Recently I read a new 6-star hotel is opening in Australia in 2018. 6-Stars, really? I remember when 5-star rating was synonymous with 1st Class, as opposed to 2nd Class. Now we have 0th Class. I stayed in a 6-star hotel once and couldn’t see the difference to a true 5-star hotel, in fact it wasn’t as good as the 5-star Royal Crescent Hotel in Bath UK, which I would have to say is the best hotel experience I have enjoyed (that includes The Plaza, Savoy & Peninsula). Truly sublime. So if ISO 31000 is the 5-star of the GRC field what would be 6-stars? I would put that as being Strategic Management, it’s what turns the Plan into reality.
When I am asked to “critique” (euphemism for praise) a large organisation’s Objective Management framework, I start by researching the company’s current performance thru Dunn & Bradstreet, including their comparative performance with their industry peers (D&B’s “Company 360” service is quite remarkable, worth a look). Invariably I find quite a disparity between their perception and the market reality.
Over the last few years, the appreciation of the quantum difference between OHS Risk and Corporate Risk, both in attitude and management (see How to Aggregate Risk in an ERM), has led to a focus on clearly defining corporate objectives. But having defining corporate objectives, like having a good “play book”, is no guarantee of results.
What is Strategic Management?
Miami University’s Centre for Business Excellence found: “All reputable frameworks emphasize that enterprise risk management is destined to fail without dedicated ownership by senior management and proper oversight by the Board”. By inference, to be successful, ERM requires a Strategic Management framework to provide Context and focus; otherwise it is Cinderella without a ball.
From ISO 31000 to the new ISO 9001:2015 & 14001 standards comes the realisation that for information, to be effective, must have Context. Understanding context leads to a strategic bias (a good thing) and when it can be combined with visualisation tools at operational levels can deliver objective oriented troubleshooting and decision making.
Linking of objectives, obligation and initiatives, with ERM, proactive KPI monitoring, corporate governance, and Board reporting, is what moves a Strategic Plan into noticeable results. Thru my 30 years working in GRC with the likes of Dept of Defence, Motorola, and Serco, I have learnt that to deliver ROI all business must be linked to strategic objectives and be aggregated both horizontally and vertically. Further this Context must be communicated, available, & monitored at all Operational levels i.e. a single living 2-way network connected throughout the organisation.
Despite its inference in many management systems, corporate objectives are not the “bull eye” of strategic planning, they are just the dart board. Boards, and management, are assessed by the quality of their Results not the quality of their Objectives. Without a comprehensive coordinated approach from vision to returns, a strategic plan it is just a wish list.
A Strategic Management Framework
As I proffered in my last article “Time to Revise ISO 31000”, I believe business has moved beyond ERM and is now looking at how to use it to deliver results. So in absence of a formal Strategic Management Framework being available, I put forward my view on what one should look like.
- Context – Vision, Mission & Stakeholder Charter
- Leadership & Culture – Style & Corporate Values
- Strategic Planning – Formulation, implementation & monitoring
- Objective Management – Strategic, tactical & aggregation
- Enterprise Risk Management – How multiple frameworks are integrated & feedback
- Decision Management – Systems, transparancy & guidelines
- Performance Management – From metrics to Board Reporting
- Communication – Two ways (up & down), both explicit & implicit
- Business Continuity & Resilience – see BS 65000
- Compliance Management – frameworks, scope & reporting
- Improvement & Innovation – see article “PDCA is NOT Best Practice”
This is a “Strategic” framework not an operational framework. It doesn’t include operation tasks and responsibilities. That’s why there is no mention of Process Management or IT. Leadership & Culture isn’t meant to include roles and responsibility (what a number of standards euphemistically refer to as leadership) but rather style and development. This is meant to be an Executive level big picture framework not a how-to guide. The ERM & Compliance components mandate the appropriate frameworks to be adopted, their scope and integration, not the detail.
6-Star GRC
There is not the scope here to detail each of the components in full as it would occupy a book (now there’s an idea), but just to put forward a structure to start thinking about. If 6-star is a step further then an integrated Strategic Management Framework, ensuring strategic plans and objectives come to fruition, is 6-star. But more likely, like to The Royal Crescent Hotel, it’s just a matter of putting it altogether sublimely.
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd. Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture for how enterprise risk management should look in the 21st century.