Tag Archives: Greg Carroll

Why Don’t Most ERM Systems Work?

So why don’t most Enterprise Risk Management systems work?  Simply, they don’t “manage” risk, they just record it.  Manage is a verb, not a noun. It is an activity, not an item.  Making a list might be adequate for those who want to check off regulatory compliance, but it does not produce a ROI.

They don’t manage threats

To manage threats you need to actively monitor risk drivers and influences through lead and lag KRIs in real time.  Reporting systems aren’t much use if they’re telling you after the event. By the time it shows up on a heat map it’s not a risk, it’s an incident.  Simply moving your risk management from spreadsheets to a cloud risk register does nothing to pursue an active defence against threats.

To create a workable system, you need to take your risk registers, work out what causes those risks to worsen (drivers and influences), and what lead/lag KRI to use to monitor the movement of those drivers and influences.  You then need to set up a real-time system for collecting those KRIs and alerting the appropriate people who can act on the threats immediately.

They don’t tell you HOW it will affect Objectives

The common practice of recording what objectives might be affected by a risk does nothing to assist in achieving or optimizing those objectives.  The real purpose of risk management is to navigate the myriad of influences on the objective’s outcome as they occur, i.e. it is an interactive real-time activity.

Risk Management’s primary purpose in the strategic and tactical planning phase is to identify the best course to market and thereby optimize resources (time and capital).  This requires specifying HOW risks and actions interrelate and compound their effect on one another.  This highlights two things.  For ERM to work it must integrate both risks and actions, and it must know HOW variations in either compound the effect.

Once these are in place they can easily be used to monitor progress in achieving objectives. Workflows and Issue reporting become inputs to risk drivers and influences which in turn automatically update risks. With a real-time aggregation of risks (roll-up), alerts can be sent to interested parties when the risk threshold of any objective is threatened.
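The mechanism sketched above (drivers monitored by lead and lag KRIs, which update risks, which roll up to an objective and raise an alert when its appetite is exceeded) as an added example in Python. It is not code from the author or any ERM product; the register entries, KRI thresholds, likelihood bumps and appetite figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class KRI:
    name: str
    kind: str          # "lead" (moves before the event) or "lag" (after it)
    threshold: float
    value: float = 0.0

    def breached(self) -> bool:
        return self.value >= self.threshold

@dataclass
class Risk:
    name: str
    base_likelihood: float   # assessed likelihood recorded in the register (0..1)
    impact: float            # relative impact on the objective (0..1)
    kris: List[KRI]

    def likelihood(self) -> float:
        # Each breached KRI raises likelihood; a lead KRI weighs more because
        # it arrives while there is still time to act (constructed weights).
        bump = sum(0.3 if k.kind == "lead" else 0.15 for k in self.kris if k.breached())
        return min(1.0, self.base_likelihood + bump)

    def exposure(self) -> float:
        return self.likelihood() * self.impact

@dataclass
class Objective:
    name: str
    appetite: float          # maximum tolerated rolled-up exposure
    risks: List[Risk]

    def rolled_up_exposure(self) -> float:
        # Roll-up treats risks as independent: P(any) = 1 - prod(1 - e_i)
        p_none = 1.0
        for r in self.risks:
            p_none *= 1.0 - r.exposure()
        return 1.0 - p_none

def update_kri(objectives: List[Objective], kri_name: str, value: float) -> List[Tuple[str, float]]:
    """Feed one KRI reading in; return (objective, exposure) for every objective over appetite."""
    alerts = []
    for obj in objectives:
        for r in obj.risks:
            for k in r.kris:
                if k.name == kri_name:
                    k.value = value
        exposure = obj.rolled_up_exposure()
        if exposure > obj.appetite:
            alerts.append((obj.name, round(exposure, 3)))
    return alerts

def build_register() -> List[Objective]:
    # Constructed register: one objective, two risks, three KRIs.
    supplier = Risk("Key supplier delay", 0.2, 0.8, [
        KRI("supplier_open_defects", "lead", threshold=10),
        KRI("late_deliveries_30d", "lag", threshold=2)])
    attrition = Risk("Staff attrition", 0.1, 0.5, [
        KRI("overtime_hours_pw", "lead", threshold=15)])
    return [Objective("Ship release Q3", appetite=0.35, risks=[supplier, attrition])]
```

With this register the lead KRI alone pushes the objective over appetite (exposure 0.43 against an appetite of 0.35) before any late delivery has been recorded by the lag KRI.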

See also: The Current State of Risk Management  

They don’t improve the quality of decision making

By definition, complex systems (the business world) are chaotic (see Chaos Theory), where small variations alter outcomes, like the weather and the winner of the Melbourne Cup.  But risk management was never about predicting the future. It’s about providing advice on the effects of possible decision outcomes and being prepared for any adverse effects.

But here’s the real rub.  For ERM to be useful it has to employ Predictive Analytics and machine intelligence.  In my defence, Predictive Analytics doesn’t actually predict the future, it just highlights obscure facts. It provides true decision making collateral on possible opportunities and threats in any scenario, from which “informed decisions” can be made, instead of “gut feel” guesses.  It helps mitigate decision bias and raise ramifications sometimes overlooked in the heat of a problem.

Obviously many ERM systems have numerous other failings, such as a single hierarchy for aggregating or “rolling-up” risks (wouldn’t it be nice if the world was that simple), and not including Incident Management in ERM to create a closed feedback loop, which drives evolution and effectiveness.  But the single most important thing is to use your risk collateral as part of the day-to-day operational decision making and not to just let it stagnate in risk registers being reviewed annually.

Future of Digital Transformation

Senior management have to come to grips with the fact that digital transformation is not an event but rather the operating environment of 21st century business.

Like music, photos, TV, and data, once something becomes digital it becomes a consumable and moves from the domain of the specialized expert to a public commodity. As with Blockbuster, Borders, Capitol Records and newspapers, businesses based on non-digital products are the hand-crafted hobbies of the 21st century.  Craft markets will exist into the future, but they are generally not profitable and rather a labor of love.

Changing the way we work

Here’s the kicker. Digital transformation is now looking at not just the things we sell, which includes services, by the way, but how we do business. From crowd funding to network marketing to blockchain (how Bitcoin works), the basic principles of how we have traditionally gone about business are changing.

Crowd funding, where a population at large is directly involved in the creation of products, also has ramifications for invention and design. Brainstorming on steroids. Network marketing has wiped out traditional sales channels from cold calling and direct mail to bricks and mortar retailing. And blockchain has the capability to render capital-intensive industries obsolete. What Bitcoin did to money, people are now looking to use to undermine energy, insurance and infrastructure oligarchies. One day, blockchain may even be capable of fixing our political system.

See also: 4 Rules for Digital Transformation  

Understanding Digital Transformation

What really is digital transformation? Gartner, a leading authority on such things, defines digital transformation as “to leverage digital technologies that enable the innovation of their entire business or elements of their business and operating models.”

So innovating is not just what we do, but how we do it, our “operating models.” In my last article, “Misunderstanding Innovation,” I wrote on how innovation is not invention but rather the application of invention as a solution to a practical need. As such, innovation is the backbone of digital transformation, just as audit is to compliance or controls are to risk.

Digital Transformation as an Operating Model

Back to my opening statement that digital transformation should not be thought of as an event but rather an operating environment, just as industrialization in the 18th century was not a single event but a period of continual transformation. From the introduction of the weaving loom through production lines to mass production, the transformation fed change that has continued for 200 years.

Senior management have to stop thinking of digital transformation as a passing fad, and embrace the fact that the world has changed.  As in the 18th and 19th centuries, change will drive change, and as the management of those times developed process management models (see PDCA is NOT Best Practice) to drive the development of automated production, so, too, managers now have to develop transformation models to take account of the fact that disruption and innovation will drive further disruption and innovation.

Transformation as a Lifestyle Choice

The fact that you have transformed your operation today is only a temporary reprieve. You need to redefine your business model to be an agile platform continually identifying and innovating to improve end-customer quality of life: That’s your customer’s customer.

Women as the Mothers of Innovation

The current beat-up of getting more women involved in STEM (science, technology, engineering, math) misses the understanding that innovation has at its root a deep empathy for the quality of life of others. Developing and elevating women’s inherent intuition as to the plight of others will do more to foster innovation than a plethora of inventions. Hundreds of inventions never see the light of day, yet a handful of innovations have changed the world. Again, please re-read my previous article on Misunderstanding Innovation.

If Malcolm Turnbull truly wants Australia to develop an innovative culture, we should be promoting more people into psychology, sociology, anthropology and statistics. These are the strategic vocations of innovation, while STEM and invention are the tactical solutions. Yes, stats is math, but it allows us to understand bias as well as predictive analytics, which identifies and prioritizes targets for innovation.

See also: Why You Need a Digital Leader  

Where to From Here?

Accepting the need to transform your business model is in itself an inherent risk. Just as a window cleaner straps on a safety harness before scaling a building, so having an active risk and compliance system operational is a mandatory prerequisite before embarking on any transformation. You will need systems that alert you to emerging issues and to give you continual insight, throughout the transformation process, without the need to go and look for it. The business graveyard is as full of those who lost their footing on the way as those who did nothing. This is not a shameless plug for what I do but rather the reason I do it.

It’s Time to Revise ISO 31000

With the recent release of a new British standard BS 65000 on organizational resilience and the announcement by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) of a review of its 2001 enterprise risk management (ERM) framework, I believe that business is moving ahead of ISO 31000 as a necessary response to the evolving business environment and accelerating rate of technical change. Therefore, there is a strong case for taking a fresh look at ISO 31000.

As I’ve stated many times, the pace of business changes and evolution of management systems is accelerating in the 21st century. So, too, has the role of risk management. The ground is continuing to move under our feet. Long a supporter of Martin Davies’ causal approach to risk management, I feel the albatross of risk heat maps and 20th century occupational health and safety (OHS) perceptions of risk are causing business to bypass risk management.

Has Risk Management Been Lost in Operational Risk?

In a recent article by David Vos titled “Ten steps to corporate risk analysis,” he refers to the need for quantitative risk analysis (QRA) and says “only about one quarter of corporate strategic planning departments truly use simulation analysis (the most useful means of evaluating risks), and only a third quantify their risks at all.” This left me dumbfounded, for if risk is the level of uncertainty on objectives, how can any system claim to be managing risk without quantifying it? It leads me to ask, outside banking and insurance, how many people are really “managing” risk as opposed to recording it?

Could it be arrogance, where we have elevated ourselves to the “opportunity and decision making” levels of business, causing us to lose sight of our primary role in the business landscape?

Is the Legal Department Taking Over Risk?

In a recent article, I criticized plan, do, check, act (PDCA) as an outdated, serial approach to continuous improvement, proposing instead realization, optimization and innovations as an interactive real-time approach using mathematical predictive analytics. It seems the usually lagging legal fraternity is advocating a similar approach “that may be used by the legal department for risk management purposes. These innovative uses of available technology can increase the return on investment in the technology and provide an added incentive to move forward with new approaches to risk management.” Is the legal department to become the vanguard for ERM? With legal’s relationship to corporate governance, that is not beyond the realm of possibilities!

Although I am most likely preaching to the converted, we need to change the purpose of risk management from being administrative to being an active, valuable tool. This mandates, at a minimum, a reasonable level of understanding of statistical and analytic mathematics and the realization that an Excel spreadsheet cannot be proactive. As ISO 31000 is the only tool we have to wage this war, and 2009 was a lifetime ago in terms of business practice (basically, before the end of the Great Financial Crisis), I believe it requires a major overhaul or risk becoming irrelevant.

Finally, risking the wrath of the ever-swelling ranks of generalist operational risk consultants out there: However altruistic was the original decision for ISO 31000 not to be certifiable, there is a need to introduce a method of certification to engender value and consistency into the reputation of ISO 31000.

My Suggestions for a Revised ISO 31000

As a starting point, I would suggest:

  • Strengthen requirements on risk culture and risk appetite
  • Mandate the use of quantitative risk analysis (QRA)
  • Mandate the use of causal analysis and monitoring
  • Take an active approach to risk management
  • Incorporate BS65000 and resilience as part of ISO 31000
  • Introduce certification to protect the ISO 31000 brand