Welcome to the Regulatory Compliance DSIG Wiki

RFP: Management of Regulation and Compliance

September 22, 2009: the OMG has issued a new RFP, “Management of Regulation and Compliance” (MRC), developed by the Regulatory Compliance DSIG and sponsored by the Business Modeling and Integration (BMI) Task Force.

For details see MRC page


Risk Management

Joint development with the OMG BMI Task Force

[Henk de Man - Jan 14] Just a few draft bullets to start:

  1. Enterprise risk relates to Enterprise Governance. Enterprise Governance is about steering an enterprise in a good direction. Enterprise Governance is about business drivers (and issues), objectives (and/or goals), rules (or directives), transformation initiatives (or courses of action) and changes, etc. etc. Typically BMM context, but elaborated further.
  2. From a performance perspective it is common to talk about “business drivers”, “objectives” and “rules/directives”, and their counterparts from the conformance (or compliance) perspective: regulations, control objectives and (internal) controls.
  3. Enterprise Governance is “driven” from multiple sides: At strategic level, assessment of external business drivers leads to formulating goals or strategic/tactical objectives, and to meet these, transformation initiatives are suggested, and balanced in a portfolio of initiatives. Etc. At operational level, where issues show up, continuous improvement activities are conducted. And from here, transformation initiatives can be suggested/requested as well, and added to the portfolio. When initiatives are selected for execution, analysis has to take place (as is, to be, etc.). What has recently been suggested as “SOA value chain”, “Robust Value chain” or “Value Delivery Model” will be an excellent first-order analysis model in this context. Analysis will lead to suggested/proposed changes (possibly accompanied by “operational” rules/directives), which are to be implemented in the operations. At operational level, monitoring will take place, which might lead to detecting new issues, etc. (…. and here the cycle starts again …).
  4. Risk relates to both performance and conformance aspects. E.g. undertaking initiatives (or “courses of action”) to meet performance objectives (or maybe deciding to not undertake them) might lead to risk. Undertaking initiatives to meet “control” objectives might decrease risk. Deciding to not undertake them might lead to risk. Sometimes people might intentionally take risk.

- As performance aspects (cost, time, quality, availability) can be analyzed based on value delivery model, probably elements of “conformance” and “risk” can be analysed based on such a model as well.

  1. Risk has to be definable and measurable (like also performance is). Risk indicators might have some analogy with performance indicators (KPIs). (… not sure …)
  2. Risk is mitigated by implementation of controls (“internal controls”). Controls can be implemented in many ways, including web-services (maybe implemented as processes), business rules, etc. There should be relationships all the way down: driver/regulation ⇒ objective ⇒ rule/directive and implemented controls.
  3. Monitoring is required to detect non-conformance events, or any issue (that relates to risk), which might be analyzed on root-cause, etc. Monitoring can be done at multiple levels: real-time events (possibly complex events), as well as “KPI”-like measures.
  4. From the above it is clear that “conformance” and “risk” are “red threads” throughout the entire Enterprise Governance framework. This also relates to many elements of business modeling. From BMM+ down to Process, webservices, etc.

[Jeremiah Albrant - 29 Jan]

  1. ISO 31000 (draft) is expected to be published this year; it covers risk management, so we should be aligned with it and not duplicate work.
  2. assess_manage_and_model_risk is Nick's whitepaper on the subject, includes a data model mapped to RASIC chart.

Risk Assessment

Powerpoint presentation from Fred Cummins [posted by John Hall 13 February 2009]

Risk Assessment

Measurement of the probable impact on an enterprise of changes in circumstances.

  • Includes threats and opportunities
  • Expressed in terms of probability X potential loss
  • Addresses specific risks as well as composite risk
  • Exposes risks of coincident circumstances

Objectives

Define a framework for computation and reporting of risk for

  • Governance
  • Stakeholders
  • Mitigation

Define a standard for the aggregation of risk to create an enterprise risk profile

Risk Metric

Probability of occurrence X cost of consequences

Risk Factors

  • Loss or missed opportunity
  • Obsolescence
  • Industry leadership
  • Operational failure
  • Market value

Risk sources

  • Resources
  • Marketplace
  • Operations
  • Projects
  • Intellectual capital
  • Confidential information
  • Terrorism/sabotage
  • Human error

Cost of consequences

  • Lost production
  • Lost sales
  • Lost reputation
  • Legal liability
  • Lost assets
  • Enterprise stability
  • Propagation of effect
  • Feedback, synergy (co-occurrence)
  • Time to recover

Risk Computation

Risks may be modeled and computed in different ways in different contexts

The results of specific risk assessments should be incorporated in an enterprise risk measure or profile

Composite risk should reflect

  • The occurrence of different risks as a result of a common event
  • The net effect of similar effects caused by coincident events

Mitigation of risk

Risk metrics should reflect mitigation

  • Reduce likelihood/potential loss
    • Alternative sources of resources
    • Diverse markets/product portfolio
    • Redundant operational capabilities
  • Reduce impact
    • Stockpile resources
    • Minimize fixed costs
    • Maintain reserve operational capability
  • Reduce positive feedback
  • Countermeasures

System Dynamics

Risk is mitigated or amplified as a result of feedback or common underlying causes

  • Business growth or decline
  • Feedback mechanisms that impact stability
  • Market reactions to enterprise effects

Identification of risks

  • Analysis of assumptions
  • Acceptable limits on variables
  • Variance of outcomes
  • Ecosystem disruptions

Framework

  • Taxonomy of risk factors to consider
  • Probabilities of occurrence of external factors
  • Model to capture risk factors, their impact and dependencies
  • Technique for analysis of enterprise stability and agility

Henk de Man's response (12 Feb 2009)

Fred,

I think we can proceed with your input as a core piece. I have some questions/suggestions here. Can you (and the others) give your opinion on them.

  • Is risk a new artifact to model, in addition to the standards we have or aim to have ?
    • [FAC] I think so. It is a view of the enterprise. Certainly it is related to other aspects of the enterprise as our other models are, and should, in the long term, be part of an integrated model of the enterprise.
    • [HdM] Agreed. But I guess it might go further. If there is a risk, you might define an objective to tackle or mitigate it. Also: when you have an objective (e.g. measurable objective, wrt a certain line of business), you might introduce new risk or increase risk by it. In both cases you would probably like relationship between the risk and the objective. Next to objectives there are also directives. Some of which might be “controls” that also relate to an identified risk. Courses-of-action (or initiatives) might be defined in relation to all this, etc. When there is risk that relates to objectives, you may want to decide to mitigate the risk, or to “take” it. This is about decision management. Which is about the DNA of governance, and we need to think about that as well. Etc. Etc. So, probably “risk analysis/management” is a “view” on enterprise governance. It is probably an integrated “aspect”. In terms of BMI roadmap graphics, “Risk analysis” could be another “oval”. But we need to define the interiors of the oval, as well as the relationships to the other pieces. And probably it is very much related/integrated.
  • What are differences/similarities between business risk indicators and business performance indicators? In terms of business modeling we need both. As of today, we have neither of them.
    • [FAC] Certainly they are related through the risk of not meeting performance expectations, but there are risks that are only indirectly related to performance such as not being able to borrow money or a new technology that makes your products obsolete, or…
    • [HdM] Functionally, risk indicators and performance indicators are indeed different, though they can be related to each other, as you say. But they have much in common on other aspects, like: there are underlying business data sources from which to abstract and calculate (either performance or risk, or both). Like performance indicators, also risk indicators might be “basic” (e.g. based on query) or “composite” (e.g. based on formula). Visualization of performance and risk might be similar as well. Also other aspects might be common, like benchmarks, etc. When I am drawing a meta-model in my mind to support Rummler-brache type of performance analysis/management, I feel that a meta-model for risk analysis might probably not be very much different. Contextual relationships might also be very similar (e.g. product, customer/market, or value chain, etc.). I also feel that executives (and associates) when they would like to see analysis of their business or line of business, they would like to see combination of performance and risk factors. Maybe not just risk. Or not just performance.
  • How does risk relate to “BMM-like” concepts such as influencers/drivers, goals/objectives, etc.
    • [FAC] Risk is most closely related to Threats and Opportunities. In my book, I associated risk assessment with SWOT.
    • [HdM] Agreed. But I guess it might go further. If there is a risk, you might define an objective to tackle or mitigate it. Also: when you have an objective (e.g. measurable objective, wrt a certain line of business), you might introduce new risk or increase risk by it. In both cases you would probably like relationship between the risk and the objective. Next to objectives there are also directives. Some of which might be “controls” that also relate to an identified risk. Courses-of-action (or initiatives) might be defined in relation to all this, etc. When there is risk that relates to objectives, you may want to decide to mitigate the risk, or to “take” it. This is about decision management. Which is about the DNA of governance, and we need to think about that as well. Etc. Etc. So, probably “risk analysis/management” is a “view” on enterprise governance. It is probably an integrated “aspect”. In terms of BMI roadmap graphics, “Risk analysis” could be another “oval”. But we need to define the interiors of the oval, as well as the relationships to the other pieces. And probably it is very much related/integrated.
  • How do we locate risk in the enterprise. E.g. in relation to certain lines of business (“value chains”). In particular: how would we relate risk
    • [FAC] In my book, I took the approach of identifying assumptions and considering the consequences when the assumptions are broken. This could be for example the assumption that the “happy path” is not interrupted, or at least the happy path and the exceptions for which we've programmed actions.
    • [HdM] But if all the activities of the enterprise can be captured in value chains (not just the operational lines-of-business, but also supporting ones), I would think that most risks - if not all - would relate to steps in the value chains. Sometimes the source of risk is in a value chain. Sometimes the source of risk is elsewhere, but the impact is in a value chain. Example: Not able to get loans anymore. Source is outside. But impact is in lines of business. Other example: Setting up a value chain for the Boeing Dreamliner, whereby most of the activity is put on external partners, and these partners subcontract to theirs, etc. Major risk. Source and impact are both in the Dreamliner value chain.
  • We also need to consider enterprise governance. Which relates with and overlaps with the things mentioned above. Risk management is not a separate thing, but need to be woven into that. Being an integral part of it. How will we consider that ?
    • [FAC] I think it can tie into BMM nicely, but the broader issue is the mechanism by which you aggregate risks from throughout the enterprise. Somewhat like aggregating the budget, but more complicated.
    • [HdM] As tentatively suggested above such aggregation sounds very similar to aggregation of performance data, throughout the enterprise. Is that true? Performance indicators should play major role in enterprise governance. E.g. objectives, courses-of-action (initiatives) and balancing/prioritizing them, value analysis, change prioritization, etc. etc. are to be based on performance indicator impact/correlation. My intuition says that similar applies to risk indicators. When setting objectives, defining initiatives, analyzing value chains, prioritizing changes, etc. one should not only decide based on impact on business performance, but also on business risk. Therefore, I think that a good regime of enterprise governance is based on combination of performance & risk evaluation. And this includes the compliance stuff. When I would think of a framework of enterprise governance (with strategic, tactical and operational levels), there are many important decision points. And performance as well as risk factors should probably hook into most of them.
  • Do we need to focus on mitigation as well? But then we also need to relate risks to “controls” and model “controls”. Possibly also to business events. Or generally: next to risk we also might need to model “issues” ? Because “risks” manifest themselves as “issues”. When issues are observed you need “course of action” to correct and prevent them. This is part of governance. From objectives, some of which maybe be there to mitigate (or even take) certain risks, you also need courses of action to meet the objectives. Etc. Here we are again in the enterprise governance arena.
    • [FAC] I would limit our (current) consideration of mitigation to the effects on the risk assessment. So when a high risk is identified and mitigated, the assessment should reflect the reduced risk as a result of the mitigation. That does not mean you need to model the mitigation, per se, but only the impact it has on the associated risk. Generally, all risks will be mitigated to some extent in the normal course of business; the mitigation you raise is more likely the things you do to reduce risks when you decide they are not tolerable.
  • So, how can we envisage risk analysis/management/mitigation in such a way, that we don't get a “risk xyz silo”, but where generic things are taken generically, in the broader and potential business modeling/enterprise governance framework.
    • [FAC] The model needs to capture the relationships between risks, including risks that occur as a result of the same event, and risks that are dependent in some way so that they either compound each other or mitigate each other. For example, if the production line goes down due to a problem, another problem will not make it worse, except that it may take additional time and resource to resolve it. Or the power goes down, so all production lines stop (single precipitating event).

[HdM 13 February] One more general comment: there seem to be three overlapping circles: “Enterprise risk xyz”, “Enterprise Governance” and “(Corporate) Compliance”. We might need to come up with a conceptual model that focuses on the intersection of all three.

[John Hall 13 February 2009]

Risk in a nutshell

Risks can be characterized with two kinds of measure:

  • “How likely?”, measured by the probabilities that a particular kind of undesirable situation will occur.
  • “How much?”, estimates of the impact of the undesirable situation on your business, in as many dimensions as are relevant – direct financial costs, disruption, legal penalties etc. Some may be unfavorable in some dimensions but favorable in others.

Risk modeling is about:

  • Identifying the kinds of undesirable situation that could affect your business (to the extent that you need to protect against them) and the probabilities that they will occur
  • Estimating their impact on your business
  • Creating categorization schemes so that types of undesirable situation can be grouped and analyzed, compared, reviewed, etc.
  • Identifying relationships between identified types of undesirable situation, e.g. “If one of these occurred, which others would be affected?” – for example, have increased or reduced probabilities
  • Monitoring the actual occurrences of the undesirable situations (inside your business and - if possible - in wider contexts) and refining the measures

Risk management is about:

  • Adopting courses of action in your business that will:
    • Reduce the probability of occurrence of the identified types of undesirable situation
    • Reduce the severity of unfavorable impacts
  • Defining quantified goals for the courses of action
  • Developing and adopting policies for resolving conflicts between courses of action
  • Monitoring and measuring what actually happens and:
    • If the courses of action and policies are effective and goals are being reached, assessing whether they can be made more effective
    • If the courses of action or policies are not as effective as expected or goals are not being reached, assessing why, and deciding how they can be improved

The Business Motivation Model (BMM) provides a good framework for this.
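As an added worked example (not part of the wiki page, nor of Fred Cummins' slides or John Hall's comment), the following Python script puts numbers to the two measures above, “how likely?” and “how much?”, using the slides' risk metric (probability X cost of consequences). It then aggregates the individual risks into a composite, as the “Risk Computation” slide asks, so that a single precipitating event with several consequences (an outage stopping more than one line) is weighted once at the event's probability, and coincident events hitting the same target (the production-line case in Fred's last comment) are not counted as losing that line twice. Finally it shows how a likelihood-reducing mitigation changes the composite. The scenarios, probabilities, costs and the 20% overlap rule are constructed assumptions for illustration only.

```python
"""Quantitative risk model: probability x cost, composite (aggregate) risk,
and the effect of mitigation.

Added example.  The scenarios, numbers and the overlap rule below are
constructed assumptions, not figures from the DSIG wiki or its contributors.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Consequence:
    target: str   # what is hit, e.g. "lost_production:lineA"; same target => overlapping effect
    cost: float   # cost of this consequence if it happened on its own


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float                     # probability of occurrence in the period
    consequences: Tuple[Consequence, ...]  # everything this one precipitating event causes


def expected_loss(s: Scenario) -> float:
    """The slides' risk metric for one scenario: probability x cost of consequences."""
    return s.probability * sum(c.cost for c in s.consequences)


def net_loss(occurring: Sequence[Scenario], overlap: float) -> float:
    """Net cost when all of `occurring` happen in the same period.

    Consequences that hit the same target do not simply add up: a line that is
    already down cannot be lost twice.  The largest cost per target counts in
    full; the others contribute only `overlap` of their cost (assumed here to
    stand for the extra time and resources needed to resolve both problems).
    """
    by_target: Dict[str, List[float]] = {}
    for s in occurring:
        for c in s.consequences:
            by_target.setdefault(c.target, []).append(c.cost)
    total = 0.0
    for costs in by_target.values():
        costs.sort(reverse=True)
        total += costs[0] + overlap * sum(costs[1:])
    return total


def composite_risk(scenarios: Sequence[Scenario], overlap: float = 0.2) -> float:
    """Expected net loss over all 2^n combinations of independent scenarios."""
    total = 0.0
    for outcome in product((False, True), repeat=len(scenarios)):
        p = 1.0
        occurring = []
        for s, happened in zip(scenarios, outcome):
            p *= s.probability if happened else 1.0 - s.probability
            if happened:
                occurring.append(s)
        total += p * net_loss(occurring, overlap)
    return total


def mitigate(s: Scenario, likelihood_factor: float = 1.0, impact_factor: float = 1.0) -> Scenario:
    """Reflect a mitigation in the metric by scaling probability and/or cost."""
    return Scenario(
        s.name,
        s.probability * likelihood_factor,
        tuple(Consequence(c.target, c.cost * impact_factor) for c in s.consequences),
    )


# Constructed sample input (annual probabilities, costs in currency units).
SCENARIOS = (
    # One precipitating event with several consequences: weighted once at
    # P(event), not as two independently weighted risks.
    Scenario("power outage", 0.10, (
        Consequence("lost_production:lineA", 400_000),
        Consequence("lost_production:lineB", 300_000))),
    Scenario("line A machine failure", 0.25, (
        Consequence("lost_production:lineA", 400_000),)),
    Scenario("key supplier default", 0.05, (
        Consequence("lost_production:lineA", 200_000),
        Consequence("lost_reputation", 100_000))),
)


def risk_profile(scenarios: Sequence[Scenario] = SCENARIOS) -> Dict[str, float]:
    """Enterprise risk profile: per-scenario metric plus the composite."""
    profile = {s.name: expected_loss(s) for s in scenarios}
    profile["sum of individual risks"] = sum(profile.values())
    profile["composite (overlap-aware)"] = composite_risk(scenarios)
    return profile


if __name__ == "__main__":
    for k, v in risk_profile().items():
        print(f"{k:32s} {v:12,.0f}")
    # Mitigation: redundant operational capability (assumed backup power) that
    # cuts the outage likelihood to a fifth; the cost per outage is unchanged.
    mitigated = (mitigate(SCENARIOS[0], likelihood_factor=0.2),) + SCENARIOS[1:]
    print(f"{'composite after mitigation':32s} {composite_risk(mitigated):12,.0f}")
```

With the constructed input, the sum of the individual P X L values is 185,000, while the overlap-aware composite is 174,400: the difference is exactly the production on line A that the naive sum counts more than once when two or more scenarios coincide. Passing `overlap=1.0` makes the composite equal to the plain sum, which is a convenient sanity check of the enumeration. Reducing the outage likelihood to 0.02 brings the composite down to 125,280, which is what the “Mitigation of risk” slide means by a metric that reflects mitigation without modelling the control itself.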

start.txt · Last modified: 2009/09/22 11:33 by johnhall