Implementing Enterprise Risk Management

Editors: Fraser; Simkins and Narvaez

This 650-page book is intended to be a textbook / exercise book, which I believe can be used in a Bachelor’s program for Enterprise Risk Management. It consists of 35 chapters, actually 35 stories, each of which is completed with a questionnaire as a guide for a discussion by a team of students. It is accompanied by another book, namely “Enterprise Risk Management – today’s leading research and best practices for tomorrow’s executives”. The latter is the associated theory book.

Does this mean that you have to read the theory book first? Not if you already have a good basic knowledge of ERM.

The following items from this book are most memorable to me:

  • The PAPA model of LEGO: Park, Adapt, Prepare and Act. The aim is to determine the overarching strategic response based on how quickly things change in a scenario and on the probability that the scenario occurs.
  • The determination of the Risk Appetite based on 7 questions:
  1. How much risk do we think we take now? (Risk perception)
  2. How much risk do we actually take? What evidence do we have? (Risk exposure)
  3. How much risk do we usually like to take? If this is less than under point 1. then we do not feel comfortable. (Risk propensity / culture)
  4. How much risk can we take on / safely? (Risk capacity) This must be greater than under points 1., 2. and 3.
  5. How much risk do we think we should take? (Risk attitude)
  6. How much risk do we actually want to take? (Risk appetite)
  7. How can we implement measures and limits within the processes, products and business units to ensure that our total risk appetite is not exceeded? (Risk limits)
  • What UW (University of Washington) decided about their ERM Model:

    • Assess the risks in the context of the strategic objectives, and identify the interrelation of risk factors throughout the institution, not just per function.
    • Handle all types of risks: compliance, financial, operational, and strategic.
    • Grow a general awareness that allows individuals to focus their attention on risks with a strategic impact.
    • Improve and reinforce UW’s culture of compliance, while protecting the decentralized, collaborative and entrepreneurial orientation of the institution.

  • The three lines of defense of TD Bank: 1) the business and the accountants, 2) the functions that set standards and challenge the business to improve its governance, as well as the responsibilities and liabilities of its risk and control groups, and 3) an independent internal audit.
  • The ERM objectives of Zurich Insurance Group:

    • Protect the basic capital so that the risks that are taken do not exceed the risk tolerance.
    • Improve value creation and contribute to an optimal risk / return profile.
    • Support decision-makers with consistent, timely and correct information about the risks.
    • Protect the reputation and brand through a healthy culture of risk awareness and disciplined, informed risk-taking.

This is just a small sample of the valuable examples that the book displays.

Business Continuity And The Pandemic Threat

Author: Robert A. Clark

With this book the author, Robert A. Clark, draws attention to an important issue on the border between BCM and Risk Management, but one that is traditionally assigned to BCM, namely the pandemic threat. This threat is relevant because, statistically, it has manifested itself every 30 years on average over the last 300 years.

The book is divided into two parts: ‘Part I: Understanding the Threat’ and ‘Part II: Preparing for the Inevitable’.

Part I talks extensively about micro-organisms, what a pandemic really is, the dangers of germs in the hands of criminals and terrorists, a brief history of the most important known pandemics, and the danger of hospital bacteria (antimicrobial resistance, or AMR). In two separate chapters, he elaborates on the cases of SARS and the Spanish Flu of 1918-1919, which serve as the classic examples throughout the book. He concludes Part I with a comparison between the two cases, which remain the extremes: the Spanish flu with 50,000,000 deaths and SARS with a good 1000 deaths and ‘only’ 8,000 infections worldwide.

Part II deals with the approach to pandemics. He starts from two positions: preparation and response. He talks about what can be done at the global, national, organizational and individual level. What is important in Part II is, in my opinion, the attention he gives to the key points of a pandemic plan. He does this, however, without giving a concrete pandemic plan or template. He makes up for this by referring in the appendices to a website where a template can be found. But he does not stop there. He also describes what to do with the plan if there is no pandemic: practice and validate. He gives an overview of a number of types of exercises, ranging from very simple to very complex and extensive.

Among the characteristics of a pandemic plan, only limited attention is given to the supply chain.

It has since been noted that the template is no longer available on the website. An example of a pandemic plan (in Dutch) can be found on this website: ‘’

A Risk identification method

Author: Manu Steens

This method is in line with the COSO-ERM approach when it comes to setting the objectives of the company and identifying both static and dynamic risks throughout the entity.

The structure is a matrix shaped by, on the one hand, the objectives (strategic and operational objectives) and, on the other hand, the possible internal and external factors found in the quick scan.

This matrix approach promotes the completeness of the risk identification and provides a structure for the organization of the risks.

More specifically, this ‘risk matrix’ looks like the one shown below (the Risks column is subdivided per strategic goal SG, and within each SG per operational goal OG):

nr | Aspects                                  | Quick Scan findings | Risks: mention the incidents, their probability, cause and consequence
   |                                          |                     | Strategic goals:   SG1              | SG2
   |                                          |                     | Operational goals: OG1-1 | OG1-2    | OG2-1 | OG2-2
 1 | Process management                       |                     |
 2 | Stakeholder management                   |                     |
 3 | Monitoring                               |                     |
 4 | Organization structure                   |                     |
 5 | Human Resources Management               |                     |
 6 | Organization culture                     |                     |
 7 | Information and communication            |                     |
 8 | Financial management                     |                     |
 9 | Facility management                      |                     |
10 | Information and communication technology |                     |
11 | External factors                         |                     |

By filling in this matrix, the CRO answers three essential questions:

  1. Which objectives of the entity are subject to research?
  2. Which parts / aspects of the organization are the subject of research?
  3. In which risks is further insight required?

In a first step, the potential risks to which the entity is exposed are examined on the basis of a quick scan.

As a second step, the CRO has to check systematically with the business which of the risk problem fields identified in the quick scan occur in the company and which require further investigation. For this he must question the internal and external experts and the management team concerned.

The quick scan can usually be developed by surveying the experts on what they generally consider realistic risks in relation to the aspects listed in the matrix. This can be supplemented with desk research using annual reports, audit reports, risk inventories from occupational safety, fire prevention plans, continuity plans, incident registrations, and damage history including the registration of near misses.

Afterwards the matrix is “weighted” against the quick scan in step 2, whereby it must be clearly decided which risks bear on which strategic and operational objectives. In periodic interviews with the management team, the company then asks which risks they see, how these risks affect the organization and what is done to control them. A first overview of existing control measures can already be included in the quick scan.

BCM – How to determine the criticality of a process in a BIA?

Authors: Joris Bouve and Manu Steens

In BCM there is a lot of talk about time-critical processes (TCP), essential processes (EP) and necessary processes (NP).

The usual definitions are:

  • TCP: those processes that have to be restarted within two working days;
  • EP: those processes that do not have to restart within two days, but within two weeks;
  • NP: those processes that do not have to restart within two weeks, but within two months.

How critical a process is can also be approached in a different way: if the impact of a too long outage of the process (e.g. > 2 days) becomes too much to handle, then you have to restart the process quickly (e.g. within 2 days).

The question here is: how do you determine the criticality of a process?

Proceed as follows (see table below):

  • List the processes in the [process] column;
  • Determine the impact on your service if the process threatens to fail, in the following columns.
  1. If the impact is of such a nature that the service is seriously compromised in the event of an outage that would last for more than 2 days, or if there is a legal provision that requires a restart within a period of 2 days, you describe that impact in the column [Impact when outage > 2 days]. It is then a time-critical process. In the [process criticality] column, enter TCP.
  2. In the column [Impact when outage > 2 days] you can also state what measures you will take to minimize the effect, or how you can still guarantee the intended service.
  3. If the impact is of such a nature that the service is seriously compromised in the event of an outage that would last more than 2 weeks, or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column [Impact when outage > 2 weeks]. It is then an essential process. In the [process criticality] column, enter EP.
  4. If the impact is such that the service is seriously compromised in the event of an outage that would last for more than 2 months, or if there is a legal provision that requires a restart within a period of 2 weeks, you describe that impact in the column [Impact when outage > 2 months]. It is then a necessary process. In the [process criticality] column, enter NP.

In the column [dependencies] you enter which expertise, logistic means, IT resources, … you need.
As described under the second point, you enter in the column [process criticality] which category the process belongs to: time-critical, essential, or necessary.

Process        | Impact when outage > 2 days | Impact when outage > 2 weeks | Impact when outage > 2 months | Dependencies | Criticality of process
[name process] | [Description]               | [Description]                | [Description]                 |              | TCP/EP/NP


Two examples:

  • The crisis management process. If this starts only after an hour, serious reputational damage can already be caused by, for example, incorrect communication in the media. It must therefore certainly be started within two days. The 2 columns next to it no longer need to be filled in. Under dependencies you list, for example, the required expertise, the meeting room, laptops, smartphones, communication tools, etc. In the last column you enter the chosen type of process, in this case TCP.
  • Process X must be able to start up within 5 days in August, because otherwise a rule from the legislation can be violated, with corresponding fines and reputational damage. You describe this in the column [Impact when outage > 2 weeks] and choose the process type ‘EP’. Under dependencies you can, for example, write communication with the bank, the name of an administrative employee and the right software program.

This choice of type of process (TCP, EP or NP) can then be adopted one by one in the Business Impact Analysis. The dependencies can also be taken over.
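The classification rule above, applied to BIA rows, as an added example that is not part of the original article. It assumes day counts of 2, 14 and 60 for the three horizons, and takes the shortest horizon implied by either a described impact or a legal restart deadline, so the two worked cases from the text come out as TCP and EP.

```python
# Added example, not from the original article: apply the TCP / EP / NP rule to BIA rows.
from dataclasses import dataclass, field
from typing import Optional

# Assumed day counts for the three outage horizons used in the table.
TWO_DAYS, TWO_WEEKS, TWO_MONTHS = 2, 14, 60


@dataclass
class BiaRow:
    process: str
    impact_2_days: str = ""      # filled in when service is seriously compromised after > 2 days
    impact_2_weeks: str = ""     # filled in when service is seriously compromised after > 2 weeks
    impact_2_months: str = ""    # filled in when service is seriously compromised after > 2 months
    legal_restart_days: Optional[int] = None  # restart deadline imposed by legislation, if any
    dependencies: list = field(default_factory=list)


def required_restart_days(row: BiaRow) -> Optional[int]:
    """Shortest restart horizon implied by the impact columns or a legal deadline."""
    horizons = []
    if row.impact_2_days:
        horizons.append(TWO_DAYS)
    if row.impact_2_weeks:
        horizons.append(TWO_WEEKS)
    if row.impact_2_months:
        horizons.append(TWO_MONTHS)
    if row.legal_restart_days is not None:
        horizons.append(row.legal_restart_days)
    return min(horizons) if horizons else None


def criticality(row: BiaRow) -> str:
    """Return TCP, EP, NP, or '-' when nothing forces a restart within two months."""
    days = required_restart_days(row)
    if days is None or days > TWO_MONTHS:
        return "-"
    if days <= TWO_DAYS:
        return "TCP"
    if days <= TWO_WEEKS:
        return "EP"
    return "NP"


# The two cases from the text (constructed rows).
CRISIS_MANAGEMENT = BiaRow("crisis management", impact_2_days="reputational damage within an hour",
                           dependencies=["expertise", "meeting room", "laptops", "smartphones"])
PROCESS_X = BiaRow("process X", legal_restart_days=5,
                   dependencies=["communication with the bank", "administrative employee"])
```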


Risk management strictly speaking – Key Risk Indicators and risk intelligence

Author: Manu Steens

An important concept in strategic risk management is that of risk intelligence.

Risk intelligence is a “systematic process for gathering and analyzing information about the risks of the organization’s business, to be able to make strategic decisions based on this and then to do better as business in a competitive environment.” So it is a possible answer to competitive intelligence from potential opponents.

It is therefore broader than a classic risk analysis process with accompanying actions. It covers all relevant information.

The organization must therefore be capable of anticipating events and external impulses for change. Furthermore, it must be a process, because risks change, strategies must be able to be adjusted, and new risks constantly arise.

Indicators are one possible kind of predictor: KPIs and KRIs (Key Performance Indicators and Key Risk Indicators). I discuss the KRI here. (Please note: the KRI provides information; the analysis of this information, to create knowledge, must still be done by the owners of the risk.)

KRI based on outcomes

Key Risk Indicators are often effect indicators. They measure whether the set objectives, the outcomes of the processes, have been met.

KRI on the basis of outcomes are effect indicators. Conversely, effect indicators can be considered a subclass of the risk indicators. However, it is best to speak of effect indicators with people who are averse to risk management as yet another topic that management is preoccupied with.

But how do you arrive at effect indicators?

Strictly speaking, by determining the outcomes of the process, the project, the objective. A trick to determine these outcomes is not to take the output of the processes or projects as the final stage of the activity, but the purpose of the activity. This can be done by describing the process / project in one or only a few sentences, and ending this description with one or more completions after the words “in order to …” or “so that …”.

Against these you set criteria that you then periodically want to monitor, to see whether they are exceeded, show a trend, make a jump, and the like.

An example here can create clarity.

In the operation of a BCM manager, there is a process that starts with each cycle. This cycle can be described in ISO 22301, but also in the GPG of

An example, for crisis communication: “Speaking to the media with a clear voice from the organization during the crisis”. This is an objective of the crisis management team, because the goal during a crisis is that the transfer of information is easily verifiable, as complete as possible and in accordance with the requirements of the moment. The undesirable outcome you risk is that a number of people wrongfully talk to the media, with all the wrong information flows that can follow from that. You can therefore take a measurement as follows:

T = “Sum of (The number of people who (unjustly) speak to the media) of the crises that month.”

You can then illustrate the measurement with smileys as follows:

Green smiley: 0 people

Yellow smiley: you do not use this one here

Red smiley: 1 or more people

Gray smiley: there was no need for communication to the media because no crisis was handled that month.

KRI based on risk analysis

But there is also a second class of Key Risk Indicators, which do not base themselves on the outcomes or targets set, but which refer back to the risk analysis of the process, the project or the objective (s).

An explanation of the method can most easily be illustrated with the Bow-Tie risk analysis method.

In the Bow-Tie method one can work predictively by looking at the left side (preventive side) of the bow tie, where one has drilled down to the root causes of a desired or undesirable event.

Once the relevant causes have been inventoried, criteria must be established under which these causes occur. For example, (hypothetical) accidents among foresters peak when 15% of foresters have less than 1 year of experience in the sector and their supervisors are younger than 30. Then one can draw up a KRI for HRM to track the age of the supervisors in combination with the experience of their staff. When a new recruitment causes this combination to exceed the criterion, a reshuffling of seniors and juniors can be implemented, for example.

As one readily sees, these KRI are certainly important for their predictive power. They are predictive, whereas the KRI based on outcomes show that something has gone wrong or is going wrong.
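Both kinds of KRI from this section, the outcome-based media-contact measurement T with its smiley colours and the hypothetical foresters criterion from the Bow-Tie analysis, as an added example that is not part of the original article. The data classes, the constructed crisis and staff records, and the reading of the foresters criterion as "the share of foresters with under 1 year of experience whose supervisor is under 30 reaches 15%" are assumptions.

```python
# Added example, not from the original article: a lagging (outcome) KRI and a leading
# (risk-analysis) KRI, using the two cases described in the text.
from dataclasses import dataclass


@dataclass
class Crisis:
    name: str
    unjust_media_contacts: int  # people who (unjustly) spoke to the media during this crisis


def media_kri(crises_this_month):
    """T = sum over the month's crises of the number of people who unjustly spoke to the media."""
    return sum(c.unjust_media_contacts for c in crises_this_month)


def media_smiley(crises_this_month):
    """Gray when no crisis was handled; green when T == 0; red when T >= 1 (no yellow here)."""
    if not crises_this_month:
        return "gray"
    return "green" if media_kri(crises_this_month) == 0 else "red"


@dataclass
class Forester:
    years_experience: float
    supervisor_age: int


def hrm_kri(foresters, junior_share_limit=0.15, supervisor_age_limit=30):
    """Leading KRI: share of foresters with < 1 year of experience AND a supervisor under 30.
    Returns (share, exceeded) so HRM can act before the accident peak, not after it."""
    if not foresters:
        return 0.0, False
    at_risk = [f for f in foresters
               if f.years_experience < 1 and f.supervisor_age < supervisor_age_limit]
    share = len(at_risk) / len(foresters)
    return share, share >= junior_share_limit


# Constructed sample data.
MARCH_CRISES = [Crisis("data centre flood", 0), Crisis("product recall", 2)]
APRIL_CRISES = [Crisis("phishing wave", 0)]
FOREST_TEAM = [Forester(0.5, 28)] * 4 + [Forester(6.0, 45)] * 16   # 4 of 20 at risk = 20 %
```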

That predictive indicators can make the difference between success and failure in the intended effect, and they are based on the results of the complete risk analysis, is a reason to carry out a complete risk analysis according to the American model.

The important thing about the KRI is that it is possible to adapt the existing strategies during the process. One can anticipate.