The four levels of Risk Management Integration

People waste a lot of time trying to define what is, and is not, good risk management. But reading someone else’s opinion seems largely irrelevant. Everyone views it through their own lens of experience.

Some view it through the lens of regulatory oversight. You know – ERM began when this law was passed. And it fundamentally changed when that regulation was implemented. Well, that’s true for some industries.

Others view it through the lens of their profession. ERM is all about managing investment risk. Or it’s all about eliminating financial reporting fraud. Or it’s about buying the right insurance. Or it’s primarily about environmental safety. Pick one.

I grant that these are all legitimate ways to look at risk when you’re operating at a low level of risk management integration. I argue, though, that it’s a waste of time to debate these issues at the top of the organization. These are discussions that should be addressed by subject matter experts further down — within the context of their specific needs and expertise. The top of the organization should not be trying to sort out the details of a good risk management design. They should be focused on moving up the maturity level for risk management skills and integration. Everything else will take care of itself.

The four levels of risk management integration

I refer to the lowest level of integration as “Stakeholder Management.” At this level, the organization’s goal is not to manage risk, it’s managing stakeholder expectations. If the CEO says “Give me some kind of risk management to get those auditors off my back” you know you’re stuck in a Stakeholder Management scenario. It’s all about appeasing those damned regulators, or auditors, or outside directors, or bankers. No interest whatsoever in actually improving the organization’s ability to manage risk.

The next level up is “List Management.” Here the focus is on gathering a list of risks. Management wants to do something with risk management and lists seem to be a good place to start. Management may not be entirely sure how these lists are to be gathered, or why. The focus is on the list itself and the ability to share it with other stakeholders.

Another step up along the integration path is “Risk Management.” At this level management wants to recognize and take steps to lessen exposure to threats. There are often clear processes to handle operational risk, vendor risk, financial risk, environmental risk, etc. Ownership of certain risks may be assigned. They may have a risk appetite statement. Management has read the literature and is doing what the experts suggest.

The highest level of integration is “Opportunity Management.” I created this phrase and it has a very specific identity. With Opportunity Management, management recognizes that risk is synonymous with uncertainty. And uncertainty exists in every strategy and process. Therefore, risk management is something that the organization does. It is not the responsibility of this or that person. It is an integral part of the organization’s culture … every bit as integral as doing performance reviews or sending out a company newsletter. At this level, business line leaders are concerned about third party vendors because they represent a clear uncertainty relative to a strategy that they own and for which they are accountable … not because the Senior Risk Officer says so. Threats will be identified, but it is all in the context of developing strategies and overseeing operations. It is all focused on managing uncertainty so that the organization can deliver more predictable future results. Everyone is trained about the role that risk plays within the organization and within their individual responsibilities. Everyone understands why it’s critical to explicitly recognize key assumptions that they may not be able to control, and how those key assumptions could affect future performance. At this level of risk management integration, employees recognize these thought processes as a normal part of their high performance culture.

Focus on moving to a higher level of integration

At a board or executive level, the greatest benefit does not come from developing a risk appetite statement. Or reviewing a list of threats across the entire organization. These things come about as a natural outgrowth of simply moving up the maturity scale to a higher level of integration. But so do many other benefits. When an organization reaches the Opportunity Management level, everything simply falls into place. Threats are aligned with strategic assumptions. These assumptions are discussed and considered before a strategy is ever approved. Management monitors these key assumptions and knows exactly what to do when one turns from green to yellow to red. Management knows that its goal is not to reward past success. Its goal is to assure future success.

So if you’re in an executive leadership role, ask how your organization is moving toward Opportunity Management.

For more information go to

The essence of strategy management

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about strategies.

Strategies are the foundation of risk management. That’s right – strategies, not risks. All so-called risk management is (or at least should be) performed within the context of strategy management. We don’t manage risk for its own sake. We do it to help us develop and execute strategies. So let’s put a different spin on risk management.

