This week I thought I'd re-print an extract from an interview with Greg Carroll by Greg Hutchins from the US-based Certified Enterprise Risk Manager® (CERM) Academy, on my upcoming book "Mastering 21st Century Enterprise Risk Management".
• Developed Department of Homeland Security certified risk methodologies.
About CERM® Academy:
Quality + Engineering (Q+E) developed the Certified Enterprise Risk Manager® certificate program to provide training to engineering, technology and operational professionals. Quality + Engineering has taken the global lead on operational enterprise risk management (ERM).
[Greg Hutchins]: Can you provide the readers a little background on who you are and your new book Mastering 21st Century ERM?
[Greg Carroll]: My working career started at Coopers & Lybrand's Management Consulting Services in the mid-1970s, working in their Financial Modelling area. This led me to do a Graduate Diploma in Computer Simulation in the late 1970s. This was predominantly to do with using mathematical modelling in decision making, an area of mathematics known today as operational research. In 1981 I started what today is Fast Track, implementing software for Compliance and Risk solutions. Focusing mainly on regulatory compliance in safety-critical environments such as Aviation, Health and Utilities, our clients include the Dept of Defence, Dept of Health and SA Water, as well as corporate clients like Serco, Fosters and Motorola.
[Greg Hutchins]: Why do you think that RM and/or ERM is not working?
[Greg Carroll]: Through general discussions with C-level executives I have detected a widespread view that RM is a bureaucratic necessity for regulatory bodies but of little real value, and that ERM is just a management fad. This was supported by a number of formal research findings this year, including from KPMG and Milliman.
I believe current practices are not only out of date but not applicable to today's business environment. Unlike 10 years ago, today business is highly volatile and paradigm shifts are not only common but occur at light speed. We need 21st century management systems and tools capable of reacting to events quickly. Periodic reviews no longer cut it. In my book I compare it to the change from the Wild West of the 1890s to the Roaring 20s, where the wagon and cowboy were long forgotten; that is how I see the change from the 1990s to the 2020s.
[Greg Hutchins]: What do you propose as a solution for 21st century ERM?
[Greg Carroll]: None of what I am proposing is new or groundbreaking. I studied operational research 30 years ago, and Bayesian modelling has been around for 250 years. The key issue is that we need a paradigm shift in risk managers. Instead of being risk averse, they need to be focused on developing opportunities, and be formally schooled in basic decision modelling and probability mathematics. I believe a large number of those practicing risk today are not suitable for their role in the 21st century.
[Greg Hutchins]: What is a neural risk model and how does it work?
[Greg Carroll]: A neural risk model interrelates all risks, causes and drivers, allowing for both vertical and horizontal aggregation in all directions. Any single item can be a risk, a cause or a driver under different conditions. The traditional view of a risk having a specific value is not reflected in the real world. Operational risks are connected to financial risks, which are both related to reputational risk. All three need to be managed differently but need to affect one another in real time. Using environmental monitoring (including from Big Data) with triggers to fire re-evaluation of effects across the entire enterprise is what is needed to meet board-level expectations for ERM.
[Greg Hutchins]: How do you see QMS or quality fitting into 21st century ERM?
[Greg Carroll]: I see QMS as inextricably tied to ERM. You cannot have one without the other. ERM must be focused on increasing shareholder value, which in turn requires a delivery vehicle, which QMS provides. ERM is your intelligence unit and QMS your field commander.
[Greg Hutchins]: What do you see as the future of ERM in a. ISO 9001 (2015); b. GRC; and c. Management systems?
[Greg Carroll]: I do not hold to a number of the current arcane debates on definitions and boundaries of management systems. I believe in a single integrated management system for GRC, with not one framework but multiple frameworks applicable to each specific area of need. I am still hopeful that there will be a convergence of ISO 9001, ISO 31000 and GRC, but with the political nature that has developed around these groups I fear they are just designing a better horse.