Developing Effective Key Risk Indicators (KRIs) and Executive/Board Risk Reports

James Lam discusses Health Care and Enterprise Risk Management on developing effective Key Risk Indicators (KRIs) and Executive/Board Risk Reports.
Featuring:
James Lam, MBA
James C. Lam is the president of James Lam & Associates, a boutique consulting firm focused singularly on ERM. James is widely recognized as the first-ever CRO and early advocate of ERM. He is a director of E*TRADE Financial, where he is Chair of the Risk Oversight Committee and a member of the Audit Committee. Lam is also an independent director of RiskLens, Inc., where he is Chair of the Audit Committee.

Previously he served as founder and president of ERisk, partner and global ERM practice leader at Oliver Wyman, and chief risk officer of Fidelity Investments. Mr. Lam was named to the NACD Directorship 100 in 2017 and 2018, Directors & Boards “Diversity Directors to Watch,” Treasury & Risk “100 Most Influential People in Finance” three times, and GARP inaugural “Risk Manager of the Year.” He is a best-selling author of three ERM books published by Wiley. Mr. Lam is certified by the Software Engineering Institute of Carnegie Mellon in Cybersecurity Oversight.
Transcription:

Michael Carrese: Welcome to the ASHRM Podcast, made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. Visit ashrm.org/membership to learn more and become a national member. I'm Michael Carrese, and a key objective of enterprise risk management is to promote risk transparency throughout the organization, including providing key risk indicators and risk reports to executive leaders and board members. Today we'll be discussing the key attributes of effective KRIs and risk reports that align with your organization's strategic objectives and top risks. And we couldn't have a better guide for this discussion than James Lam, a corporate director, management consultant, bestselling author, and keynote speaker who's widely recognized as the first-ever chief risk officer. And he was an early advocate of enterprise risk management. He is now President of James Lam and Associates, a risk management consulting firm he founded in early 2002. He also currently serves as chair of the Risk Oversight Committee on the Board of E*TRADE Financial Corporation and as an independent director and chair of the Audit Committee of RiskLens Incorporated. Thank you very much for being with us, Mr. Lam.

James Lam: Thank you Michael, for having me.

Host: So, if you could start by telling us a little bit more about your background, and I also want to get, to set the table, sort of your philosophy of risk management.

James Lam: So, I've been in risk management my entire career, over 35 years. Part of that time I'd been a risk manager, so executing and implementing risk management programs within a company. Second part of my career has been in consulting and working with different companies across different industries, seeing what works, what doesn't work. And the third part of my career, as a board member providing oversight and governance in terms of serving on a board. And my general philosophy about risk management is that there's a hard side to risk management and a soft side, and companies need to focus on both. So the hard side would include the policies, the systems and the reports, and the soft side would include the culture, the values, and the incentives. So as a company, you want to have a culture of compliance and a culture of transparency.

Host: And why is that so important? Particularly on the transparency side, because that's what we're focusing on today, making risk transparent throughout an organization.

James Lam: Yeah. So, you know, if this was a small fire, you want to know that as quickly as possible, right? So there's a risk or an issue that's brewing within the organization. If you make that visible, if you measure it, you report on it, you communicate it to the right people. I think the organization would respond appropriately, but if you let that small fire simmer and just the lack of transparency, then it could easily grow into a large crisis. So I think risk transparency through good metrics, good risk indicators, good reports should be a critical objective for any risk management program.

Host: So why do some risk managers hesitate about the transparency? What is the benefit that they see in not sharing everything?

James Lam: Well, it's a real challenge sometimes to get the right data and develop the right metrics. And if risk managers spend too much time on developing the risk register, doing qualitative risk assessments, heat maps, and don't spend enough time on developing the right key risk indicators, the risk appetite statement, the right reports, then it does become a challenge in terms of getting the right information to the decision makers in senior management and the board of directors.

Host: So, let's talk about the elements that go into, you know, effective reports and information for those senior leaders, key risk indicators. What are the main characteristics of those?

James Lam: Well, I think it's really important that key risk indicators don't start with the risk. So don't start with strategic risk, operational risk or financial risk. It's very important to start with the business objectives of the company or the business objectives of the function or unit within that company. And if we start off with business objectives, now that would be kind of step one, defining what your critical objectives are. Step two would be to develop key performance indicators, KPIs, that would measure whether or not you're achieving those objectives. Step three would be to define and assess the risks that could drive that performance for better or for worse. Step four would be to develop the key risk indicators that would measure that direction and exposure and level of those risks. And the final step, step five, is to develop integrated reporting, integrated strategies to mitigate or optimize those risks. So I think that it's important to start with the business objectives as opposed to starting with the risk.

Host: Yeah. You have to have that framework to start with, sounds like, to make it all line up and serve its purpose.

James Lam: Yeah. And I would say, some companies think about performance and objectives in a separate way from the risk and the metrics, and that's not good. That's not healthy. Having an integrated perspective of business performance and risk management, I think, is really, really important.

Host: Now with the KRIs, as you mentioned, direction and exposure, can you go into a little bit more detail about what you mean by that?

James Lam: I mentioned earlier that risk managers should not rely too much on qualitative risk assessment. So an example would be, you know, if you went to the doctors and the doctor says, you know, I think your health is a yellow, you know, in kind of red, yellow, green light kind of analogy, and not give you specific metrics in terms of your BMI, your weight, your cholesterol levels. That's not a very productive conversation, right? But if it gives you specific metrics that would show you the level of the direction of your health, then you could do something about it. Then you could make better decisions about your diet and exercise. And I think that's really important when it comes to risk metrics.

Host: So, if risk metrics are done well, these reports and the KRIs, what are you hoping that they accomplish?

