In GRC 20/20’s upcoming 2022 State of the GRC Market Research Briefing, one of the changes I am making to my market models is the integration of the former Business Continuity Management segment into the Risk Management segment to become Risk & Resiliency Management. This is further referenced in the recent GRC 20/20 Research paper – Risk & Resiliency Management Maturity Model: A New Paradigm on Risk, Resiliency & Continuity Integration – and the forthcoming paper on Risk & Resiliency Management by Design.

I have been stating for nearly 20 years, “Why does business continuity operate in a tactical function, too often buried in the bowels of the organization, and not as part of enterprise and operational risk management?” The two symbiotically support each other. The pandemic and regulators are finally changing this. The Office of the Comptroller of the Currency (OCC) in the USA states, “Operational resilience is . . . the outcome of effective operational risk management.” 

However, resilience is not enough. We also need to be agile: able to see what is coming at us and navigate the organization to seize opportunities as well as avoid or mitigate the hazards and harms. That is true risk management. U.S. President Teddy Roosevelt stated, “Risk is like fire, if controlled it will help you if uncontrolled it will rise up and destroy you.” Judge Mervyn King of South Africa (King 1, 2, 3, and 4 reports on corporate governance) stated, “Enterprise is the undertaking of risk for reward.” Risk management is a strategic enabler and tool of the organization to navigate the chaos of the modern world and leverage it for greater return and performance, while also navigating the organization to avoid and minimize hazards, harms, and losses.

How are you doing risk management in your organization? Is it a strategic enabler? Is it delivering resiliency? Have you gone beyond this to Level 5 in the maturity model to be agile?

Now let’s get to a tactical frustration of mine that impacts, trips, and causes issues in risk management. There is so much we can talk about today, but one point of contention is heat maps. 

I have not been a big fan of heat maps for a long time. Over 15 years back I published a critique of them in my Forrester days. You cannot plot risk on a two-dimensional map as a single point. Risk is a distribution and involves a lot of scenarios (I am primarily discussing risk as a negative outcome here, as this is how heat maps are used, with full acknowledgment that this is just one side of risk management). If you are plotting a human virus risk, like COVID-19, on a heatmap, there are risks of a virus that is localized, global, endemic, pandemic, or even a plague. There is a distribution of this risk with different impacts on the organization and its objectives (and even potential opportunities for the organization in the face of this event). The same is true of a computer virus. It could be an incident that takes out one laptop, an office, a data center, the whole organization, or multiple organizations and critical infrastructure.

The other issue with heatmaps is that the plotting is often subjective and not objective. Are you guessing, or do you have quantifiable data to back up where risk is plotted?

If organizations have risks plotted in the upper right of a heatmap, I question it. Organizations do not have a lot of high-impact and high-likelihood events; that would mean they are out of business. And some of the most significant risks to bring down organizations are high-impact and low-likelihood events. These are often not colored red on a heatmap and do not get a lot of attention, but those are the ones that destroy organizations.

Three things organizations need to improve risk management . . . 

  1. First, we need to manage risk in the context of the objectives, performance, and strategy of the organization. Risk management done right is a tool to be agile, and not just resilient (level 5 on the maturity model). This allows the organization to do horizon scanning, have full situational awareness of risk, make the right decisions for greater performance of the organization, and navigate the environment to avoid and mitigate the downside of risk. 
  2. Second, scenario analysis is critical. To be resilient and agile requires modeling scenarios of risk and the impact on the organization. Risk is a distribution of potential impacts, and the organization needs to understand this. We need to get past ridiculous heatmaps, which bring misconceptions of risk, and move to good scenario analysis. This is where business continuity moving into risk management provides value in being able to define scenarios, and even do things such as table-top exercises of risk. And risk management adds value through quantifiable analysis of risk in these scenarios, as with Monte Carlo analysis and other risk modeling techniques.
  3. Third, we need to think creatively and not just logically about risk management. Good risk management involves both left-brain and right-brain thinking. Left-brain risk thinking involves defining risk models and potential scenarios, distribution, and quantification of risk. Right-brain risk thinking knows that models never accurately represent the real world as there are too many variables and inputs; it is here that we think about what is wrong with risk models and what can happen that they do not anticipate. Too often risk management has been stuck with left-brain risk thinkers and needs a good balance of right-brain risk thinkers. We need the ability to think inside the box (left-brain models) as well as outside the box (right-brain creativity and intuition).
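
To make the second point concrete, here is an added example (not from the original post or GRC 20/20) that runs a Monte Carlo simulation over the computer virus scenarios described earlier and compares the result with a 5x5 heat map score. The probabilities, loss ranges, and rating thresholds are constructed assumptions for illustration only.

```python
import random
import statistics

# Constructed scenarios for one risk ("computer virus"), following the post's
# laptop / office / data center / whole-organization spread. Annual
# probabilities and loss ranges (USD) are illustrative assumptions.
SCENARIOS = {
    "one laptop":         (0.90, 1_000, 5_000),
    "an office":          (0.20, 50_000, 250_000),
    "a data center":      (0.03, 1_000_000, 5_000_000),
    "whole organization": (0.005, 20_000_000, 80_000_000),
}

def heatmap_score(prob, high_loss):
    """Typical 5x5 heat map cell: likelihood rating times impact rating.
    The rating thresholds are assumed, not taken from any standard."""
    likelihood = 1 + sum(prob > t for t in (0.01, 0.05, 0.25, 0.75))
    impact = 1 + sum(high_loss > t
                     for t in (10_000, 500_000, 10_000_000, 50_000_000))
    return likelihood * impact

def simulate(years=100_000, seed=7):
    """Monte Carlo: total loss per simulated year across all scenarios."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        loss = 0.0
        for prob, low, high in SCENARIOS.values():
            if rng.random() < prob:          # scenario occurs this year
                loss += rng.uniform(low, high)
        totals.append(loss)
    return sorted(totals)

def summarize(totals):
    """Mean plus selected percentiles of the sorted annual losses."""
    pct = lambda q: totals[int(q * (len(totals) - 1))]
    return {"mean": statistics.fmean(totals), "median": pct(0.50),
            "p99": pct(0.99), "p999": pct(0.999)}

if __name__ == "__main__":
    for name, (prob, _, high) in SCENARIOS.items():
        print(f"{name:20s} heat map score {heatmap_score(prob, high)}")
    for key, value in summarize(simulate()).items():
        print(f"{key:7s} {value:>14,.0f}")
```

Under these assumptions every scenario scores 5 or 6 out of 25 on the heat map, yet the simulated distribution has a median year of a few thousand dollars and a one-in-a-thousand year in the tens of millions.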

So where is your risk management program? Are you stuck in heat maps and a tick-box compliance exercise of risk management? Or are you using risk management as an effective enabler to strategic decision-making and operations to reliably achieve objectives while managing uncertainty (risk)?

BTW . . . this is the topic of the next GRC Red Flag Series: Moving Beyond Risk Resiliency to Agility.

