Last week we explored where third-party risk management strategy and technology fail; this week we turn our attention to where enterprise, operational, and integrated risk management strategies and technologies fail. Yes, the world of ERM, ORM, and IRM, which is fraught with misconceptions and complexities, and too often with solutions that create blind spots on risk.
The modern environment demands that organizations be not only resilient but also agile. Resilience is the capacity to recover from a risk event. Agility is the capability to see what is coming at the organization, what is developing on the horizon, and what scenarios could play out against it. This allows the organization to use risk as a tool, not only to avoid hazard and harm but to leverage risk for greater gain.
The issue is that too many organizations have immature ERM/ORM/IRM functions. The places where risk management strategy, process, and particularly technology most often fail are:
- Performance and objectives. I see too many risk management solutions that identify, manage, and monitor risk in a vacuum with no business context. We do not just wake up in the morning and state, "I feel like doing a risk assessment." Risk is always set in a business context, and that context starts with the performance and objectives of the organization. What is the organization trying to achieve? These can be entity-level objectives or division, department, process, or even asset-level objectives. ISO 31000 defines risk as "the effect of uncertainty on objectives." Risk is managed in the context of measuring the uncertainty in achieving those objectives.
- Silos of risk management. Too often organizations think they are approaching an enterprise view of risk when they are really trapped in a silo. Good risk management requires the ability to see the complex relationships between risks and, in that context, their combined effect on objectives. What started as a health and safety risk went on to impact objectives, organizational culture, performance, continuity, security, privacy, conduct risk, bribery and corruption risk, modern slavery risk, and more: that was COVID-19. It is an integrated risk environment, and it requires a full-spectrum understanding of the organization's risks and objectives.
- Quantification. For the business to understand risk, it must be quantified. What is the business impact? Organizations need to mature their approach to risk management by building more advanced risk quantification capabilities. Too often I see quantification done as guesswork and ranges that lack any statistical modeling.
- Heatmaps. I am not a big fan of heatmaps. I think they are overused and misleading. Too often a heatmap is the primary view into risk, and it fails the organization. If you have a lot of risks trending toward the upper right, that is too often fiction: the organization is not seeing a regular cadence of major loss events. The most significant risks, according to history, are high-impact, low-likelihood events. Those destroy companies, yet they are often coded yellow rather than red. And a risk sitting in the green area might not be telling you the whole picture either; it may be there because it is over-controlled. Heatmaps provide one view into risk, but they should not be the sole view or the one depended on. I would rather do without them.
- Stuck in the left brain. The world of risk management is navigating chaos. So much is changing, and risks cascade like dominoes and impact performance and objectives in unforeseen ways. What looks like a little thing cascades into a huge risk event, as in chaos theory and the butterfly effect. Good risk management requires that we use the right brain in addition to the left brain. The left brain is the logical, structured thinking about risk; that is where our risk models live. But models are imperfect and never fully represent the real world. Today's organization also needs good right-brain thinking on risk: the outside-the-box thinking that can look at risk from different perspectives and see the things our models are not telling us. I am a fan of visual risk analysis techniques such as bow-tie risk assessments. These are great to use in risk facilitation workshops.
- Lack of risk normalization and aggregation. Enterprise risk management is complex. One department's high risk might be another department's medium risk once quantified. I have seen too many failures where risk normalization and aggregation are absent or broken as risk rolls up through the enterprise. Projects and departments need a legitimate measurement of high, medium, and low risk (quantified, of course, not merely qualitative), but as this is compiled into an enterprise view of risk, there must be normalization and aggregation so that ratings mean the same thing at every level.
- Risk ownership and accountability. Back-office risk management functions do not own the organization's risk. Executives down through operational management own risk. Risk processes and technology fail when they do not engage the real risk owners, help them monitor the risk they own, and provide structured processes for risk accountability.
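As an added example, not from the original post, here is a small Monte Carlo model of the quantification and normalization points above: loss-event frequency and per-event loss are modelled statistically rather than guessed as a range, annual loss is simulated per scenario, and the same quantified number is then rated on the owning department's scale and on a common enterprise scale. It also shows the heatmap problem: the low-frequency, high-impact scenario reads "low" at the 95th percentile while its 99th percentile is catastrophic. The scenarios, frequencies, loss ranges, budgets, and rating thresholds are constructed assumptions for illustration only.

```python
import math
import random
import statistics
from dataclasses import dataclass


# Constructed scenarios for illustration; the numbers are not from the post.
@dataclass(frozen=True)
class RiskScenario:
    name: str
    owner: str              # first-line function accountable for the risk
    events_per_year: float  # expected loss-event frequency (Poisson rate)
    loss_p10: float         # 10th percentile of loss per event (currency units)
    loss_p90: float         # 90th percentile of loss per event


SCENARIOS = [
    RiskScenario("payroll phishing fraud", "finance", 2.0, 5_000, 60_000),
    RiskScenario("regional plant outage", "operations", 0.5, 200_000, 3_000_000),
    RiskScenario("ransomware on core ERP", "it", 0.03, 5_000_000, 80_000_000),
]
# Assumed annual budgets used as each owner's local scale, and one enterprise scale.
OWNER_BUDGETS = {"finance": 1_000_000, "operations": 50_000_000, "it": 20_000_000}
ENTERPRISE_BUDGET = 100_000_000


def lognormal_params(p10, p90):
    """Fit a lognormal to an expert's 80% confidence interval for one event."""
    z90 = 1.2816  # standard-normal 90th percentile
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * z90)
    return mu, sigma


def poisson(rng, lam):
    """Number of events in a year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate(scenarios, trials=20_000, seed=7):
    """Simulated annual loss per scenario plus the enterprise total, one list per key."""
    rng = random.Random(seed)
    params = {s.name: lognormal_params(s.loss_p10, s.loss_p90) for s in scenarios}
    losses = {s.name: [] for s in scenarios}
    losses["enterprise"] = []
    for _ in range(trials):
        year_total = 0.0
        for s in scenarios:
            mu, sigma = params[s.name]
            annual = sum(rng.lognormvariate(mu, sigma)
                         for _ in range(poisson(rng, s.events_per_year)))
            losses[s.name].append(annual)
            year_total += annual
        losses["enterprise"].append(year_total)
    return losses


def percentile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, round(q * (len(ordered) - 1)))]


def summarize(losses):
    return {name: {"mean": statistics.fmean(v),
                   "p50": percentile(v, 0.50),
                   "p95": percentile(v, 0.95),
                   "p99": percentile(v, 0.99)}
            for name, v in losses.items()}


def rate(p95_loss, scale):
    """Assumed banding: p95 annual loss as a fraction of the scale it is judged against."""
    ratio = p95_loss / scale
    return "high" if ratio >= 0.10 else "medium" if ratio >= 0.02 else "low"


def normalized_ratings(scenarios, summary):
    """The same quantified loss rated on the owner's scale and on the enterprise scale."""
    return {s.name: {"local": rate(summary[s.name]["p95"], OWNER_BUDGETS[s.owner]),
                     "enterprise": rate(summary[s.name]["p95"], ENTERPRISE_BUDGET)}
            for s in scenarios}


def run(trials=20_000, seed=7):
    summary = summarize(simulate(SCENARIOS, trials, seed))
    return summary, normalized_ratings(SCENARIOS, summary)


if __name__ == "__main__":
    summary, ratings = run()
    for name, stats in summary.items():
        print(f"{name:24s} mean={stats['mean']:>13,.0f} "
              f"p95={stats['p95']:>13,.0f} p99={stats['p99']:>13,.0f}")
    for name, r in ratings.items():
        print(f"{name:24s} local={r['local']:6s} enterprise={r['enterprise']}")
```

Two things to notice when running it. The finance phishing scenario is "high" against finance's own budget but "low" on the enterprise scale, which is exactly the normalization gap the bullet above describes: without a common scale, the finance rating would roll up unchanged and crowd out bigger risks. The ransomware scenario has a 95th-percentile annual loss of zero (it simply does not happen in most years), so any single-number view rates it low, yet its 99th-percentile loss is in the tens of millions; that is the high-impact, low-likelihood event a heatmap colours yellow.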
I could go on about the need for good scenario analysis and for integrating resilience and continuity into risk management. The key takeaway is that organizations need to manage risk in the context of the business, its performance, and its objectives. They need to do this in a way that sees the complexities and interrelationships of risks, and thus need to engage both the left and right brain to manage risk logically as well as creatively. Risk needs to be quantified and understood in a business context that empowers first-line functions, the real risk owners, with structured accountability for risk.
The issue is that there are many risk solutions on the market, but not many really deliver on the points I have raised here to equip, enable, and deliver value to a true GRC, ERM, ORM, or IRM program. Ask GRC 20/20 about our market research and coverage of risk solutions, what differentiates them, and which fit particular needs . . .