James Lam: Well, one thing that it should accomplish is to bring people from different organizational units together and be able to collaborate more effectively because now you're looking at the same metrics in terms of performance indicators, risk indicators, the same metrics when it comes to risk appetite and tolerance. And you're really pursuing a common goal in terms of achieving those objectives, driving performance and mitigating the risk. If you don't have clear metrics and reports, then people might be looking at risk in different ways. And you don't have the level of teamwork or collaboration that you want.

Host: So really getting everybody on the same page as it were.

James Lam: Yeah. Absolutely.

Host: And that also must be critically important for the senior leaders and board members to be making the best-informed decisions and being able to execute because they need everybody on the same wavelength to follow through on whatever comes out of this process. Right?

James Lam: Yep. I think that that's really important to not only break down the silos within the company but communicate from the line management to corporate management, to the board of directors. Making sure that we are looking at the same, you know, the same things and driving the organization toward these common goals.

Host: Let me just jump in here quickly and remind folks that are listening to the ASHRM Podcast, which is made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted health care through enterprise risk management: visit ashrm.org/membership to learn more and become an ASHRM member. Do any examples come to mind, either with companies you've consulted with, or not, about the impact of a really effective risk reporting, risk transparency setup, and the converse of that, one that just is not serving the company's objectives well?

James Lam: Well, yeah, I would say in terms of attributes, if you have too much information or too much data that gets presented, then you could really, you know, it would be really hard to see the forest from the trees, right? So if I could contrast good reporting and bad reporting, I would say bad reporting is when there's too much data. And that data is backward looking, is inside out, and it's not leading to critical decisions and actions, whereas a good reporting would be more forward looking, outside in. So, you understand your risk within the business environment that you operate in, and it supports critical decisions and actions at the board and management level. And I would also say that ASHRM has done a really good job in updating its ERM handbook. And there's a section there on developing key risk indicators. So I think people should look at that, and I would also, you know, give you an example of how having good metrics drives the right behavior and the outcomes that we want. I remember many years ago hospitals didn't monitor, or they did monitor, they didn't report on hospital infections.

So, there was a lack of transparency. And this probably goes back to the nineties, and so there was a lack of transparency in terms of hospital infections, and patients were getting sick and dying from it. And there was an industry-wide initiative, a federal initiative, to make sure that hospitals monitor and publicly share their infection rate. So by having a good metric and having transparency and reporting, it really drove down the infections across all hospitals because now they have to monitor it. They have to report, they have to mitigate the risk. One interesting outcome that they discovered, you know, not only do you need to wash your hands, you know, for 20 seconds, but one of the sources of hospital infections was the ties that the doctors wore, because they didn't wash them regularly; it was just, you know, causing all kinds of infections. So that was like a surprising outcome. But I think it all started with having good metrics and reporting.

Host: Yeah, well, right. They were under the microscope, so they started looking at every possible cause of infections, right?

James Lam: Yeah. Yeah. And then when you get the right metrics, it drives the right actions and behavior.

Host: So, one of the pieces of this I wanted to ask you about, because you sit on so many boards yourself, you know, a piece of this, obviously, has got to be about communicating all of this. You can put a report in front of the C-suite folks and the board, but do you have any advice for people about how to communicate all of this complex information?

James Lam: Yeah. I could tell you what not to do. And then tell you what would be helpful. What is not helpful, when a risk manager presents to corporate management or the board, is to drag them through all the good work that you've done, you know, in terms of the processes, the action plans, and whether you're on target or not on target and, basically, a compliance checklist. And I would say the board and senior management pretty much assume you're doing a good job. So, they don't really need to hear all the steps that you've taken to do your work. They really want to know the insight and the "so what" in terms of your work products. So if you could relate your work to their decisions and actions, things that they really need to work on, that's much better. So, another way of putting that is some risk managers start from the bottom up, right? They look at the data and then they do some analysis around that data.

Then they put together some reports based on that analysis. Then they give those reports to the decision makers and hopefully it will support their decisions. I think it's much better to reverse engineer that and do a top down: start with thinking about the decisions that the audience has to make, whether it's the board level or the corporate management level. What kind of decisions do they need to make in terms of accepting or mitigating a risk? What kind of decisions do they need to make in terms of capital allocation, risk transfer, and other decisions? Then you go backwards and say, well, how do I customize my reports to serve these decision makers? And then, now what kind of analysis do I need to do to populate those reports, and what kind of data do I need to collect? So instead of going bottom up, I think it's much more productive to go top down.

Host: Yeah. And you've got a better chance of keeping their attention if you make it relevant to them from the beginning. Right?

James Lam: Absolutely. So one of the things I like to say is if you produce a good report, the feedback that you want to get is not, "Oh, that was interesting," or even, you know, "informative." That's not your goal. It is, "Wow, that's really useful and actionable," right? 'Cause then you know your work is making a difference, right? That it's driving actions and decisions for the corporate executives and board members. So strive toward useful and actionable and not interesting and informative.

Host: That's a really great piece of advice. And that could apply to well beyond risk management I would argue. Listen, I'm afraid to say we're out of time, but I want to thank you very much for joining us today, Mr. Lam.

James Lam: It was my pleasure. Thank you, Michael.

Host: James Lam is President of James Lam and Associates and a pioneer in enterprise risk management. And a reminder, Mr. Lam mentioned the ASHRM playbook on ERM. It's going to be updated, a new version coming out soon. So you can check that out at ashrm.org/pubs to see what it's all about and purchase some great risk management resources. This podcast is made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. Visit ASHRM.org/membership to learn more and become a national member. I'm Michael Carrese. Thanks for listening.