Guest Post by Greg Caroll (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
The 2009 release of ISO 31000 was the first step across the threshold into 21st century risk management. Unfortunately the industry that has developed around it has firmly grabbed the doorway and won’t let go. Although the latest revisions make references to decision making and integration into functional purpose, it totally misses the point of risk management, which is to assist navigating a complex world.
Enterprise Risk Management by definition is the integration of an organisation’s risks for the purpose of assisting it achieve its mission. Linking risk registers to objectives does little more than focus management’s thinking on the outcomes of their decisions. As mentioned in the previous article “Risk 2018 & the missed opportunities of 2017“, implementing Controls is an expected compliance activity, not risk management. A ships’ pilot heeds channel markers, but it’s their skill is in reading the water and weather in choosing the most effective course, that decides winners and losers. And even the most sophistication GPS navigation systems have yet to replace the navigator on a Volvo Ocean Race yacht.
I started this article by detailing the failure of current risk methodologies but then realized I was one of my pet hates of focusing on the problem (like current risk management), not the solution. After a severe talking to myself I drafted out my vision of what risk management should look like in the 21st century. This goes beyond what I listed in my 2013 book “Mastering 21st Century Risk Management” which obviously needs to be updated.
Why we need to rethink Risk Management
The World Economy Forum’s 2018 Global Risks Report it succinctly observed:
“Humanity has become remarkably adept at understanding how to mitigate conventional risks that can be relatively easily isolated and managed with standard risk-management approaches. But we are much less competent when it comes to dealing with complex risks in the interconnected systems that underpin our world, such as organizations, economies, societies and the environment. There are signs of strain in many of these systems: our accelerating pace of change is testing the absorptive capacities of institutions, communities and individuals.
In a world of complex and interconnected systems, feedback loops, threshold effects and cascading disruptions can lead to sudden and dramatic breakdowns.”
Further, in one of the best insightful articles l’ve read in years, Oxford fellow Roland Kupers’ “Resilience in complex organizations” identifies the central issue that:
“In a deeply interconnected world, stresses and shocks propagate across systems in ways that evade forecasting. Climate change is linked to the Syrian civil war, which is connected to heightened concern over immigration, which precipitated Brexit.”
And the WEF report concludes:
“One of the aims of the Global Risks Report is to encourage individuals and organizations to think critically and creatively about how they can respond to a rapidly evolving risks landscape.”
The purpose of Risk Management in 2020’s
From these comments we can acknowledge that:
- Acute risks evade forecasting
- We need to be able to identify evolving risks
- We need to be able to relate them to other areas of risk
- The purpose of Risk Management is identifying how to respond rapidly to evolving risks
- Critically and creatively responses require operational decision making
- We need systems to enable rapid response to complex situations i.e. AI – Artificial Intelligence
This leads to the inevitable conclusion that risk management can only be Enterprise Risk Management since all risks interact with each other to alter their status. This makes a mockery of the concept of static risk registers and risk matrix ratings. This form of forecasting, in addition to being subjective (a guess), is out of date by the time it is recorded.
If the purpose of risk management is to enable the rapid response to evolving risks, we need real-time systems for identifying and assessing risks, not periodic risk reviews. Being rapidly evolving, but the time a risk control is developed and implemented the risk has most likely become an operational incident. You are better served by providing operational management with a range of 5 possible scenarios that will assist them with identifying both the direction of the risk evolving and possible courses of action.
It should be self-evident that with the complexity of today’s business environment risk management needs to sit firmly in operational decision making. If you accept this is the case then the only solution is to implement AI – Artificial Intelligence computer solutions that can advise operational management in real-time on cause and effect of changes in the physical, social and business environments.
The Role of Risk Management Units
In this new paradigm the role of Risk Management Units in organization should be the creation, evolution, calibration, and auditing of scenarios and decision making models, identifying and creating systems to monitor risk influences and drivers (which includes behaviour), and training operational management in modern decision making tools and framework (including bias and games theory). In the 21st century, risk registers, use of arbitrary heat-maps, and devising impractical or unrequired risk controls to ward off threats, smacks of superstitious witch doctor hocus pocus.
In upcoming articles I will go into the practical ways of applying modern technologies to achieve these 21st century risk management tenets, covering how to:
- Setup scenario analysis systems to provide operational management with decision marking collateral,
- Using Big Data to identify trends and evolving risk,
- Create Neural Networks to identify and map interrelationships,
- Implement IoT to monitor changes in environmental factors in real-time,
- Exploit Machine Learning to monitor customer and staff sentiment, etc.,
- Use predictive analytics to set up threat management & preventive action programs,
- Explore how Blockchain trust systems could be used to obsolete Cybersecurity & Supply Chain risk
- Harnessing Virtual Reality to gain a quantum leap in staff training and awareness,
- Replace laborious and inaccurate risk assessments & risk reviews with Automated Processes.
This will be the shape of risk management in the 2020s!
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd. Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
His book “Mastering 21st Century Risk Management” is available from the www.fasttrack365.com website.
johfert Bristomm says
I really appreciated your article related to enterprise risk management and what are the benefits and what the purpose of enterprise risk management is so well to explain.
Compliance management in Pakistan
Greg Hutchins says
Good day. Thank you for the kind words. We appreciate them.
ERM is becoming a common element of ‘good to great’ management.
We hear that Aga Khan Hospital has a good/great ERM program. Check them out.