Enterprise Risk Management and PMBOK

Enterprise Risk Management is the term an organization uses for the disciplined management of its risks and opportunities in order to create maximum value for its shareholders. The approach is based on aligning the goals and objectives of risk management with the goals and objectives of the organization. One of the keys to this alignment is the "Risk Appetite" statement, a statement from the board that directs management on how risk is to be managed. The statement should broadly define the risks the organization is willing to take and those it is not. This statement, together with the organization's goals and objectives, guides management in selecting the projects the organization undertakes. It also guides management in setting the level of risk tolerance and in determining which risks are acceptable and which must be mitigated.

This article reviews Enterprise Risk Management (ERM) against the PMBOK® Guide (4th Edition). Most of the information on ERM comes from a study by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), published in 2004. The Treadway Commission is made up of representatives of the American Institute of Certified Public Accountants (AICPA) and COSO, which itself represents five different accounting oversight groups, together with North Carolina State University, E.I. DuPont, Motorola, American Express, Protective Life Corporation, Community Trust Bancorp and Brigham Young University. The study was written by PricewaterhouseCoopers. The composition of the oversight committee and the list of authors show the influence of the insurance and financial sectors on the study.

The approach proposed by the study, which is probably the most valuable source of ERM information, is very similar to approaches to managing quality in an organization, in that it emphasizes the responsibility of top management to support ERM efforts and provide guidance. The difference is that while quality methodologies such as CMM or CMMI place the responsibility for formulating and implementing quality policies on management, ERM places that responsibility on the board.

Let's go through the study's recommendations against the risk management processes defined in PMBOK. As a reminder, those processes are:

  • Plan Risk Management
  • Identify Risks
  • Perform Qualitative Risk Analysis
  • Perform Quantitative Risk Analysis
  • Plan Risk Responses
  • Monitor and Control Risks

ERM starts by categorizing goals and objectives into four groups: strategic, operational, reporting and compliance. In managing projects, we do not have to address operational risks. Our projects can support the implementation of reporting, and our projects may be constrained by the need to comply with organizational or government guidelines, standards or directives. Projects in the construction sector are constrained by the need to comply with the safety laws applicable on site. Financial, oil and gas, defense and pharmaceutical projects also have to comply with government laws and standards. Even software development projects may be required to comply with standards adopted by the organization, such as quality standards. Projects are key tools for achieving strategic goals, so the goals of the strategic group usually apply to our projects.

The study identifies 7 components:

  • Internal Environment: the most important element of this component is the "Risk Appetite" statement by the Board of Directors. The internal environment also includes the organization's conduct, its ethical values and the environment in which it operates.
    PMBOK® alignment: the description in the study is actually very close to the description of Enterprise Environmental Factors. Enterprise environmental factors are an input to the Plan Risk Management process. PMBOK also mentions organizational risk appetite, as well as risk attitudes, in its description of enterprise environmental factors.

  • Objective Setting: management is responsible for defining objectives that support the organization's mission, goals and objectives. At this level, objective setting must also be consistent with the organization's risk appetite. The objectives discussed here may refer to the setting of project objectives and to any of the 4 groups of organizational objectives.
    PMBOK® alignment: goals and objectives include those that address risk management. The project's cost and schedule management plans are inputs to the Plan Risk Management process. These documents must include a description of the goals and objectives set out in each area. These goals and objectives can then be used to categorize risks (Identify Risks), prioritize them (Perform Qualitative Risk Analysis) and respond to them (Plan Risk Responses).

  • Event Identification: events that threaten the organization's goals and objectives are identified, as are events that offer the organization opportunities to achieve its goals and objectives (or goals and objectives not yet identified). Opportunities can be fed back into the organization's strategy or objective-setting processes.
    PMBOK® alignment: this component fits exactly with the PMBOK Identify Risks process. The only major difference is the recommendation that opportunities be fed back into the organization's strategy or objective-setting processes. PMBOK does not provide guidance here, but this component can easily be supported by raising opportunities not covered by existing project goals or objectives with the project sponsor.

  • Risk Assessment: risks are assessed on the basis of probability and impact. Risks should be assessed on an "inherent and residual" basis. This simply means that after the risk mitigation strategy has been defined, its effectiveness is determined by re-scoring the probability and impact of the risk with the mitigation strategy in place. This score is referred to as the residual risk.
    PMBOK® alignment: this component is closely aligned with the Perform Qualitative Risk Analysis process. That process assesses the probability and impact of the identified risks. Monitor and Control Risks also supports this component; it is the process that measures the effectiveness of mitigation strategies and so determines the residual risk.