First, people own objectives and associated strategies. By “strategies” I simply mean the processes that we use, or steps that we take, to accomplish the objective. People own strategies, not risks. See my prior post on risk ownership for more explanation.

Here is why it makes much more sense to focus on strategies. No organization is in business in order to “manage risk”. It is in business in order to accomplish something. In our personal lives, we don’t design our day around “managing risk”. Instead, we have goals – things we want to accomplish. We develop a plan (strategy) either intuitively or explicitly to accomplish our goal.

So where does risk come in? Risk is the variability in that strategy. It is the potential that this strategy may not lead to the results that we want. We manage risk for only one reason – to improve the odds that our strategy will deliver a favorable result.

Virtually any strategy has some set of potential risk events that could cause problems. Risk management is the process of understanding and addressing those potential risk events. There are two types:

  1. Controllable: Some risk events can be controlled if we choose to invest appropriate time, money, and energy. We can put additional procedures in place (internal controls), we can buy insurance, we can create and test prototypes, or any number of other potential options. These are all ways that we can prevent potential risk events from derailing our strategy by investing additional time, money, or energy. Now it becomes a strategy decision – do we want to strengthen our strategy by investing the time, money, and energy to make it a bit more predictable?
  2. Uncontrollable: Some risk events we cannot control. The economy could falter. New unforeseen regulations could be harmful. Weather patterns could change, impacting company logistics. One way to address this is by thinking of these as “strategic assumptions”. Simply put, what assumptions are we making as a foundation for this strategy? What operational, financial, legal, compliance, etc. assumptions are we making? Although we may not be able to control these assumptions, we can typically monitor their potential existence. We can set up a Key Risk Indicator that monitors the economy. If the economy declines, it turns our “KRI” from green to yellow to red. Now we know that we need to revisit any and all strategies that were based on those economic assumptions. Simply put, those assumptions are no longer valid so the strategy is no longer optimal.

The essence of strategy management is to recognize it as the focus of risk management. Strategy management is the sole reason that we spend any time or energy focusing on risks. Keep “risk management” in that perspective.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (

The essence of risk ownership

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk ownership.

Many organizations try to implement risk management in a way that includes the idea that individuals own risks. Examples that I’ve seen include the CFO owning “Financial Statement Reporting Risk” or the Chief Counsel owning “Compliance Risk”.

This concept of risk ownership is based on a weak foundation. People really don’t understand what it means to “own” a risk.

When you say that someone owns a risk, you’re really implying that the person owns an objective. The CFO owns the objective of issuing financial statements according to professional standards. The Chief Counsel owns the objective of reasonably complying with laws and regulations. From a purely psychological sense, most people are more comfortable with the concept of owning an objective rather than owning a risk. We know how to own and embrace an objective.

Another problem with the concept of risk ownership is that real risks, rather than broad generalities, are often obviously outside the control of an individual. That’s what makes them “risks”.

For example, if an organization is planning on expanding into a new service line the strategy may depend on hiring experienced staff – a reasonable assumption. The clear risk is that it may not be possible to hire enough experienced people with a required skill set. How does the concept of “ownership” fit in here? Someone owns the objective of expanding into the new service line. That person also owns the strategy that will attempt to deliver that goal by hiring experienced staff. The risk that there might not be experienced staff to hire is simply an inherent part of the strategy; it is one of the things that can go wrong with this strategy. If the risk materializes, the strategy may need to be revisited and modified to incorporate the new, more complete, set of facts.

Here’s another illustration. Using the prior example, another risk might be that the economy will decline over the next 2 years. That would clearly impact the strategy associated with moving into the new product line. But, this same risk would also impact other strategies – perhaps dozens of other strategies. It might impact a plant expansion strategy. It might impact a compensation strategy. So – who would “own” the risk of an economic decline?

