Although in ISO 31000, monitoring risk is a key tenet, I see little monitoring in most risk management systems. Periodic review, dashboards, heat maps and key risk indicator (KRI) reports are all review (a different ISO 31000 tenet), not monitoring. IoT technology can deliver real-time monitoring of risk for more than just physical environmental metrics.
To monitor means to supervise and continually check and critically observe. It means to determine the current status and to assess whether the required or expected performance levels are actually being achieved.
This is the fifth in the series on the Top 10 Disruptive Technologies that will transform risk management in the 2020s. This week, I look at how IoT technology can be extended to deliver real-time monitoring of risk for more than just physical environmental metrics.
In my 2013 book “Mastering 21st Century Enterprise Risk Management,” I suggested “horizon scanning” as a method for monitoring risk and threats. With IoT, we have the opportunity to extend this from a series of discrete observations into continuous real-time monitoring. But let’s start with basics.
What Is IoT – Intelligent Things?
The IoT acronym for Internet of Things, like most IT acronyms, is meaningless, so it’s more recently being referred to as Intelligent Things, which is both more meaningful and allows for its expansion outside its original classification (I will come to that shortly).
IoT technology is about collecting and processing continuous readings from wireless sensors embedded in operational equipment. These tiny electronics devices transmit their readings on heat, weight, counters, chemical content, flow rates, etc., to a nearby computer, referred to as at the “edge,” which does some basic classification and consolidation and then uploads the data to the “cloud,” where some specialist analytic system monitors those readings for anomalies.
The benefits of IoT are already well-established in the fields of equipment maintenance and material processing (see Using Predictive Analytics in Risk Management). Deloitte found that predictive maintenance can reduce the time required to plan maintenance by 20% to 50%, increase equipment uptime and availability by 10% to 20% and reduce overall maintenance costs by 5% to 10%.
Just as the advent of streaming video finally made watching movies online a reality, so streaming of data readings has produced a real paradigm shift in traditional metrics monitoring, including being able to make operational predictions up to 20 times earlier and with greater accuracy than traditional threshold-based monitoring systems.
Think about it. What if we could achieve these sorts of improvement in risk management?
Monitoring Risk Management in Real Time
The real innovation from IoT is not from the hardware technology but from the software architecture built to process streaming IoT data. Traditionally, data was collected, then processed and analyzed. Like traditional risk management, it is historic and reactive. Traditional analytics used historical data to forecast what is likely to happen based on the historically set targets and thresholds, e.g. when a sensor hits a critical reading, a release valve would open to prevent overload. Processing and energy has already been expended (lost), and the cause still needs to be rectified.
IoT technology continuously streams data and processes it in real time. Streaming analytics attempt to forecast what data is coming. Instead of initiating controls in reaction to what has happened, IoT steaming aims to alter inputs or the system to maintain optimum performance conditions. In an IoT system, inputs and processing are continually being adjusted base on the streaming analytics expectations of future readings.
This technology will have its profound and transforming effect on risk management. When it migrates from being used to measure hardware environmental factors to software-based algorithms monitoring system processes and characteristics, we will be able to assess stresses and threats, both operational and behavioral.
In the 2020s, risk management will be heavily driven by KRI metrics, and as such will be a prime target for monitoring by streaming analytics. In addition to obvious environmental monitoring, streaming metrics could be used to monitor in real time staff stress and behavior, mistake (error) rates, satisfaction/complaint levels, process delays, etc. All change over time and can be adjusted in-process to prevent issues arising.
In addition to existing general-purpose IoT platforms, such as Microsoft Azure IoT, IBM Watson IoT or Amazon AWS IoT, with the advent of “serverless apps” (this technology exists now), we will see an explosion in mobile apps available from public app stores to monitor every conceivable data flow, to which you will be able to subscribe and plug in to your individual data needs. We can then finally ditch the old reactive PDCA chestnut for the ROI method of process improvement and risk mitigation (see PDCA is NOT Best Practice).
With the recent release of a new British standard BS 65000 on organizational resilience and the announcement by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) of a review of its 2001 enterprise risk management (ERM) framework, I believe that business is moving ahead of ISO 31000 as a necessary response to the evolving business environment and accelerating rate of technical change. Therefore, there is a strong case for a taking a fresh look at ISO 31000.
