risk analysis thought- discipline
Risk Analysis is a skill and discipline that extends far beyond ERM, and exists even without a defined ERM program. Having the ability to understand and incorporate risk analysis is part of a critical thinking discipline that is essential for leaders at every stage of their careers.
Every ERM program needs a well-organized and documented process for completing risk analysis, including the following on elements of implementation, tracking, and reporting that come after the analysis is complete. As with all programs and systems, the basic formula for risk assessing includes iterative processes for identification, analysis, treatment and adjustment. The process we share here is one adapted for practical use, framed from a more action-oriented perspective with an emphasis on areas that we have found, through experience, to facilitate easier integration and collaboration within operations.
First, we define Context - the thing to be assessed which creates the boundaries of assumptions.
Second, we Investigate, learning all that we can based on available information.
Third, we Prioritize the findings of our investigation based on impact and relevance to the organization.
Fourth, we develop and implement a plan to Respond to the exposures identified and deemed critical to strategy and operations.
Weaving through every step is an interactive process of Collaboration and Observation, bringing in key stakeholders in every stage, and actively noting the results and impact in every step.
Context is about defining the scope and boundaries of the thing being assessed. Its purpose is to provide clarity into the process so that the process itself and its outcomes are well anticipated and understood. The art of defining the context in any given scenario may well be the most overlooked and misunderstood competency for managers in business. It is, however, a crucial skill set for problem-solving, and it is front and center in the risk assessment process.
As we’ve said before, risk is simply uncertainty, and uncertainty itself is a fluid concept. As a result, we must continually redefine the context of the problem or issue we are assessing. When we fail to pin down the assumptions and boundaries for an assessment, the process becomes quickly unwieldy, and the outcomes may not meet the expectations of the audience.
Regardless of the use, defining context involves both strategic (purpose, outputs, and goal) as well as tactical (performance objective, requirements, reality, and impact) elements – we call it POGPoRRI – and it captures the essence of best practice ISO in defining the context, scope, and criteria.
Purpose: What is the purpose of the assessment?
Outputs: What outputs are needed, required, or expected?
Goal: What are we working to achieve or support? (big picture)
Performance Objective: What is ideal performance?
Requirements: What are the applicable standards, regulations, or laws?
Reality: What really happens/happened? Are there other forces at play?
Impact: How do these things ultimately affect the Goal?
Developing context requires a good process and the discipline to take the time needed to get through the process. It is not so different from the adage of ‘measure twice and cut once’, except that you're never truly done measuring or cutting. Finally, developing good context requires a general knowledge of the organization, and so for the new or new-to-the-organization risk practitioner, gaining the insight and input of those with greater experience and broader perspective is key to success in this area.
Collaborate & Observe
There are two continuous processes that encompass the entirety of the risk assessment process, and which are second only to Context in their importance. ISO address this in two parts – Communication & Consultation and then Monitoring & Reporting, but we believe these are inherently connected efforts that create synergy when considered together.
To take the first piece, we need to differentiate between communication and collaboration. Communication can easily happen in a single direction, and while it's important that outputs of risk management process be regularly communicated, the more important element here is the cooperative 2-way dialogue. Collaboration means that there is a practitioner working alongside their operational counterparts on an ongoing basis where each side he's having a regular conversation about risk end mitigation and opportunity. Consultation fits in here whether it is the practitioner consulting with operational experts or operations folks consulting with the risk expert, but again if we focus more on building collaborative relationships versus a process, we ultimately create a much more integrated and seamless system.
On the back end of the process, we typically see monitoring and reporting, where once the assessments are done and recommendations made controls or mitigations, or other changes are put into effect which we then move forward and monitor for effectiveness. The concept of observation being used in place of monitoring and reporting again is intended to create a discipline of continual observation of all changes in the environment, not just recent ones implemented. Review reporting as being a natural output of the investigation process and beyond that, we would expect to be engaged in broad observation of the whole system. This ensures that we do not get tunnel vision and forget that the context used in any given assessment has likely changed by the time we have completed the cycle and would be in a reporting process.
The primary objective here is to recognize that risk is inherent across every function, activity, and segment of an operation and that to build truly effective risk management programs, much less strategic enterprise risk programs, conversations about risk mitigation and opportunity leveraging need to be a continual dialogue informed by engaged personnel.
