Unfortunately, organizations get locked into a static view of risk analysis and management. They are overly focused on heat maps generated from fairly static risk assessment processes. The era of SOX and control self-assessments has propagated this further. Organizations have often ended up with an enterprise risk management program that is nothing more than SOX and financial controls on steroids, with little perspective of true enterprise risk management.
Managing and assessing risk – whether at the enterprise level or within specific business functions and processes – requires an individual to think outside of the box. There are ‘black swans’ (the completely unexpected), but many risks that are realized should never have been black swans; they are simply a failure of the organization to get a 360-degree perspective on risk.
When risk management becomes mundane and routine, an organization ‘risks’ its risk management becoming ineffective. A simple two-dimensional view of risk (like that of a heat map) can easily lull an organization into thinking it is managing risk, only to be caught off guard, particularly if the risk taxonomy and assessment process is static and does not provide for new inputs. Do not get me wrong – heat maps have their purpose, but alone they are not enough.
Look at the room around you. If you take a picture of the room you get one perspective. If you take a thermal image you get another. If you take an X-ray you get still another perspective.
Consider going to the doctor because something is ailing you. The doctor most likely will do a physical exam, might order some blood tests, and perhaps even do an MRI or some other investigatory procedure.
I remember evaluating a so-called ‘risk management’ platform from one of the leading software vendors in the industry and was shocked to find that it was a replacement for spreadsheets for risk questionnaires/assessments and nothing more. Specifically, it had no loss/event history. How does an organization begin to model risk and identify likelihood if it does not have any clue into the issues, events, incidents, losses, and investigations impacting the risk area? The vendor provided a beautiful heat map – but the information behind it was pure speculation from just a few inputs.
Managing risk effectively in an organization requires multiple inputs and methods of modeling and analyzing risks. This requires information gathering – risk intelligence – so that the organization can have a full perspective of risk and make ‘wise’ decisions (something more than the intelligence gathered from information overload delivers).
Effective risk management involves gathering multiple perspectives of risk information to enhance risk analysis. This includes gathering risk intelligence from the . . .
- External perspective. Monitoring the external environment for geo-political, environmental, competitive, economic, regulatory/legal and other risk intelligence sources.
- Internal perspective. Evaluating the internal environment of controls, audits, assessments, issues, events, incidents, corporate performance and risk indicators, and other internal data points.
Visualization of risk from multiple angles becomes important. Good risk management involves taking external and internal perspectives and modeling risk in relational diagrams, decision trees, heat maps, or even quantitative models involving Monte Carlo or value/capital at risk simulations.
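As an added example (not code from the original post or from any vendor platform it describes), here is what the loss/event-history perspective the author misses in the heat-map-only tool looks like when carried through to a quantitative model: a constructed loss history is fitted to a Poisson frequency and lognormal severity, a Monte Carlo run produces expected annual loss and a 95% value-at-risk figure, and the single heat-map score is shown beside them for contrast. The loss amounts, observation window and the 3x4 heat-map rating are all constructed sample values.

```python
import math
import random
import statistics

# Constructed sample loss history, one (year, loss_amount) pair per event.
LOSS_HISTORY = [
    (2019, 12_000), (2019, 45_000), (2019, 8_500),
    (2020, 30_000), (2020, 150_000),
    (2021, 9_000), (2021, 22_000), (2021, 60_000), (2021, 18_000),
    (2022, 75_000), (2022, 11_000),
]
YEARS_OBSERVED = 4  # constructed: the history covers 2019-2022

def fit_frequency(history, years):
    """Average events per year, used as the Poisson rate lambda."""
    return len(history) / years

def fit_severity(history):
    """Mean and std dev of log(loss): parameters of a lognormal severity model."""
    logs = [math.log(amount) for _, amount in history]
    return statistics.mean(logs), statistics.stdev(logs)

def poisson(lam, rng):
    """Knuth's method: draw how many loss events occur in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(history, years, trials=10_000, seed=1):
    """Monte Carlo: total loss per simulated year, sorted ascending."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    lam = fit_frequency(history, years)
    mu, sigma = fit_severity(history)
    totals = []
    for _ in range(trials):
        events = poisson(lam, rng)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return sorted(totals)

def percentile(sorted_values, q):
    """Nearest-rank percentile; q=0.95 gives the 95% value at risk."""
    idx = min(len(sorted_values) - 1, math.ceil(q * len(sorted_values)) - 1)
    return sorted_values[idx]

def heat_map_cell(likelihood_1to5, impact_1to5):
    """The one number a two-dimensional heat map reduces all of this to."""
    return likelihood_1to5 * impact_1to5

if __name__ == "__main__":
    losses = simulate_annual_losses(LOSS_HISTORY, YEARS_OBSERVED)
    print(f"expected annual loss: {statistics.mean(losses):,.0f}")
    print(f"95% value at risk:    {percentile(losses, 0.95):,.0f}")
    print(f"heat map score (3x4): {heat_map_cell(3, 4)}")
```

The spread between expected annual loss and the 95% tail is exactly the information a heat-map cell cannot carry, and it is only available because the model is fed by the event history.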
As organizations build enterprise, operational, or other risk management programs, it is important that they build this 360-degree, multi-perspective risk analysis framework, one that allows the organization to think outside the box and look at risk from a variety of perspectives.