As I’ve stated many times, the pace of business changes and evolution of management systems is accelerating in the 21st century. So, too, has the role of risk management. The ground is continuing to move under our feet. Long a supporter of Martin Davies’ causal approach to risk management, I feel the albatross of risk heat maps and 20th century occupational health and safety (OHS) perceptions of risk are causing business to bypass risk management.
Has Risk Management Been Lost in Operational Risk?
In a recent article by David Vos titled “Ten steps to corporate risk analysis,” he refers to the need for quantitative risk analysis (QRA) and says “only about one quarter of corporate strategic planning departments truly use simulation analysis (the most useful means of evaluating risks), and only a third quantify their risks at all.” This left me dumbfounded, for if risk is the level of uncertainty on objectives, how can any system claim to be managing risk without quantifying it? It leads me to ask, outside banking and insurance, how many people are really “managing” risk as opposed to recording it?
Could it be arrogance, where we have elevated ourselves to the “opportunity and decision making” levels of business, causing us to lose sight of our primary role in the business landscape?
Is the Legal Department Taking Over Risk?
In a recent article, I criticized plan, do, check, act (PDCA) as an outdated, serial approach to continuous improvement, proposing instead realization, optimization and innovations as an interactive real-time approach using mathematical predictive analytics. It seems the usually lagging legal fraternity is advocating a similar approach “that may be used by the legal department for risk management purposes. These innovative uses of available technology can increase the return on investment in the technology and provide an added incentive to move forward with new approaches to risk management.” Is the legal department to become the vanguard for ERM? With legal’s relationship to corporate governance, that is not beyond the realm of possibilities!
Although I am most likely preaching to the converted, we need to change the purpose of risk management from being administrative to being an active, valuable tool. This mandates, at a minimum, a reasonable level of understanding of statistical and analytic mathematics and the realization that an Excel spreadsheet cannot be proactive. As ISO 31000 is the only tool we have to wage this war, and 2009 was a lifetime ago in terms of business practice (basically, before the end of the Great Financial Crisis), I believe it requires a major overhaul or risk becoming irrelevant.
Finally, risking the wrath of the ever-swelling ranks of generalist operational risk consultants out there: However altruistic was the original decision for ISO 31000 not to be certifiable, there is a need to introduce a method of certification to engender value and consistency into the reputation of ISO31000.
My Suggestions for a Revised ISO 31000
As a starting point, I would suggest:
Strengthen requirements on risk culture and risk appetite
Mandate the use of quantitative risk analysis (QRA)
Mandate the use of causal analysis and monitoring
Take an active approach to risk management
Incorporate BS65000 and resilience as part of ISO 31000
Introduce certification to protect the ISO 31000 brandaszzz
This is Paper 3 of a series of five on risk appetite and associated questions. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards comprehend the links between risk and strategy. This is achieved either through painful crises or through the less expensive development of a risk appetite framework (RAF). Understanding of risk appetite is very much a work in progress for many organizations, but RAF development and approval can lead boards to demand action from executives.
Paper 1, the shortest paper, makes a number of general observations based on experience with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. This paper, Paper 3, answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between risk appetite frameworks and strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and risk maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy.
Paper 3: Should all organizations have a risk appetite framework?
The relationship between risk and strategy is a function or neither risk management nor strategic management. Rather, it is simply good management in an uncertain world, where business models are:
Increasingly driven to be available on a 24/7 global footprint,
Online using telecom networks,
Becoming more dependent on third-party service providers,
Becoming more connected within larger financial, supply chain and energy supply chains.
It is our view that the term “risk management” will, within the 2010 decade, become supplanted by the term “resilience management” and that the latter term will become an integral part of risk culture in organizations that are trading internationally or vulnerable to international supply chains.
Maintaining a risk appetite framework will thus, before the end of this decade, be a matter of necessity, and not a matter of choice. The driver in this regard will be the pace of change. Look at the pictures above, both at a papal blessing, and you see what a difference less than a decade years can make.
What is leading organizations to put formal risk appetite frameworks in place?
Greater investor and regulatory focus, combined with a recognition that risk practices are becoming increasingly professional, has caused organizations to change attitude toward risk from a broadly negative stance to a more positive and engaged approach.
We note a global scarcity of skilled chief risk officers and unwillingness by organizations to commit resources in the current economic climate. Nevertheless, enlightened organizations are gaining appreciation of the links between risk and strategy and in turn toward putting in place the necessary resources and supports to provide greater risk professionalism.
