Tag: ERM

ERM – Moving beyond enterprise risk assessments and risk heat maps

Enterprise risk heat map

Risk assessments and heat maps remain central components in most enterprise risk management (ERM) programs. Yet there is considerable debate about their effectiveness, and both tools have no shortage of critics. In 2011 Howard Sklar, a Forbes contributor, outlined one of the most popular criticisms, aimed at companies that view the risk assessment as a document instead of a risk management process. He noted, “Companies that fail in this way are often trying to check the risk-assessment box on their program. That’s fine, as far as it goes. At first glance, a risk assessment seems like a low-ROI effort. You put in time and potentially money, and you get back a piece of paper laying out what you already know.”

Similarly, others deride heat maps as nothing more than “colorful guesses.” Brian Priezkalns, in the not-too-subtly titled article, Why I hate Heat Maps, says “Heat maps are just a terrible terrible terrible way to understand, communicate about, and decide how to respond to risks. They either mess up what you already knew, or they hide the fact you are too ignorant to make a rational decision. Everything that can be done with heat maps would be done better with actual numbers.”

If these tools have such fierce critics, then why are they still central to most ERM programs? In this article, we’ll examine what drives the limitations, and the key missing ingredient that turns them into powerful assets.

GRC: Where to start? Productive healthcare ERM tools

Coordinated care in hospitals starts with the right GRC tools and ERM framework.

In November 2018, Baylor St. Luke’s Medical Center in Houston made two medical errors, the second of which led to the death of a 75-year-old patient. After an investigation by the Houston Chronicle and ProPublica, the Centers for Medicare and Medicaid Services issued a report in early 2019 that outlined a pattern of blood labeling errors at the hospital. A ProPublica article on the report states:

Dr. Ashish Jha, an expert in hospital quality, reviewed the government’s findings and said it appeared St. Luke’s was struggling to meet basic care standards. The labeling mistakes, he said, seemed indicative of ‘a broader systemic problem.’… St. Luke’s appeared to miss warning signs in the months prior to the deadly mistake, according to the government report.

The “broader systemic problem” Dr. Jha mentions is, unfortunately, not unique to St. Luke’s. Many hospitals and healthcare systems face organization-wide, process-related issues, especially in a modern healthcare landscape that’s rife with change. Mergers, multiple technology platforms, and changing healthcare policies, to name just a few, contribute to widespread miscommunication and a lack of transparency. This, in turn, jeopardizes the overall quality of care within these organizations.

Hospitals can limit the scope of these issues by implementing a healthcare enterprise risk management (ERM) program. Healthcare ERM establishes a standardized framework for identifying risk across an organization, encourages cross-departmental collaboration, and shifts hospitals from a reactive clinical risk program to a proactive, holistic risk management program. A straightforward process, along with the right technology that leverages healthcare analytics, can help to make this shift effective.


Facing the challenge of reputation risk management in higher education

The Operation Varsity Blues scandal has heightened reputation management concerns across the higher education community. Seeing how quickly any college or university can suffer reputational damage, and how lasting that damage can be, underscores how valuable an institution’s reputation is, and how critical it is to safeguard it.

The book Reputation management: The key to successful public relations and corporate communication, by New York University professors John Doorley and Helio Fred Garcia, opens with a quote from Warren Buffett, who addressed a group of Salomon Brothers managers in 1991 after the firm became mired in a high-profile trading scandal: “If you lose dollars for the firm by bad decisions, I will be very understanding. If you lose reputation for the firm, I will be ruthless.”

Although numerous surveys show that many leaders of higher education institutions place the same value on reputation as Buffett does, effectively managing these risks remains elusive. In fact, most cannot even define what reputation is.

Defining Reputational Risk

In the article How to Manage Reputation Risk, Nir Kossovsky addresses the definitional ambiguity directly. “From your boardroom and C-suite to the SEC and Office of the Comptroller of the Currency, everyone agrees reputation risk exists, yet few can describe it. However, this isn’t as difficult as it seems.” Kossovsky defines reputation as the expectation of behavior that is set by stakeholders. “Customers have expectations when they buy products or services, employees have them when they accept jobs, vendors have them when they partner, creditors and investors have them, and even regulators have them.” For colleges and universities, this extends to the communities that house them, the potential pool of students and parents considering attendance, research partners, and the other organizations that interact with them.


