Writing about risk management is like trying to have an intelligent conversation today about religion or politics.
Individuals in the risk management community have polarized views and if someone does not agree with you 100% you end up in the crosshairs of an attack. It is sad. Instead of intelligent discussion where we can come together and learn, there are many ready to pounce if you do not express their exact ideology. Some view risk management as purely top-down from objectives and strategy, others are risk professionals down in the bowels of the organization looking bottom-up. Some feel that risk registers, risk appetite, and other aspects of traditional risk management are meaningless, others see this as the core part of how they have managed risk. Some hate heat maps and qualitative approaches, others live by them. Some, I feel, are simply trying to relabel corporate performance management to be risk management, instead of seeing that risk management is a part of performance management.
While I feel there is objective truth when it comes to matters of religion/theology . . . what if that was not the case for risk management?
- What if the best approach to risk management brought together the top-down and the bottom-up?
- Used both quantitative and qualitative methods?
- Leverages risk registers but does not get locked into thinking only in their context?
- Knew the weaknesses of a heatmap and how to overcome them while still using them as a visualization tool?
My view of risk management is that all sides of the debate have something valid to bring to the table. To truly do enterprise risk management requires a 360° contextual awareness of risk in the context of performance, objectives, and strategy as well as day to day operations and hazards of the business. Organizations need both a top-down view of risk management in the context of strategy and objectives as well as a bottom-up view of risk down in the weeds of operations and hazards. Good risk management requires both.
My favorite approach to risk management I have encountered in my research was with Microsoft when Brad Jewett was the ERM Director there from 2003 to 2008 (I cannot speak to Microsoft today as I have not interacted with them recently, Brad is now the CFO of Corel Corporation). I have served with Brad as an OCEG Fellow over the years and have a deep respect for him as a risk management professional. Brad defined his approach to risk management at Micorosft as ‘The Rhythm of Risk.’ This he defined by his desire to integrate risk management into daily decision making that would follow the corporate calendar for key processes such as multi-year strategic planning, annual planning, mergers and acquisitions, audit planning, SEC reporting, investor communications, product and service roadmaps, etc. It an aspirational agenda but it set the tone and expectation that risk management was a priority that should Influence and be integrated into the way things get done every day. This included the strategic as well as the operational. The top-down as well as the bottom-up
To maintain the integrity of the organization and execute on strategy, the organization has to be able to see the individual risk (the tree), as well as the interconnectedness of risk to strategy and objecrtives (the forest). Many organizations are asking for this to go even deeper, as they need to see the leaf and branch as it connects to the tree, and how it is part of the forest.
Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential, and sometimes chaotic, relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system the effect is proportional with cause, in the non-linear world of business, risks are exponential. Business is chaos theory realized. The small flutter of risk exposure can bring down the organization. If we fail to see the interconnections of risk on the non-linear world of business, the result is often exponential to unpredictable.
Mature risk management enables the organization to understand performance in the context of risk. It can weigh multiple inputs from both top-down view of risk to objectives as well as a bottom-up view of risk within operations and processes. It can integrate internal and external contexts, and use a variety of methods to analyze risk and provide qualitative and quantitative modeling.
Successful risk management requires the organization to provide an integrated process and information architecture. This helps to identify, analyze, manage, and monitor risk, and capture changes in the organization’s risk profile from internal and external events as they occur. Mature risk-management is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board that is not an unattached layer of oversight. It also involves bottom-up participation where business functions at all levels identify and monitor uncertainty and the impact of risk down in the depth of the business.
Organizations striving to increase risk management maturity in their organization need to be:
- Aware. They need to have a finger on the pulse of the business and watch for changes in the internal and external environments that introduce risk. Key to this is the ability to turn data into information that can be, and is, analyzed and shareable in every relevant direction.
- Aligned. They need to align performance and risk management to support and inform business objectives. This requires continuously aligning objectives and operations of risk management to the objectives and operations of the entity, and to give strategic consideration to information from the risk management capability to affect appropriate change.
- Responsive. Organizations cannot react to something they do not sense. Mature risk management is focused on gaining greater awareness and understanding of information that drives decisions and actions, improves transparency, but also quickly cuts through the morass of data to what an organization needs to know to make the right decisions. This requires that the organization have a bottoms-up view of risk as well as the top-down.
- Agile. Stakeholders desire the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. Mature risk management enables decisions and actions that are quick, coordinated, and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.
- Resilient. The best-laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They desire to have sufficient tolerances to allow for some missteps and have the confidence necessary to rapidly adapt and respond to opportunities.
- Efficient. They want to build business muscle and trim fat to rid expense from unnecessary duplication, redundancy, and misallocation of resources; to make the organization leaner overall with enhanced capability and related decisions about the application of resources.
My point is simple, there are many perspectives on risk management that brought together properly and in balance can really build an effective and mature risk management program. While there are issues with qualitative methods, heat maps, and risk registers, that does not mean they are useless. They need to be effectively used and their issues and weaknesses understood. The same goes for a complete top-down view of risk management that only focuses on objectives and misses the hazards and issues that lie in the depths of the weeds of the organization that can cause significant harm. The best world is one that brings the strengths of all of these together and avoided throwing the baby out with the bathwater.
I will be presenting my views on how risk management technology enables and mature risk management capabilities in the webinar tomorrow:
I will be presenting my views on how organizations can mature their risk management capability in the webinar this Wednesday:
GRC 20/20 also has the upcoming Risk Management by Design Workshops:
GRC 20/20 has also just updated it’s flagship research paper on this topic: