Seven Days of Disruption

On November 22, 2017, the Edmonton Chapter of the Financial Management Institute is running an event entitled ‘Disruptive Writers‘.  In addition to hearing 3 great speakers discuss their books on either future disruptions or managing change, we will be playing a game called ‘Pin the Tale on the Disruption‘.  Sort of a mini-Delphi of what participants at the conference think will be the biggest challenge to the Canadian Public Service between now and …. ohhhh, say…. 2025 (e.g. about 7 years hence).

The Source of Disruption

There is a variety of sources for the disruptions but they are primarily based on the excellent work of the A.T. Kearney who have produced 3 Global Trend documents (available as follows):

It’s tough to make predictions, especially about the future (Yogi Berra)

A word of caution about the difficulty of making predictions.  Inevitably something better or worse will have muscled all of the excellent possible futures out of the picture.  In addition, Black Swans and the unpredictable are a near certainty.  So, to my future self, I profusely apologize/acknowledge for being so absolutely wrong/right in naming the following future disruptions.

A Laundry List of Disruption (in alphabetical order)

  1. Accelerating Global Climate Change and the cost to mitigate (2015 and editor)
  2. Biotechnology: Frankenstein, Super-bugs and Super-cures (adapted from 2016 and editor)
  3. Canadian Competitiveness and Productivity (editor)
  4. Changing Nature of Power (2015)
  5. Cyber Insecurity (2015)
  6. Dawning of a new urban transportation age and the Canadian City (2017 and editor)
  7. Depopulation Waves (2015)
  8. Evolving Artificial Intelligence (2015)
  9. Geopolitical Realignment and Continued Global Violent Extremism (2015)
  10. Growing debt overhang (2017)
  11. Immigration and Changes to the Canadian Values and Characters (editor)
  12. Indigenous Power (editor)
  13. Islandization” of the global economy (2017), NAFTA Negotiations and the rise of protectionism (editor)
  14. IT Revolution 2.0 and the Rise of the Machines (adapted from 2015)
  15. Post Consumerism (adapted from 2016)
  16. Quebec and Regional Tensions (editor)
  17. Resource and Commodity Supply, Demand and Price (adapted from 2015)
  18. Rising storm of populism; Canada and Cultural War in the Age of Trump and the Progressives (adapted from 2016 and editor)

…. And I Endorse This Message.

Recently the Edmonton Chapter of the Financial Management Institute reached out to three levels of government to promote their May 17, 2017 Mental Health Event.  The result: two endorsements and some notes on how to ask senior officials and politicians to promote an event.

Why Do you Need an Endorsement?

A little context please… You are on a committee of some sort.  It may be for a volunteer organization (e.g. FMI, Scouts, church or work related) and you are doing something special (running a conference, publishing a book, launching a program or a website).  In doing this you would like someone important (politician, senior public servant, corporate officer or religious official – collectively these are affectionately known as the “grand pooh bahs of something” or the GPBS) to acknowledge or endorse the thing you are doing.

Because this is a memory jog for me, the focus of this blog is an assumption that you are on the board of a FMI Chapter here in Canada and you want a GBPS to endorse your upcoming conference. The first question to ask is ‘Why do you want/need a GPBS endorsement?‘; typical reasons include:

  • Mercantile: to increase sales to an event because you can point to the “GBPS’ endorsement” as proof the organization thinks it is important.
  • Extending a Corporate or Social Policy: increase the credibility of the event by showing that if good ole’ GBPS says it is important, it must be.
  • Immediate or Future Marketing: asking for an endorsement is one way that a GBPS will have a better awareness of your organization.  Reminding the GBPS of the endorsement is a potential ice breaker for other discussions.
  • Get Around Training Limitations: organizations may have constrained training budgets.  Having an organization’s GBPS endorse the event is a way to pry open the coffers.

What Am I Endorsing – the So What Question?

The next question to ask is what is in it for the GBPS?  This is critical as it is easier to get an endorsement that aligns with a policy, initiative or passion of the person rather than the GBPS being neutral, indifferent, or worse, hostile to your upcoming conference.

The reality is that the garden variety GBPS is probably interested in many of the same things you are.  In fact an endorsement could be a cheap and easy way for the GPBS to show progress on a subject area with very little cost or effort to them or their office.  For example, the theme of the May 17 FMI-Edmonton conference introduced above was a mentally healthy work place.  This was important to both the senior official from the Alberta government (who is passionate about employee engagement) and is central the federal government as well (the senior official has devoted considerable effort promoting mental health within the federal public service).

So, What Do you Want?

Be very clear what you want and articulate it early.  The following list of ‘ASKS’ is ordered from the easiest to the hardest for a GBPS to provide to your organization:

  1. Provide a letter of introduction or greetings.
  2. Provide written, in person or video opening comments and greetings.
  3. Endorse attendance and use this endorsement in FMI communications.
  4. Attend, speak or present at the event.

A letter of greetings is very low-cost for a GBPS particularly if you mostly write the letter for them (see more on this below).  Providing opening comments to a conference is slightly harder but once again are made easier if you write the first draft.  Attendance, video greetings or presentations are tough.  A GBPS’ calendar is not their own and even if they say they will attend they have a nasty habit of bailing at the last moment.  An endorsement to attend is also difficult to provide particularly if it sets up a precedence for other conferences.

The Care and Feeding of a GBPS

As noted above, the office of the GBPS is probably swamped – so make their life simple; this means doing the following (the first two bullets are recaps from above – but worth repeating):

  • Understand why you want the endorsement.
  • Be clear how this helps the GBPS achieve their goals and what is the ASK.
  • Send a clear request through formal channels (if they exist) but also use your informal networks to promote the endorsement with the GBPS.
  • Provide the GPBS with samples and even write the first draft as applicable.
  • Follow up with a courtesy phone call or email; be short, sweet and extremely respective of the person’s time.  For example, Betty is the Chief of Staff for the Deputy Minister GBPS; a phone call may follow this script:
    • JOHN: “Hello Betty, it is John Smith here. I am following up on an email I sent you two days ago concerning Mr. GBPS providing a letter of endorsement for our FMI conference on left-handed screw drivers.  Can you confirm that your office has received it?”
    • JOHN: “You did, perfect and thank you for confirming this.”
    • JOHN: “As you work through your internal processes, if you have any questions about the conference I am happy to answer them on the phone, email or pop down to your office.”
    • JOHN: “May I follow-up in two weeks to see how the letter is progressing?”
    • JOHN: “Is there anybody else I should be speaking with from your office so I don’t bother you”
    • JOHN: “Thank you very much for taking the time to talk and confirm the endorsement letter is in progress, it is greatly appreciated!”
  • Email is the typical way to initiate contact.  A sample format can be found at the bottom of the blog but generally is broken into the following:
    • 1. Salutation and who is FMI: A quick overview of who you are and what is FMI.  1-2 sentences is lots but include some links at the bottom in case the GBPS’ staff needs to do some research.
    • 2. The ASK and the WHY: Provide 1-3 sentences of what you are asking for, by when, how it will be used and what is in it for the GBPS.
    • 3. Thank You and the Sample: Close the email and include a sample (as applicable) for the ASK.  This may be in the email or attached.