How ERM technology helps financial institutions address Matters Requiring Attention (MRAs)

Complying with Bank Secrecy Act/Anti-Money Laundering (BSA/AML) regulations is a major challenge for financial institutions. Those found with deficient practices may receive a Matter Requiring Attention (MRA) notification. The Office of the Comptroller of the Currency (OCC) states, “MRAs communicate specific supervisory concerns identified during examinations in writing to boards and management teams of regulated institutions. MRAs must receive timely and effective corrective action by bank management and follow-up by OCC examiners.”

This combined requirement of timeliness and proof of effectiveness makes delivering an acceptable response particularly challenging. Unfortunately, MRAs are not uncommon. The article Get to Know the “5 Cs” — BSA Matters Requiring Attention notes, “Most banks receive some sort of finding or ‘Matter Requiring Attention’ (MRA) or ‘Matter Requiring Immediate Attention’ (MRIA) regarding their BSA Program during a BSA exam.” Given the likelihood of receiving an MRA, and the burden associated with the response, developing a robust process to handle them is essential.

This post will examine how the right Enterprise Risk Management (ERM) system is uniquely suited to not only help efficiently and effectively respond to the challenges associated with MRAs, but also (when properly configured) help minimize them.

To understand how this is possible it is useful to “learn from the mistakes of others.”


Looking to launch an ERM program? Borrow ideas from startups

Implementing an enterprise risk management (ERM) program can be a daunting, intimidating project. Trying to introduce new frameworks and controls across the organization, roll up risk reporting from the unit to enterprise level, and initiate discussions with the board that lead to action can be overwhelming. Using techniques proven to work with startups, however, can make the process far more manageable and increase the odds for success.

Startup incubators often promote a few common themes:

  • Let customers/market dictate the product
  • Scale it down – start small and go live fast
  • Do the research and learn about the market
  • Get feedback as quickly as possible
  • Fail silently – incorporate lessons learned without dragging the whole effort down

These techniques suggest that the traditional high-profile, enterprise-wide rollout of a new ERM program may not always be the best way to launch. Instead, focusing on the smallest scale project—one with the potential to yield meaningful results—and relying on a customer-driven approach may be the key to creating a sustainable, effective ERM program.


Partner with legal when selecting RMIS and GRC technology

The responses to a recent Deloitte-commissioned survey of 300 in-house legal executives contain good news for those working closely with in-house legal departments on risk management and compliance-related issues. An executive summary of survey results, Going beyond risk and compliance: Enabling the Legal function to embrace digital transformation, indicates that a majority of respondents feel that in-house legal departments are aware of and open to the use of technology in efforts to make risk management and compliance more efficient and cost-effective.

While there is a willingness to move forward with the use of technology to automate repetitive tasks, improve collaboration, and proactively contribute to the overall strategy of their organizations, there is still work to be done. “Despite encouraging levels of awareness and signs of adaptability, survey respondents have revealed that there is still progress needed before the Legal function fully embraces digital opportunities,” write the study authors. “When they do this, Legal will be able to revamp its approach to risk management and compliance, thus becoming more agile, more integrated and more value-driven, playing an integral role in the delivery of corporate strategy.”


Looking back at 2018 — Five RMIS trends

The risk management industry certainly had an eventful 2018. As the calendar closes out another year, we’ve picked five prominent trends that may impact your organization in the upcoming year.

1. Increasing Damage from Natural Disasters and Extreme Weather

The 2018 list of major natural disasters is notable for its scope and intensity. From Japan’s flooding and mudslides to California’s wildfires to an unprecedented global heatwave, records for severity and damage were shattered throughout the year. One article noted that, “Nationwide, 8.5 million acres, an area larger than Maryland, have burned this year to date.” Unfortunately, extreme weather and increased natural disasters are becoming more commonplace.