The next process step in the ISO structure is risk assessment, incorporating risk identification, analysis, and evaluation. Each of these steps has its own finite purpose, however, in practice, they are done in emerged fashion as part of a single fluid process. For that reason, we take a different approach to this by calling out what is primarily happening in two steps, which are Investigate and Prioritize. In this approach, we combine risk identification, analysis, and evaluation into a single effort that has a normal and anticipated outcome of the development of a summary and recommendations report.
Risk identification is exactly what it sounds like and is a practice of taking inventory of all potential risks that may come into play within the defined context of the assessment. Risk analysis involves developing an understanding of the risk, including the sources, impact, likelihood, and other relevant attributes. When we talk about traditional hazard loss risk, we are concerned with both Probability and Impact (or Severity). These measures can be quantitative, qualitative, or a combination of both depending on the type of risk assessed as well as the program maturity of the organization. Finally, risk evaluation takes into consideration the impact on the organization and the resulting recommendations for how to deal with the risk.
When we investigate a matter, it is intuitive that we gain all the details and background around the issue, identify all the potential causes and risks, weigh those for impact, and come to conclusions about the overall materiality of the event with the resulting deliverable of reporting out all that was learned, and conclusion reached. This process is no different in the business realm of risk analysis wherein we articulate a path forward, whether that is to do nothing or to take on significant effort to modify the business in response.
What is inferred within ISO and anticipated within the guidance of COSO, is the understanding that we have limited time energy, and resources to execute any course of action the entity chooses to take. Again, from feasibility and practical execution perspective we believe that prioritization is so crucial that we call it out as a specific element of the risk management process. One of the most critical gaps between traditional hazard loss risk management and enterprise risk is the lack of a mechanism to differentiate strategy impacting risk from all others. It is not that all risks within the organization are unimportant, it is more that there are certain types of risks, and more commonly connecting and cascading groups of risks that have the potential to severely impact the successful execution of top-level organization strategy.
This is not to say that strategic risk is not recognized nor understood at the top of the organization. What we are trying to point out is that there is a layer of often hidden risk that bubbles up from within the operation and Oregon trickles in from external assessments, that by themselves seem immaterial, but when they are connected can paint a whole new picture. What we are worried about most here is where we have significant risk to the execution of internal capabilities that are critical to achievement of high-level strategic objectives, and Oregon where seemingly unrelated threats have the potential to exacerbate internal weaknesses to the point of crisis. We also find in this space hidden strengths and capabilities that are sometimes overlooked in which otherwise could be leveraged and deployed in a whole new strategic way. For all these reasons, prioritization of risk is a critical component of ERM systems and is the key to bridging risk and strategy in most organizations. When we talk about this mechanism for prioritizing risk, it is a combination of what we call Mission Critical designators as well as identifying the Vitju (overlaps between purpose, growth, and evolution strategic imperatives) In strategic planning.
Mission Critical is any activity, asset, resource, service, or system that materially impacts (positively or negatively) the organization’s ability to successfully achieve its strategic goals and objectives. Mission Critical will be different for every organization but will always be grounded in its strategic objectives. Before you can determine what is Mission Critical, you must first:
Have an understanding of Mission, Vision, and Strategy
Clearly understand all Strategic Objectives and their priority
Develop a definition (unique to the entity) of Mission Critical
Incorporate Mission Critical designators into risk assessing, reporting, and scoring systems
Moving on to the next element identified in the ISO structure we get to risk treatment and recording and reporting. As indicated above, we anticipate conclusions and recommendations to come out of the investigation stage, the difference in response is that those conclusions and recommendations have been vetted and a course of action has been directed at which point we are responding. Recording and reporting fall into this response layer because it is inherent with execution and implementation which is the focus of this step. It is important to recognize that response will inherently trigger ongoing processes of communication, implementation, change management, and adjustment. All these elements are continual in nature weather and actual risk assessment are on the table.
If there is one takeaway that we want to emphasize for this chapter it is that the process is just a framework, it is important, but it does not operate without humans. We have attempted to illustrate a more fluid system of activities that serve to not only produce high-quality risk analysis outcomes, but that well encourage practitioners to focus on engagement and collaboration versus an audit-style approach to risk management.