Follow Up and Usage

When you have received the endorsement, immediately send a thank you note to the people who made it happen.  1-2 lines very short expressing your appreciation.

Hi Betty, John Smith here from FMI.  I received the endorsement letter and I wanted to let you know it is perfect.  I strongly believe that this conference will really advance an understanding of left-handed screw drivers and you and your office helped to make this happen.  Once again, on behalf of my board, thank you.

Only use the endorsement in manner you said you were going to use it.  If you said it was going to be on the chapter website, don’t necessarily send it out via your Linked in account to all of your users.  Think of the endorsement as a matter of trust – respect that gift of trust.

After the Event

The last step is easily as important as all the others above, let the GBPS know how the conference went and the impact of their endorsement.  Once again a quick email is sufficient.  Thank the GBPS re-affirms the time they spent providing the endorsement, increases your brand recognition and improves the chances of getting a future endorsement.

Hi Betty, John Smith from FMI.  I wanted to let you know the May 17 conference on left-handed screw drivers was a complete success.  3,000 enthusiastic public servants attended and we really advanced an understanding of this issue.  Once again the endorsement letter Mr. GBPS provided really helped to make this conference successful.  Thank you once again!

Links

Hello Ms. EBPS,

I am a Director with the Government of Widgetland but I am writing you wearing my other hat as President of the Financial Management Institute (FMI) Yegville Chapter. I am a volunteer board member with this not for profit organization and our primary purpose is to deliver high quality learning events on topics that are of interest to a public sector audience from all three levels of government. Our next event will be coming up on Wednesday May 17, 2098 and will include an impressive lineup of speakers who will address the topic of ‘The Safe Use and History of the Left Handed Screwdrivers‘.

I know in your role as Deputy Minister of Grand Pooh Bah and with our provincial government focus on employee engagement, you have a strong desire to support and encourage healthy left-handed activities and a resilient workforce that is well positioned for the future. So would you be willing to provide some written greetings from the Government of Widget Land that could be included in our moderator’s opening remarks? I believe that your message would be well received by our audience and would help boost our profile as well as share a positive message. Thank you in advance for considering my request and I look forward to hearing your reply in the near future.

By way of additional background we are part of the National Financial Management Institute of Canada that serves over 2,800 members across Canada. www.fmi.ca

In addition, the link below will give you some additional information about our upcoming event as well as past events that were delivered by the Yegville Chapter.

http://www.fmi.ca/chapters/yegville/

I have taken the liberty of providing some suggested content and format:

Format: an open letter from Ms. GBPS to members of the Widget land Public Service, fellow public servants and other attendees.  This will be reproduced digitally in the front of the pre-conference notes.

Re: Greetings from the Deputy Minister of Grand Pooh Bah.

Dear Colleagues,

[Note to  GBPS’s staff, possible themes in the message]…

  • Greetings from the Widgetland Public Service.
  • Public servants from all levels of all governments need to create open, inclusive and healthy workplaces for staff and colleagues.
  • Attending a conference such as this one is one way to learn more about how to build such work places.
  • Meet fellow public servants and learn how we can better serve our constituents through a healthy work place.
  • Safety is a paramount concern for the government of Widgetland and left handed screw drivers caused more than 1,000 injuries last year in our province.

Teaching Gears to Be a Better Manager

In the Spring I run a weekly program called ‘Wheeleasy Wriders‘ which teaches newbie cyclists how to go from a painful 20KM ride to thinking that a 60KM ride is a breeze. Although this is a hobby, the techniques that I use are directly translatable into a work environment and the reverse as well – Wheeleasy Wriders makes me a better manager – last week is a good example.

How To Explain The Round Gizmos On a Bike

Many new riders are scared of their gears.  Although a marvel of engineering, they do require a small investment of time to learn how to use them properly.  But using gears effectively is not what this blog is about (however the blogs listed below DO talk about such things).  Last week I took a page out of my work environment and did the following:

  1. I broke the riders into groups of three composed of 2-newbies and 1-experienced rider.
  2. I separated married couples into different groups (more on this later).
  3. My request was that each newbie explain to the other newbie how their gears worked on their bike (as if the other explainee-newbie was going borrow the explainer’s bike).
  4. After a couple of minutes they switched roles and the explainer became the explainee.
  5. The experienced rider was there to listen and provide additional information, corrections and encouragement.

Teaching Focuses the Mind

The result was that most of the newbies self-assessed their gear knowledge higher after the explanation than before.  Why, for the following reasons:

  • They had to actively recall past explanations and externalize the content and concepts.
  • Based on the recall, they had to match the explanations to what they were seeing.
  • There was a small amount of anxiety to get the explanation right.  This anxiety actually helps to better form memories.
  • Anxiety notwithstanding, the experienced rider represented a safety net.
  • The experience rider had to compare their own mental-model of how gears work into two different newbie explanations.  This conversion strengthen their own understanding of the gears.
  • I separated the couples because people who know each other very well can have a harder time communicating.  They use codes, shortened forms of speech, etc. that takes away from the effort to externalize and codify a complex topic (such as how bike gears work).

Giving Training the Gears

I use similar teaching methods at work when I need to train people.  Rather than standing around in a parking lot explaining bike gears, at work this is done through webinars and conference calls.  One of my ‘rules’ is that I actively encourage cheating on my exams. Thus, other audience members are encouraged to help the ‘trainer’ out. Because the audience knows they be asked next to provide an explanation, there is better attention and retention for the content.  I have learned a few cautions/guidelines though:

  • Always Build Up: This is not about ridiculing or embarrassing the person. Before asking the question, be reasonably assured the person can answer the question or be guided to the answer. Only use this technique (or select the person) if the person can feel more positive about themselves after they have done the activity.
  • Be Ready to Move On … QUICKLY: You may discover that you asked a person who simply does not know or is getting flustered by the attention.  If so, quickly move on so that person is not social embarrassed.  Moving on could include: providing lots of clues, going to someone else or changing the subject.
  • Gentle Humour Lubricates: use gentle and positive humour to help the situation. Be careful that the humour is not caustic or ridicules the person. A bit of self-depreciation works for me.
  • Mix Up the Couples: mix and match people who don’t know each other well.  This forces different levels of communication effort.
  • Bit Size the Learning: if possible, focus on only one to two key concepts in each session.  More than this will overload the person and create too much anxiety.
  • Summarize, Crystallize and Repeat the Learning: be sure to repeat the 2-5 key messages from the learning so that the memories can quickly form around these kernels. Memory and learning works best when there are mnemonic devices or conceptual construct to hang the details on.

