Author Archives: Steven Minsky

About Steven Minsky

Steven Minsky is CEO of LogicManager and co-author of the RIMS Risk Maturity Model for Enterprise Risk Management.
Immediate Vault Immediate Access

RIMS Risk Maturity Model: Root Cause Discipline

Posted on by

After the last article, which discussed the first two attributes of the RIMS Risk Maturity Model (RMM), ERM Based Approach and ERM Process Management; our focus here is on the third attribute, Root Cause Discipline.

Root Cause Approach

In Washington, D.C., officials tried, but were nearly helpless in stopping the deterioration of the Lincoln Memorial. Rather than address the damage with costly repairs, they instead traced the concern back to a root cause. Deterioration was caused by the high powered hoses needed to clean the building—which were necessary because the building was an attractive home for birds.

online pharmacy vidalista with best prices today in the USA

Birds were drawn to a very dense population of insects, which were attracted to the bright lights of the memorial.

online pharmacy amoxil with best prices today in the USA

So how do you stop the Lincoln Memorial from deteriorating? You dim the lights.

The root cause methodology provides clarity by identifying and evaluating the origin of the risk rather than the symptoms. Unveiling the triggers behind high level risk and loss events point to the foundation of where an organization is vulnerable.
buy eriacta online https://galenapharm.com/pharmacy/eriacta.html no prescription

Uncovering, identifying and linking risk back to the root causes from which they stem allows organizations to gather meaningful feedback, and move forward with accurate, targeted mitigation plans.

To illustrate an example in a business environment, consider the risk of inadequate training. Within an organization, there may be multiple departments experiencing risk regarding their training policies, procedures and documentation, yet each area is likely to be recording and recognizing this risk in its own way. The result is an extensive amount of information recorded in spreadsheets that requires time and energy to sort and sift through. By identifying the root cause, a risk manager can expose the underlying commonality between departments and their concerns, allowing more effective identification and mitigation of systemic risk.

Applying root cause to your current approach

To integrate this type of approach to an enterprise risk management (ERM) program, you must first identify the root cause foundation of your organization. The RMM is built on five root cause categories which cover all enterprise risks:

  • External – risk caused by third-party, outside entities or people that cannot be controlled by the organization
  • People – risks involving employees, executives, board members and all those who work for the organization
  • Process – risks that stem from the organizations business operations including transactions, policies and procedures
  • Relationships – risks caused by the organization’s connections and interactions with customers, vendors, stakeholders, regulators  or third parties
  • Systems – risks due to theft, piracy, failure, breakdown, or other disruption in technology, plant, equipment, facility, data or information assets

Understanding which core area of the organization a risk stems from provides the ability to effectively understand and mitigate the risk. For instance, theft from an external third party is very different than theft from an internal employee, and will thus have a very different response and mitigation strategy.

online pharmacy cymbalta with best prices today in the USA

One strategy would require an investment in IT or infrastructure, while the latter would need an HR policy change or new ethics program.

Looking for an example of root cause? Download our complimentary Risk Assessment Template.

RIMS Risk Maturity Model: ERM Approach and Process Management

Posted on by

Last week, we introduced the latest findings from studies of the RIMS Risk Maturity Model. In an effort to explain the model and results of the study more fully, it’s beneficial to break the RMM into each of its attributes. Here we’ll examine the first two attributes of an effective ERM program, ERM Based Approach and ERM Process Management.

ERM Based Approach

The emphasis of this attribute is to move organizations from an old, obsolete style of governance to a more holistic, integrated approach. Old-style governance is focused on regulatory compliance and silo specific risk management. The problem with this approach is it leaves the organization exposed to risk that isn’t governed by regulatory mandates, as well as cross functional risk that may be systemic to the company.

We see examples of failures in this approach all the time. West Virginia’s water contamination crisis, for example, was caused by a series of risks with inadequate controls—the chemical tank was not adequately surveyed, the employees were not directed to immediately report the leak, even the water filtration organization wrongly estimated that it could filter the chemicals out. None of these entities were at fault from a regulatory perspective, but they were still on the hook for millions in remediation (the chemical plant filed for Chapter 11 bankruptcy in January).

buy rybelsus online abucm.org/assets/jpg/rybelsus.html no prescription pharmacy

An ERM approach moves organizations past regulatory concerns, which are only a subset of the overall risk universe. This requires a number of activities that the Risk Maturity Model identifies as drivers of ERM Maturity—tone from the top, assimilation into front line activities, risk ownership—which when combined result in a more risk-aware enterprise.

RIMS Risk Maturity Model: ERM Process Management

With a new governance mindset in place, organizations can move to applying a risk-based process framework of Identify, Assess, Evaluate, Mitigate and Monitor within each business process.

The RMM assesses the degree to which these activities are pervasive inside business processes. Many executives misinterpret these processes as unique to ERM, when in fact the steps are iterative, constantly reoccurring within organizations but without any defined process or standardizations.

buy amaryl online abucm.org/assets/jpg/amaryl.html no prescription pharmacy

The key to ERM process management is to create a common language and structure so areas can better transfer knowledge to each other where beneficial.  This is done by integrating these framework steps into the business in a way that provides accountability, repeatability, and adequate reporting. A great example is the Vendor Management Governance function. Vendor management is frequently tasked with identifying critical vendors, assessing their risk (such as “due diligence”) and then managing through mitigation (contracts, insurance certificates) and monitoring (shipping times, order completion).

The problem is that vendor management, like other functions, is operating independently with too little information exchanged between vendor management and other governance functions.

Why is this important?

