Modernised Risk Management
“The harsh realities of the new world in which we all now live and work are such that we can no longer accommodate inefficiencies in our critical functions and processes. An integrated and more coordinated approach to managing governance, risk and compliance provides a way of achieving this.” (Robert Toogood. The Risk Management Handbook.)
If the causes of a loss can be seen in hindsight, we should be able to see the warning signs before the event. We call this ‘Prior Hindsight’. (RiskIQ)
Objective: To have a risk management system that deals with known risks efficiently and can respond to complex, hidden risks effectively.
How: Ensure that existing enterprise risk management systems are compliant and efficient (with less ‘red tape’ and ‘box ticking’) and are capable of appropriate responses to anything that is too complex to predict. This puts risk management in the boardroom and helps you make decisions that stand up to scrutiny.
Key Points to Understand
• Enterprise-wide Risk Management (E-wRM) must provide the intelligence for strategic decision making.
• E-wRM is a necessary precursor to effective and efficient Governance, Risk and Compliance.
• If the causes of a loss can be seen in hindsight, we should be able to see the warning signs before the event. We call this ‘Prior Hindsight’.
• The ‘flip side’ of prior hindsight is acute foresight – where do the opportunities for improvement lie?
• Very often, executives think that they are ‘covered’ by having what appears to be a ‘state of the art’ risk management system; the problem is that in most cases, these do not cover hidden risks which affect the whole organisation.
We use the term “Enterprise-wide Risk Management” (E-wRM) to describe a way of understanding risks across the entire organisation and its capability to deal with them over time. It is closely linked to the idea of “Governance, Risk and Compliance” (GRC). Taken together, the result should be a capability to take strategic decisions about performance secure in the knowledge that the organisation is compliant and resilient. We distinguish “E-wRM” from Enterprise Risk Management (ERM), which usually refers to the system, usually an IT system, used to record data and put processes in place.
In our experience, when an organisation has a risk management process or system in place, particularly if it is a sophisticated ‘Enterprise Risk Management’ (ERM) system, they believe they are somehow ‘covered’. This may be true for assets, supply chains, IT systems, occupational health and safety, projects and programs, and there may well be a business continuity program in place. However, the problem remains that in our view this does not cover all the circumstances which need to be part of what we describe as a modernised enterprise-wide risk AND response management capability. For example, how can you create an entry in a risk register which sets out the likelihood and impact of something you don’t know about, or that hasn’t happened yet?
Managing and responding to all risks in all circumstances across the entire organisation can be thought of as being efficient in how one deals with the routine risk management processes, being effective in responding to complex strategic issues and making sure that people understand the difference.
This is not to say an ERM system is not useful. Very clearly they are, and they address the need to be compliant with a standard such as ISO 31000; however, by building on these existing systems, it is possible to build a response capability to the unknown. This will require a change of mindset, an understanding of how to enable responses to complex, interrelated, emergent and hidden risks, and a set of tools to discover and map these. (See systemic risk inquiry and analysis and systems design.) It also involves educating, training and mentoring to help people navigate complexity successfully.
To understand how to build on existing systems, how ISO 31000 limits effectiveness and how to create a modern risk and response capability in your organisation, email us at firstname.lastname@example.org or call Jeremy Kidner on 0404 420 655.