The essence of risk ownership is that no one can own a risk. People can own objectives and strategies. Risks are the things that you are not controlling within your strategy. Don’t waste your time identifying (and often negotiating) ownership of broad, general risk categories. In the end, it’s simply not actionable. Instead, spend that effort identifying which strategies are dependent upon outside factors that either you cannot, or choose not to, control – like the ability to hire experienced staff or a continuing improvement in economic conditions. Then, put a system in place to alert you when those uncontrolled risks are taking a turn for the worse. This allows you to quickly attend to the strategies that need to be revisited and reconsidered.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (

The essence of key risk indicators

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about key risk indicators.

There are two common types of metrics that management might use. One is the key risk indicator (KRI) and the other is the key performance indicator (KPI).

Key performance indicators are intended to establish performance goals and then help management focus on those processes that are not delivering desired results. As an example, management might establish a KPI to limit waste materials to <.31% in a particular phase of production. Then, actual waste is periodically measured and compared to this goal. If actual measurements consistently fail to meet the KPI, then the process should be reviewed and corrected. It is intended to be a historical measurement.

Key risk indicators, on the other hand, are intended to warn management if risk levels are increasing. COSO published a thought leadership paper in 2010 on key risk indicators. It’s a pretty good document and I recommend it.

What I want to address here is how to actually put this concept into use. A challenge that I’ve run into is that management is not naturally attuned to focus on risk events. When asked to come up with a list of risk events that might impact some activity, management often responds with “Well, um, I suppose that (this or that) could happen.” You need to identify these risk events in order to then identify leading indicators (KRI) that might give advance warning of the risk event. The problem is that you’re asking management to poke holes in their own strategies. That’s not something that anyone readily wants to do.

Instead, consider asking management about the key assumptions (rather than the potential risk events) in their strategy. I have had great success here. Management is usually much more able to talk about these assumptions. Given a few minutes of thought, they might identify assumptions like the ability to hire adequate staff for the new production facility or the general growth in consumer demand. Further, it is easy to get management to agree that these assumptions, while valid and reasonable at the moment, could decline or fail to materialize over time. We can’t be 100% sure. That’s the nature of assumptions – they are often outside of our immediate control. Management can relate to this concept.

So we turn these assumptions into KRIs. We track these assumptions over time. If any significant assumption declines or fails to materialize, then any strategy that relied on this assumption should be reevaluated. Management is, in essence, receiving advance warning that the risk level (the unpredictability) of that particular strategy is increasing because the assumptions on which the strategy is based are no longer valid.

Focusing on key assumptions is attractive because management can relate to it. It’s also very transparent. The assumptions can be discussed and agreed-upon in advance of the strategy’s execution. If the external assumptions fail to materialize it’s no one’s fault – everyone had already agreed that the assumptions had been valid at the time. There is no incentive to hide the problem. Just go back and adjust the strategy to take advantage of knowledge that simply didn’t exist before. And establish newly revised assumptions that you will once again monitor.

The essence is that key risk indicators are most easily understood when tied to strategic assumptions. Keep it simple and link this concept to strategy setting in a way that is transparent and non-threatening.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (

The essence of risk and opportunities

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk and opportunities.

I often hear that risk management should help an organization find opportunities as much as control potential problems. COSO says that part of risk management is the identification of events which could have a positive impact, a negative impact, or both. This concept does not work for me on multiple levels. In a future post I’ll write more about the idea of event identification. In this post I want to address a more practical strategic problem with this approach.

One of the toughest hurdles in risk management is explaining it in a way that makes it relevant to executive management. You need their support. The more that you ask executive leadership to accept concepts that are not intuitive to them, the tougher the sell. I normally describe risk management as the group of organizational activities that try to improve results by making the unpredictable a little more predictable. This usually resonates well with executive leadership. It fits their existing notion of risk management. When you start talking about risk management also being a source of strategic opportunities, I’ve found that executives start looking at you with a skeptical eye. It sounds like a salesman promising benefits that everyone knows he can’t deliver. I recommend staying away from this approach. There are other executives who are paid to identify and exploit opportunities. Maybe later you can help, but for now stay off their turf.