Good luck with your efforts to train and explain in your organization.  Also, if you want to learn more about riding or how to use your gears, be sure to read:

 

 

ARM 6 – Governance

The Anti-fragile Risk Management (ARM) Model has seven components; the sixth is Governance.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Governance may be thought of as the first step in a process.  However, for Risk Management, it has the least immediate impact.  Nevertheless, Governance is a bridge between Long Term ARM Components and the Enduring Components such as Purpose.

Anti-Fragile Risk Management

Governance: Strategic and leadership capacity to Change the Above?

Governance has a wee bit of the People component because it includes leadership capacity.  Leadership is typically thought of as the C-Suite, the board or some other clutch of silver-back leaders.  Certainly these organizational elements are part of this ARM component but personal leadership, group self-direction, and good command and control elements are just as important.

ARM’s Length Definition

Does the organization have Governance and Leadership Capacity so as to develop, implement, monitor and validate initiatives which are in support of the over-arching organizational objectives?

Why Does this Matter

ARM stands for ‘Anti-fragile Risk Management’.  Anti-fragile was coined by Nicholas Taleb and if you have read any of his books you know that he takes a dim view of things like governance or strategy (for more on this see my 2016 article, Anti-fragile Strategic Planning).

Notwithstanding Taleb’s distaste and bias against suits, MBAs and strategy – these are the reality of any organization and Governance and Strategy will influence organizational risk and its mitigation.

Not-for-profit and government organizations share this risk and likely more so.  History is replete with examples of unsavory characters getting themselves elected (or grabbing power) and causing havoc for an organization or country.  At the same time, a good board and a good government can greatly reduce risks and capitalize on opportunities.

Returning the Taleb for one last time, in his first book ‘Fooled by Randomness‘ he discusses the role that chance (luck, probability) plays in our lives.  One of the reasons he has such a dim perspective of suits, MBAs, etc. is because it is easy to take credit for luck.  While this is true, his book also discusses the importance of ‘making your own luck’ (what I call Managed Serendipity) by establishing circumstances that are less prone to chance (the basic premise of Anti-fragile).  Having strong and capable leadership is one such element.

ISO 31000 Context

ISO 31000:2009 has a strategic focus and the importance of Governance is front and center through out the standard.  The following are a few references:

  • 2.11 internal context‘: internal environment in which the organization seeks to achieve its objectives.  NOTE Internal context can include:
    • governance, organizational structure, roles and accountabilities;
    • ⎯ policies, objectives, and the strategies that are in place to achieve them.
  • 3 Principles‘: a) Risk management creates and protects value.
    • Risk management contributes to the demonstrable achievement of … governance and reputation.
  • 4.3.1 Understanding of the organization and its context‘: Before starting the design and implementation of the framework for managing risk, it is important to evaluate and understand … the organization:
    • governance, organizational structure, roles and accountabilities;
    • capabilities, understood in terms of resources and knowledge.

ISO 31000 Risk Assessment Technique

Measuring the leadership capabilities of your organization can be a delicate matter. What happens if the CEO is a SOB, the CFO a crook or the Deputy Minister a political hack.  Documenting such limitations would be a career limiting move. Assessment techniques could include the following to provide some objective measurements:

  • Anonymous staff surveys.
  • 360 surveys of key leaders.
  • Decision cycle time.
  • Competency assessments for positions relative to the skills of the individuals in the role.

Examples of Risks

Risk Identification: The organization lacks the senior leadership capacity to operate and provide long-term direction for the organization.

Risk Identification: Turn over in the board has reduced capacity to establish organizational direction and planning.

ARM 5 – Planning

The Anti-fragile Risk Management (ARM) Model has seven components; the fifth is Planning.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Planning may be a bit misplaced in the following diagram.  Certainly operational planning has an immediate (short-term impact) on risk.  Tactical planning has a longer time horizon.  Irrespective, good planning takes time to ramp up  and then implement the results.

Anti-Fragile Risk Management

Planning: Cliches, Babies and Bath Water

There are numerous maximums and clichés when it comes to planning:

  • Fail to plan, plan to fail.
  • An idea without a plan is a wish, a plan without execution is a good intention, a plan undebriefed is a future lesson to be re-learned.
  • Always plan ahead. It wasn’t raining when Noah built the ark.

Like any cliché, they all have an origin of truth behind them.  Planning is central to risk mitigation; after all someone has to implement changes to mitigate risks.

This ARM Component asks the question, is the organization any good at planning and is it getting better or worse?  The time horizon is purposely non-strategic meaning that the overall objectives or purpose of the organization are assumed to be relatively constant.  Wholesale baby and bath water planning is the next blog on Governance.

Planning to Define Planning Definitions

Sometimes people get in a bit of a muddle when it comes to terms like operations, tactical or strategic.  As a result I am using these definitions (adapted from ITIL) to define these terms (as well as providing a multi-colour visual aide!).

  • Task: takes less than a day or perhaps a few days to complete.
  • Operations: live, ongoing or extending into about a month’s time horizon.
  • Tactical: Medium term plans required to achieve specific objectives, typically over a period of weeks to months but generally a year or less.
  • Strategic: Strategic Activities include Objective setting and long-term Planning to achieve the overall Vision.  At least a year in length and longer.
  • Vision/Purpose: A description of what the Organisation intends to become in the future.

ITIL Based Planning Time Horizons

ARM’s Length Definition

After that little definition interlude – back to the main definition for this ARM component: What is the organization’s ability to identify, prioritize, initiate, monitor, close and learn from its planning activities through the operational and tactical time frames?

Why Does this Matter

The whole point of a risk management process is to ultimately mitigate risks to an organization.  Invariably the organization will need to make at least minor adjustments to its operations, implement new processes to sustain its products or react to an external event (e.g. change in legislation, market turmoil, social disorder, etc.)  The better, faster and more efficiently it can carry out these changes – and learn from its mistakes in the process – the sooner it can get back to normal (errr, assuming such a state exists).

ISO 31000 Context

ISO 31000:2009 Principles and Guidelines contains numerous references and entreaties to the organization not to separate the risk management and organizational planning functions.  The following one example:

  • 3 Principles
    • b) Risk management is an integral part of all organizational processes.
      Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
    • c) Risk management is part of decision making.Risk management helps decision makers make informed choices, prioritize actions and distinguish
      among alternative courses of action.

