LEARN FROM EXPERTS THAT PIONEERED OBJECTIVE-CENTRIC RISK AND CERTAINTY MANAGEMENT #ORCM
CERTIFICATE in OBJECTIVE-CENTRIC RISK & CERTAINTY MANAGEMENT (CORCM)
Practical, step-by-step training to equip you/your risk function and/or internal audit department professionals to implement and maintain the newest generation of ERM and Internal audit – objective centric risk and certainty management. Earn CPE = 20
Whether you are a risk specialist or an internal auditor, there are clear signs that the future of both professions is objective centric risk and certainty management.
In 2017 COSO issued new ERM guidance. The title is “Enterprise Risk Management: Integrating with Strategy and Performance”. It calls on risk professionals to transition from risk centric/risk register based ERM to one that focuses on assessing the risk/certainty linked to top strategic/value creation and value preservation objectives and directly linking risk assessments with performance data.
ISO 31000 2018, the global risk management standard, defines risk as “effect of uncertainty on objectives”. The introduction opens with:
“Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.”
“Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.”
In the internal audit space, the IIA issued Sawyer's Internal Auditing: Enhancing and Protecting Organizational Value, 7th Edition in 2019. The book chronicles an evolution in internal audit methods/thinking. The most evolved type of internal auditor, which started to emerge in 2015, is termed “the Objective-Based Auditor”:
1. 1941 - the Internal/External Auditor
2. 1970 - the Internal Control Process Auditor
3. 1990 - the Risk-Based Auditor
4. 2000 - the Risk Management-Based Auditor
5. 2015 - the Objective-Based Auditor
Dan Clayton, one of the principal authors of this IIA Sawyer update, gave a progress report in February 2021 in a LinkedIn post. His conclusion was not encouraging: “Many internal auditors are still producing the original internal audit value from 1941.”
In 2020 the IIA updated the original THREE LINES of DEFENSE, a weak 1st LINE model, and issued the new THREE LINES MODEL. Even a quick scan of the overview diagram below makes it clear that the focus of the 1st and 2nd “LINES” is “Actions (including managing risks) to achieve organizational objectives”. The focus of the 3rd LINE is defined as “Independent and objective assurance and advice on all matters related to the achievement of objectives”. The role of the “GOVERNING BODY” is “organizational oversight”. Given the roles defined for the 1st/2nd/3rd lines, it’s clear the board’s job is to oversee the risk/certainty that top value creation and preservation objectives are achieved.
Powerful institutional investors are escalating pressure on Boards of Directors to demonstrate that they are effectively overseeing strategic planning and risk management. The International Corporate Governance Network (ICGN), a global not-for-profit representing companies with assets under management totalling over $26 trillion, calls on investors to start by focusing their attention on the boards of investee companies:
“The risk oversight process begins with the board. The unitary or supervisory board has an overarching responsibility for deciding the company’s strategy and business model and understanding and agreeing on the level of risk that goes with it. The board has the task of overseeing management’s implementation of strategic and operational risk management”.
Benefits of Objective-Centric Risk & Certainty Management
- All efforts are focused on increasing/managing the certainty of achieving top strategic/value creation and value preservation objectives, objectives key to a company’s long-term success.
- Accountability to assess/report on risk/certainty is positioned squarely with management most responsible for achievement of the objective(s) and reacting quickly when new risk information and opportunities emerge, and/or performance data indicates major problems.
- The focus of the 2nd LINE is to help the 1st LINE be the primary risk/certainty assessors/reporters. The 1st LINE provides primary status data to the CEO and Board. The focus of the 3rd LINE is to assess and report opinions to the Board on the reliability of the risk/certainty status information the Board gets.
- The C-suite with Board oversight defines the top strategic/value creation and value preservation objectives they want risk/certainty information on. Risk management and Internal Audit move from being “supply driven” to “demand driven” by their customers. A much safer place to be.
- CEOs/Boards (RM/IA customers) specify the objectives important enough to warrant the cost of formal risk/certainty assessment and they specify the target level of risk/certainty assessment rigor. Risk/certainty assessment rigor options range from “intuitive/experiential” done by an Owner/Sponsor with or without facilitator assistance taking as little as an hour, to the most advanced risk/decision support methods available that may require many weeks, even months of time/effort.
- Professionals taking this training are well positioned for future positions in 1st/2nd/3rd line groups in public and private sector organizations that buy the business case for objective centric risk and certainty management.
- All the LINES are focused on assessing/reporting on the risk/certainty of achieving the company’s most important objectives. The goal – better data to make important decisions. For the first time, all the LINES use a common taxonomy and method to assess and report on risk/certainty of achieving top objectives.
- Boards/companies are able to demonstrate to powerful institutional investors and regulators they are overseeing strategic planning, the effectiveness of the company’s risk management framework, and effectiveness of internal audit.
- The value added by risk functions and internal audit is increased exponentially per dollar of spend.
c-ORCM Certification Courses included:
- Strong 1st Line Objective Centric Risk & Certainty Management: The big picture, business case, and linkages to COSO ERM 2017, ISO 31000 2018 and IIA 2020 THREE LINES MODEL.
- Selling the business case and overcoming objections to strong 1st LINE/demand driven/objective centric risk and certainty management.
- Populating the Objectives Register: Methods to decide on/identify top strategic/value creation objectives and value preservation objectives and assign Owner/Sponsors, target risk/certainty assessment rigor, and target independent assurance.
- Identifying risks: Introduction to 10 primary methods to identify risks to an objective and 30 to 40 supplemental methods to identify/assess risks that affect the certainty that objectives will be achieved.
- Methods to identify risk treatments available to mitigate risk/transfer risk/share risk/finance risk/avoid risk/accept risk. Methods include using a 9 category Risk Treatment Principles/100+ sub-element framework and other methods including research, benchmarking, facilitation prompts and many more.
- Creating a reliable picture of the current Residual Risk Status/Certainty linked to top objectives for decision makers, including best available performance data, impacts of non-achievement of the objective, impediment data, and accepted and unacceptable concerns/unmitigated risk situations. This step defines an organization’s true “risk appetite/tolerance”.
- Reporting results to Owner/Sponsors/C-suites/Boards: Recommended reports and summary commentary from CROs/CAEs.
- 6 Level quality assurance framework: Ensuring that the C-Suite and Board are getting materially reliable information on current risk/certainty linked to top strategic/value creation objectives and value preservation objectives.
- Selecting software to support OCRCM: Lessons learned since 1996 building and implementing objective centric software systems. Beware of vendors who say their software can be configured to do anything/everything.
- Using objective centric risk and certainty management for SOX 404/SOX-like risk/control assessments to identify the balance sheet/income statement line items/XBRL codes with unacceptable residual risk/certainty.