This article is excerpted from my upcoming book Agile Enterprise Risk Management: Risk-Based Thinking, Multi-Disciplinary Management and Digital Transformation. The book provides a framework for evolving your Risk Management function to make it operate in a nearly-continuous fashion, which will allow it to keep pace with the rate of change required to remain competitive today.
We are advocating for your transformation to a more agile organization. In all likelihood, you’ve already begun—created internal collaboration capabilities and customer-facing, web-enabled services. But you probably have a long, long way to go before you have reached an optimal level of business agility.
Wherever you are in the evolutionary process, ERM must evolve and become more agile at the same time or you can impair your ability to recognize and manage risks as they are created or transformed by your evolving business.
The disciplines mentioned earlier—Enterprise and Business Architecture, Business Process Management, Transformation Portfolio, Program and Project Management—as well as Scenario Analysis, Strategic Planning and Transformation Roadmapping, are intrinsic to your managing your company. There are, or should be, planning, operating, quality-controlling, monitoring and performance management processes and practices associated with each of them. In addition to informing, guiding and governing how you do what your company does, you collect a great deal of valuable, raw information in the course of executing them.
Enterprise Risk Management is an information-intensive discipline; if you cannot see things that should be addressed, you will not address them. Sitting in a conference room trying to build an inventory of these things is a sure way to miss some of them. Extracting what is passively generated from your governance processes and your day-to-day activities and experiences is a good way to be more comprehensive. You’re already doing it, more or less, but you need to develop a focus on root sources of risks, which may not be obvious to you. So, looking at your company through the lens of each of the disciplines you use to run it will provide perspective that can enable you to put together a (more) complete and deeply-nuanced picture of where you should focus your risk management efforts.
Risks arise from decisions you make and actions you take. Ideally, actions you take—execution of Business as Usual (BAU) operations, have had their risks addressed via policies, practices, processes and procedures. It should be OK, once these are running smoothly to lower the scrutiny level. Decisions, other than those integrated and embodied in BAU operational processes, may occur regularly or irregularly and your risk management team must be present for you to manage the risks associated with them.
In the case of higher-level decisions, such as an acquisition, you would expect risk management to be an intrinsic component of the analytical process and it probably is, up to a point. In such a case, due diligence is an important risk management tool, perhaps your only opportunity to identify and assess non-obvious risks that don’t appear in the acquisition target’s financial statements or that may involve differences in governance or operational processes or culture. One important lens that you can apply to focus due diligence is a taxonomy or ontology that you apply to the risks that you identify, analyze and treat. Taxonomies and Ontologies are classification schemes that you use to qualify types of risks so that you can better understand and work to manage them. What you see as a risk, with a presumed cause or source, your acquisition target may view as something entirely different, something which doesn’t rate mentioning to you or a prescriptive treatment in the course of their operations.
In the case of BAU-related risks, decisions crop up when (a) a case arises for which there is no prescribed action or (b) when there is a need to revise the business process. If your risk management team is not integrated to the degree necessary to recognize and respond to either of these events, then your risk management comprehensiveness will slip, just that little bit. Obviously, if you amass enough of these cases, your control over your risks can be seriously compromised.
Depending on a periodic review process to identify new or morphed risks is a bit like driving while looking in the rear view mirror. It’s OK for a few seconds while you are on a straight road but fails spectacularly when a curve comes along. The process you will go through while you compile your starting risk inventory, which may be pretty well stocked with risks from your existing risk register, will hopefully be a one-time thing. However, many existing risk inventories are structured around avoiding undesirable outcomes more than they are identifying root causes. Revisiting the risks in the register to refocus on source-of-risk and risk/reward analysis is an important task and crucial to reorienting your risk management posture. Once you have refocused and developed intuition about risk sources, you can apply continuous risk management best by integrating your risk team in tight collaboration with operating units whenever decisions are being made.