

How to Create a Risk Bow Tie

July 4, 2018 in Enterprise Risk Management, General, Risk Cultures


A classic bow tie is a great fit for a stylish, formal event.

A risk bow tie is a great fit for an ERM program and can really move your enterprise risk discussions forward.

From their origins in managing hazards in the Australian energy sector, risk bow tie diagrams have really caught on as a useful tool for enterprise risk programs administered for executive teams and Boards of Directors.

And while it can take 10 steps to get a bow tie perfect on your tuxedo, a helpful risk bow tie diagram can be quickly generated in three easy steps.

A risk bow tie diagram gets its name from the bow tie shape that it forms. The centre of the bow tie is the “risk event” that an organization would like to avoid or lessen the impact of. Root causes and consequences are mapped on either side of the event, along with the controls the organization has in place.

The power of the bow tie diagram is its ability to model complex risks in a single intuitive diagram. Multiple scenarios can be displayed at once, and causality and control effectiveness can be considered in a concise, intuitive manner. This makes risk bow tie diagrams an extremely helpful tool for executive risk workshop discussions.

Here are those three easy steps to create a risk bow tie diagram:

1) Add the risk event to the centre of the diagram

This is the event that your organization wishes to avoid or lessen the impact of. A brief description of what the event would entail will provide context for your management team.

2) Identify the root causes and consequences of the event

Root causes are the contributing factors that trigger the risk event or increase the likelihood of it happening. For example, the root cause of a serious data breach might be a cyber attack. Root causes get added to the left side of the bow tie. Consequences are the negative outcomes that would result from the risk event occurring. The consequences of a data breach may be loss of customers, reputational damage, regulatory penalties, legal expenses etc. Consequences go on the right side of the bow tie.

3) Identify your pre-event and post-event controls or mitigations

Pre-event controls are measures that seek to reduce the likelihood of a risk event occurring. They go between root causes and the risk event on the bow tie diagram. Post-event mitigations are measures that seek to lessen the impact of risk events when they do occur. They go between the risk event and consequences on your bow tie diagram.

Once you have these pieces filled out, you can brainstorm what further controls might be used to manage the risk, identify common root causes that affect multiple risks, define action plans that should be implemented to manage the risk, and more.
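As an added example (not code from the original post or from the Essential ERM platform), here is a minimal bow tie model in Python that follows the three steps above and then performs the follow-up checks the post mentions: root causes with no pre-event control, consequences with no post-event mitigation, and root causes shared across several risks. The `BowTie`, `coverage_gaps`, `shared_root_causes` and `render` names and all sample data are constructed for illustration, starting from the post's data-breach example.

```python
from dataclasses import dataclass, field

@dataclass
class BowTie:
    """One risk bow tie: the event in the centre, causes left, consequences right."""
    event: str
    root_causes: list = field(default_factory=list)              # left side
    consequences: list = field(default_factory=list)             # right side
    pre_event_controls: dict = field(default_factory=dict)       # root cause -> [controls]
    post_event_mitigations: dict = field(default_factory=dict)   # consequence -> [mitigations]

def coverage_gaps(bt):
    """Root causes with no pre-event control and consequences with no post-event
    mitigation: the first items to brainstorm further controls for in a workshop."""
    uncontrolled = [c for c in bt.root_causes if not bt.pre_event_controls.get(c)]
    unmitigated = [c for c in bt.consequences if not bt.post_event_mitigations.get(c)]
    return uncontrolled, unmitigated

def shared_root_causes(bow_ties):
    """Root causes that feed more than one risk event, mapped to those events."""
    seen = {}
    for bt in bow_ties:
        for cause in bt.root_causes:
            seen.setdefault(cause, []).append(bt.event)
    return {cause: events for cause, events in seen.items() if len(events) > 1}

def render(bt):
    """Plain-text view: cause --[controls]--> EVENT --[mitigations]--> consequence."""
    lines = []
    for cause in bt.root_causes:
        ctrls = ", ".join(bt.pre_event_controls.get(cause, [])) or "(no control)"
        lines.append(f"{cause} --[{ctrls}]--> {bt.event}")
    for cons in bt.consequences:
        mits = ", ".join(bt.post_event_mitigations.get(cons, [])) or "(no mitigation)"
        lines.append(f"{bt.event} --[{mits}]--> {cons}")
    return "\n".join(lines)

# Constructed sample data (hypothetical controls and a second, hypothetical risk).
BREACH = BowTie(
    event="Serious data breach",
    root_causes=["Cyber attack", "Lost or stolen device"],
    consequences=["Loss of customers", "Reputational damage", "Regulatory penalties", "Legal expenses"],
    pre_event_controls={"Cyber attack": ["Patch management", "MFA"]},
    post_event_mitigations={"Regulatory penalties": ["Breach notification process"],
                            "Reputational damage": ["Crisis communications plan"]},
)
OUTAGE = BowTie(event="Extended service outage",
                root_causes=["Cyber attack", "Data centre power failure"])

if __name__ == "__main__":
    print(render(BREACH))
    print("Gaps:", coverage_gaps(BREACH))
    print("Shared causes:", shared_root_causes([BREACH, OUTAGE]))
```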

And just like that, you are on your way.

We have had quite a bit of positive experience with bow ties in ERM programs and with bow tie functionality in our Essential ERM platform. If you’d like to discuss or have any questions, let us know!  Also tell us if you know an easy way to do a Half-Windsor…

Miles Smit, PhD

Tracker Networks


Add Democracy to Your Enterprise Risk Program

June 26, 2018 in Enterprise Risk Management, General, Risk Cultures

Risk voting is an easy, effective way to engage your business users and improve the quality of information in your ERM program.

So you’ve got your enterprise risk program off the ground and your executive team is receptive. Congratulations, that is a great position to be in. Now, how do you capitalize on this momentum and drive your risk program forward into the organization?

Alternatively, perhaps your ERM program has stalled after some early success and is now drifting dangerously towards becoming a dreaded annual checkbox activity. How do you reinvigorate your program and re-engage your executive team?

One great answer for both of these questions is risk voting.

If you are unfamiliar with the concept, risk voting is the process of gathering risk rating information from a variety of business leaders and subject matter experts in your organization. Each contributor is given the opportunity to provide their own scoring for the elements of individual risks, such as the likelihood, impact, control effectiveness, risk tolerance etc. The values are consolidated and used as input into the overall rating of each risk.

Performing risk votes is not particularly difficult and there are multiple ways to do it. Some organizations keep it as simple as using online survey tools. This makes it easy for contributors but creates a large amount of work for risk managers who have to tabulate results and generate reports manually. An improvement over this is to use an ERM tool that has built-in voting functionality and does the tabulation and reporting automatically (disclaimer alert – our company produces the Essential ERM system and we are soon launching a new approach to risk voting).

Regardless of how you do it, voting on risks has many important and immediate benefits for your ERM program.

First, voting helps to eliminate some of the groupthink that can creep into risk workshops. When votes are done in real time during a live risk discussion, some participants can be drowned out by louder voices in the room. There can be fear of speaking up against powerful individuals. It can be tempting for participants to simply follow the lead of the “big boss” in the room. Not every organization faces these dynamics, but there is no question that a purer, more organic result is achieved when your workshop participants can vote freely and anonymously. Results can be discussed immediately as a group and votes can be rerun where there is a need to generate consensus – all without drowning out important contributions from less forceful participants.

Second, risk voting can help you better prepare for risk sessions and use your executive team’s time more effectively. Votes can be conducted “offline” through emails that lead contributors to voting screens that they can complete on their own schedule. If this is done for top risks in advance of a risk workshop, it can help you identify the areas where you want to focus your time during the in-person discussion. For example, if you have a high degree of agreement on ratings for risks that are middle-of-the-pack in scoring, do you really want to focus as much time on them in a workshop? Perhaps all they need is a quick review of action plans and a more productive approach for your workshops would be to zero in on the risks that do not have a clear consensus from your management team.

Third, when you distribute voting more broadly into the organization, you have the potential to engage more people in the risk management process. This helps you enhance your risk management culture and helps you gather input from the people who are closer to your daily operations. Not every risk or rating they identify will make it into the enterprise view that you share with your executive team and board, but you will definitely uncover some gems of insight that would not normally make their way up to the leadership team.

Finally, risk voting can play an important role in enhancing engagement in your enterprise risk program. Think about your own level of engagement in a subject when you are given the opportunity to vote in an online poll. As a participant in a vote, you are interested in the results and feel a sense of ownership for the outcome. The same is true for the risk votes you conduct. Your participants will be actively thinking about risk inputs and making risk decisions. Healthy debate may ensue, but your team members will be better engaged in the risk process, gaining useful experience and building up your organization’s risk culture. You will also be generating a treasure trove of information that can be later analyzed to gain new insights into how your organization makes risk-based decisions.
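As an added example (not code from the original post or from the Essential ERM voting feature), here is the tabulation step the post describes done in Python: individual likelihood and impact votes are consolidated per risk, and the spread of the individual scores is used to split a workshop agenda into risks that lack consensus and need live discussion versus risks that only need a quick action-plan review. The vote data, the 1 to 5 scales, the `consolidate` and `workshop_agenda` names and the spread threshold are all constructed assumptions.

```python
from statistics import median, pstdev

# Constructed sample votes: risk -> contributor -> (likelihood, impact), each on a 1..5 scale.
VOTES = {
    "Data breach": {"CFO": (4, 5), "CIO": (4, 5), "COO": (3, 5), "CISO": (4, 4)},
    "Key supplier failure": {"CFO": (2, 4), "CIO": (5, 2), "COO": (1, 5), "CISO": (5, 4)},
    "Office relocation overrun": {"CFO": (3, 2), "CIO": (3, 2), "COO": (2, 2), "CISO": (3, 2)},
}

def consolidate(votes):
    """Per risk: median likelihood and impact, the score (their product) and the
    spread (population standard deviation) of each contributor's own score."""
    out = {}
    for risk, by_voter in votes.items():
        likes = [l for l, _ in by_voter.values()]
        imps = [i for _, i in by_voter.values()]
        scores = [l * i for l, i in by_voter.values()]   # each contributor's own rating
        out[risk] = {
            "likelihood": median(likes),
            "impact": median(imps),
            "score": median(likes) * median(imps),
            "spread": pstdev(scores),
            "voters": len(by_voter),
        }
    return out

def workshop_agenda(consolidated, spread_threshold=3.0):
    """Risks whose individual scores disagree by more than the threshold go to the
    'discuss' list; the rest only need a quick review. Both are highest score first."""
    discuss = [r for r, v in consolidated.items() if v["spread"] > spread_threshold]
    review = [r for r, v in consolidated.items() if v["spread"] <= spread_threshold]
    by_score = lambda r: -consolidated[r]["score"]
    return sorted(discuss, key=by_score), sorted(review, key=by_score)

if __name__ == "__main__":
    results = consolidate(VOTES)
    for risk, v in results.items():
        print(f"{risk:28} score={v['score']:5.1f} spread={v['spread']:4.2f} voters={v['voters']}")
    discuss, review = workshop_agenda(results)
    print("Discuss live:", discuss)
    print("Quick review:", review)
```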

We’d love to hear your thoughts and experiences with risk voting. Is there anything we have missed or any tips and thoughts you can share? If so, please comment below or reach out to us – we’d love to chat.

Thank you!
Jason Doel

Tracker Networks Inc.

What is Top-Down and What is Bottom-Up in ERM?

June 20, 2018 in Enterprise Risk Management, Risk Cultures

Building Effective Risk Cultures

In our first post we opened up the broad topic of effective risk culture, with a focus on the cardinal importance of communication and incentives.

This time we want to introduce an important question for any well-focused risk culture: Which activities require top-down, or centre-out leadership, and what depends on bottom-up or edge-in initiative?

As we suggested last time, culture can be framed as the behavior of individuals in a group, or setting. One thing you can rely on is that your people are already behaving in accordance with the priorities they perceive, and the incentives they actually feel.

But is the management of enterprise-level risks actually a perceived priority? What affects the organization as a whole won’t be felt by every team member, and not all parts of the broader team experience the same uncertainties.

So, INCENTIVES are primarily managed top-down with ERM, partly because the enterprise perspective is strongest at the top of the house, and partly because the authority to create real incentives tends to be concentrated. Question: Who sees the risks to the organization most clearly and are they able to materially incentivize those who can make a difference?

Conversely, with COMMUNICATION, while priorities, protocols, and requirements tend to be transmitted top-down, the more important part of risk communication may come from your people closer to the edge, be it in operations, finance, IT & cyber, or market-facing roles. Question: How effectively do you gather risk insights from those outside the usual discussions and narratives?

Organizations that can establish and reinforce processes and tools to broaden the risk discussion, and match actions to well-aligned incentives, will understandably manage risk more nimbly and more effectively.

Feel free to share your thoughts below and let us know what you would like us to discuss!


Miles Smit, PhD

Tracker Networks
