IRM – Surprise! But it its not what you think. I have not changed my stance on Gartner’s misaligned Integrated Risk Management. This is the Institute of Risk Management, the real IRM in which I am a Global Ambassador of Risk Management as well as an Honorary Life Member. They published a great report on IRM Risk Predictions 2022 in which I contributed an article. Below is my article, but I encourage you to download the whole report and give it a good read . . .
Agility is a thing of beauty. I love watching acts of agility. Take parkour for example, how these athletes can leverage and use their surroundings to navigate and seem to do the impossible . . . simply amazing.
There has been a lot of focus on resiliency in 2021 and moving into 2022 as we deal with the waves of the pandemic and ramifications from it. Resiliency is the capacity to recover quickly from difficulties/events, the ability of a business to spring back into shape from an event. This is critical and I see a lot of organisations moving to bring together risk management and business continuity management into what is now defined as risk and resiliency management. Business continuity management as a separate function in the organization is outdated and over the next two-to -three years we will see a mass migration to an integrated operational risk and resiliency program.
Resiliency is NOT enough though. I am seeing a lot of organisations in 2022 to see how their risk and resiliency programs can make them more agile as well.
Agility is the ability of an organisation to move quickly and easily; the ability to think and understand quickly. Good risk management is going to clearly understand the objectives of the organisation, its performance goals, and strategy, and continuously monitor the environment for 360 situational awareness to be agile.
To see both opportunities as well as threats so the organisation can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organisation and its objectives.
Organisations in 2022 need to be agile organisations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, and harms. Agility is also the ability to understand the environment and engage to advance the organisation and its goals. Organisations need to be agile and resilient. Risk management needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organisation so it can seize on the opportunity as well as avoid exposures and threats.
So, the organisation in 2022 needs enterprise risk and agility that is also supported by operational risk and resiliency. There is a symbiotic relationship between enterprise risk and agility with operational risk and resiliency that organisations need to develop in today’s dynamic, distributed, and disrupted business.
To be agile and resilient, organisations also need to think creatively and not just logically about risk management in 2022 and beyond.
When we think of risk management we often think of structured approaches with complex models, mathematics, and analytics. We dive into the world of Monte Carlo analysis, and Bayesian modeling. There are calculations such as Capital at Risk (CaR) or Value at Risk (VaR). The field of risk management has been dominated by left-brain thinking. Does being a right-brain thinker make me bad for risk management? I do not think so.
Historically, risk management has been dominated by left-brain thinking on risk. We have structured risk models, simulations, and analyses. We try to put uncertainty/risk in a box. As long as that box roughly resembles reality then our analysis is to some degree fairly sound. Good risk management requires structured thinking about risk and using models. As Sir Arthur Conan Doyle stated: “It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.”
I argue that this is not enough to be agile and resilient in 2022. Good risk management does need structured data and analysis, but it also needs to think about risk creatively. Business is complex and dynamic.
There are so many variables that can hinder us from achieving objectives. Some of these can be fairly evident and common sense, some can be very abstract, remote, and down in the weeds of the organisation. That requires creatively thinking about risk and risk event scenarios. This requires us to explore intuitively complex relationships of risks to other risks and objectives. In the words of Alvin Toffler: “You can use all the quantitative data you can get, but you still have to distrust it and use your own intelligence and judgment.”
Creatively thinking about risk, to be agile and resilient, requires good risk models from the structured risk thinkers, but then to think outside the box on how those models break down or what they do not cover. Right-brain risk thinking involves a lot of visuals of risk and going through risk scenarios. From a risk analysis point of view, I love bow-tie risk assessments. Monte Carlo simulations and such are valuable, but they also put me to sleep. I love the mind mapping analysis of a bow-tie risk assessment to visually analyze causes and effects, come up with things that are being missed, and look for ways to mitigate, transfer, and manage that risk to an objective.