Guest Post by Andrew Sheves (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
The point of risk management is to understand and react to the threats and opportunities that might affect your business. The problem is that risk management can often become dislocated from the mainstream business processes. Instead of being integrated into the organization, risk management takes place in a parallel but separate workstream: one that decision-makers dip into occasionally but generally look at as a specialized, technical process.
I notice a similar thing happens with cybersecurity. Despite the fact that almost every business is now wholly dependent on a robust, secure and effective IT infrastructure, cybersecurity is still often seen as a ‘thing that IT does’. Even though cybersecurity is effectively supply chain security (plus a lot more), it isn’t thought of that way.
One way to solve this conundrum is to think of a risk assessment like a P&L statement or balance sheet: it's a data set that supports decision-making. And, taking that one step farther, your risk data can support the decision-makers if it's linked to your overall objectives.
If you map out how threats or opportunities are linked to your objectives, you can link your assessment directly to what the organization is trying to achieve.
However, in a lot of cases there's not going to be a direct link between a threat and the objective. Even if there is, it might not be specific enough to make a meaningful decision. So instead, you need a middle step to identify the critical factors that enable you to reach your objectives.
Top-level objectives → Factors for success → Threats / opportunities
Moving from the strategic (objectives) to the operational (factors for success) to the details (individual threats) will help you link everything together.
Then, reverse the process and map the threats / opportunities to success factors before looking at how a risk might affect that objective.
Threats / opportunities → Factors for success → Top-level objectives
This makes it easier to link the risk data to your objectives and to make better, more informed decisions.
Here's the whole thing sketched out:
However, you have to keep in mind that the threat category might not always line up with the description for the objective.
For example, your top-level objective is to deliver the highest quality of widgets in your industry. To do that, you need to recruit and retain the top talent, which you class as a People item.
However, you face a Reputational risk because of the behavior of the previous CEO which makes attracting good people difficult.
So a Reputational threat causes a risk that affects your People success factor. This in turn affects your quality objective.
So get your stakeholders and decision-makers to start thinking about risk data as another data-source to help with decision-making. At the same time, ensure that what you produce is clear and tied to objectives: be effects-led, not threat-led.
This apparent simplification doesn't mean there isn't still a lot going on behind the scenes. The simplification requires a lot of work, but that's not unusual: just think about how many hours go into producing a one-page P&L statement for a big organization. However, you will be more effective if you present your results as clean, clear, usable data that directly links to what your organization is trying to do.
Andrew Sheves Bio
Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d’etat, and kidnapping.