Risk Insider: Grace Crickette

ERM and the Art of War

April 27, 2017 • 3 min read
Grace Crickette, a leader in enterprise risk management, is special administrator, Finance and Administration for San Francisco State University. She can be reached at [email protected]

This is the 11th post in a series from Risk Insider Grace Crickette on how to gracefully bring together traditional risk management, change management techniques and enterprise risk management concepts. The series is inspired by strategies devised by Sun Tzu, a Chinese military general and philosopher.

Make ERM, Not War


Art of War Key Principle: The way to capitalize on the endless opportunities created by ever-changing conditions is to become engaged as part of a well-thought-out plan and to be flexible in adapting tactics to those conditions within the context of each pre-determined strategy.

Chapter V focuses on moving to the Creative or Energy mode, wherein the greatest amount of preparation and ongoing effort takes place in implementing Enterprise Risk Management. From our menu of common elements of an ERM Program, let us move on to Measure, Monitor, and Report.

In my last post we covered forming multi-disciplinary groups and clearly providing these groups with a vision, communications, training, and forums, as well as leveraging actuarial services to support the vision and the groups.   To maintain the momentum and keep the groups energized you need to establish baselines and measure progress.

My methodology is to meet with various departments and disciplines and ask the questions:

How do you know if you are doing well? What data do you have to let you know how you are doing? 

I am looking to get the organization to clearly articulate objectives and then identify the risks that impact those objectives.  Then I want to know if we have the data for measuring and monitoring and if it is timely, or is it primarily ad hoc, annual and manual.  The information gathered through these meetings is critical for understanding and developing the key indicators (KIs) that become an important component of your Enterprise Risk Management program.

What is a Key Indicator?

Key Performance Indicators: KPIs are derived from critical success factors and translate these critical success factors into more meaningful criteria. For example, the critical success factor of “improve productivity” might have KPIs such as cost, service quality, cycle time, streamlining of processes, and reduced duplication and/or rework. Example: Net Promoter Score (NPS): Finding out your NPS is one of the best ways to indicate long-term company growth. Send out surveys to your customers to see how likely it is that they’ll recommend your organization to someone they know. Establish a baseline with your first survey and then monitor change.

Key Risk Indicators: KRIs are derived from analyzing what could go wrong or has gone wrong relative to another metric.  For example, reviewing claims information relative to the size of the risk (i.e., number of patients treated) or calculating a recordable rate for employee injuries.

# of Injuries / Personal hours = Recordable Rate (retrospective)

Key Leading Indicators: KLIs are derived from analyzing data that is a predictor of what is about to happen. For example, a KLI that provides information on customer satisfaction could be used as a predictor for increased sales. As another example, a KLI that provides information on employee satisfaction could be a predictor of turnover. The number of change orders on a construction project can be a predictor of the project not coming in on budget or on time.

# of Change Orders / Project Budget = Cost Overspend (predictor)

How often can Indicators be updated?  

Indicators can be updated as frequently as the data they are drawn from is updated. Some examples:

Claims Information … Daily

Payroll Information … Monthly

Construction Scheduling … Quarterly

How is change measured with an Indicator?

Change is typically measured by looking at ratios between time periods relative to the data.

After you develop your portfolio of KIs, you need to establish regular reporting. Whether you produce reports on KIs manually or with a business intelligence system, you need to provide timely, accurate and actionable information. A common vocabulary supported by a data dictionary is useful. Each data field must be defined, with its original source and valuation date identified. The data dictionary provides the common information infrastructure required to deliver a single version of truth.

It is common in the early stages of development for users to find that their data source is not accurate, but this is actually a big benefit of implementing a reporting program, because you improve your organization's understanding and management of data. Do not wait for perfection, though; rather, communicate that the reports may seem “incorrect” when first reviewed and that part of the benefit of your ERM program is to help the organization obtain and communicate better information. Expect also that a Key Indicator that you thought was going to be brilliant may end up not being that useful, and you will need to make modifications or abandon that particular KI.

Key Takeaway: Implementing ERM takes Energy and Creativity; measuring, monitoring and reporting data is a key component of an ERM program. Develop Key Indicators based on your organization's objectives and the risks that impact those objectives. Deliver the information in a timely manner with a data dictionary that explains the data. Be prepared to continuously update and improve your data and reporting.

Remember: It’s not Risk Management, it’s Change Management!