ISO 31000 Risk Assessment Technique

Assessing an organization’s planning capacity is difficult but it can be measured indirectly.  Unfortunately the methods discussed in ISO 31010 Risk Assessment Techniques are of limited use (although they augment the analysis from the methods discussed below).  As a results, methods to measure planning capacity could include:

  • Budget cycle: how long does it take for the annual budget process, bonus points for continuous budgeting.
  • Capital planning cycle: ditto to budget.
  • New Market Uptake: how quickly has your organization being able to extend, re-position or create a whole new market for its products.
  • Response to the last emergency: how well did the organization respond to the last unplanned thing (outage, break in, flood, fire, hack, etc.).  How much faster could the response have been.
  • Disaster Planning: ditto to the above but under a controlled scenario.
  • Initiative List: Does an organization know what is in the hopper for its operational and tactical activities, can it effectively prioritize them without forcing its people to engage in Guerrilla Management?
  • Approval Cycle Time: If the organization does have a list of innitiatives, how long is the cycle time to approve the activities?

Examples of Risk Tests and Mitigation

Risk Identification: A request for a sudden and one time increase in a product to meet the unexpected demand of a customer.

  • Evaluation/Analysis: W.E. Coyote Corp has requested a large order of widgets to meet an unexpected demand.  Can ACME corporation ramp up production to meet this one time need for widgets.
  • Stakeholders: ACME Corporation, W.E. Coyote, current customers, staff.
  • Measure: The ability to meet unexpected sales or alternatively lost sales due to lack of operational and planning capacity.

Risk Identification: A northern city in Widget-land is threatened by Wildfires.

  • Evaluation/Analysis: How quickly can the Government of Widget-land mount a response to a rapidly changing wildfire scenario (or other disaster) that threatens are large population.
  • Stakeholders: Government of Widget-land, affected residents, citizens.
  • Measure/Example: Time to respond, scope of the response, comparison of times and effort .

ARM 4 – Product

The Anti-fragile Risk Management (ARM) Model has seven components; the fourth is Product.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Bringing a product or service to market can take seconds (if you are Amazon.com) to decades (if you are a drug company).

Anti-Fragile Risk Management Component Product impacts risks/opportunity in a medium term time frame.

Product: A product or service that the market/society wants?

On the one hand it may seem that this component is covered in prior ARM considerations such as Purpose, People or Process & Plant.  However, despite a good organization vision, fantastic staff and excellent processes – an organization’s product may still not sell.

The profit motive focuses the mind on which widget to sell or whether or not to exit a dying industry in a timely manner (with notable exceptions such Kodak).  Unfortunately for the volunteer and government sectors such signals may be less clear and as a result a decision to abandon a service, program or cause may be more difficult to make with vocal consumers of the service demanding its continuation at any price.  Governments in particular are at risk and may trudge on providing services rather than upset a  small but vocal minority.

ARM’s Length Definition

The ARM definition is simple to state but may be extremely complex and fickle to measure or plan for (ask your nearest Marketing professional how well they sleep the night before their next product launch): Does the organization have a product or service that the market/society wants and is this product the best way for the organization to use its resources to achieve its objectives?

Why Does this Matter

In a word, ‘cash-flow’.  Okay that is two words but it still is the biggest risk criteria.  If no one is buying your products – that risk trumps all.  If taxpayers are revolting because they do not see the value in the services being provided – that risk could be a change of government.  If donors have left in droves because you no longer speak to their social conscious – you got a big problem.

ISO 31000 Context

ISO 31000:2009 Principles and Guidelines references an organization’s products or services in with its overall risk management consideration.  In section ‘3 Principles‘, the principle that risk management exists to create and protect value is highlighted including contributing to organizational performance and product quality.  Section ‘2.10, external context‘ alludes to but does not overtly discuss the role of having viable products and services.

ISO 31000 Risk Assessment Technique

The methods discussed in ISO 31010 Risk Assessment Techniques can be used indirectly to estimate the viability of a product or service.  For the for-profit sector a good cost accounting system and an understanding of organizational brand or inter-relationship of one’s products in the market place is important.  For the volunteer or government sectors, detailed statistical analysis may give the reality or at least the illusion of evidence based decision making.  Ultimately, the final decision to provide, rescind or change a product is often political or socially driven – and thus the profound risk to these organizations.

Examples of Risk Tests and Mitigation

Risk Identification: The market for and profitability of widgets, ACME Corps primary product, is shrinking over the next five years.

  • Evaluation/Analysis: Relative unit profitability for each widget is declining and will continue to do so with foreign competitors entering the market and the ability to download for free widgets.
  • Stakeholders: Shareholders, ACME Corporation, current customers.
  • Measure: Direct and indirect unit cost as compared to price of the widgets, recent and anticipated sales volumes.
  • Example: A Delphi review was done in which future demand for widgets was estimated by leading industry experts.  This survey estimated a 50% decline in widget consumption over the next 5 years.

Risk Identification: The Widget subsidy program is now consuming 25% of all government revenues and is expected to climb to 300% in ten years.

  • Evaluation/Analysis: Due to an aging widget consuming population and generous allowance to purchase widgets, the Widget Subsidy Program is consuming an inordinate amount of current government revenues.  As the population ages, this proportion is expected to double each year over the next ten years.  Riots have already occurred in some cities of Widget-land in response to rumors of a reduction in Widget subsidies.
  • Stakeholders: Government of Widget-land, taxpayers, widget consuming seniors.
  • Measure/Example: Number of widgets consumed per capita, the widget subsidy as a proportion of all tax revenue.

ARM 3 – Process and Plant

The Anti-fragile Risk Management (ARM) Model has seven components; the third is Process & Plant.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Changing process, buying machinery, installing software – these all take time which is why the ARM Component People & Plant has a medium term impact.  While your staff may be constantly on the look out for risk/opportunity it takes longer to give them systems, procedures or policies when things change.  This is demonstrated in the following diagram.

Changes to Process & Plant takes a little longer to take effective and support Anti-Fragile Risk Management.

Process: Knowledge to operate the systems?

The story so far is that an organization has discovered its Purpose, hired the right People and now needs to know what the heck these people are doing and are they doing it right!  The following are all examples of organizational plant and equipment. Each one requires knowledge of how to operate it through procedures, policy and of course organizational adeptness:

  • Machinery, buildings and land.
  • Computers, firewalls, networks.
  • Patents, rights, licenses and royalty agreements.

There are LOTS of books on not only risk relative to process but also on how to manage process.  Certainly one of the grand-daddies is the now classic ‘Balance Score Scorecard‘ by Kaplan and Nolan.  It introduces the concept of segregating (and measuring through key metrics) the business into four areas: finance, internal business, learning & growth and the customer.

No matter how your slice and dice your processes, this deductive process is the core of traditional risk management.  For Risk X, what process Y or asset Z is going to protect or mitigate the risk?

