Sounds easy. Few get it right. There are many ways to think about the business model. My experience after watching very high level executives on this subject is know your audience and use the tool that works for them.

Value Chain is one tool. Some find this approach better because of the insights gained on the process and the linearity.

Business Model Canvas is another tool. Some find this approach valuable because of the focus on key concepts such as the value proposition, channels, relationships.

Also consider Agile. Specifically, consider a combination of speed, direction, and the ability to pivot, adapt, and accelerate. How does the value chain or business model get changed if we have to pivot, adapt, or accelerate?

Okay, maybe that’s not the best title but use tools such as an implications wheel or a mind map. These will help you understand how the drivers might further impact your business. My grad ERM students are good at this so hire them (yes, i’m always fighting for my students).

Start the dialogue about the future drivers and what the new normal might look like. My best guess - it is no where near what we used to be. As an example, work-from-home will likely rise and become permanent. Same thing for online learning. The key is to consider all these and other future drivers. Get the drivers on the table and get the conversation going. Include the right players (stakeholders, creative folks, business leaders, supply chain, technology, etc.).

Once you’ve got the drivers, you can apply scenario analysis to these drivers. Most of us have done that and it can be valuable. Lots of good reading on that. More on that and other tools coming up. However, instead of thinking in 2 x 2 scenarios, think of levels. L1 to Level 6. Level 6 means you really have no idea how things will turn out. McKinsey has a great older article on levels and it is worth reading.

If you’re not agile, you better be resilient. Stuff happens.

The Center for Excellence in ERM is releasing the latest white paper on “Embedding ERM into the Organization.” Some highlights include:

• Senior management and the board are highly risk aware. Others in the organizations need to step it up to get on the same page.

• Senior management, management, and strategy are the three areas most likely to see the upside of ERM. ERM leaders should partner with them in developing the value proposition.

• The top ways ERM supports the organization are assessments, workshops, guidance, identifying and building ERM, and risk monitoring. There are many other tools in the ERM toolbox. ERM leaders should choose the tool that best fits their organizational needs and culture.

• New risks are being considered more and more, with major decisions, new strategies, and new partners showing up at the top.

• Silo risk management is still a problem and a significant barrier to overcome. Several techniques for improving the integrated risk conversation were identified.

I gave a talk on managing risk in a time of disruption and had a chance to get some survey data from a large financial executive audience. The questions and responses are as follows:

COVID is not #1:

The largest risks facing my organization are:

• 22% - from COVID 19

• 40% - from a likely recession

• 29% - from business model changes as a result of the above

• 9% - from risks that existed before COVID 19

The lesson? It’s not COVID that’s now the risk but the recession and the change in the business model.

The key to getting through:

The key to getting through strategy disruption is:

• 12% - seeing it before others

• 6% - understanding the speed

• 34% - being resilient

• 17% - interpreting the disruption

• 32% - linking the disruption to the business model

The lesson? First, try to get through but a close second is to figure out what the new business model will look like. Not a lot of strategy books talk about resilience but there are many that can help us think through the business model and how it might be impacted.

Years ago COSO published a risk assessment document that had a MARCI chart in it. That chart seems more and more like a good idea these days. Since we are not the best at estimating probability then we should periodically look at our risks from a MARCI chart view. That is, plot your known risks on Impact and Vulnerability. Add Velocity.

The result will show you which large risks could seriously hurt the organization and how fast you think those are moving. Anything that pops up as high impact, high vulnerability, and high velocity needs to be tested and thoroughly analyzed.

Graduate school ERM readings/handouts on the subject.

Rediscovered this in some of my earlier writings:

The limitation that ERM faces is captured in the following statement: "There are knowns, known unknowns, and unknown unknowns." (Author unknown.) Former Secretary of Defense Donald Rumsfeld changed this quote as follows: "The message is that there are known knowns—there are things that we know that we know. There are known unknowns—that is to say, there are things that we now know we don't know. But there are unknown unknowns—there are things we do not know we don't know. And each year we discover a few more of those unknown unknowns." (From a briefing by former Secretary of Defense Donald Rumsfeld, as reported in the Daily Telegraph (London), March 12, 2003, at 14.)

Attached are recent ERM reporting lines based on 2019 data from our ERM Summit.

Although 30% report through finance there is quite a bit of variation.

At a recent St. John’s Center for Excellence in ERM Summit ERM leaders reported the top ERM ways they support their organizations. One ERM leader noted that they provide gap/risk assessments to business units before new systems and programs are deployed. Another ERM leader stated they do pre-business partner risk assessments, and another has ERM get involved in projects above a dollar threshold. As seen in the numbers below, around 60 percent or more of ERM leaders provide definitions, tools, deep dives, and bring in external thought leaders. Others help with monitoring, building ERM, and offering risk guidance, risk workshops, and risk assessments. ERM has clearly become a busy job with many tasks and an expanding job description. Gone are the days of the annual survey being the only thing some ERM leaders achieved. 

