Are You Headed to a Risk Management Clusterf***?
Yes, you read that correctly. Anyone who knows me knows that I am not inclined to use profanity casually. The reality is that this term, clusterf***, is a technical term.
The term has its roots in the Vietnam War, perhaps earlier. It describes a situation where there is a lot of top-down strategy (high-level officers/brass) but not enough on-the-ground information. Things look good in a strategic plan on paper, but the realities of on-the-ground operations are not appropriately considered.
Clusterf*** describes a concern I have for the trajectory of risk management strategies in organizations today. In the past, various departments have each done their own on-the-ground risk management without any strategic direction. In the last few years, we have seen a shift of focus, propelled by some leading risk luminaries, to a top-down strategic planning view of risk in the context of performance, objectives, and strategy. This is a good thing, but I feel organizations may overcorrect, swinging the pendulum too far and adopting a top-down view of risk at the cost of neglecting an understanding of risk down in the organization’s operations.
Focusing just on the top-down view of risk can lead us to disaster. It is like the butterfly effect in chaos theory, where the flutter of the butterfly’s wings in The Netherlands makes tiny atmospheric changes that can influence the development and path of a hurricane in the Gulf of Mexico. The lesson is that the little things matter as much as the strategic things.
While some of my peers seem to argue for a completely top-down view of risk, I say that is the road to a risk management clusterf***. What is needed is a balance: a top-down view of risk in the context of performance, objectives, and strategy management, aligned with the more traditional view of operational risk management down in the bowels of the organization, in its behavior, transactions, processes, and relationships.
Semantically, this is how I differentiate ERM (enterprise risk management) and ORM (operational risk management). ERM is the top-down strategic view of risk aligned with the organization’s performance, objectives, and strategy. ORM is focused on risk in the operations, processes, and activities of the organization. ORM is part of ERM; ERM also encompasses strategic risk management and capital/liquidity/finance risk management alongside operational risk management.
Good risk management understands risk from a top-down view, aligned and integrated as a part of performance and objectives management. But it also includes a bottom-up view of risk in the processes and operations of the organization. We need a balance of both to avoid a risk management clusterf***.
Aligning Risk & Performance Management will be the discussion this week on The GRC Red Flag Series, where I will be interviewing executives from Corporater as well as Soenke Thun, Vice President Group Risk Governance at Deutsche Telekom, on how to align risk management with performance management while also maintaining a strong view of risk down in the operations of the organization.