What does CRM stand for and where does it originate from? When I was first introduced to this new concept I had no idea what it was about. I was immediately very keen to obtain a better understanding of this concept. I only began to understand the concept after I started to research the Paper on Governance, Risk Management and Audit, prepared by A.J. Gallagher & Co. in 2013. CRM refers to Collaborative Risk Management and to ‘’jump the gun’’ the concept actually describes the process of integrating risk management in organisations and is also referred to as functional risk management.
My personal view is that the paper does not necessarily present new or ‘’wow’’ concepts but it is an excellent mechanism to benchmark risk management processes against. When I considered the definition of CRM my initial thought was to ascertain to which degree does the risk management process of the organisation that I work for align to the objectives or intent of the CRM definition, which states that –
· CRM is achieved when various efforts across the organisation unite
· Through overarching risk management initiatives
· To create a whole
· That is indeed greater than the sum of its individual parts.
This definition supported my opinion about the risk management process, namely that it is an excellent mechanism to break down silo’s, to optimise the use of scarce resources as well as to integrate risk management principles in our daily tasks.
Further understanding of the CRM definition and intent has affirmed that I am (hopefully) on the right track in that CRM involves:
1. Repackaging of PROVEN and LONG-ESTABLISHED principles.
2. Treating IRM as a process and not a project or ‘’band aid’’ (continuous vs once-off).
3. Highlighting the difference between organisations that have risk managers and those that manage risks.
4. Highlighting the difference between having a CRO and having an embedded risk culture that rewards risk ownership and builds risk assessments into every initiative on each level in the organisation.
5. Less exhaustive risk registers.
6. The incorporation of risk management in planning processes – it should thus be woven into the culture of the organisation - not by the efforts of the CRO only, but across the organisation by risk and action owners.
7. It is about creating risk consciousness that becomes an instinctive and systematic part of the culture at the organisation.
The next question I posed to myself was – How successful is my team and I in meeting the CRM attributes and perhaps this was the main contributing factor to a few sleepless nights. What alerted me more and which really contributed to ‘’adding oil on the fire’’ is the realisation of what is actually expected from a CRO. If we are honest in taking a ‘’dipstick reading’’, how would you gauge yourself against criteria such as: Do you -
- Inform your organisation how to manage risks at all levels?
- Submit reports that will enhance decision-making?
- Assist managers not only to address to adverse effects of uncertainty, but also to seize opportunities?
- Assist management to consider the cost of not seizing opportunities – ‘’carpe diem failures’’ (ERM currently focus more on cost of actions)?
- Assist your organisation with stratification of risks, i.e. Executive level, Tactical level, Operational level, etc?
- Assist your organisation to determine the risk altitude, i.e. which risks will be best managed at what level?
- Assist in cascading of risks across the organisation?
- Eradicate the scarce time spent on developing long risk registers that hampers management of risks to rather spent 80% on strategic thinking and 20% on risk assessment – the 80/20 problem?
- Focusing on the management of strategic risks to enhance resilience?
The above mentioned criteria could be the contributing factors to the different perceptions regarding risk management and it could also be the reason why various risk managers approaches risk management differently. The question that could also be asked is if the differences in professional judgement to the risk management process have created the perception amongst risk professionals that risk management is at a cross-road? By way of comparison, as described in a poem, the outcome of comments of blind men who were describing an elephant by touching the elephant’s body could be seen as a red flag when perceptions are being evaluated. E.g. some described the leg of the elephant as a pillar; the ear as a fan; the trunk as a pipe, a rope, a snake, etc. The poem ends with the words ‘’and so these men of Indostan disputed loud and long, each in his own opinion exceeding stiff and strong, though each was partly in the right and all were in the wrong!!’’
A pre-requisite for the implementation and maintenance of CRM is to move away from long/exhaustive risk registers. Another question that could be asked in an attempt to develop more concise risk registers is to ask ‘’when is a risk a risk’’, because as already alluded to, various perceptions or based on different professional judgements, a risk might not be a risk for everyone. E.g. a risk of water contamination might be a risk for the Water Department, but for the Health Department it might not be seen as a risk, but as a contributing factor to the risk of the outbreak of a particular disease.
Another aspect that should be considered to manage time optimally during workshops is to educate the organisation to differentiate between a risk (those aspects that could prevent a department/unit from achieving its objectives) and an ordinary day-to-day managerial issue. The latter should not be taken on a risk register, but should be managed through the normal ‘’run of the mill practices’’. Thus, the setting up of risk registers must not be done in such a way that it becomes a barrier that hampers the management of risks. If too much time is spent on setting up of risk registers with reference to the identification, evaluation and analysis of risks, it might be regarded by management as an unsupportable drain on time and resources. The challenge is to get the necessary buy-in from risk- and action owners to participate in the clean-up of risk registers to the point where it becomes a managerial tool to manage those risks that could prevent the achievement of objectives.