One ERM leader highlighted that the tools not only enable ERM but they also change the culture, specifically noting that the tool helps them drive focus and message and also help communicate risks. Another ERM leader shared the importance of a risk taxonomy and how it can be used to create transparency across processes, thereby furthering ERM integration. Other interesting ERM offerings include independent review/challenge, quantitative assessments, and linking risks to other risks (emphasized in the new COSO 2017 Framework). 

Independent review & challenge

2%

Quantitative risk assessments

36%

Development of risk training and videos

43%

Policies

45%

Risk consulting

50%

Linking risks to other risks

55%

Definitions

61%

ERM tools

61%

Risk deep dives

64%

Bringing in external risk thought leadership

66%

Risk monitoring

68%

How to identify and build an ERM approach

68%

Risk guidance

70%

Risk workshops

70%

Risk assessments

89%

The Center for Excellence in ERM Fall 2019 Summit focused on embedding ERM into the organization. One key that came out of that Summit was shared perspectives on how to embed it more. Suggestions from ERM leaders included:

Boards voicing  ERM support

Improving overall culture

ERM awareness initiatives

Face-to-face discussions

Collaborative workshops

Training ERM ambassadors

Showing the bus model risk to management

Integrating ERM  into the organizational units

Incorporating ERM into goals

Having clear ownership of risks

Becoming partners with the business units

Executives voicing ERM support

Building ERM into strategy

Boardroom advice for handling disruptive risks

Great coverage in the WSJ on ERM and St. John’s.

While some spend time trying to define and identify exactly what is happening... one thing is clear: this digital disruption and transformation risk is real and it is important. Companies and leaders sense the risk and are reacting. What makes it difficult is distinguishing the hype from reality. Making that even more difficult is the fact that so much angel investor type money has moved earlier in the process, seeking companies and ideas before they ever go public. The result is that executives seeking to learn what others are doing must look elsewhere (other than public filings and public information). ERM leaders gathered at the Center for Excellence in ERM Fall 2018 ERM Summit to discuss what others are seeing, the impact of these disruptions, the associated risks, business changes, expectations, and how companies are responding. The white paper can be dowloaded here.

Attended the Lean Startup Summit in Berlin this past February. In my view, ERM needs to play a bigger role because the risks must be identified and managed in innovation just as in daily objectives. One thought at the conference that got discussed was that the really big strategic risk is related to different dimensions. Those dimensions are revenue (not new) but also how the new idea/project/innovation might transform the organization. See the map here. Organizations feeling more disruption might want to map their projects using a similar approach. The most important place is probably location 1. This perspective can help organizations consider which projects to prioritize.

Once we’ve got the risk risk identified, a key question for leadership and the board is do we have the right talent to manage this risk?

Collin’s “Good to Great” highlighted the importance of getting the right people. The same thing applies in managing risks. I’ve seen this show up in several companies and know of others who have closed this loop. A few example questions:

• If your organization is facing massive disruption and digital changes and no one on the board or in leadership has a good understanding of this then the risk could be higher.

• If your organization plans on opening new locations but hasn’t thought through the implications of not having the talent already in place and trained, then the likelihood of not meeting the objectives goes up.

Our current and preliminary data analysis in the tech industry shows:

• half of value killers are strategic setting

• half of value killers are strategic execution.

The big ones:

• Almost 90% of big value killers are strategic setting

The agility link:

• the strategic setting mistakes and losses take 2.5 times longer to recover.

One lesson:

• ERM around strategic setting risk can pay off in big ways.

I’ve seen all those studies and slides from so many organizations and consultants that state that strategic risk is the most important risk out there that leads to lost value. I don’t think anyone disagrees with those general findings.

My academic brain keeps wanting to know more. If COSO has strategic risk in 3 dimensions is it possible for us to know which of those is the problem? In other words, is the lost value because of strategy setting, strategy alignment, or strategic execution? To me, that’s the bigger question.

Well, i’ve got this one bright graduate student helping me trying to answer this question.

Very very preliminary but the interesting finding (so far…) is:

• most value killers that are small are strategic execution related.

• the largest value killers? they are primarily strategy setting.

If we want to really help our organizations with strategic risks then we must get involved in the questions around whether we have the right strategy set!

I heard a talk in Berlin recently that inspired me to think of risk in new projects this way. Take all the disruption or new projects and map them as follows:

Vertical axis is new growth

Horizontal axis should include transformational/blue ocean dimensions like:

• improved relationships with customers

• new customers

• future new business model to make you more competitive

High growth projects with high transformational / blue ocean possibilities are the key in a disruptive / ultra competitive world. That doesn’t mean we don’t identify the risks in those projects - we still should do that because it may be even more important. But here’s a lesson from long ago in my career. Identifying the risks takes serious thought and the most important risks come up at the end, not in the first 5 minutes. It takes deep thinking.