This ARM is Brought To You by Organizational Biology

Process & plant are all things you can drop on your foot or print off and drop on your foot.  Collectively all this foot dropping is called ‘Mass’ which brings us to our sponsor… ‘Organizational Biology‘ which describes how organizations work.  In a nutshell, organizations are composed of two parts, Mass and Adeptness:

Mass are the physical elements of an organization such as machinery, land, as well as intangibles such as patents and policies and procedures.  Adeptness is an ephemeral quality by which humans apply mass toward an organizational objective. For example, it can be the culture or gestalt that makes an organization attractive (or not) to work for and be associated with.

ARM’s Length Definition and Why Does this Matter?

The ARM definition for Process-Plant Component is: does the organizational have the tools to complete its objectives and do the people know how to properly use the tools?

This component strives to understand ‘How and What‘ processes an organization is engaged in and ‘Where‘ are the integration points between these processes.  A good first start is a listing of business functions that support an organization’s products and services (more on this in the next blog).  Quality processes will further define and articulate the business processes down to the point in which your staff are heartily sick and tired of being ISO-9001-compliant.

In other words, by spending time and effort on this ARM component, process and plant, the organization can better understand how its people are achieving the organizational purpose to deliver products and services.

ISO 31000 Context and Its Risk Assessment Techniques

ISO 31000:2009 Principles and Guidelines is full of managing process and plant including the following:

  • Section ‘2.11, internal context‘:
    • Policies, objectives, and the strategies that are in place to achieve them;
    • Information systems, information flows and decision-making processes (both formal and informal);
    • Standards, guidelines and models adopted by the organization; and
    • Form and extent of contractual relationships.
  • Section ‘3 Principles‘:
    • b) Risk management is an integral part of all organizational processes.
    • Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization.
    • Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
  • Section ‘4 Framework – 4.3.4 Integration into organizational processes’:
    • Risk management should be embedded in all the organization’s practices and processes in a way that it is relevant, effective and efficient.
    • The risk management process should become part of, and not separate from, those organizational processes.

Most of the ISO 31010 Risk Assessment Techniques can be used to estimate the impact of process and plan on risk.

Examples of Risk Tests and Mitigation

Risk Identification: Does the organization understand its internal business processes?

  • Evaluation/Analysis: It is not clear what functions staff are doing and how the contribute to the final product.  Staff claim to be very busy but the exact work tasks, the relative importance to organization objectives and authorization to complete them is unclear.
  • Stakeholders: Staff, contractors, management, the board.
  • Measure: Identify high level business functions, staff time reporting, production cycle time.
  • Example: Within the Ministry of Widgets, there is a constant request for more staff and contractors.  However the Deputy Minister is not quite sure what all his staff ‘do’.  Key services are identified and business functions are mapped to these services to determine which activities are of highest priority and which can be stopped, scaled back, outsourced or deferred.

ARM 2 – People

This blog dives into the second component of the Anti-fragile Risk Management (ARM) Model: People.  As a refresher, ARM has these risk mitigation components:

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Each of these components impact the organization on a continuous (short term) or periodic (medium to long term) basis.  The People component is considered short term. That is it is your staff, volunteers, contractors, etc. who are on the front line mitigating risks or capitalizing on opportunities.  Another reason to include the ARM risk component of People here is that things such as trust, loyalty or affiliation take years to grow and a very short period of time to destroy.

The ARM Component ‘People’ is on the front line of Anti-Fragile Risk Management and thus has a short term focus.

People:  Does the Organization have adeptness to achieve its objectives?

Until the robot overlords force us all into the Matrix, People will be the second greatest risk/opportunity/uncertainty for organizations.  An example is the following classic cartoon that gets right to the heart of matter of cyber-security.  No matter how good the investments in technology human ineptness, malevolence or ignorance rules!

Cyber Security versus Dave (copyright and restrictions may apply)

This ARM is Brought To You by Organizational Biology

The name of this site is ‘Organizational Biology‘ which is my mental model to describe how organizations work.  In a nutshell, Organizations are composed of two parts, Mass and adeptness:

Mass are the physical elements of an organization such as machinery, land, as well as intangibles such as patents and policies and procedures.  Adeptness is an ephemeral quality by which humans apply mass toward an organizational objective. For example, it can be the culture or gestalt that makes an organization attractive (or not) to work for and be associated with.

Mass will be discussed more in the next blog when Process and Plant is considered. ‘People’ considers many different facets of organizational adeptness ranging from the board room to the shop floor and from the heart to the brains of the employee/volunteer.

Measuring Adeptness (NOT!)

Unfortunately adeptness cannot be directly measured because as soon as you can quantify adeptness it becomes mass.  Here is an example:

A master craftsman uses decades of experience to precisely machine a part.  He is adept in this task .

The moment the craftsman’s knowledge and experience is transferred to a computer program those same actions become mass (the computer, software, machinery, etc.). Beyond experience, adeptness includes innovation, creativity, informal communication, trust, loyalty, elan, esprit de corps and countless other adjectives that affiliation and organization pride.  Of course adeptness also includes the negatives of all of these attributes (e.g. stifled creativity, poor communication, hostility, disengagement, etc.).  Adeptness is not without its dark-side either as it can also lead to group think and conformity (read more on this in a healthcare context in my blog, the Healthcare Ethos).

Good, bad, light or dark – adeptness cannot be directly measured but it can be indirectly estimated through:

  • Organizational success (e.g. profitability).
  • Low staff, volunteer or contractor turn-over.
  • Social standing in a community.
  • Trust quotient or Metric.
  • Leadership and followership capacity/effectiveness.
  • Training and capabilities of staff, etc.
  • Organizational loyalty or affiliation.

ARM’s Length Definition

The ARM definition for the People-Risk Component is: does the organizational have the adeptness (people) capacity to carry out the objectives of the organization? 

Why Does this Matter and ISO 31000 Context

Organizational Objectives are completed by People (robot overlords notwithstanding) and risk often boils down to human error.  ISO 31000 alludes to adeptness.  For example the following extracts is from ISO 31000:2009 Principles and Guidelines:

  • Section ‘2.11, internal context‘:
    • The capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
    • Information systems, information flows and decision-making processes (both formal and informal); [editors note, emphasis added]
    • Relationships with, and perceptions and values of, internal stakeholders;
    • The organization’s culture
  • Section ‘3.h) Principles‘:
    • Risk management takes human and cultural factors into account.
    • Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization’s objectives.

ISO 31000 Risk Assessment Technique

Most of the ISO 31010 Risk Assessment Techniques can be used to estimate the impact of people on risk although Human Reliability Analysis certainly is much more focused on this one particular ARM.

Examples of Risk Tests and Mitigation

Risk Identification: The organization is unable to attract and retain quality employees (or contractors/volunteers).

