Guide To Effective Risk Management 3.0

Authors: Alex Sidorenko and Elena Demidenko

This book about risk management differs from the other books I have read on the subject. It is an e-book that does not work with text alone. The texts, usually a page per subject as an appetizer, alternate with to-do checklists and many lists of click-through links to YouTube videos and web pages with further explanation. It is a handy book full of do's and don'ts for the tasks that belong to risk management, and the checklists make a useful task list for a CRO.

The book is structured around three major objectives: 1) drive risk culture; 2) help integrate risk management into the business; 3) become a trusted advisor. What stayed with me?

Drive risk culture: make sure you have a suitable framework for working on risk management. Knowledge of the regulations the company must comply with is important, and ISO 31000 can be a handy standard. Command of suitable risk analysis techniques is an advantage; from the very start the authors talk about Monte Carlo simulation and scenario analysis. As always, involving top management is a must. All the classics of risk management are discussed, but there are also useful tips, such as discussing risks per topic in the board meeting rather than making risk management a separate agenda item. Furthermore, a no-blame culture is essential; that is only logical, because you still have to work with others to improve the performance of the organization. Another important psychological tip is to write risk management responsibilities into job descriptions. Finally, it was an eye-opener that risk management is primarily a matter of change management for the culture of the organization.
Help integrate risk management into the business: risk management should not be something bolted on, but something built into the work itself. It is very important, for example, that it is integrated into the different types of decisions being taken. After all, an informed decision always weighs the advantages and disadvantages (the impact) against the chances that they will occur. That is why it is also important that the business and the CRO speak the same language. And when things go wrong, the business must be able to escalate in a simple way.
Become a trusted advisor: know the business, but also know your risk management techniques. Keep up your skills in scenario analysis, stress testing, Monte Carlo techniques, game theory, behavioral psychology and so on; many different scientific techniques can be applied. Together with a look at the environment, they allow you to inform management about emerging risks. Finally, you do not do it all alone. You can rely on the help of people in the organization (risk champions), but also on the knowledge of colleagues in other organizations. So networking is the message.

The number of topics is very large, and with all the references it contains, it is a very strong book. It is advisable to take your time and also watch the videos, as a different form of learning. Because of this structure, the book does not have to be read from front to back; you can start at any point, depending on the needs of the moment.

The book is freely available on the website of RISK-ACADEMY:

https://www.risk-academy.ru/en/download/risk-management-book/

Crisis, Issues and Reputation Management

Author: Andrew Griffin

In this book the author analyzes the links between issues, incidents and reputation. Crisis management also comes to the surface: a crisis can arise from issues or incidents, and can threaten reputation. This makes the book relevant to the environment in which organizations function today, since the rise of social media has made such issues more frequent.

The book is divided into two large parts.

The first part sets out the links between issues and incidents, in both an external and an internal context. The author further divides issues into negative and positive, each with a possible reactive or proactive approach. This part ends with an overview of inter-related risks, or how internal and external issues and incidents can overlap during a crisis. All of this is illustrated with a large number of examples.

So much for the theoretical part.

The second part starts with an overview of the reputation cycle before, during and after a crisis. The big steps are:

  1. Prediction, including horizon scanning, stakeholder interests and reputation assessments.
  2. Prevention, with, among other things, a reputation-risk architecture, training and awareness.
  3. Preparation for the crisis.
  4. Resolution, with issues management and change management.
  5. Response, with strategic crisis management and crisis communication.
  6. Recovery, with lessons-based performance improvement, the re-acquisition of trust and changes in organization and strategy.

Each of these six steps is then explored in its own chapter, and every chapter would be worth a book of its own.

One of the biggest take-away messages of the book is that a crisis always offers the organization an opportunity to change and adapt.

Crisis Communications – The Definitive Guide To Managing The Message

Author: Steven Fink

In 34 chapters, the author explains what crisis communication is about. Everyone knows the formula:

  • We Know;
  • We Care;
  • We Do;
  • We’ll be Back.

But if it stops there, you miss a lot. Note that "we know, we care, we do, we'll be back" is already a good start when you have just landed in a crisis. The problem arises when you pile on too many stereotypical phrases; then the crowd reacts with "Yeah, right!". The same happens when you want to say "We're sorry" and get it wrong.

Communication is so much more, and be warned, not everyone can do it. Yet some positions in the organization (often the CEO) have to step forward under certain circumstances, and the pitfall of "No comment!" and the like is never far away. The book therefore opens with an example of how not to do it: "I'd like my life back". The author writes with many examples from his own practice, and he goes on to describe what the CEO of BP should have said and done.

There are many more lessons to be learned from the book. I will pick out a few things that have stayed with me.

The first is: how do you recognize a spokesperson? This rare bird has the following characteristics:

  • He / she wants to do it;
  • He / she is credible;
  • He / she speaks intelligibly (without jargon) and clearly;
  • He / she is sympathetic;
  • He / she comes across as warm and likeable;
  • He / she knows the subject matter;
  • He / she is not easily influenced.

He / she also has a good intuitive feel for the following questions:

  • What do you do with an aggressive reporter who interrupts you with a new question?
  • Do you always answer the question asked?
  • If there are several camera crews, do you know where to look?
  • What if many questions are asked at once?

A second thing that stays with me is the phenomenon of "lawyers". They often want to hear "no comment", so that showing empathy (We Care, We're sorry) cannot be read as a (false?) admission of guilt, which would mean a lot of extra work in the courtroom. So you talk to them and consult them, but "no comment" is not an option.

Mark Twain's quote also sticks: "Always tell the truth; that way you do not have to remember anything." But remember: the whole truth is for the courtroom only. Closely tied to this is the reputation of the organization and the amount of goodwill it enjoys among its customers.