How are risk appetite and strategy related?
The diagram below describes the relationship.
Figure 2: RMI’s 7 elements approach to aligning strategy and risk
Earlier in these papers, we described board risk assurance as assurance that strategy, objectives and execution are aligned.
We further explained that alignment is achieved by operationalizing the links between risk and strategy. This is done by integrating each of the seven numbered elements described in the diagram above as follows:
1. Reaching a determination as to long-term purpose and formulating those strategic initiatives and objectives that are required to achieve it,
2. Understanding obstacles to the achievement of objectives: This needs to be understood practically in terms of a motor journey from say Dublin to Cork or Berlin to Paris.
Before the journey, people need to understand, and manage, what can stop them, slow them down or distract them on the journey. Once people understand risk management in these simple and practical terms, they understand that risk management is more about achieving objectives (getting from point A to point B) than compliance with regulations. It is about improving performance on the journey.
What people? In the simplest of terms, they are the owners of the car (shareholders represented by the board), the driver (CEO and executives) and passengers (primary stakeholders, i.e. customers, employees, investors, suppliers and secondary stakeholders and others with a legitimate interest in the business).
3. Setting objectives and getting balance and alignment (Note: strategy maps, e.g. Balanced Scorecard):
This is done in risk management terms by:
a. Strengthening the strategic planning process; for example:
i. Increasing rigor, formality and consistency in the strategic planning office (SPO), which derives its authority from the board and the CEO’s office,
ii. Aligning strategy, risk and audit board subcommittees (through cross-representation) in a manner that largely mirrors the conventional three lines of defense model and reflects the requirement to strengthen board risk oversight, reporting and monitoring,
iii. Embedding risk management competence within the SPO,
iv. Explicitly articulating corporate and organizational objectives,
v. Testing the alignment of group, corporate and organizational objectives through development and review of risk appetite statements.
b. Establishing an effective risk appetite framework, which includes:
i. Statement of purpose and values of the organization,
ii. Explicitly stated board risk assurance requirements; factors to consider would include:
Mapping objectives to a risk appetite continuum,
Qualitatively expressed risk appetite statements,
Quantitatively expressed risk criteria related to both risk tolerance and risk limits.
c. Understanding and improving the organizational level of risk maturity
Risk maturity is outside the scope of this paper; however, discussion on the topic would be welcomed by RMI. RMI has developed a five-level RMI Risk Maturity Index, which provides a road map to risk optimization. The index scores risk maturity capability requirements, etc. In summary, it describes:
Level 5: “Value-Driven” — Optimizing value through aligning risk and strategy with corporate objectives,
Level 4: “Managed” — Gaining value through aligning risk and strategy in pursuit of corporate objectives,
Level 3: “Insight” — Gaining insights into how to better align risk and strategy in pursuit of corporate objectives,
Level 2: “Awareness” — Developing awareness into how to align risk and strategy in pursuit of corporate objectives,
Level 1: “Basic” — Seeking awareness of the links of risk and strategy in pursuit of corporate objectives.
d. Building resilience:
i. Ensuring that the SPO engages in systematic risk horizon scanning as well as:
1. Understanding near misses and escalation reports in the organization and externally,
2. Monitoring performance of risk treatments,
3. Proofs and tests of the quality of decision making, and decision making processes, through simulated threat and opportunity crisis scenario(s) exercises,
4. Evaluating the amount of risk the organization is prepared to accept in pursuit of the long-term statement of purpose; and then deciding how to treat risks:
Just as implementation is critical to performance, risk treatment is at the cutting edge of risk management and managing risks!
Disappointingly, however, very many organizations commit disproportionate resources to risk assessment with inadequate attention paid to what really matters; that is,treating risks. In essence, very many organizations concentrate on the P in the PDCA (plan, do, check, act) cycle, with not enough attention paid to doing, checking and acting on continuous improvement requirements.
This is pretty much in evidence in a review of many of the risk registers we have examined on behalf of clients. The majority of the surface area/content of the report (sadly, and sometimes tragically, an Excel, Word or Power Point document, as distinct from a credible database solution) is given to risk assessment.
In our experience, often, precious little detail is given to:
Who, specifically is responsible for individual risk treatments,
Change management and resource requirements supporting risk treatments,
The project/risk treatment key performance indicators (KPIs), milestones and gateways,
The expected residual effect of risk treatments on likelihood and impact,
The role of management in reviewing performance against KPIs, milestones and gateways.