The essence is that linking a risk management function with the identification of strategic opportunities is a tough sell. It is hard enough to get executive management excited about risk management at its most easily understood and intuitive level. Don’t confuse the basic message with unproven claims that your executive team may find counter-intuitive.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (

The essence of operational risk and reward

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about operational risk and reward.

It’s a common understanding that you need to take on more risk in order to get greater rewards. The common context for this risk/reward tradeoff is when you’re managing a financial portfolio of investments. Highly conservative investments tend to deliver lower returns over the long run when compared to those investments that might have more risk. However, risk/reward also applies in other ways. It impacts how you manage your organization and deliver operational results.

Imagine a common operational scenario. You’re assigned a goal and you need to develop an appropriate strategy to deliver that goal. If you choose a conservative strategy you’ll get highly predictable results. It’s tried-and-true. If your assigned goal falls into the predictable results that your conservative strategy will deliver, by all means use that conservative strategy and pat yourself on the back for being eminently practical.

Conversely, if you’re handed a stretch goal then that tried-and-true strategy will not deliver it. In that situation, you need a new or revised strategy that has, at least, the potential to deliver the desired results because the conservative strategy absolutely has no chance. You must select a strategy that takes on some uncertainty; you must take on more risk. To be clear – simply taking on more risk does not in any way imply that you will automatically get greater rewards. It only means greater uncertainty. But without that uncertainty you may stand no chance of delivering desired results.

The essence is that risk and reward are definitely related. Conservative strategies deliver predictable results. If you need to provide more aggressive results, you need a less conservative strategy that has the potential to deliver those results.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (

The essence of risk appetite

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk appetite. It probably is the most misunderstood foundational concept of risk management. This term comes from COSO’s 2004 ERM framework. They describe it as ‘the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.’ I’m not sure how they really intended its use, but it was widely interpreted as requiring some single and specific board-level analytical component (amount of risk) that would guide management in developing strategies and activities. Many envisioned the board defining how big of a bucket of risk would be allowed. As long as the actual risk wasn’t overflowing the bucket, then everything was operating at an acceptable risk level.

The problem was that it’s impossible to come up with a single number that could represent the maximum risk that an organization is willing to take on. How can an organization analytically measure different types of risks and then aggregate them in some meaningful way in order to compare them to an established level? It is not illogical, it is simply not practical.

I believe that COSO knew that this was a weak point in their framework. They came out with an explanatory document in 2012 called “Understanding and Communicating Risk Appetite”. This does a better job of explaining many concepts, but it’s still not very actionable.

Risk is unpredictability. In some cases, you are willing to allow unpredictable results. In other cases you are not. For instance, your culture may say that you’re willing to take on risk for product development. But you’re not willing to take on risk for product quality. How do you address the total risk in the organization and incorporate these two very different risk requirements? You can’t establish, much less aggregate across disparate objectives, a single number to indicate how much risk currently exists across the organization. Don’t bother – it’s a meaningless distraction.

Here’s a better idea. Think of risk appetite as a conversation about the extent that management is willing to accept unpredictable results for each specific type of strategy. If you’re discussing management’s attitude about product development, assure that everyone understands that some risk is allowed. If you can define a number within that context, go ahead. These would be Key Performance Indicators (KPI) for product development. These KPI would, if defined correctly, encourage an appropriate level of risk-taking.

On the other hand, if you’re talking about management’s attitude toward product quality, assure that everyone understands that little or no risk is allowed. Predictable results are required and strategies must assure that this predictability is achieved. Once again, KPIs can help describe expected results. In this case, these KPIs would emphasize predictable product quality.

The essence is that a single risk appetite number, at the board level, provides little or no actionable guidance. Don’t bother. Focus instead on conversations within the context of specific objectives. Where are people expected to experiment and sometimes fail … and where are they not allowed to fail?

You can read more about Performance Risk Management at Risk Leader (