The workshop focuses on enterprise risk management (ERM). It is delivered through lectures, class discussions, articles, case studies and exercises. Topics covered include identifying, classifying, assessing and controlling operational risks, and planning and implementing risk mitigation strategies for the risks identified.
The workshop will help participants understand and develop risk management skills and apply them to real-life ERM projects. Participants will learn how to implement enterprise and programmatic risk management in their organizations, and why management is adopting a portfolio view that brings together the many separate views of risks and controls within the organization and across the supply chain. The workshop format is approximately 1/3 lecture, 1/3 exercise and 1/3 'lessons learned' discussion.
What You Will Learn:
- What enterprise risk management is and when to use it
- How to implement ERM successfully
- ISO 31000, COSO ERM, NIST SP 800-37 and additional ERM frameworks and standards
- How to identify risk tolerance and risk appetite for operational decision making
- How to apply the operational risk management process
Key Terms and Definitions
- What is ERM? What is GRC?
- ERM Drivers, past and present
- Why does ERM fail? Succeed?
ERM Core Building Block: Decision-making
- What is a decision?
- Who are the ERM decision makers?
- Decision framing
- Risk appetite/tolerance/biases
- Key ingredients: principles, process, behavior and performance
- Quantification and qualification of risk
- Common decision techniques and pitfalls
- What makes a good decision?
- Creating a level decision-making playing field
- Exercise: Understanding
Different Approaches to ERM
- ERM standards: COSO, NIST, FAA, ISO, NASA, etc.
- Strategic, operational, financial, insurable, social risks in an ERM context
- Linking strategic, operational and financial risks
- Adaptive management benefits/pitfalls
- Enterprise (entity level) risk, programmatic/project risk, transactional/product risk
- Exercise: Growth of ERM discussion in security (cyber & physical), Gulf oil spill, etc.
- Exercise: Services business case study
Introduction to ERM Frameworks
- COSO ERM explained
- ISO 31000 explained
- NIST SP 800-37 explained
- Common features of ERM frameworks
- Exercise: Enterprise Risk Management in companies and federal/state agencies
- Case study: Rockwell Collins ERM Approach
Elements of the COSO ERM Framework
- Discussion of the COSO ERM cube
- The eight components of the framework
- Benefits/challenges of framework
- Exercise: COSO framework application
Elements of the ISO 31000 Risk Management Framework
- Discussion of the 31000 approach
- Risk definitions
- Relationships between the risk management principles, framework and process
- Benefits/challenges of framework
- Linking to ISO/IEC/IEEE 16085, the systems and software risk management standard
- Case study: Similarities and differences between project risk management standards
NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- Integrated organization-wide risk management
- Security control allocation
- System development life cycle (SDLC)
- Review of the life cycle process
- Exercise: Managing enterprise risk on a government project
ERM in the Real World
- Organizational risk culture
- Who owns ERM?
- Implementing ERM: top-down, bottom-up or middle-out?
- Avoiding organizational risk conflicts
- Risk capability and maturity
- Case study: Various forms of enterprise (entity-level), programmatic/project and event-based controls
- Exercise: Managing the risks in a supply chain
Your Next Steps
- Identify the critical next steps for implementing an ERM program
- Exercise: Discuss and evaluate ERM plans
IIE reserves the right to cancel a class up to 15 business days prior to the scheduled start date.