The CRM Paper addresses 4 essential risk management conditions to be addressed or eliminated in order to ensure an efficient, effective and sustainable risk management process. Although these essential conditions are familiar to most risk practitioners it needs to be reconfirmed, i.e.-
Essential risk management conditions:
- Absence of an appropriate tone at the top – if Executives are not leading the charge for risk management, it will stall/loose its momentum.
- Poor monitoring of emerging risks – no warning signal. The impact that emerging risks could have on the achievement of your organisation’s objectives is extremely important and therefore a time factor of at least 12-18 months in the future should be considered.
- Centralisation and/or lack of accountability and leadership – insufficient effort toward achieving objectives. The crux around this condition is to prevent centralising the responsibility to a Chief Risk Officer in a centralised office to take responsibility for the organisation’s risk. Risk management should be cascaded to all levels in the organisation and every employee should become a risk manager by taking responsibility for actions to mitigate barriers in order to achieve the relevant set objectives.
- Lack of effective communication and training – missing or weak risk management policies; poor training, etc. Effective risk management communication and consultation should be the first component in the risk management process. It should become a two way dialogue in order to create trust in the risk management process.
The CRM Paper highlighted a few hindrances to advanced risk management. It is essential for each risk department to benchmark against these hindrances to determine the potential existence of these hindrances and if prevalent it should be attended to immediately. The following questions should be asked-
1. Do we focus on the right risks, e.g. are we only focussing on financial risks or are risks assessed on an integrated basis; are the risk registers used by officials to ‘’air their dirty laundry’’; aren’t important risks being ‘’swept under the carpet’’ or their ratings manipulated; etc.?
2. Is risk management embedded as a habit in the organisation, or has it become a compliance exercise to tick the correct boxes?
3. Do we have an approved risk acceptance level (appetite) in place to be used for benchmarking purposes?
4. Is our risk assessment process w.r.t. risk identification, analysis and evaluation value-adding, in other words do we as risk practitioners ask relevant questions; are the actions measurable and practical; have we identified relevant risk and action owners and are they kept responsible for implementation and execution of strategies to mitigate risks with pre-set timelines; etc.?
5. Have we as risk practitioners developed and implemented relevant risk management policies, frameworks and implementation plans to inter alia advise our risk community about their roles and responsibilities, reporting lines, etc.?
6. Do we update and review our risk registers in accordance with the approved implementation plan?
7. Do we have the sufficient and appropriate resources to drive risk management in the organisation?
8. Is risk management engrained in our municipalities at all levels and how do we secure that it is maintained and furthered in the organisation?
The CRM Paper propagates the transition from a ‘’risk management’’ driven organisation to a maturity level of ‘’management of risks’’. If one could visualize a bar with measurements from 1 to 10 where 1 indicates ‘’risk management’’ and 10 indicates ‘’management of risks’’ – where would you peg your organisation on this bar? What should be strived for in our municipalities is not to monitor the organisation’s risks centrally by the CRO, but risk owners must take responsibility for risks within their domain at various ‘’altitudes’’ and to manage risks optimally to an acceptable level. The more advanced an organisation is with the institutionalisation of risk management (mind set change) the bigger the change to a synchronised transformation from a ‘’risk management’’ to a ‘’management of risk’’ scenario.
This ideal state of risk management will be facilitated through a common risk management language throughout the organisation with a clear understanding that risk management is not only addressing risks (or problems), but also the optimisation of opportunities. The management of risk scenario is also facilitated by the understanding that it is not a single or standalone event, but a continuous process to ensure the achievement of strategic objectives as described in the Integrated Development Plan of an organisation.
The CRM Paper highlighted criteria to be implemented to enhance the management of risks in municipalities. Whether you are the CRO in an organisation with a well-established risk management function or whether you are currently commencing to build such a function in your organisation, the following benchmarking criteria, which are not documented in any order of materiality, could be of great value, i.e.
1. There is an obligation on municipalities, from a legal perspective, to implement and maintain an efficient, effective and transparent system of risk management – do you comply with this legislative requirement?
2. Determine what guideline will suit the organisation best, e.g. PSRMF; ISO 31000; King Report; combination of various models; etc.