One of the most difficult things is communicating when there are casualties. Then the audience wants to know three things:

  • What happened? State the facts.
  • How did it happen? Do not speculate about this. Say that you are investigating it, and that is true: the answer is only known definitively after the judicial investigation.
  • What are you doing about it? Do not say that it will never happen again; you cannot promise that. Say instead that there is an ongoing investigation and that you will give more information as soon as results become available.

Sometimes you have to say sorry. This is best done on your own initiative, and first: it steals the other side's thunder.

You also need to know what is your crisis and what is not. You solve your crisis; the rest is for the police and the courts. So first recognize, identify and isolate your own crisis.

Then there are the crisis communication strategies. You have to be able to deal with a number of common questions and rules:

  • Who will you communicate with?
  • How will you do it?
  • Who speaks with the counterparts?
  • Is the government on your side?
  • What is the key message?
  • How do you keep coming back to it?
  • Which questions should you anticipate?
  • Keep the message specific.
  • Stay understandable; do not hide behind jargon!
  • Be honest and back it up with evidence.
  • Decide on the take-away message.
  • Use examples and metaphors that people can understand.
  • And last but not least: decide what you will do if you yourself are the crisis.

And then, as icing on the cake: how do you build a defensible decision?

The book reads smoothly and is richly illustrated with practical examples of how things should and should not be done. It does not guarantee that you will be a crisis communicator after reading it, but it is a good start: practice, practice and practice again.

Implementing Enterprise Risk Management

Editors: Fraser, Simkins and Narvaez

This 650-page book is intended as a textbook / exercise book, which I believe can be used in a Bachelor's program in Enterprise Risk Management. It consists of 35 chapters, really 35 case stories, each of which ends with a set of questions to guide a discussion by a team of students. It accompanies another book, "Enterprise Risk Management – today's leading research and best practices for tomorrow's executives", which is the associated theory book.

Does this mean you have to read the theory book first? Not if you already have a good basic knowledge of ERM.

The following items from this book are most memorable to me:

  • LEGO's PAPA model: Park, Adapt, Prepare and Act. The aim is to determine the overarching strategic response to a scenario based on how quickly it would unfold and how probable it is.
  • The determination of risk appetite based on seven questions:
    1. How much risk do we think we are taking now? (Risk perception)
    2. How much risk are we actually taking? What evidence do we have? (Risk exposure)
    3. How much risk do we usually like to take? If this is less than the answer to question 1, we are not comfortable. (Risk propensity / culture)
    4. How much risk can we take on safely? (Risk capacity) This must be greater than the answers to questions 1, 2 and 3.
    5. How much risk do we think we should take? (Risk attitude)
    6. How much risk do we actually want to take? (Risk appetite)
    7. How do we implement measures and limits within processes, products and business units to ensure that our total risk appetite is not exceeded? (Risk limits)
  • What the University of Washington (UW) decided about its ERM model:

    • Assess risks in the context of the strategic objectives, and identify the interrelation of risk factors across the whole institution, not just per function.
    • Handle all types of risk: compliance, financial, operational and strategic.
    • Grow a general awareness that allows individuals to focus their attention on risks with a strategic impact.
    • Improve and reinforce UW's culture of compliance, while protecting the decentralized, collaborative and entrepreneurial orientation of the institution.

  • The three lines of defense at TD Bank: 1) the business units, which own their risks and controls; 2) the oversight functions, which set standards and challenge the business to improve its governance, risks and controls; and 3) an independent internal audit.
  • The ERM objectives of Zurich Insurance Group:

    • Protect the capital base so that the risks taken do not exceed the risk tolerance.
    • Enhance value creation and contribute to an optimal risk / return profile.
    • Support decision-makers with consistent, timely and correct information about risks.
    • Protect reputation and brand through a healthy culture of risk awareness and disciplined, informed risk-taking.

This is just a small sample of the valuable examples the book offers.

Business Continuity And The Pandemic Threat

Author: Robert A. Clark

With this book the author, Robert A. Clark, draws attention to an important issue on the border between BCM and risk management, but one that is traditionally assigned to BCM: the pandemic threat. The threat is relevant because, statistically, it has manifested itself on average every 30 years over the last 300 years.

The book is divided into two parts: "Part I: Understanding the Threat" and "Part II: Preparing for the Inevitable".

Part I talks extensively about micro-organisms, what a pandemic really is, the dangers of germs in the hands of criminals and terrorists, a brief history of the most important known pandemics, and the danger of hospital bacteria (antimicrobial resistance, AMR). In two separate chapters he elaborates on the cases of SARS and the Spanish Flu of 1918-1919, which serve as the classic examples throughout the book. He concludes Part I with a comparison of these two cases, which represent the extremes: the Spanish Flu with 50,000,000 deaths and SARS with fewer than 1,000 deaths and "only" about 8,000 infections worldwide.

Part II deals with the approach to pandemics. He starts from two positions, preparation and response, and discusses what can be done at the global, national, organizational and individual level. What matters most in Part II, in my opinion, is the attention he gives to the key points of a pandemic plan. He does this without giving a concrete pandemic plan or template, but makes up for it by referring in the appendices to a website where a template can be found: www.bcm-consultancy.com/pandemicthreat. It does not stop there. He also describes what to do with the plan when there is no pandemic: exercise and validate it. He gives an overview of a number of types of exercises, ranging from very simple to very complex and extensive.

Only a limited part of the discussion of a pandemic plan's characteristics is devoted to the supply chain.

It has since been noted that the template is no longer available on that website. An example of a pandemic plan (in Dutch) can be found here: http://www.emannuel.eu/uncategorized/pandemieplan/