  • Evaluation/Analysis: Despite a supply orientated labour market, the organization has trouble recruiting suitable candidates.  Once recruited, turn over is high and the organization is constantly re-training staff.  As well, staff are poorly motivated and require constantly motivation, supervision and direction.
  • Stakeholders: Executives, board (minister), customers (clients), management, staff (volunteers), regulator, etc.
  • Measure: staff retention, turn over analysis, employee satisfaction surveys.
  • Example: the industry average staff turn over for the qualified widget assemblers is 5-10% pa.  The organization’s turn over for assemblers is 50-75% pa.

Risk Identification: The organization lacks the management and leadership experience to enter into new markets.

  • Evaluation/Analysis: The experience and capabilities of management has focused on widget-exploration and there is little to no experience in widget refining – a key strategic objective of the organization.
  • Stakeholders: Executives, board (minister), regulator, etc..
  • Measure: Years of related experience in a particular expertise area on the part of all Directors and above.  Trust quotient on the part of staff in management.
  • Example: A survey or interview with the following question: ‘Describe your direct operational or management experience in the following business areas:’
    • Widget exploration: 1 – none… 5-ten or more years.
    • Widget transportation: 1 – none… 5-ten or more years.
    • Widget refining: 1 – none… 5-ten or more years.
    • Widget retailing: 1 – none… 5-ten or more years.

ARM 1 – Purpose

This blog dives into the first of the component of the Seven ARMed Organization: of the Anti-fragile Risk Management (ARM) Model: Purpose.  As a refresher, ARM has risk mitigation components:

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Each of these components impact the organization on a continuous (short term) or periodic (medium to long term) basis.  Purpose holds an unusual spot in that it is both enduring (very long term) and something that directly influences the next ARM risk component, People.  This is demonstrated in the following diagram.

Anti-Fragile Risk Management

 

Purpose: Why Does the Organization Exist, what are its objectives?

Let’s face it, if an organization has not nailed this one – even a little – it has MUCH bigger problems.  This component is also directly linked to ISO 31000 in which risk is defined as:

  • effect of uncertainty on objectives‘.
  • Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process)’. [1]

ARM’s Length Definition

At this point I am hearing a collective groan of having to sit through another Mission Statement and Visioning death march…. groannnnn.  Don’t worry, my ARM definition for this is simply this: is there a consistent and wide spread understanding of what the organization does?  Widespread is both top-down and inside-out.

Why Does this Matter

Numerous great thinkers have expressed this concept in different ways.  Stephen Covey discussed it as ‘begin with the end in mind (habit 2)’.  Jim C. Collins described it as getting people on the bus (next component) and figuring out where you want to go in his book Good to Great.  The key thing is that the objective builds affiliation and belonging.  It is easier to motivate, communicate, control, command and reward people if there is a clear end state.

Just as important, it is easier to change to a different purposes if you know what your current purpose is.  If not, you may discover that you never stop doing things and your purpose gets increasingly diluted in a grey-goo of good intentions.

A lack of purpose is the greatest threat (risk) to an organization and a clear and focused purpose is the greatest benefit (opportunity) to an organization.

ISO 31000 Risk Assessment Technique

ISO 31010 Risk Assessment Techniques lists methods from brain storming to sophisticated statistical analysis on how to evaluate and analyze risks.  Interestingly there is not a specific technique relating to answering the fundamental question, does the organization have the right objectives?  Certainly a number of the 31010 techniques can be pressed into service however, including good old brain storming.  Others noted below are Delphi, interviews and surveys.

Examples of Risk Tests and Mitigation

Risk Identification: The organization lacks a clear definition of its purpose in the [market place, government services, volunteer/social space].

  • Evaluation/Analysis: What do the following stakeholders think the organization’s purpose is and measure the relative deviation between them.
  • Stakeholders: Executives, board (minister), customers (clients), management, staff (volunteers), regulator, etc.
  • Measure: perhaps a sliding scale test on a number of measures.  Use statistical analysis (e.g. R Value) to measure relative differences between pairs or all-purpose statements.
  • Example: which of the following statements best exemplifies the role of the Minister of Widgets in the managing the affairs of Widgetland (1 = No Role and 5 = Central or core to the Ministry’s mandate):
    • Fund Widget Research and Development (1…5)
    • Regulate the use of Widgets in the home (1…5)
    • Provide education to children on safe widget use (1…5)

Risk Identification: The organization is engaged in activities or product lines it should shed.  For example it continues to run a data center despite the ability to purchase this service cheaply and reliably from the market place.  This risk builds on the above assessment but with a focus on what the organization should stop doing (as well, see my blog: Can We Stop and Define Stop).

  • Evaluation/Analysis: Using a Delphi’esque what business functions of the organization should it keep or divest.
  • Participants: Executives, board (minister), customers (clients), management, staff (volunteers), regulator, etc.
  • Measure: a listing of key business functions with a requirement rank them or identify whether the organization should Build, Hold, Evaluate, Divest.
  • Example: The Widget Corporation has identified 10 key product lines and support functions.  You have been asked to rank them according to the following measures: a) invest and expand; b) hold and monitor; c) carefully evaluate for potential hold/divestment; d) divest/buy in the market place; and e) I really do not know.  You must apply ‘a) – d)’ at twice to the following ten lines/functions and you can only apply ‘e)’ once.
    • Product Line A: Widget-exploration.
    • Product Line B: Widget-transportation
    • Product Line C: Widget-refinement and conversion to products
    • Product Line F: Widget Real Estate Holdings
    • Function: Information Technology to Support the Above
    • Function: Real Estate Management
    • Function: Human Resources
    • Function: Supply Chain Management

Seven ARM Components

This is an overview my thoughts on Risk Management.  Part I, “Guns, Telephone Books and Risk” discussed Risk Management as long lists of things that will never happen. Part II, “Anti-Fragile Risk Management” considered the concept of Anti-fragility in a risk management concept (ARM).  This included an overview of ISO 31000 – Risk Management.  The second blog also introduced the Seven ARMed Organization.  That is an organization that has mastered these risk mitigation components:

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

No Ordinary Ordinality

The Seven Components of ARM can be managed and worked on in parallel but there is a method in the selection of the order they are presented.  If an organization does not have number 1 (objectives) at least started or well in hand component 2 (people) and onward becomes much more difficult.

Number 6 (governance) may surprise some people with its placement.  From a Risk Management perspective, Governance has little impact on day to day risks.  This is not to dismiss or discount it – but to put it into context that it has longer term or enduring impact as opposed to being a short term influence on risk management.  This concept is demonstrated in the following diagram.

Anti-Fragile Risk Management

No Business Gurus Were Harmed in the Making of this Blog

The first six components have been fodder for a whole flotsam of business books.  My focus will be to provide a high level explanation of why I included the component and answer the question why this component is important from a Risk Management perspective.

A Dive into the Pits of the Seven ARMs

The next series of blogs will consider each of the Seven ARMs in a bit more detail.  At a minimum I would like to consider:

  • The definition of each of the ARMs.
  • Its linkage (if at all) to ISO 31000.
  • Why is the ARM important?
  • Example of Risks and Mitigation particular to this ARM Component.