Risk treatment reports, which are presented to the level of detail described above and which are evaluated by the SPO in a manner that provides a feedback loop to the performance of objectives, become leading indicators of the future state of health of objectives.
5. Weighing the odds consistently throughout the organization: This is the function of the chief risk officer (CRO), a most important role within the organization, and risk committee.
The ability of the CRO and risk committee to efficiently and effectively perform this function is directly proportional to the efficacy of the assurances delivered as described above.
Typical weaknesses and challenges that can occur include:
1. Frequency of changes required to risk criteria (tolerances and limits) in early stage (risk) maturity organizations as a consequence of:
Pace of change internally and externally in the organization,
Identification of emerging and external risks hitherto not understood.
2. Inability to undertake real time dynamic tests of risk aggregations:
Around discrete objectives,
Across risk categories.
The weaknesses and challenges described above often result in:
1. Meetings where questions asked can only be answered in terms of:
i. This is the historic “point in time” information we have prepared.
ii. We will need to revert with answers to your query in X days.
2. Risk aggregation tests not being run and emerging/known unknown risks not being identified until there is an occurrence.
6. Compliance with laws and regulations: Organizations are established to achieve superior returns, with limited liability to risk takers. However, they are expected to do so having full regard for all legal requirements.
Clearly, it is axiomatic to assume the lawful intent of a company’s original promoters, and thereafter its directors and the executive. To this extent, compliance is an operational imperative and a sunken cost.
Compliance alone does not drive value, but without it value cannot be created.
It would seem inappropriate to place compliance at the center of board agenda, just as it would be a mistake to place compliance at the center of the diagram above, which describes the relationship between risk and strategy.
However, compliance is a mission-critical element within the risk/strategy governance framework.
7. Tough governance, setting policy and monitoring performance: In the context of the relationship between risk and strategy,tough governance means risk culture.
“Risk culture” is a term describing the values, belief, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organization or of teams or groups within an organization. This applies whether the organizations are private companies, public bodies or not-for profits, wherever they are in the world..
Risk culture, as an aspect of culture, can be practically described thus:
Culture: The way we do things around here!
Risk culture: The freedom we have to challenge around here!
Risk culture is capable of being demonstrably and credibly evidenced by:
1. Board and executive messaging on threats and risks to operations and jobs when people fail to act/report when they:
i. Identify a smarter way of completing a task, achieving an objective,
ii. See a threat or risk to the organization.
2. Escalation reports and their treatment by the executive and management,
3. Near misses reported and averted.
 Strategy formulation is not part of the development of risk appetite frameworks; however, each is intrinsic to, and informs, the other.
 IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Internal Control, January 2013
 Board Risk Oversight, A Progress Report: Where Boards of Directors Currently Stand in Executing Their Risk Oversight Responsibilities (Protiviti Report commissioned by COSO (Committee of Sponsoring Organizations of the Threadway Commission))
 NOTE: Risk Management and the Strategy Execution System by Robert S. Kaplan, which advances a method for aligning enterprise risk management with strategy through the Balanced Scorecard
 Effective reporting and monitoring of risk treatments delivers the twin benefits of 1) monitoring risk performance, and 2) establishing leading indicators on the future state of health of objectives
 Crisis is defined as: An inherently abnormal, unstable and complex situation that represents a threat to the strategic objectives, reputation or existence of an organization: PAS 200:2011 Crisis Management – Guidance and Good Practice, UK Cabinet Office in partnership with the British Standards Institute
 Reference Kaplan, Mikes Level 1 Global Enterprise Risks,
 McKinsey, August 2014, Why Implementation Matters: Good implementers—defined as companies where respondents reported top-quartile scores for their implementation capabilities—are 4.7 times more likely than bottom-quartile companies to say they ran successful change efforts over the past five years. Respondents at the good implementers also score their companies around 30% higher on a series of financial performance indexes. Perhaps most important, the good-implementer respondents say their companies sustained twice the value from their prioritized opportunities two years after the change efforts ended, compared with those at poor implementers
 Functionally designed and specified to meet the ISO 31000 series
 Institute of Risk Management (IRM) , Risk Culture, Under the Microscope: Guidance for Boards
 Speak up/Stand up/Ethics Line/Whistleblower Lines etc.