3. Determine the risk appetite or risk acceptance level (RAL).
4. Develop a risk management policy, framework and implementation plan. E.g. with regards to the latter determine the number of risk management assessment sessions to be conducted per annum, e.g. 1 complete update with 2 monitor and review sessions per annum.
5. Align risks to an appropriate IDP objective(s).
6. Develop actions to mitigate each contributing factor/root cause to a risk.
7. Obtain support from the top echelon – Identify Executive Director as champion to drive risk management on Executive (EMT) level.
8. Obtain Council approval for risk management policy, framework and implementation plan.
9. Obtain political buy-in, e.g. high risks to be discussed with relevant Mayco member.
10. Establish a committee to attend to risk management issues, e.g. RiskCo; Audit/Risk Committee; etc.
11. Each Directorate in the organisation to identify at least one risk champion with risk co-ordinators for each Department to drive action implementation.
12. Update policy, framework and implementation plan ‘’regularly’’ or at least once during political term of office.
13. Consider opportunities (upside risks) and not only threats (downside risks). The cost-of-lost opportunities (whether in monetary or reputational terms) should be considered.
14. Communicate and consult with stakeholders what CRM is about, e.g. develop pre-reading material to focus workshop attendees on the objective of risk related workshops; implement regular newsletters to keep stakeholders informed about risk related matters; etc.
15. Conduct research and inform RiskCo members and the risk community about developments w.r.t. risk management, etc.
16. Refrain from developing ‘’huge’’ risk registers – apply the pareto principle, which implies that management of the top 20% of key risks could result in the remaining 80% to be rated below the RAL.
17. Develop, implement and maintain prompt lists, e.g. to determine cross cutting issues to be used with each assessment of risks.
18. Develop, implement and maintain an emerging risk register and prompt stakeholders with each risk assessment intervention to determine currency of emerging risks.
19. Assign appropriate stratification of risks or the altitude/level to manage risks.
20. Consider the escalation of risks above RAL keeping ‘’safety net’’ concept in mind.
21. Identify cross cutting actions and co-ordinate responses of various action/risk owners to implement remedial steps in a cost effective/value added manner.
22. Develop reports/dashboards in order for RiskCo members to take informed decisions, e.g. Top 10 risks; risks above RAL per Directorate and Department; High Impact and Low Likelihood reports; High Likelihood and High Control Effectiveness reports; action status reports; etc.
The CRM Paper did not address two topical issues in the risk management domain, which in my mind at least needs mentioning to start and stimulate debate in this regard. These two topics are Business Continuity Management (BCM) and Combined Assurance (CA).
BCM currently seems to be implemented ‘’in pockets’’ in most municipalities and I do get the impression that it is subconsciously applied to a large extent, but unfortunately not properly documented. This opinion is based on the compliance with numerous pieces of legislation that is applicable to local government. Intense debate is currently taking place around who should be responsible for this function in an organisation, e.g. should it be a risk management function; should it be a stand-alone function; should it be integrated in existing functions in Departments/units; etc. However, without certainty on who should take responsibility for BCM a starting point (from a risk management perspective) that could be considered is to prompt risk owners on the Single Point of Failures (SPF’s) in activities under their control – the question that should be answered is if risk owners are satisfied that existing controls are effective in order to ensure that a failure in a specific activity won’t halt an entire process. Potential SPF’s should be identified via the risk assessment process and ranked to determine the criticality of a SPF. Risk owners should understand that the criticality of a failure is inter alia determined by the impact of the failure, e.g. domino effect or more than one incidents with a high impact happens simultaneously; the maximum acceptable outage that could be tolerated after a failure as well as the time that it would take to recover the business to such an extent that services are optimised; as well as to what degree back-up information, resources, etc. are available.
With regards to CA it appears from recent research that relatively speaking, consensus do exist around the responsibility and oversight role for CA, i.e. the risk management department and the Audit Committee respectively. It seems, based on my personal experience and research, that the most effective, efficient and sustainable model or criteria that should be used to base CA on is still debateable. What should give me as risk officer peace of mind is to engage with critical role players in this regard, being IA and AG, with the view to obtain mutual agreement on the model to be applied. A further bit of advice is to implement CA on a pilot basis purely because CA appears not to be a ‘’seasoned’’ function in municipalities globally.
I trust that this paper will be value adding with specific reference to benchmarking risk management processes as applied by municipalities. As per the definition of CRM in this paper I want to wish all risk practitioners within the municipal sphere success with the institutionalisation of risk practices to achieve the optimum utilisation of scarce resources in order to maximise service delivery.
Article composed by L. Geldenhuys, CRO, City of Cape Town, March 2014.
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy, position or views of the City of Cape Town.