Enterprise risk management
BAWA was the venue once again for this well attended event. Our speaker tonight was David O’Regan, who spoke recently at the SWWE Branch Corporate Advisory Group Meeting. We were impressed and wished to give members the opportunity to understand a different perspective on risk management, one focussed on the enterprise or business level.
We are grateful tonight to David for offering to present his thoughts on Enterprise Risk Management (ERM). David works for LSC Ltd and is a risk professional with a deep understanding of both the theory and practice of managing risk.
David explained that risk management had its genesis in financial institutions concerned with compliance and protecting investment. Since the 1960s risk management has been applied to projects, typically in a bottom-up approach with responsibility lying with the Project Manager; it is therefore focussed on the project alone.
He explained further the limitations of such an approach. At an organisation level, there is no centralised view of the totality of risk across its portfolio of projects, so related risks, such as a shortage of suitably qualified and skilled staff, are unlikely to be managed corporately. Risk management is likely to be applied inconsistently, with biases from individual PMs, and there is no formal oversight of how risks are managed. At the project level, risk can be managed in a bubble, risks are not always managed by the right people at the right level, and projects may not get the required support and resources to manage risks.
David explained that ERM is not a departure from traditional project-focussed RM but is supplementary to it, and is intended to address these limitations by taking a holistic view of risk across an organisation.
He outlined the ISO 31000 RM process. It is important to understand the context within which the organisation operates, both internally and externally, and the stakeholder expectations. This provides a complete picture for the business, programme and project, and allows the organisation to develop a risk strategy: risk aggressive, risk averse, or a blend of both. The organisation can then plan how risk is to be managed at the enterprise level, and what the benefits and outcomes are. The plan is then communicated throughout the organisation so that there is consistency, as well as to external stakeholders such as regulators and shareholders.
Monitoring is needed to collect and analyse risk data and information, which will be required in a standard format. Responsibility for monitoring and decision making needs to be made clear. Review of the processes is required to confirm the benefits are being delivered, to check trends and to adjust to changes in the risk context of the organisation.
David then looked at 4 case study scenarios to demonstrate the advantages of using ERM to supplement traditional RM. He emphasised the value of ERM in allowing a wider context to be understood, consistency in approach, assurance that projects are managing risks effectively, that risks are managed at the right level, better decision making and better confidence for stakeholders such as regulators, shareholders, and customers.
Successful implementation of ERM needs top-level buy-in, a clear organisational structure and responsibilities, an effective information system, well trained risk managers and the right culture, one which values the benefits of ERM.
In conclusion, David summarised the limitations of traditional RM and how ERM addresses those limitations by:
– Creating a common structure and approach to risk management
– Ensuring accountability
– Communicating risk information to the right people
– Constantly reviewing both risks and risk management to make sure the process is effective and efficient
– Using the wider business to help projects meet their target
The presentation slides can be viewed below.