division is as follows:

  • Operational risks:
    (Willem De Ridder, ‘Risicobeheersing met toegevoegde waarde’): “The risk of loss as a result of inadequate or failing processes, people and systems or as a result of external events.”
  • Strategic risks:
    (Lizanne Vroom, ‘Risicomanagement vanuit het Dynamisch Business Model’): “The danger of (capital) loss and / or the survival of the organization as a result of changes in the organization’s environment, the lack of response or an incorrect response. Changes in the environment of the organization, business adverse decisions or incorrect implementation of the chosen strategy. ”

A useful way to work with this risk typology is to brainstorm with a SWOT method. Note that making this SWOT does distinguish between internal matters (strengths and weaknesses) and external issues (opportunities and threats), but is not yet a risk analysis in itself. It can be used to formulate the risk statements on the basis of each item in the risk typology, in relation to the operational projects, processes, objectives or strategic objectives. So in fact to do risk identification. The risk typology used can also depend on this. In addition, the SWOT method with its confrontation matrix is ​​suitable for formulating measures.

A brainstorming session is best with a group of about 4 people, or a coach. The latter must always challenge the group to formulate the risk statements properly, and also, according to the principle of a Bow-Tie, to formulate the causes and consequences, causes of causes and consequences of consequences, etc. The 5x ‘why’ and 5x ‘what then’ question method applies here. In this way the participants in the brainstorm eventually formulate the risk statements in the form of ‘The organization / the process / project … has problem / opportunity … with the cause (s) … and effect (s) …’.

One can choose to split the causes and consequences with the problem over several risk statements, or to group the causes and group the consequences. These are then challenged with preventive and reactive measures respectively. The Bow-Tie method is then very suitable to indicate whether all the stated causes and consequences are being addressed with measures.