Anti-Fragile Risk Management (ARM)

This is part two of my thoughts on Risk Management.  Part I, “Guns, Telephone Books and Risk” focused on the problem of creating long lists of things that will (may) never happen.

ISO 31000 to the Rescue!

Risk management (RM) has become standard fare for most organizations.  To support these efforts, in 2009 the International Standards Organization (ISO) issued ISO 31000 Risk management – Principles and guidelines.  A pretty good standard for the following reasons:

  1. Recognition that uncertainty (aka risk) has both positive and negative consequences.
  2. The impact of uncertainty is the inability to execute on organizational objectives.
  3. Risk is organization-centric based on its particular legal, societal, cultural, technical, ‘etc.-al‘ circumstances.
  4. RM is integral to an organization rather than an isolated activity.

ISO 31000 – The Same Problem

In ISO 31000 the steps are: 1) identifying risks, 2) Analyze the Risks, 3) Evaluate the Risks (these are all part of Risk Assessment, ISO step 5.4) and then finally 4) Treat the Risk (the right hand column of the following graphic).

ISO 31000 Framework Courtesy of the Victoria (Australia) State Government; SWER 2010.

Unfortunately this is where ISO 31000 fails; would it not be better to start with Risk Mitigation and then use the compendium of risks to test the organization’s ability to weather the uncertainties when they occur?  This ‘turned on its head‘ methodology is what I call ‘Anti-Fragile Risk Management‘ or ARM.

Anti-Fragile Risk Management (ARM)

In his book, ‘Antifragile: Things that Gain from Disorder‘, Nicholas Taleb introduces the concept which can be summarized as follows:

Anti-fragility is a property of systems that increase in capability, resilience, or robustness as a result of stressors, shocks, volatility, noise, mistakes, faults, attacks, or failures. [Wikipedia]

Ecosystems and biological things (such as your bones or your heart) need continuous mild stress to stay healthy.  A sea wall is robust but ultimately each successive ocean wave incrementally destroys it; the wall is robust but ultimately fragile.  A tide pool colony needs each successive wave to bring in new nutrients, remove more feeble members and, yes, sometime even bring in destructive predators; it is anti-fragile.

In 2016 I introduced the idea of ‘Anti-fragile Strategic Planning‘ including suggesting that Taleb was a bit too absolute with his dismissal of art of planning.  ARM is effectively a continuation or an element of overall Anti-fragile Strategic Planning including having the following four attributes or maxims:

  1. Do No Harm: Makes the organization no worse off than as if no RM activities had occurred.
    1. This includes ensuring that the RM process has delivered value for money.
    2. Like insurance, this may be difficult to quantify other than convincing senior leadership of the value of piece of mind.
  2. Core Competencies: Ensures the organization is getting better at its core business(es).  Conversely, the organization is shedding businesses that they should no longer be involved in.
    1. This is well articulated initially in ISO 31000 but then quickly seems to get lost as the standard moves into designing a RM framework and process.
    2. Are we in the right business or do we continue to provide these services to our citizens given their costs are the ultimate RM questions.
  3. Creating a Sustainable Organization: Describes the known-known changes facing the organization and ensures it has the capacity to weather all but large-scale unpredictable and irregular (Black Swan) events.
    1. This places risk mitigation at the forefront.  The organization will need to manage risks it likely can not predicted.  Its robustness and resiliency allows it to absorb or exploit events.
    2. A risk list (telephone book’esque or otherwise) provides an excellent training/ testing tool to assist an organization to develop change-muscle-memory.
  4. Balanced Scorecard: Identifies long-term outcomes, implementation plans to achieve these outcomes and short-term milestones to monitor their execution – but only after the above maxims have been satisfied.
    1. One critical metric is the scorecard is the measured and perceived ‘robustness and resiliency’ of the organization.
    2. Scorecards and strategic plans inherently make the organization Anti-fragile. Nevertheless an organization needs some direction and operational/tactical planning.
    3. The previous 3 maxims will allow the organization to quickly shed and change scorecard entries as changes in fortune dictates.

ARM Overview

At this point you may be scratching your head wondering how you can treat a risk if you don’t know what it is?  The answer is that most risk an organization faces is already being treated without its explicit identification.  Your web presence is constantly being tested by hackers, your employees handling cash or cutting purchase orders always have an ever so slight temptation to line their pockets.  The launch of your next product line (or continuation of an existing service/product) is also fraught with unknowns.

Perhaps you hire white hats to test your web security, have good segregation of duties to manage fraud or you have completed a formal risk assessment before introducing a line of children lawn darts.  More than likely many of the risks are mitigated through trust worthy people, good training, systems, operational procedures, planning and good old fashion luck.  These and a myriad of other things are an organization’s response to risks and they make an organization more (or in their absence) less robust, resilient and risk proof.

ARM is that simple.  It is the listing of the implicit and explicit things an organization does to exploit/manage uncertainty (risk).  This robustness/resiliency is then periodically tested through a formal RM program.

An ARMed ISO 31000

ARM and ISO 31000 are entirely compatible even if ARM slightly adjusts the sequences of risk steps.  Section 4, Framework, in ISO 31000:2009 Principles and Guidelines includes component ‘4.3.4 Integration into organizational processes’ with the following attributes or advise for creating a risk management program in an organization:

  • Risk management should be embedded in all the organization’s practices and processes in a way that it is relevant, effective and efficient.
  • The risk management process should become part of, and not separate from,
    those organizational processes.
  • In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.
  • There should be an organization-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organization’s practices and processes.
  • The risk management plan can be integrated into other organizational plans, such as a strategic plan.

Seven ARMed Organization and the Next Blog

The good news is that rather than running a RM program in isolation ARM is integral to the organization.  The bad news is that it takes work to integrate anti-fragile behaviour so as to be robust or resilient.  Integration involves the following seven steps:

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Each of the seven steps will be discussed in future blogs in greater detail.

Guns, Telephone Books and Risk?

At work I have been given the task of implementing a risk management strategy for an IT department.  The problem is that I am not convinced that Risk Management adds much value to organizations.  To be clear, I am all for pondering and evaluating risks when making decisions.  After all, if you are currently an adult, you are likely an expert on Risk Management having survived your childhood or possibly that first year of college (just saying).

Gun Shy of Risk Management

My point is that I am not a huge fan of is the Risk Management process.  I have worked for a few organizations in which Risk Management became a bit of a fad and organizational resources were poured into a very comprehensive list of risks.  The list was a fascinating read and many could have been the basis for either a cheap thriller or space-cowboy science fiction book.  Generally though, these lists were a compendium of obvious things covered by a few good operational plans or a comprehensive list of things that in all likelihood would never come to pass.

