ISO 31000 needs to address the understanding of the fundamental nature of risk if it hopes to advance the maturity of risk practices in business.
Risk Management is firmly entrenched in a world of re-active modelling and reporting that belies the goals of ISO 31000 and until there is an epiphany in the industry on understanding the nature of risk, it is unlikely that ISO 31000 will achieve anything more than a documentary role in corporate governance and business management. Risk Management must add value, and this means add Shareholder Value, if it is to be accepted as a part the strategic management of business.
The fundamental nature of risk is controlled by 2 basic laws of physics, the 2nd law of thermodynamics and Chaos theory. When looked at in relation to risk, you get a better understanding of the nature of uncertainty. Under the 2nd Law of Thermodynamics everything deteriorates over time whether it be rust, ware out, or old age. Due to tiny variations in the surrounding environment, or due to interaction with other things, the rate and effect of that deterioration cannot be predicted. Since the time of the dinosaurs man has tried to manage this by protecting themselves or by handling its fallout.
As history has shown on numerous occasions, progress does not come from policies of isolationism and appeasement but from taking the initiative and changing the environment to which we are subject, to the chicane of environmentalists. From the uncertainty of hunters and gatherers to a more consistent food source of domesticating cattle and sowing cornfields, man has only effectively mitigated risk by taking proactive actions to affect the cause of the risk, not by measuring and controlling its impact.
Current risk practices are firmly focused on the reactive methods of risk management. This is best highlighted by one of the latest ‘best practice’ innovations in risk, that of the Risk Burndown, or Waterfall chart, popular in those doyens of risk management, IT Project Management. Its proponents are inferring that by measuring and reporting the estimated’ probability on the ‘estimate’ work left in the project, then compared with the original ‘estimated’ project completion rate, that they have managed the project risk. With a track record of 40% failure in IT Projects and 70% failure in Business Intelligence (BI) projects, senior management needs to start taking a serious look at involving competent risk management into IT Project Management, if they want to stop ‘Burning’ cash.
I used IT Project Management to highlight the current reactive nature of risk management, but it is by no means just an IT issue. In general terms, it is referred to as managing Risk Exposure. Unfortunately measuring and reporting of the Risk Exposure will not alter its likelihood. Nor will Disaster Planning strategies and increasing leverage ratios and capital reserves.
ENVIRONMENTAL SCANNING
We need to change the focus to be on affecting the influences and drivers that are the causes of risks. The real ‘best practice’ in Risk Management is known as Environmental Scanning. This is a practice of continually monitoring Key Risk Indicators (KRI) attached to externally (and internally) facing influences and drivers that can affect the risks in an organisation.
With current 21st century technologies available today such as Big Data, Social Media, RSS (automatic subscription feeds), and predictive technologies, Environmental Scanning is not only possible but should be your first line of defence. It not only introduces Proactive Risk Management but also introduces Opportunity Management with its ability to identify both positive as well as negative trends, and thereby raises Risk Management to a Value-Adding business strategy.
Environmental Scanning is not a standalone answer to effective risk management, as you will need to change your current siloed risk profiles to integrated risk profiles, (like in the Fast Track Neural network) and step up from the 4×4 Risk Matrix to something like Bayesian mathematics to calculate risk.
If you are interested in reading more on the subject, Google: Environmental Scanning, Scenario Analysis, and Bayesian mathematics, or get a hold of my book Mastering 21st Century Enterprise Risk Management, or watch my webinar series (link below) on Mastering 21st Century Enterprise Risk Management. Also have a look at our fact sheet on the Fast Track Enterprise Risk Management product.
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd.
Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture for how enterprise risk management should look in the 21st century.