ARM 5 – Planning

The Anti-fragile Risk Management (ARM) Model has seven components; the fifth is Planning.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Planning may be a bit misplaced in the following diagram.  Certainly operational planning has an immediate (short-term) impact on risk.  Tactical planning has a longer time horizon.  Irrespective, good planning takes time to ramp up and then implement the results.

Anti-Fragile Risk Management

Planning: Clichés, Babies and Bath Water

There are numerous maxims and clichés when it comes to planning:

  • Fail to plan, plan to fail.
  • An idea without a plan is a wish, a plan without execution is a good intention, a plan undebriefed is a future lesson to be re-learned.
  • Always plan ahead. It wasn’t raining when Noah built the ark.

Like any cliché, they all have an origin of truth behind them.  Planning is central to risk mitigation; after all, someone has to implement changes to mitigate risks.

This ARM Component asks the question: is the organization any good at planning, and is it getting better or worse?  The time horizon is purposely non-strategic, meaning that the overall objectives or purpose of the organization are assumed to be relatively constant.  Wholesale baby and bath water planning is the subject of the next blog, on Governance.

Planning to Define Planning Definitions

Sometimes people get in a bit of a muddle when it comes to terms like operations, tactical or strategic.  As a result, I am using these definitions (adapted from ITIL) to define these terms (as well as providing a multi-colour visual aid!).

  • Task: takes less than a day or perhaps a few days to complete.
  • Operations: live, ongoing or extending into about a month’s time horizon.
  • Tactical: Medium term plans required to achieve specific objectives, typically over a period of weeks to months but generally a year or less.
  • Strategic: Strategic Activities include Objective setting and long-term Planning to achieve the overall Vision.  At least a year in length and longer.
  • Vision/Purpose: A description of what the Organisation intends to become in the future.

ITIL Based Planning Time Horizons

ARM’s Length Definition

After that little definition interlude – back to the main definition for this ARM component: What is the organization’s ability to identify, prioritize, initiate, monitor, close and learn from its planning activities through the operational and tactical time frames?

Why Does this Matter

The whole point of a risk management process is to ultimately mitigate risks to an organization.  Invariably the organization will need to make at least minor adjustments to its operations, implement new processes to sustain its products or react to an external event (e.g. change in legislation, market turmoil, social disorder, etc.)  The better, faster and more efficiently it can carry out these changes – and learn from its mistakes in the process – the sooner it can get back to normal (errr, assuming such a state exists).

ISO 31000 Context

ISO 31000:2009 Principles and Guidelines contains numerous references and entreaties to the organization not to separate the risk management and organizational planning functions.  The following is one example:

  • 3 Principles
    • b) Risk management is an integral part of all organizational processes.
      Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
    • c) Risk management is part of decision making.
      Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.

ISO 31000 Risk Assessment Technique

Assessing an organization’s planning capacity is difficult, but it can be measured indirectly.  Unfortunately, the methods discussed in ISO 31010 Risk Assessment Techniques are of limited use (although they augment the analysis from the methods discussed below).  As a result, methods to measure planning capacity could include:

  • Budget cycle: how long does it take for the annual budget process, bonus points for continuous budgeting.
  • Capital planning cycle: ditto to budget.
  • New Market Uptake: how quickly has your organization been able to extend, re-position or create a whole new market for its products?
  • Response to the last emergency: how well did the organization respond to the last unplanned thing (outage, break in, flood, fire, hack, etc.)?  How much faster could the response have been?
  • Disaster Planning: ditto to the above but under a controlled scenario.
  • Initiative List: Does an organization know what is in the hopper for its operational and tactical activities, can it effectively prioritize them without forcing its people to engage in Guerrilla Management?
  • Approval Cycle Time: If the organization does have a list of initiatives, how long is the cycle time to approve the activities?

Examples of Risk Tests and Mitigation

Risk Identification: A request for a sudden and one time increase in a product to meet the unexpected demand of a customer.

  • Evaluation/Analysis: W.E. Coyote Corp has requested a large order of widgets to meet an unexpected demand.  Can ACME Corporation ramp up production to meet this one-time need for widgets?
  • Stakeholders: ACME Corporation, W.E. Coyote, current customers, staff.
  • Measure: The ability to meet unexpected sales or alternatively lost sales due to lack of operational and planning capacity.

Risk Identification: A northern city in Widget-land is threatened by Wildfires.

  • Evaluation/Analysis: How quickly can the Government of Widget-land mount a response to a rapidly changing wildfire scenario (or other disaster) that threatens a large population?
  • Stakeholders: Government of Widget-land, affected residents, citizens.
  • Measure/Example: Time to respond, scope of the response, comparison of times and effort.
