Risk management, strictly speaking – success factors of support

Author: Manu Steens

An organizational structure, a decree or law, one or more measures, … must be supported to succeed. To be supported, they must be recognized. (I have no criterion to say in which cases this model is relevant at all; for that, a study of successful and failed businesses in hindsight should be done.)

Recognition in itself, however, is based on four success factors:

  • legitimacy,
  • cohesion of the target group due to proximity with civilians / the employees of the organisation,
  • effectiveness with purpose and perseverance,
  • authority.

These four pillars are interdependent. If you remove one leg from the table, the other legs will come along and the table will fall. So you cannot actually view them as independent. For the sake of the further discussion, I do that here anyway.

One thing that seems to be clearly supported is the EU's GDPR regulation. Something that does not seem to be supported is the Brexit. Let us therefore illustrate the idea with these two cases.

Success factors of support applied to the GDPR.

  • Legitimacy: The GDPR legislation was imposed by the EU and applies to all EU countries for implementation.
  • Cohesion of the target group through proximity: The EU countries are interdependent because they are tied to the EU, but also because they have free movement of people, which implies that citizens enjoy similar legislation while travelling within the EU. At the same time, the EU is for the most part a coherent whole, as a result of which the countries are coherent in supporting the legislation. Proximity is perhaps best illustrated by the fact that EU citizens have recognized the legislation as something that concerns them very much. It belonged very quickly to the
  • Effectiveness: A veritable Barnum-style advertising campaign was conducted for the GDPR, pointing out that this legislation applies to the citizen. This was so effective that the people and the organizations of the EU are aware of their rights. And in the very short term jobs have been created, e.g. lawyers specializing in the GDPR, but also DPOs, courses, …
  • Authority: The legislation itself also provides for punitive measures in case organizations in the EU fail to apply the law, and auditing capabilities were provided. Partly as a result of the possible effect of this hammer, many organizations applied the law, and there was a great sense of “doing something about it”.

Conclusion: thanks to the Barnum-style advertising, this legislation was strongly founded on these four success factors, so that it could actually only succeed.

Success factors of support applied to the Brexit.

  • Legitimacy: It came about through an unclear referendum with a majority only “behind the comma” (in the decimals). There is total division within and across the political parties and within the people. The British Prime Minister was therefore completely stuck in a gap of uncertainty. None of the proposals from the EU or the British themselves was accepted by a clear majority.
  • Cohesion: The British are divided. The votes for and against are almost evenly split and without clear coherence. Many people, together with their politicians, attach great importance to their sovereignty. Others opt for the possibilities that a cohesive Europe together with the British could offer. The connection is lost. The division goes down to the granular level of the population.
  • Effectiveness: Due to a great deal of uncertainty, all proposals about the Brexit in a reasonable manner were As a result, it is regularly postponed. As a result of that, it is unclear how, if and when the Brexit will be a fact.
  • Authority: The Brexit could turn out differently from day to day in a new referendum. There is also a difference of opinion between, for example, the Scots and the rest of the British. In addition, the British regularly quote the historic words of Churchill that “GB is with the EU but not of the EU”.

Conclusion: The Brexit cannot be called a success.

Exponential Organizations

Authors: Salim Ismail; Michael S. Malone; Yuri Van Geest

Humanity has been busy with productivity since time immemorial. Production provided people with scarce resources that were / are worth a lot because of their scarcity. In the last decade, the Internet has come to the forefront, bringing with it the concepts of “creative destruction” and “disruptive technology”. Fifteen years ago the big companies usually thought of the Internet as “a passing phenomenon”. Nowadays, after an explanation about exponential organizations, they realize that the Internet is a phenomenon that is the beginning of everything.

But what are they, those “Exponential organizations”?

These are usually small organizations that make use of the latest technology to come up with new solutions for market demands, for which solutions sometimes already exist. Through the new application they conquer the market in a very short time, in an exponential way. Examples include smartphones and tablets, which have created a problem for the photography and paper-newspaper worlds.

The “nice thing” about this phenomenon is that, because technology has become a common good, an adolescent in a garage can make an invention that turns the world of a gigantic company with thousands of employees upside down in a very short time.

That is why it is important that all organizations transform themselves into exponential organizations and disrupt themselves. Because if they do not do it themselves, someone else will. Hence disruption as a means of risk management and business continuity.

In the book, which is the result of a study by SU (Singularity University), the authors give a number of points of interest. These are given by the mnemonics MTP, SCALE and IDEAS.

Very important is that, in contrast to large monoliths, the small ExOs are organized lean and mean. The book does not go very deep into this, but large monoliths can also benefit from their advantages by collaborating with existing ExOs or by creating ExOs at the edges of their organization.

Explorations in Monte Carlo Methods

Undergraduate Texts in Mathematics.

Authors: Ronald W. Shonkwiler and Franklin Mendivil.

The Monte Carlo method is a technique for analyzing phenomena by means of computer algorithms that use random numbers. The method basically owes its existence to the existence of computers.

In this book the authors give an introduction. It is a book of examples, with every step that is made in theory. In their book they use the Matlab product to develop program examples, although other programming languages (C, C++, Pascal, Delphi) can be called just as suitable or more suitable. This approach with program examples makes it very tangible for exact scientists.

Monte Carlo techniques are useful in a wide variety of domains: from estimates of the number pi, to calculations of mutations in cells, to the financial risks run when playing in casinos or the evolution of the market.

This book is a very general introduction to Monte Carlo, in the sense that it gives no preference to a certain type of subject. Although it is a very good book for getting a general idea of how Monte Carlo can be used in all kinds of fields, it is not a book that you immediately benefit from as a risk manager. The application of Monte Carlo to machine breakdown, or to high-level financial decisions, is not discussed. This requires more specialized literature.

But as a didactic introductory mathematical work for knowing exactly what Monte Carlo techniques are capable of, it is definitely recommended. If you work through this book, you are still more layman than specialist, but you are no longer an absolute beginner. You get an idea of the importance of the central limit theorem, of Markov chains, and of a whole bunch of other things.
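As an added illustration of the two points above (the estimate of pi mentioned as a typical Monte Carlo application, and the role of the central limit theorem in judging the result), here is a small Python example. It is not code from the book or from the authors: it writes the general estimator of which the pi computation is one instance, namely "count how often a simulated event happens", and attaches the standard error and confidence interval that the central limit theorem justifies. The seed value and the sample sizes are arbitrary choices made here.

```python
import math
import random
from typing import Callable, Tuple

# An event is any function that draws from the generator and says whether the event occurred.
Event = Callable[[random.Random], bool]


def monte_carlo_probability(event: Event, n_samples: int, seed: int = 12345) -> Tuple[float, float]:
    """Estimate P(event) from n_samples independent trials.

    Returns (p_hat, standard error). The hit count is binomial, so by the central
    limit theorem p_hat is approximately normal for large n with standard error
    sqrt(p(1-p)/n): the error bar shrinks as 1/sqrt(n), not 1/n.
    """
    if n_samples <= 0:
        raise ValueError("n_samples must be positive")
    rng = random.Random(seed)  # fixed seed (arbitrary value) so a run is reproducible
    hits = sum(1 for _ in range(n_samples) if event(rng))
    p_hat = hits / n_samples
    stderr = math.sqrt(p_hat * (1.0 - p_hat) / n_samples)
    return p_hat, stderr


def in_quarter_circle(rng: random.Random) -> bool:
    """A uniform point in the unit square lies inside the quarter disc with probability pi/4."""
    x, y = rng.random(), rng.random()
    return x * x + y * y <= 1.0


def estimate_pi(n_samples: int, seed: int = 12345) -> Tuple[float, float]:
    """pi = 4 * P(point in quarter circle); the standard error scales by the same factor 4."""
    p_hat, stderr = monte_carlo_probability(in_quarter_circle, n_samples, seed)
    return 4.0 * p_hat, 4.0 * stderr


def confidence_interval(p_hat: float, stderr: float, z: float = 1.96) -> Tuple[float, float]:
    """Normal-approximation interval (95% for z = 1.96); valid for large n by the CLT."""
    return p_hat - z * stderr, p_hat + z * stderr


def samples_for_stderr(p: float, target_stderr: float) -> int:
    """Trials needed so that the standard error of p_hat is at most target_stderr.

    Inverting sqrt(p(1-p)/n) <= target gives n >= p(1-p)/target^2: halving the
    error bar costs four times as many trials.
    """
    return math.ceil(p * (1.0 - p) / target_stderr ** 2)


if __name__ == "__main__":
    for n in (100, 10_000, 1_000_000):
        pi_hat, se = estimate_pi(n)
        lo, hi = confidence_interval(pi_hat, se)
        print(f"n={n:>9}: pi ~ {pi_hat:.4f}  stderr={se:.4f}  95% CI=({lo:.4f}, {hi:.4f})")
    print("trials for a standard error of 0.001 on a probability near 0.5:",
          samples_for_stderr(0.5, 0.001))
```

Swapping `in_quarter_circle` for any other event you can simulate (a machine being down, a portfolio loss exceeding a threshold) reuses the same estimator and the same error bar, which is what makes the method general; the `samples_for_stderr` helper is the planning step a risk manager needs before trusting a simulated probability.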

For managers who have not enjoyed mathematics for a long time, I have the following advice: try it, your experts might even appreciate it. But if you are lost: no worries, there are still mathematicians out there who are happy to look after your case.

Implementing Enterprise Risk Management

Editors: Fraser; Simkins and Narvaez

This 650-page book is intended as a textbook / exercise book, which I believe can be used in a Bachelor’s program for Enterprise Risk Management. It consists of 35 chapters, actually 35 stories, each of which ends with a questionnaire as a guide for a discussion by a team of students. It is accompanied by another book, namely “Enterprise Risk Management – today’s leading research and best practices for tomorrow’s executives”. The latter is the associated theory book.

Does this mean that you have to read the theory book first? Not if you already have a good basic knowledge of ERM.

The following items from this book are most memorable to me:

  • The PAPA model of LEGO: Park, Adapt, Prepare and Act. The aim is to determine the overarching strategic response based on how quickly things change in a scenario, set against the probability that the scenario occurs.
  • The determination of the Risk Appetite based on 7 questions:

    1. How much risk do we think we take now? (Risk perception)
    2. How much risk do we actually take? What evidence do we have? (Risk exposure)
    3. How much risk do we usually like to take? If this is less than under point 1, then we do not feel comfortable. (Risk propensity / culture)
    4. How much risk can we safely take on? (Risk capacity) This must be greater than under points 1, 2 and 3.
    5. How much risk do we think we should take? (Risk attitude)
    6. How much risk do we actually want to take? (Risk appetite)
    7. How can we implement measures and limits within the processes, products and business units to ensure that our total risk appetite is not exceeded? (Risk limits)

  • What UW (University of Washington) decided about their ERM Model:

    • Assess the risks in the context of the strategic objectives, and identify the interrelation of risk factors throughout the institute, not just for each function exercised.
    • Handle all types of risks: compliance, financial, operational, and strategic.
    • Grow a general awareness that allows individuals to focus their attention on risks with a strategic impact.
    • Improve and reinforce UW’s culture of compliance, while protecting the decentralized, collaborative entrepreneurial orientation of the institute.

  • Three lines of defense of the TD Bank: 1) the business and the accountants, 2) the groups that set standards and challenge the business to improve their governance, risks and controls, each with their own responsibilities and liabilities, and 3) an independent internal audit.
  • The ERM objectives of Zurich Insurance Group:

    • Protect the basic capital so that the risks that are taken do not exceed the risk tolerance.
    • Improve the value creation and contribute to an optimal risk / return profile.
    • Support decision-makers with consistent, timely and correct information about the risks.
    • Protect the reputation and brand through a healthy culture of risk awareness and disciplined, informed risk-taking.

This is just a small sample of the valuable examples that the book displays.

A risk identification method

Author: Manu Steens

This method is in line with the COSO-ERM approach when it comes to setting the objectives of the company and identifying both static and dynamic risks throughout the entity.

The structure is a matrix shaped, on the one hand, by the objectives (strategic and operational objectives) and, on the other hand, by possible internal and external factors: the quick scan.

This matrix approach promotes the completeness of the risk identification and provides a structure for the organization of the risks.

More specifically, this ‘risk matrix’ looks like the one shown below (the Risks column is split per strategic goal, and each strategic goal per operational goal):

 nr | Aspects                                   | Quick Scan findings | Risks: mention the incidents, their probability, cause and consequence
    |                                           |                     | Strategic goals:   SG1               | SG2
    |                                           |                     | Operational goals: OG1-1   | OG1-2   | OG2-1   | OG2-2
  1 | Process management                        |                     |
  2 | Stakeholders management                   |                     |
  3 | Monitoring                                |                     |
  4 | Organisation structure                    |                     |
  5 | Human Resources Management                |                     |
  6 | Organization culture                      |                     |
  7 | Information and communication             |                     |
  8 | Financial management                      |                     |
  9 | Facility management                       |                     |
 10 | Information and communication technology  |                     |
 11 | External factors                          |                     |

By filling in this matrix, the CRO answers three essential questions:

  1. Which objectives of the entity are subject to research?
  2. Which parts / aspects of the organization are the subject of research?
  3. In which risks is further insight required?

In a first step, the potential risks to which the entity is exposed are examined on the basis of a quick scan.

As a second step, the CRO will have to systematically check with the business which of the risk problem fields identified in the quick scan occur in the company and which require further investigation. For this he must question the internal and external experts and the management team in question.

The development of a quick scan can usually be done by conducting a survey among the experts, asking which risks they generally view as realistic in relation to the aspects of the guideline. This can be supplemented with desk research using annual reports, audit reports, risk inventories for occupational safety, fire prevention plans, continuity plans, incident registrations, and damage history including the registration of near misses.

Afterwards the matrix is “weighted” with regard to the quick scan of step 2, whereby it must be clearly chosen which risks have a grip on which strategic and operational objectives. In periodic interviews with the management team, the company then asks which risks they see, how these risks affect the organization and what is done to control them. An overview of existing control measures can already be included in the quick scan.
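To make the matrix and the three steps above concrete, here is an added Python example (my own illustration, not a tool from the method's author or from COSO). It models the matrix as aspect rows versus operational-goal columns, records quick-scan findings and risks with their incident, probability, cause and consequence, and answers the three questions of the CRO: which objectives and which aspects are under study, and which risks still need further insight. The completeness check (empty cells where a finding exists) and the "weighted" view per objective correspond to what the text describes; the rule that a risk "needs insight" when its cause or consequence is still unknown, the probability threshold, and all sample data are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Row headings of the risk matrix on the page (the "Aspects" column).
ASPECTS = [
    "Process management", "Stakeholders management", "Monitoring",
    "Organisation structure", "Human Resources Management", "Organization culture",
    "Information and communication", "Financial management", "Facility management",
    "Information and communication technology", "External factors",
]


@dataclass
class Risk:
    """One entry in a matrix cell: the incident, its probability, cause and consequence."""
    incident: str
    probability: float      # expert estimate in [0, 1]; sample values below are constructed
    cause: str = ""         # left empty while the cause is still unknown
    consequence: str = ""   # left empty while the consequence is still unknown


@dataclass
class RiskMatrix:
    objectives: Dict[str, List[str]]                  # strategic goal -> its operational goals
    findings: Dict[str, str] = field(default_factory=dict)              # aspect -> quick-scan finding
    cells: Dict[Tuple[str, str], List[Risk]] = field(default_factory=dict)  # (aspect, goal) -> risks

    def operational_goals(self) -> List[str]:
        return [og for ogs in self.objectives.values() for og in ogs]

    def add_finding(self, aspect: str, text: str) -> None:
        if aspect not in ASPECTS:
            raise ValueError(f"unknown aspect: {aspect}")
        self.findings[aspect] = text

    def add_risk(self, aspect: str, goal: str, risk: Risk) -> None:
        # Reject entries that do not fit the matrix; they would be invisible in the review.
        if aspect not in ASPECTS:
            raise ValueError(f"unknown aspect: {aspect}")
        if goal not in self.operational_goals():
            raise ValueError(f"unknown operational goal: {goal}")
        if not 0.0 <= risk.probability <= 1.0:
            raise ValueError("probability must be in [0, 1]")
        self.cells.setdefault((aspect, goal), []).append(risk)

    # Question 1: which objectives of the entity are under research? (those with a column)
    def objectives_under_study(self) -> List[str]:
        return self.operational_goals()

    # Question 2: which aspects are under research? (those with a quick-scan finding)
    def aspects_under_study(self) -> List[str]:
        return [a for a in ASPECTS if a in self.findings]

    # Question 3: in which risks is further insight required? Assumption made here: a risk
    # whose cause or consequence is still unknown needs an interview with the business.
    def risks_needing_insight(self) -> List[str]:
        return sorted({r.incident for risks in self.cells.values() for r in risks
                       if not r.cause or not r.consequence})

    def coverage_gaps(self) -> List[Tuple[str, str]]:
        """Cells with a finding but no risk yet: the completeness check the matrix promotes."""
        return [(a, g) for a in self.aspects_under_study()
                for g in self.operational_goals() if not self.cells.get((a, g))]

    def weighted_view(self, min_probability: float) -> Dict[str, List[str]]:
        """Per operational goal, the risks that have a grip on it at or above the
        given probability, most likely first (the 'weighting' step of the text)."""
        view: Dict[str, List[Risk]] = {g: [] for g in self.operational_goals()}
        for (_, goal), risks in self.cells.items():
            view[goal].extend(r for r in risks if r.probability >= min_probability)
        return {g: [r.incident for r in sorted(rs, key=lambda r: -r.probability)]
                for g, rs in view.items()}


def build_sample_matrix() -> RiskMatrix:
    """Constructed sample data (not from the page) for two strategic goals with two operational goals each."""
    m = RiskMatrix(objectives={"SG1": ["OG1-1", "OG1-2"], "SG2": ["OG2-1", "OG2-2"]})
    m.add_finding("Information and communication technology", "single file server, restore never tested")
    m.add_finding("Human Resources Management", "key-person dependency in payroll")
    m.add_risk("Information and communication technology", "OG1-1",
               Risk("loss of file server", 0.2, "disk failure", "two days without shared files"))
    m.add_risk("Information and communication technology", "OG2-1",
               Risk("loss of file server", 0.2, "disk failure", "invoicing stalls"))
    m.add_risk("Human Resources Management", "OG1-2",
               Risk("payroll clerk absent", 0.4, "", "salaries paid late"))  # cause still unknown
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    print("objectives under study:", m.objectives_under_study())
    print("aspects under study:", m.aspects_under_study())
    print("risks needing insight:", m.risks_needing_insight())
    print("empty cells to discuss with the business:", m.coverage_gaps())
    print("weighted view (p >= 0.3):", m.weighted_view(0.3))
```

The gap list is what the CRO takes into the interviews of step 2: every aspect with a finding but an empty cell under some objective is either a missing risk or a conscious "no grip on this objective", and the matrix forces that choice to be made explicitly rather than by omission.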