Risk management has gone through various stages in its lifetime. During the early 2000s, risk management started to be formalised more generically, beyond the specialist areas of risk control in domains like insurance, engineering and finance. We had various management standards for risk management including AS/NZS4360, COSO, FERMA, BS31100 and eventually the ISO31000 series. Although this was not mandated in any of these standards, we all got used to sitting in rooms with risk workshop facilitators trying to identify all of the risks our organisations faced and then analysing them to see how big they were, what we were doing about them, whether we were adequately mitigating the risk and what else we might be able to do to further reduce the risk. At various times throughout the last 20 years, Enterprise Risk Management (ERM) has dissolved into little more than a box-ticking exercise. However, in the era of global pandemics, global economic shocks, tsunamis, earthquakes and global warming, ERM is making a comeback as an important component of a sustainably successful enterprise.
Therefore it is interesting to note that there are actually a number of other approaches to identifying, analysing and mitigating risk that are not commonly practised in a structured way by most organisations. They are the forgotten risk analysis methods of ERM:
- History: A historical review of events at your own organisation can identify those risks that have actually been realised (or were near misses) over the history of your enterprise, how frequently they occurred and how big they actually were. This should be done rigorously, using metrics wherever possible. If the firm’s own history is mentioned at all, it is normally mentioned anecdotally. This runs the risk of primacy and recency effects overriding objective assessments of the likely frequency and severity of a risk realisation. It may also be possible to see what was tried before and to assess how well it worked to dampen the frequency and severity of occurrence, rapidly detect an occurrence, contain the consequences and then efficiently and rapidly recover and remediate.
- Research: A research effort to assess what kinds of risks have actually occurred to similar peer organisations across the globe and across time to help identify what could happen that may not have happened within your organisation before. Also, identify mitigations that have been attempted and assess the historical success of those.
- Experts: Getting the opinion of actual experts in a field. Too often the Financial Controller or the CEO’s Chief of Staff are providing opinions on the flood risk to the organisation’s operations. Are these officers really sufficiently qualified to assess the likelihood of flash flood or river/coastal flood at the organisation’s premises, and are they qualified to estimate the frequency and severity of those potential events? And are they qualified to estimate the likely impact such events might have on operations? When specialist knowledge is available, why not use it instead?
- Crowdsourcing: Very rarely are surveys or idea boxes employed to tap the ideas and thinking of all the brains available in your organisation. Your staff represent a very large number of eyeballs seeing the world, with a very wide diversity of experiences and a large repository of grey matter, which are, at least some of the time, thinking about your enterprise and what is good and bad for it. Senior executives at a risk workshop may not be aware of all of the thinking of their staff on these risks. This is much easier now in the era of cloud and social media.
- Literature: Academic survey of what researchers are highlighting and identifying in the literature as potential risks to your organisation. Once again this doesn’t need to be a hit or miss of what your CRO happened to be reading last week or last saw at a conference. A dedicated effort to monitor published articles on industry-relevant risks is useful especially in industries that are changing rapidly.
- Benchmarking: Undertake industry risk benchmarking. What are similar organisations to yours identifying as risks and taking mitigating action against? Is your enterprise missing something that others have identified?
- Models: Develop a digital twin of your enterprise or operations and run simulations to see where its vulnerabilities are. Armed with this knowledge, how likely is it that something will occur that could exploit those vulnerabilities? Models can also be used to forecast the outcomes of various mitigation options. What mix of event suppression, detection, resilience, containment, recovery and insurance provides the most cost-effective mitigation option?
- Rollup: Local risk analysis is being undertaken for cybersecurity, treasury risk, workplace health and safety, IT & construction projects, asset management and various other domains. Some organisations neglect to aggregate these individual exercises as input into the enterprise level.
- Post-event analysis: Although this is sometimes done, it is not often done with the purposes of Enterprise Risk Management in mind. Post-event analysis should look at an occurrence from many angles: (a) Had we identified this as a potential risk before? If not, why not? If so, did we assess its likelihood and severity accurately? If not, why not? If so, what did we do to mitigate the risk? (b) Did mitigations function? If not, why not? If so, did they decrease the likelihood and/or severity of the risk as expected? (c) Were containment and recovery plans available and triggered, and did they function as expected?
- Scenario testing: Not quite as forgotten as the ones above. This is more commonly seen in the ERM subcategories of Disaster Planning and Business Continuity Planning, but can actually be used more widely for all kinds of risk management. Develop a scenario where things are going wrong and try to operate through the simulation. Often risks, weaknesses and vulnerabilities are brought into relief under the more realistic circumstances of a simulated scenario.
As you can see there are many other options to identify and assess enterprise risks. None of these are outside the various ERM standards; it’s just that they are not used very often in practice. This could be because many of these require somebody to spend time and effort in researching these risks and interviewing experts outside of the semi-annual executive risk workshop. But is it time to invest resources into actually taking risk management seriously? How many of these forgotten methods are actually practised in your organisation?
Jeff Popova-Clark, Founder, dataanalytics.com, jeffp@dataanalytics.com
See this article on LinkedIn – https://www.linkedin.com/pulse/enterprise-risk-assessment-forgotten-methods-popova-clark-gaicd/