Strategic imperatives are by nature cross-functional, but are rarely linked to processes and activities on the front line. When not linked, risks to corporate objectives are either not addressed or treated differently by the business processes. This alignment is a critical driver of ERM maturity. Organizations that can effectively communicate goals—not just at the corporate level, but down to the front lines—are better equipped to achieve results and elevate concerns.

buy lasix online abucm.org/assets/jpg/lasix.html no prescription pharmacy

Interested in seeing how this approach differs from traditional governance? Watch our short video on Strategic Risk Management.

How the RIMS Risk Maturity Model Works

Posted on by

Hack Wilson was an MLB star in the 1920’s, but he had a drinking problem. Realizing his potential, Hack’s manager pulled him into the dugout and said, “If I drop a worm into a glass of water, it swims around fine. If I drop it into a glass of whiskey, it immediately dies. What does this prove?”

Hack responded, “If you drink whiskey, you’ll never get worms.”

Hack’s observation, while misguided, provides a lesson in the difficulty of training and educating employees. Over the next several weeks, I hope to provide a step by step walk through of the RIMS Risk Maturity Model (RMM) for enterprise risk management (ERM), and while doing so provide a framework that can be used to educate, implement, and enhance the ERM program at your own organization.

Recently the target of a third party study of ERM programs, enterprise risk management maturity as measured by the RIMS Risk Maturity Model, is proven to add 25% to a corporation’s bottom line value, but how is that value achieved? What is it about ERM that makes these organizations more efficient, better operating, and ultimately more successful?

The answer is that the RIMS RMM is a step-by-step guide on how to implement, improve and measure the adoption of the best practices of ERM defined by ISO, COSO and other ERM standards. The RMM is broken down into seven attributes, and the resulting culture, processes, tools, and structure that allow organizations to realize potential opportunities while managing adverse events and surprises. As outlined by the RMM, enterprise risk management is particularly effective in addressing cross functional or silo specific challenges and gaps by providing a common framework.

buy naprosyn online meadowcrestdental.com/wp-content/uploads/2023/10/jpg/naprosyn.html no prescription pharmacy

That’s a loaded response, and as shown above, educating process owners, risk managers and even executives about the value of ERM can be tricky.

That’s the value of the RMM—it breaks down ERM into practical requirements, allowing organizations to assess their current capabilities, while providing concrete guidance for a pathway forward.

The seven core attributes are:

ORM-based approach—Executive support within the corporate culture

Risk appetite management—Accountability within leadership and policy to guide decision-making.

Root cause discipline—Binding events with their process sources.

Uncovering risks—Risk assessments to document risks and opportunities.

Performance management—Executing vision and strategy utilizing balanced scorecard.

Business resiliency and sustainability—Integration into operational planning.

In a few upcoming posts, we’ll cover more fully what a mature ERM program looks like from the perspective of one of our seven attributes. The goal is to improve your organization’s ability to manage risk, while exploring the correlation between business value and ERM maturity.

buy renova online meadowcrestdental.com/wp-content/uploads/2023/10/jpg/renova.html no prescription pharmacy

For an introduction to the RIMS approach to ERM, click here to watch LogicManager’s video on Getting Started with ERM.

RMORSA Part 5: Risk Reporting & Communication

Posted on by

Having standardized risk assessments and well documented mitigation and monitoring activities will equip your organization with a lot of risk intelligence. The question becomes: how do you report all of this information to your board and communicate it to your commissioner in a way that demonstrates the value of your ERM program? First, risk managers must be able to demonstrate how risks across the organization roll-up to impact the board’s strategic objectives; and second, ERM functions must track key metrics to validate the effectiveness of a formalized risk management approach.

Reporting on Critical Risks

Due to the limitations of spreadsheets, risk managers often have to choose between presenting actionable data that is too granular for the board, or presenting a high level summary, such as a top 10 risk report, which lacks the context of how risk within business process activities relate to the objectives that senior leadership and the board require.  However, a common risk taxonomy allows organizations to gather risk intelligence at the business process level, and aggregate it to a high level for senior leadership.

For the top risks across the organization, often risk managers must provide the more detailed underlying data, such as which business areas are involved, their individual profile of the risk, their mitigation strategy and how the risk is being monitored.

The most commonly used method to determine top key risks is to rank risks based on the score from their assessment. This aggregate will depict which risks pose the most immediate danger to the enterprise, and should be reported on regularly. The second method uses your common language, root cause library to identify systemic risks. These are risks that have been identified by multiple departments, and may be more easily addressed with corporate wide policies or procedures rather than point solutions. And now that you have a complete and transparent mitigation library, you can publish effective controls from one department to another, reducing overlapping activities in your organization and leveraging the practices in departments that are the most effective in managing risk.

The State of ERM

When demonstrating the value of your ERM program, take a step back to evaluate just how many risks have been identified, and how well risks are being evaluated and mitigated. The common standards established by an ERM program will significantly enhance your risk identification process by allowing you to prioritize efforts to the most important risks that have the least assurance of control effectiveness. You might find that over the past several quarters, the gap between the number of risks identified and those that have been addressed has grown. This isn’t a concern, but rather a sign that your organization has a clear path forward and is beginning to understand its entire risk universe.

You can also track your progress with the ERM guidelines outlined in the RIMS Risk Maturity Model. Providing your executives, board or commissioner with a bi-annual report on the maturity of your ERM program will show which areas you’ve improved upon and what areas need focus going forward. The model provides a repeatable process that enables internal audit to validate its quality and effectiveness. This same model also has the benefit of enabling you to benchmark your program against others in your industry, providing a transparent, third party evaluation of where your organization stands.

This concludes Steven’s series on ORSA Compliance. Looking for more ERM best practices and the latest industry trends? Subscribe to Steve’s Blog or visit www.logicmanager.com.