#64 – FROM ERM TO EXTENDED ERM – THE INSTITUTE OF RISK MANAGEMENT

The past decades have seen a transformation in the way that both private and public organizations operate.  Delivering a product, a project or service today is likely to involve multi-tiered, often global value chains, sub-contracted manufacturing, licensed intellectual property, outsourced back offices and complicated routes to market, including digital delivery, all under increased pressures of time.  In the public sector many governments are handing over service delivery to a network of private or third sector operators.

By collaborating and specializing we can achieve outcomes that individual organisations could never achieve on their own.  But it also means that no organisation today has direct control over every aspect of its operations or reputation – from the smallest startup purchasing web and IT support from a cloud-based supplier to the complex supply chains of the largest supermarkets.  Risk management for these vital, complex extended enterprises that we rely on so much in our modern economies may be uncoordinated or inadequate.

Up to 80% of operating costs today may originate from outside the organization.  Intangible assets including goodwill have become increasingly important in assessing the value of companies.  As the amount of physical assets owned directly has decreased, so the performance of extended enterprises in delivering that intangible value becomes more significant. New information and communications technologies have facilitated the expansion of extended enterprises but have also introduced new risks that must be understood, considered and managed (for more detail see www.theirm.org/knowledge-and-resources/thought-leadership/cyber-risk/).

The development of the discipline of risk management in recent years saw practitioners understandably starting close to home – by looking at what could be done within a single organization.  They began by bringing together individual activities associated with managing risk into a coherent enterprise risk management programme.  We now have a broad body of knowledge about the processes that should be in place and the frameworks and architecture necessary to achieve this.  ISO 31000, for example, sets out a systematic approach for identifying, analysing, evaluating and treating risk.

Notably, the first step in the ISO 31000 process is establishing the context.  And it is in this area that we are starting to explore the less predictable behavioral and cultural issues driving organizational performance.  IRM’s 2012 publication on Risk Culture started to look at this subject.  It is also here, in establishing the context for risk management, that the issue of complexity and extended enterprise arises.

Understanding our extended enterprises, managing the risks of the relationships that bind them and considering how our risk management approach should be adapted to deal with them is the purpose of this project.

Our project group has developed a number of models, tools and techniques to help understand and manage risk across our extended enterprises.  Our way of looking at how extended enterprises come together is as follows and is illustrated diagrammatically on the left.

Figure 1: Joint endeavour

Against a background of multiple economies in diverse societies many people and organizations will work together on a joint endeavour to achieve outcomes.  These could include manufacturing or distributing products, delivering public services like healthcare, education or defence, or achieving a large or small infrastructure or scientific project.   The network that comes together to achieve this includes not just direct suppliers and customers but will also have links to other parties, including regulators and the media, as well as a multiple-tiered supply chain.

Figure 2: Further interconnections

The picture is further complicated by other connections between the parties, for example within an industry sector, which could be either collaborative or competitive, and by all parties’ involvement in further multiple joint endeavours.

Some parts of this joint endeavour will have good risk management within their organisation, others less so.   But uncertainty multiplies within this web of complexity, with serious potential for ‘weak links’ to affect other parts of the network. More positively, alongside the risks, there is also significant potential for strong parts of the network to deliver benefits and opportunities for all in areas such as innovation.

Figure 3: Key dynamics

The likelihood of achieving the desired outcome for the joint endeavour will depend on the following four key dynamics:

  • the relative power of the participants
  • the incentives, monetary and otherwise
  • relevant government or other regulations
  • whether there is a sense of shared values and ethics across the joint endeavour.

Bio:

(C) The IRM.
IRM is the leading professional body for risk management. We are an independent, not-for-profit organisation that champions excellence in managing risk to improve organisational performance.  For further information, please visit:  www.theirm.org.
