
Module Descriptions

Module I: History of Risk Management and Evolution to Current Thinking

Part I: Development of Discipline from 1900 through 2000
Part II: Development of Discipline from 2000 through 2011

This module traces the history and evolution of the discipline over the prior century leading up to a deeper analysis of the events of the last decade. Particular attention will be paid to the current state of our risk management practices around the globe with respect to the role of the following:

  • Managing risk across the range of business disciplines (reputation, talent management,
  • Rating agencies
  • Professional risk frameworks, internal control guidance and governance from leading countries such as Australia/New Zealand, Canada, United Kingdom and South Africa
  • Financial/Governance scandals, e.g. Société Générale, Stanford Financial, Tyco, UBS, Tokyo Electric Power, WorldCom, Lehman Brothers, Madoff Investments, News of the World, British Petroleum, Enron, and MF Global
  • Professional service firms: Big 4 and others
  • Professional organizations: COSO, GARP, IIA, PRMIA, PRIMA, RIMS, SOA
  • Regulatory Agencies: SEC, DOJ
  • Sarbanes Oxley Act
  • The US internal control/risk management/governance model

Learning outcomes: At the conclusion of this module, participants will have a strong appreciation for the evolution of the risk management discipline and for the multiple areas in which risk management is being recognized as increasingly important for business vitality. This background will serve as a springboard for future development in this subject matter.

Module II: Principles, Process and Framework for Managing Risk

This module will provide a comprehensive review of ISO 31000, IEC rule 73 and ISO 31010, followed by insights into the ISO 31004 proposed implementation guide.

Key areas of focus:

  • Principles versus rules based thinking
  • Overview of how ISO was developed and adopted in November 2009
  • Benefits to a company of using ISO 31000, with case studies as examples
  • ISO Principles: the eleven ISO principles, what they mean and how they should be used
  • ISO Process: the different pieces of the process including context, risk assessment (identification, analysis, evaluation), risk treatment, risk monitoring, communications
  • ISO Framework: While unique to each company, we will focus on key things such as commitment and mandate, risk policies, risk committee, chief risk officer, assignment of responsibilities, as well as tools and techniques used to support the implementation process, including key risk indicators

Learning Outcomes: At the conclusion of this module, participants will understand not only the evolution of risk that led up to the development of ISO 31000 but will also have acquired knowledge of the key principles, process and framework. As a result, they will be well positioned to implement ISO in their respective companies.

Module III: Analyzing and evaluating the adequacy of your company's risk management system

It is important to analyze and evaluate the adequacy of your company's risk management. Various parties are responsible for assessing the adequacy of a company's risk management system. We will identify these parties and the roles they should play, and then discuss a best practice model framework for assessing the adequacy of the system.

With that in mind, we will focus on the following areas within such evaluation:

  • Board mandate and commitment
  • Roles/responsibilities and inculcation into performance management
  • Risk identification
  • Risk prioritization
  • Risk mitigation
  • Risk reporting
  • Risk monitoring
  • Culture and embedding
  • Communication

Such an assessment is critical for two reasons. First, it would be impossible to successfully implement a robust risk management program without a comprehensive understanding of the existing situation. Second, at the end of the year, the Board and other stakeholders in the company are entitled/obligated to know the overall condition of the risk management program, and such an assessment will provide them with this information.

Learning Outcomes: At the conclusion of this module, participants will comprehensively understand how to assess the adequacy of the risk management system.

Module IV: Understanding the Behavioral Component of Managing Risk

This module will introduce the participant to a collection of best-in-class material from key thinkers in behavioral economics and psychology. Under the instructor's tutelage, reviews, analyses, and discussion will take place examining the role that these factors play in managing risk. Topics covered will include:

  • How biases affect our thinking with specific examples/the different fallacies
  • The role of luck in risk management in contributing to our success
  • Trying to gain an understanding of how our minds work: how we think and react

The material covered will be constantly evolving to ensure it remains relevant and will commence with excerpts from classic sources such as:

Akerlof, George, and Shiller, Robert, Animal Spirits, Princeton University Press, Princeton 2009
Ariely, Dan, Predictably Irrational, Harper Collins, New York 2008
Ariely, Dan, The Upside of Irrationality, Harper Collins, New York 2010
Gleick, James, The Information, Pantheon, New York 2011
Kahneman, Daniel, Slovic, Paul and Tversky, Amos, Judgment Under Uncertainty: Heuristics and Biases, Cambridge University Press, Cambridge 1982
Kahneman, Daniel, Thinking, Fast and Slow, Farrar, Straus & Giroux, New York 2011
Koen, Billy Vaughn, Discussion of the Method, Oxford University Press, Oxford 2003
Lloyd's of London, Behaviour: Bear, Bull or Lemming, London 2010
Mandelbrot, Benoit and Hudson, Richard, The (Mis)Behavior of Markets, Basic Books, New York 2004
Mlodinow, Leonard, The Drunkard's Walk: How Randomness Rules Our Lives, Pantheon Books, New York 2008
Schwartz, Peter, Inevitable Surprises, Gotham Books, New York 2003
Shermer, Michael, The Believing Brain, Times Books, New York 2011
Shiller, Robert, Irrational Exuberance, Princeton University Press, Princeton 2000
Slovic, Paul, The Perception of Risk, Earthscan, London 2000
Taleb, Nassim Nicholas, The Black Swan, Random House, New York 2007
Thaler, Richard and Sunstein, Cass, Nudge, Yale University Press, New Haven 2008
Watts, Duncan, Everything Is Obvious, *Once You Know the Answer, Crown Business, New York 2011

Learning Outcomes: Upon completion of this module the participant will have developed a keen awareness of and sensitivity to the behavioral component of how individuals think and act, and how critical the human dimension is to the decision making process and the overall success of a risk management implementation.

Module V: Role of the Board in Managing Risk

The Board plays a critical role in managing risk for the company because it is "the last stop" in the company. Without a discernible commitment from the board that permeates throughout the organization, any risk management system is doomed to failure. In fact, respondents to a Summer 2011 survey overwhelmingly cited "tone at the top" — the degree of support from the board and the C-suite — as critical to establishing effective ERM. "You can't do anything without it," said the head of risk management and business assurance at a global mining company. [1]

This module will focus on the following three key areas:

Commitment and mandate

This will entail understanding what it means to have the board commit to implementing such a program. This is much more encompassing than just getting a signature on a piece of paper. Without such a commitment and mandate, trying to implement comprehensive risk management will be meaningless. Therefore we will explore the different components of this area, including proper internal and external communications and budget setting.

Setting of risk criteria

Risk criteria are similar to risk appetite. Unless you set them according to the values of the company, with consideration of the overall strategic objectives, you will have no basis against which to compare the risks and thus no mechanism to determine whether risk treatment is in order. It is the Board's and Executive Management's job to set risk criteria for the company. We will discuss a best practices model for setting such criteria.

Comprehensive understanding of the business risks and that the company is operating within the risk criteria which it has set

The Board is responsible for knowing what the current risk profile looks like and whether the company is operating within this profile. We will discuss and demonstrate by example the kinds of things necessary to demonstrate an understanding of the risk portfolio and whether such understanding encompasses knowing whether the company is operating within the set risk criteria.

Learning Outcomes:

Although this module will be taught from the perspective of the Board, unless the people who interact with the board fully understand the board's perspective, there can be no meaningful communication. Participants will learn how to communicate with the Board in "its language" and how to "manage" the board when required.


[1] Risk Management in a Time of Global Uncertainty. Harvard Business Review Analytic Services Report, January 2012.