  • Control Activities: policies and procedures designed to ensure that risk responses are carried out effectively.
    PMBOK® alignment: this component is supported by the Plan Risk Management process. The output of that process is the risk management plan, which describes the risk management procedures the project follows. Keep in mind that Control Activities are broader than Plan Risk Management; the plan only contains the project's procedures. Monitor and Control Risks also supports this component, as it ensures that the procedures defined in the plan are implemented and effective.

  • Information and Communication: this component describes how risk and risk management information is identified, recorded and communicated throughout the organization.
    PMBOK® alignment: this component is supported by the Communications Management knowledge area. The processes in this area handle all project communications. The risk management plan defines what information is recorded and how it is maintained; the communications management plan describes who receives the information, when and how.

  • Monitoring: specifies that the ERM itself is monitored and modified as necessary. Monitoring and modification are carried out in two ways: ongoing management activities and audits.
    PMBOK® alignment: Monitor and Control Risks supports this component. This process oversees risk management activities and ensures that they meet the project's goals and objectives. Risk reassessment, variance and trend analysis, reserve analysis and status meetings are used. The process describes risk audits as a technique for determining whether the planned activities were carried out and whether they were effective. One output of this process is an update to the Risk Management Plan when the activities do not control risk effectively. Preventive and corrective actions are also proposed to address cases where activities were not performed or were performed improperly.

ERM provides assurance that all seven components are in place and effective across all four categories of organizational goals and objectives. Project management will not cover every element of every category, but it will cover the organizational goals and objectives supported by the project, as well as all the reporting and compliance goals and objectives that apply to the project.

The internal control aspect of ERM is covered by the guidelines described in the COSO document Internal Control – Integrated Framework. We will not describe these guidelines in detail, but only in summary. The ERM study is aligned with the guidelines and refers the reader to that document for the details of compliance. Those details would apply to the body implementing ERM; the implementation should be initiated by the Board of Directors and would affect a Project Manager only if he or she were responsible for the ERM implementation project. The guidelines treat risk management together with the organization's other internal controls (keep in mind that these guidelines are oriented to the insurance and financial sectors). The guidelines assign responsibility to 3 organizational roles: the Chief Financial Officer, the Chief Information Officer and the Risk Manager. The Risk Manager may be replaced by a Senior Risk Officer. The CFO is responsible for overseeing the internal controls over financial reporting, the CIO is responsible for overseeing the internal controls of IT systems, and the Risk Manager is responsible for the internal controls over compliance with laws, standards and regulations. The guidelines repeatedly state that risk management is driven from the top of the organization, as evidenced by the corporate officers made responsible for its oversight.

Internal Control – Integrated Framework also recognizes that controls and control procedures are prone to human error and that not all procedures are of equal importance. The key processes are identified using "key-control analysis", which determines whether control procedures and processes are effective. The guidelines also seek to provide guidance on identifying preventive or corrective actions to improve internal controls. This is done by evaluating information that measures their effectiveness, but only where that information is "persuasive". The guidelines call for internal audit of the internal control procedures, but recognize that not every organization is large enough to justify this role, in which case external audit stands in for internal audit.

Most of the reporting falls within the project manager's responsibility because the guidelines deal with "internal" concepts, meaning that the reports will only be read within the organization. In some cases, reports may be read by external third parties. The project manager's risk management reports may form part of the information provided outside the project, but the project manager is not responsible for external reporting.

The guidelines provide for the framework to be scaled to the size and complexity of the organization that adopts it. Scaling requires the organization to identify who will be responsible for a given activity. For example, an organization may not have a senior risk officer, in which case responsibility for compliance must be assigned elsewhere. This responsibility transfers to the project manager when compliance objectives are part of the project's objectives.

ERM was designed to serve the financial and insurance sectors, and certain aspects are specific to those industries. Some, indeed most, of the components apply to industry in general. Keep in mind that participants in the study came from universities, electronics (Motorola) and chemicals (E.I. DuPont). The project management best practices described in PMBOK® support ERM very well with little modification. The trick is to identify the project risk management activities that align with and support ERM. Once that is done, implementing ERM through your project becomes simpler.
