#28 – ERM SYSTEMS THAT AREN’T! – (C) GREG CARROLL

Greg Carroll

The following is excerpted from Mastering 21st Century Enterprise Risk Management (forthcoming October 2013):

THE NATURE OF RISK
Most systems masquerading as enterprise risk management are re-jigged workplace health-and-safety risk platforms that attempt to apply a predefined standardized methodology.  A one-size-fits-all assessment program cannot be imposed on everyone and achieve any useful results.  Risk assessment must be relevant to people's own field if they are to take it seriously.  It must provide meaningful value to them.  It also must go through continual review as the nature of risk changes and evolves.

Here it is important to understand differences in the nature of risk.  Often confused with ‘type of risk’, the nature of risk is a higher level of classification that groups risk conceptually: how it presents itself and how it is managed.

Although this is not meant to be an exhaustive list, here are the four major natures of risk, each with very different characteristics:

Technical Risks
Technical risks are the broad group of risks whose state can be measured discretely and against which quantitative limits can be set and monitored.  This group includes financial risks, credit risks, medical risks, and engineering stress.  They are caused by variations that affect the system, as referred to in Chaos Theory above, and are managed through use of mathematical models.

Operational Risks
Operational risks are risks around the internal operations of a business, predominantly dealing with people, processes and systems; they are what most people think of as enterprise risk management.  This group includes regulatory risk, safety risk, process and project risks.  Qualitative by nature, they tend to be caused by changes to organisation or behaviour, and are managed through process management.

Black Swan Events
Black Swan events are events in human history that were unprecedented and unexpected at the time they occurred.  These once-in-a-lifetime events are unpredictable, occur abruptly and are catastrophic in nature, such as the global financial crisis, pandemics, widespread natural disasters, and economic or social collapse.  Being unpredictable and occurring abruptly, the risk itself cannot be managed in a traditional sense, so we have to manage its effects using such methods as disaster planning and relief strategies.

Security Risks
Security risks are aggressive actions.  They are intentional in nature, as opposed to the other categories, which are consequential in nature.  This group of risks includes fraud, cyber-security, and terrorism.  They are premeditated attacks which are managed proactively through surveillance and defensively through multi-layered safeguards commonly referred to as ‘defence-in-depth’.

The importance of understanding the differing ‘nature of risk’ becomes critical when considering structural frameworks to manage them and how to react when they fail.

This leads us on to the problem with the current approach to enterprise risk management.

A true enterprise risk management system not only allows consolidation of risk profiles but also aggregates risks horizontally between separate parts of the business.  What do I mean by ‘aggregate risks horizontally’?  Take the failure of Ansett Airlines as an example.

ANSETT AIRLINES’ CORPORATE COLLAPSE
Ansett was one of Australia’s largest and oldest airlines, on a par with Qantas.  In 2001, a failure of IT data governance (IT risk) resulted in poor maintenance record keeping that led to the Civil Aviation Safety Authority grounding some Ansett aircraft (regulatory risk) until they could be re-inspected and the verified records re-logged.

Although the grounding was only short-lived, the loss of consumer confidence (strategic risk) from having a ‘safety issue’ eventually led to the airline’s corporate collapse.  That is, an IT risk failure led to a regulatory risk failure, which caused a strategic risk failure and ultimately the corporate collapse of Ansett.  Risk management must be inter-connected if the various areas are to be reactive to events.

GETTING TO THE ROOT CAUSE
Leveraging an effective enterprise risk management system enables managers to identify process deficiencies, inefficiencies, and breakdowns in communications, which invariably lead to multiple handling, rework and reduced production time.  As a result, managers can get to the root of the problem and produce bottom-line cost savings through the following:

  • Neural network architecture, which allows horizontal as well as vertical hierarchies and provides a powerful problem-solving tool for management.
  • Coordination and automation of governance, risk, and compliance (GRC) activities, which eliminates duplication of both governance effort and operational overhead.
  • Cause analysis reporting of problems, which highlights areas for action.
  • A risk assessment calculator, which provides objective prioritizing and allocation of time and resources.
  • Greater electronic access to GRC data and task management, which means less reliance on physical travel for audit and inspection activities.
  • Resource management including rostering and resource availability, which reduces tasking conflicts and availability clashes.

UNREPRESENTATIVE RISK MODELING
The next cause of failure of risk management in the 20th century was the unrepresentative risk modelling used to evaluate risk exposure.  These models were essentially designed for their ease of use, not their effectiveness.

Let’s return to the three key findings cited earlier in the Milliman 2013 research report ‘Operational Risk Modelling Frameworks’:

  1. Operational risk is one of the major causes of organisational failure and destruction of shareholder value.
  2. Basic indicators and standard formula are simple and ultimately very blunt tools.
  3. Structural or causal-based models are the leading emerging best practices.

The first point is a given, but the second echoes the sentiments of the 15th annual OpRisk Europe conference held in London this year, that the risk management landscape has vastly changed over the last 10 years, and operational risk models need to keep pace.

The second point, that “basic indicators and standard formula are simple and ultimately very blunt tools”, refers to the current common practice of rating risk characteristics with a two-dimensional probability-consequence risk matrix.  To consolidate within the ERM system, the results are then aggregated to produce what is close to a meaningless value for the business.  Although better than nothing, it has little relation to the real-world risk.

Although Milliman politely refers to these 20th century techniques, promoted by most ERM software vendors, as a “very blunt” model, in 2013 it is the equivalent of using a 1990s mobile phone.  The problem with most software vendors is that they don’t understand the nature of risk management, and are approaching it from the ‘box-ticking’ mentality used to implement accounting and billing systems.  Purely from a perspective of managing risk, most enterprise risk management software out there today (except Fast Track of course) is not worth the paper it’s printed on (my apologies to Samuel Goldwyn).

As stated at OpRisk Europe, hanging onto the old models creates a false sense of security among senior management and increases the risk of NOT managing risk.  As cited earlier, Michael J. Nolan’s statement bears repeating, “…a case of out-dated thinking being applied to a new world economy.  Corporations have to rethink their approach to risk from every aspect of their business.”

NOT MAPPING COMPLEX INTERRELATIONSHIPS
The third point, ‘structural or causal-based modelling’ in quantifying risk, is about linking operational outcomes to causal drivers and accounting for their complex interrelationships.  This is similar to the neural data model architecture previously mentioned.

In the traditional risk silos model, each area does its own thing, in isolation from the others, unaware of any events or risk escalations other than those that report to it.  Although this fulfils the requirement to ‘aggregate risk profiles’, it leaves the organisation exposed to abrupt incursions into other parts of the organisation that could have been prevented.

The Milliman approach is along the lines of a neural data model which allows multiple connections.  Everything is related to everything else.  This allows information to flow in both directions, enabling the ‘robust determination of operational risk limits.’

Under the traditional model everything only consolidates up to the top, while under the neural model information flows, and is reactive, in both directions.  When considered in this light, it is quite apparent that the traditional modelling method is ‘inappropriately focused’.  Had Ford or Ansett employed this method of modelling, their story today might have been vastly different.
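To make the contrast concrete, here is a small added illustration (not code from the book or from Fast Track's software) of what ‘aggregating risks horizontally’ means in practice. It encodes the Ansett chain from the earlier section as a causal graph: each risk sits in a business-area silo with constructed likelihood and consequence scores, and directed links carry an assumed transfer factor. The silo roll-up reports only what each area owns; the causal propagation shows how escalating a single IT risk changes the exposure of Engineering, Compliance and Strategy, which the silo view never surfaces. All risk names, scores and factors are constructed for the example.

```python
"""Silo roll-up versus causal propagation of a risk escalation (added example)."""
from collections import defaultdict, deque

# Constructed sample risk register (illustrative, not from the book):
# each risk belongs to a business-area silo and carries a 1-5 likelihood
# and 1-5 consequence, the inputs of the classic two-dimensional matrix.
RISKS = {
    "it_data_governance":   {"area": "IT",          "likelihood": 2, "consequence": 2},
    "maintenance_records":  {"area": "Engineering", "likelihood": 1, "consequence": 4},
    "regulatory_grounding": {"area": "Compliance",  "likelihood": 1, "consequence": 4},
    "consumer_confidence":  {"area": "Strategy",    "likelihood": 1, "consequence": 5},
}

# Directed causal links (cause, effect, transfer factor). A factor of 1.0 means
# the effect becomes as likely as its cause; 0.8 means slightly less likely.
# Assumed values, chosen to mirror the IT -> regulatory -> strategic chain.
LINKS = [
    ("it_data_governance",   "maintenance_records",  1.0),
    ("maintenance_records",  "regulatory_grounding", 1.0),
    ("regulatory_grounding", "consumer_confidence",  0.8),
]


def matrix_score(risk):
    """The blunt two-dimensional matrix value: likelihood times consequence."""
    return risk["likelihood"] * risk["consequence"]


def silo_rollup(risks):
    """Traditional consolidation: each area reports the worst score it owns,
    and knows nothing about escalations elsewhere."""
    worst = defaultdict(int)
    for risk in risks.values():
        worst[risk["area"]] = max(worst[risk["area"]], matrix_score(risk))
    return dict(worst)


def propagate(risks, links, escalated, new_likelihood):
    """Causal model: raising one risk's likelihood raises every downstream
    risk it drives, walking the graph breadth-first. Returns a new register."""
    updated = {name: dict(risk) for name, risk in risks.items()}
    updated[escalated]["likelihood"] = new_likelihood
    downstream = defaultdict(list)
    for cause, effect, factor in links:
        downstream[cause].append((effect, factor))
    queue = deque([escalated])
    while queue:
        cause = queue.popleft()
        for effect, factor in downstream[cause]:
            inferred = min(5, round(updated[cause]["likelihood"] * factor))
            # Only strict increases are propagated, so cycles terminate.
            if inferred > updated[effect]["likelihood"]:
                updated[effect]["likelihood"] = inferred
                queue.append(effect)
    return updated


def cross_area_exposure(risks, links, escalated, new_likelihood):
    """Areas other than the escalated risk's own whose roll-up score changes
    once the causal links are followed: the exposure the silo view hides."""
    before = silo_rollup(risks)
    after = silo_rollup(propagate(risks, links, escalated, new_likelihood))
    home = risks[escalated]["area"]
    return {area: (before[area], after[area])
            for area in after if area != home and after[area] != before[area]}


if __name__ == "__main__":
    # An IT data-governance failure is observed; its likelihood jumps to 5.
    exposure = cross_area_exposure(RISKS, LINKS, "it_data_governance", 5)
    for area, (old, new) in exposure.items():
        print(f"{area}: silo score {old} -> causal score {new}")
```

Run as a script, the output lists Engineering, Compliance and Strategy with their scores rising from 4, 4 and 5 to 20, even though none of those areas recorded a local event; a silo roll-up run on the same register would show only IT changing.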

The extensive Milliman report (100 pages) covers a number of additional recommendations including loss data collection. It’s well worth the read, including its coverage of “Scenario and statistical modelling” and an introduction to “Phylogenetic techniques for assessing operational risk”.

However, the primary take-away of both the conference and the report is the need for risk managers to move from what they were taught years ago at university to the 21st century application of risk management techniques.

Bio:

Greg Carroll, Founder & Technical Director, Fast Track Australia Pty Ltd.

Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.

In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.

“Mastering 21st Century Risk Management” will be available from the www.fasttrack365.com website in a couple of weeks.  Meanwhile a recent webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture of how enterprise risk management should look in the 21st century.