In the article Step up your disaster preparedness, don’t wait for the news report, we discussed how to combine audit technology with weather alerts to develop a preparedness solution that works in real-time and ensures your organization is tested and ready when the next emergency hits.

2. Telematics Emerging in Fleet Management

Consumer adoption of telematics continued at a strong pace, particularly among drivers in the youngest age range, where some studies estimate four in five drivers have telematics-based policies. While the use of telematics to enhance fleet management programs has been underway for some time, the value of this data is becoming clearer.


Industry Spotlight: Healthcare Risk Management

A healthcare risk manager can benefit from a risk management system.

Risk management in healthcare is a topic that is gaining increasing importance. A large driver of this attention is the shift from fee-for-service to value and outcome-based models. An article in the New England Journal of Medicine’s (NEJM) Catalyst blog notes, “For these reasons, hospitals and other healthcare systems are expanding their risk management programs from ones that are primarily reactive and promote patient safety and prevent legal exposure, to ones that are increasingly proactive and view risk through the much broader lens of the entire healthcare ecosystem.”

This demand for an expanded view of healthcare risks has fueled the demand for Enterprise Risk Management (ERM) solutions. The road to fully functional ERM programs, however, has proven to be a challenging one for most healthcare organizations. The NEJM Catalyst article cites a report from Healthcare Financial Management Association (HFMA) that states, “Despite the growing importance of programs today, and the raised awareness of their importance, many healthcare providers have been slow to adopt a more sophisticated approach… The current state for most providers falls between ‘basic’ and ‘evolving’ maturities for ERM programs.”

The data-driven risk manager

Despite the widespread ambition of organizations to create a data-driven culture, few seem to make the transition successfully. In the article Big Companies Are Embracing Analytics, But Most Still Don’t Have a Data-Driven Culture, the authors cite the results of this year’s annual New Vantage Partners survey on data issues. “Virtually all respondents (99%) say their firms are trying to move in that direction, but only about one-third have succeeded at this objective. This gap appears every year in the surveys, and the level of success hasn’t improved much over time.”

According to a Gartner study, a similar disconnect is found: 80% of CEOs claim to accept the concept of data as an asset, yet only 10% say their organization treats it that way. Given the fairly daunting odds, why are so many organizations still fighting the uphill battle to establish a data-driven culture? Because, as a TechCrunch article notes, “Being data-driven pays!” As proof, the authors cite an MIT study finding a 5-6% higher output in data-driven organizations and other research indicating a more than $13 payback for every dollar spent on analytics.

The importance of the risk manager

Given the potential payoff of a data-driven culture, the analysis-based role of a risk manager can be a linchpin in the effort to elevate the role of data in strategic decision-making across the organization. To make this transition, risk managers need to adopt an enterprise risk management (ERM) mindset, regardless of whether the organization actually has an ERM program in place. The core of this mindset relies on using data to influence decisions and direct actions.


ERM — Rethinking the vendor management process

The vendor management process is becoming an area of increased focus for risk managers. The operational, financial, and regulatory risks third-party vendors and contractors pose to an organization continue to expand unabated. Despite the magnitude of the threat posed from lax vendor management programs, many risk managers do not feel their organizations have the technology and capabilities in place to properly face the challenge.

A Deloitte study notes that 94% of responding executives have only low to moderate levels of confidence in the tools and technology they use to manage third-party risk. Nearly 90% have a similar lack of confidence in the quality of the underlying risk management process. Armed with dubious solutions and processes, risk managers fighting for effective vendor management assessment may find it an uphill battle.

The status quo may not hold

Recent New York Times coverage of the dire supply chain effects Hurricane Maria had on the availability of critical prescriptions in the U.S. illustrates how quickly vendor management issues can escalate. The article notes, “Federal officials and major drugmakers are scrambling to prevent national shortages of critical drugs for treating cancer, diabetes and heart disease, as well as medical devices and supplies, that are manufactured at 80 plants in hurricane-ravaged Puerto Rico.”
