So why don’t most Enterprise Risk Management systems work? Simply, they don’t “manage” risk, they just record it. Manage is a verb, not a noun. It is an activity, not an item. Making a list might be adequate for those who want to check off regulatory compliance, but it does not produce an ROI.
They don’t manage threats
To manage threats you need to actively monitor risk drivers and influences through lead and lag KRIs in real time. Reporting systems aren’t much use if they’re telling you after the event. By the time it shows up on a heat map it’s not a risk, it’s an incident. Simply moving your risk management from spreadsheets to a cloud risk register does nothing to pursue an active defence against threats.
To create a workable system, you need to take your risk registers, work out what causes those risks to worsen (the drivers and influences), and decide which lead and lag KRIs will show those drivers and influences moving. You then need to set up a real-time system that collects those KRIs, compares them against agreed thresholds, and alerts the people who can act on the threat immediately.
They don’t tell you HOW it will affect Objectives
The common practice of recording which objectives might be affected by a risk does nothing to assist in achieving or optimizing those objectives. The real purpose of risk management is to navigate the myriad influences on an objective’s outcome as they occur, i.e. it is an interactive, real-time activity.
Risk Management’s primary purpose in the strategic and tactical planning phase is to identify the best course to market and thereby optimize resources (time and capital). This requires specifying HOW risks and actions interrelate and compound one another’s effects. That highlights two things: for ERM to work it must integrate both risks and actions, and it must know HOW a variation in either compounds the effect of the other.
Once these are in place they can easily be used to monitor progress in achieving objectives. Workflows and issue reporting become inputs to risk drivers and influences, which in turn automatically update risks. With a real-time aggregation of risks (roll-up), alerts can be sent to interested parties whenever the risk threshold of any objective is threatened.
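The pipeline described in the two passages above (drivers and influences feeding lead/lag KRIs, risks recalculated from those KRIs, a roll-up to objectives, and threshold alerts) is sketched below as an added Python example. It is not code from the original post or from any ERM product; the KRI names, weights, thresholds and the two sets of readings are constructed for illustration, and the roll-up rule (treat the risks under an objective as independent and take the probability that at least one lands) is one reasonable choice, not the post’s prescription. It also lets a single risk sit under more than one objective, so the roll-up is a graph rather than a single hierarchy, and it feeds a logged incident back into a lag KRI so the estimate moves with reality.

```python
"""KRI-driven risk roll-up with threshold alerting (illustrative example, not from the original post)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class KRI:
    """A key risk indicator. `kind` is "lead" (early warning) or "lag" (after the fact)."""
    name: str
    kind: str
    warn: float          # level at which the indicator starts to count against a risk
    value: float = 0.0   # latest observed reading


@dataclass
class Risk:
    name: str
    base_likelihood: float            # 0..1 with all drivers quiet
    impact: float                     # 0..1 relative severity on any objective it touches
    drivers: List[Tuple[str, float]]  # (KRI name, likelihood added per unit of breach)


def kri_breach(kri: KRI) -> float:
    """How far a KRI sits above its warning level, as a fraction of that level, capped at 1."""
    if kri.value <= kri.warn:
        return 0.0
    return min(1.0, (kri.value - kri.warn) / kri.warn)


def risk_score(risk: Risk, kris: Dict[str, KRI]) -> float:
    """Base likelihood lifted by driver movement, times impact (0..1)."""
    uplift = sum(weight * kri_breach(kris[name]) for name, weight in risk.drivers)
    return min(1.0, risk.base_likelihood + uplift) * risk.impact


def roll_up(objectives: Dict[str, List[str]], risks: Dict[str, Risk],
            kris: Dict[str, KRI]) -> Dict[str, float]:
    """Aggregate risk per objective. A risk may be listed under several objectives
    (a graph, not a single tree). Exposure = 1 - prod(1 - score): probability that
    at least one listed risk lands, treating them as independent (an assumption)."""
    exposure = {}
    for objective, names in objectives.items():
        survive = 1.0
        for name in names:
            survive *= 1.0 - risk_score(risks[name], kris)
        exposure[objective] = 1.0 - survive
    return exposure


def alerts(exposure: Dict[str, float], thresholds: Dict[str, float]) -> List[Tuple[str, float]]:
    """Objectives whose rolled-up exposure has reached their agreed threshold."""
    return [(o, e) for o, e in exposure.items() if e >= thresholds[o]]


def ingest(kris: Dict[str, KRI], name: str, value: float) -> None:
    """A new KRI reading arriving from monitoring (the real-time collection step)."""
    kris[name].value = value


def record_incident(kris: Dict[str, KRI], lag_kri: str, count: int = 1) -> None:
    """Closed loop: a logged incident bumps the lag KRI, which re-scores the risks it drives."""
    kris[lag_kri].value += count


def run_demo() -> Dict[str, Dict]:
    """Constructed scenario: two risks, two objectives sharing one risk, two sets of readings."""
    kris = {
        "open_critical_vulns": KRI("open_critical_vulns", "lead", warn=5),
        "phish_click_rate": KRI("phish_click_rate", "lead", warn=0.05),
        "patch_sla_breaches": KRI("patch_sla_breaches", "lag", warn=2),
    }
    risks = {
        "ransomware": Risk("ransomware", 0.10, 0.9,
                           [("open_critical_vulns", 0.3), ("phish_click_rate", 0.2)]),
        "regulatory_fine": Risk("regulatory_fine", 0.05, 0.6, [("patch_sla_breaches", 0.4)]),
    }
    # "ransomware" rolls up into both objectives: one risk, two parents.
    objectives = {
        "launch_product_q3": ["ransomware"],
        "retain_iso27001": ["ransomware", "regulatory_fine"],
    }
    thresholds = {"launch_product_q3": 0.25, "retain_iso27001": 0.25}

    # Quiet readings: every KRI below its warning level.
    for name, value in [("open_critical_vulns", 3), ("phish_click_rate", 0.02), ("patch_sla_breaches", 1)]:
        ingest(kris, name, value)
    before = roll_up(objectives, risks, kris)

    # Drivers move, then an incident is logged against the lag KRI.
    ingest(kris, "open_critical_vulns", 8)     # breach 0.6
    ingest(kris, "phish_click_rate", 0.08)     # breach 0.6
    record_incident(kris, "patch_sla_breaches", 2)  # 1 -> 3, breach 0.5
    after = roll_up(objectives, risks, kris)

    return {
        "before": {"exposure": before, "alerts": alerts(before, thresholds)},
        "after": {"exposure": after, "alerts": alerts(after, thresholds)},
    }


if __name__ == "__main__":
    for phase, result in run_demo().items():
        print(phase, {k: round(v, 3) for k, v in result["exposure"].items()}, result["alerts"])
```

With the quiet readings nothing fires; after the lead KRIs move and the incident lands, `ransomware` scores 0.36 and both objectives cross their 0.25 threshold, the shared risk counting against each of them. Replace the hand-typed readings with whatever feeds your scanner, mail gateway and ticketing system already produce, and run `roll_up` on each change rather than on a review calendar.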
See also: The Current State of Risk Management
They don’t improve the quality of decision making
Complex systems (the business world among them) behave chaotically (see Chaos Theory): small variations in the inputs alter the outcome, as with the weather or the winner of the Melbourne Cup. But risk management was never about predicting the future. It’s about providing advice on the effects of possible decision outcomes and being prepared for any adverse effects.
But here’s the real rub. For ERM to be useful it has to employ Predictive Analytics and machine intelligence. In my defence, Predictive Analytics doesn’t actually predict the future; it surfaces patterns and facts that are otherwise easy to miss. It provides true decision-making collateral on the possible opportunities and threats in any scenario, from which “informed decisions” can be made instead of “gut feel” guesses. It helps mitigate decision bias and raises ramifications that are sometimes overlooked in the heat of a problem.
Obviously many ERM systems have numerous other failings, such as a single hierarchy for aggregating or “rolling up” risks (wouldn’t it be nice if the world was that simple), and not including Incident Management in ERM to create a closed feedback loop, which is what drives evolution and effectiveness. But the single most important thing is to use your risk collateral as part of day-to-day operational decision making and not to let it stagnate in risk registers that are reviewed annually.