Once these telephone book’esque lists of risks were compiled, they were dumped on some poor unsuspecting line manager.  Called the risk owner, this poor sod now had to develop a treatise on how he or she would react to a cornucopia of risks.   The smart manager would generally set the telephone-book of risks to one side and get on with their day job… hoping the Risk Management fad had passed before they were asked for their response.

Audit Fodder

Of course auditors love risk management.  If auditors can’t find something juicy in the operations of an organization they know they can always get an observation or recommendation from criticizing the risk management process.  This is because no list of risks is ever complete; there can always be one more entry added.  The auditor can also examine the events affecting an organization over the past year.  In all likelihood an untoward event that occurred was not precisely described in the telephone book.  At this point the auditor shouts with glee: ‘AH-HA, your risk management process is flawed, pour more resources into it so I can make more observations next year! BRUHAHAH.. Cough, sputter…

Why is Risk Management so Hard?

Okay, I am being a bit harsh on auditors (some of my best friends are recovering auditors). So why is risk management so hard and why does it add so little value?  I have a few thoughts on why Risk Lists is an enumeration things that will never occur:

  • Identification is Mitigation:
    • Simply identifying a risk can help to mitigated the risk.
    • In economics this is known as the efficient information model meaning the organization has internalized and corrected for the risk – good Risk Management in action!
    • Example: cash controls are deemed a risk and internal controls are beefed up such that theft or fraud are no longer likely risks.
  • Easter Egg Effect
    • This effect states that if you tell a person that there are ‘X’ number of things, they will stop looking once they find that number.
    • In the same way, an organization may look at an ever growing list of risks and at some point say ‘that is good enough’.
    • As a result, an organization may have a beefy telephone book of lists which have low likelihood or occurance or of poor predictive power .
  • Post-Diction Focus:
    • Nicholas Taleb [see further reading section below] introduced the concept of ‘post-diction’ which is a play on the concept of prediction.
    • The ability to predict the occurrence of a past event improves after the event has occurred.  Post-diction is the certainty an individual or organization did in fact PREDICT something in retrospect.
    • This gives the organization an impression that it has better predictive powers than it really does have.
  • The Past as a Guide to the Future:
    • While one does not want to be doomed to repeat past mistakes by not reading history, the reality is that the past has only limited predictive power.
    • Certainly there are themes from the past that are enduring and can be used in the future.
    • Examples:
      • Given opportunity, even the most honest person may be tempted to steal if they believe the chances of being caught is nominal.
      • Eventually your organization will be hacked, cyber-ransomed or be a victim of a denial of service act if you have an online presence.
  • Social Blindness:
    • Risk identification can be politically or social driven/influenced.
    • Thus a risk may be ignored because of organizational desire to align with social norms.
    • In early September 2001, an organization renting real estate in the New York Trade Center would be disinclined to consider listing a catastrophic attack by Islamic extremists as a potential risk so as to not be accused of being Islamophobes.
  • Black Swan Events
    • Returning to Taleb, the risks that will have the greatest impact on your organization are by definition unpredictable.
    • Called Black Swans, they have are a positive or negative significant event that creates enormous upheaval in an eco-system.  Think of a comet striking the earth or the 2008 financial melt down.
      • Events that are extreme, unknown and very improbable (according to our current knowledge)”; adapted from p.xxvii, The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb, 2007.

Can Risk Management Be Value Added?

In general, can Risk Management add value?  Absolutely, evaluating risk is an inherent human trait; we are constantly calculating and estimating risk to our advantage. The fact that we are here shows its evolutionary success.

However, for organizations, I am proposing a strategy called ‘Anti-Fragile Risk Management‘ or ARM.  This concept builds on the ideas in my 2016 article, Anti-fragile Strategic Planning and builds on ISO 31000 – Risk Management.

Further Reading:

  1. Anti-fragile Strategic Planning, FMI Journal January 2016; Frank Potter.
  2. Managing Risks: A New Framework, HBR June 2012; Robert S. Kaplan, Anette Mikes.

 

String Theory on a Bus

People are central to Organizational Biology (orgbio) and orgbio is composed of two fundamental elements: Mass (machinery, intangibles such as patents and policies and procedures) and the ephemeral quality of Adeptness which is the human application of mass toward an organizational objective.

Adeptness typically means managing people.  And whether these people are staff, contractors or volunteers; this is not easy.  For one thing, people have a terrible habit of coming in all shapes and sizes.  For another, they have different opinions and perspectives.  Notwithstanding this, we also know that some staff/contractors/volunteers are golden and some are more silver, bronze or even made of up of post-masticated-nutrients.

Keep, Invest or Divest Decision

This blog is not about how to motivate staff, recruit top contractors for low costs or create a volunteer nirvana.  Instead it provides a model for placing people on a decision matrix to evaluate their contributions relative to the costs and investments made into them.  Like any asset or investment there are costs, returns and exit strategies to consider when managing people.

At this point you might be feeling a bit uncomfortable thinking about people having a return or there being a ‘total cost of employment’ compared to the ‘total benefit of employment’.  The reality is that employees and contractors have a clear economic relationship with their employer/client.  It is a bit more fuzzy with volunteers but even then one can discuss how best to pay your volunteers.  As well, we use economic language all of the time in these contexts.  Organizations ‘invest in their people’, they are the firm’s biggest ‘asset’ and organizations have human resource departments.

Just like any other asset, organizations need to evaluate whether to keep, invest or divest in the staff, contractors and volunteers they are engaged with.  To do this, the 2×2 Abilities model is described below – as well as its limitations and risks.

Technical versus Personal Abilities

The model is based on a 2×2 matrix of high and low technical and personal abilities. Technical abilities are the tangible skills to produce a product or service requiring education, ability and experience.  Computer development, machining parts, analyzing financial investments and flying airplanes are examples of technical skills.  As a test, these are generally the skills that are most readily automated or computerized.

Personal abilities are the social dimensions of individuals within an organization context.  They include leadership, followership, drive, social graces, charm, customer service or humour.  Personal abilities are difficult to automate although they can be mimiced by computers (e.g. you may have been speaking to call center robot and not even realized it).

Personal and Technical Abilities

Personal and Technical Abilities

People have different innate technical and personal abilities; which to a point, they can improve on.  As well, people both gain and lose their respective abilities over time.  A CIO may still be a killer COBOL programmer but her learned personal abilities around leadership and strategy are much more important now.

String Theory and Challenges

Plotting the gradient of personal and technical abilities on a 2×2 matrix yields the following with three resulting ‘strings’ and challenges:

Technical/Personal Ability Matrix

Strings and Challenges

  1. First String: most proficient individuals.  These individuals blend technical skills with personal attributes such as communications, leadership, interpersonal abilities and thought leadership. Super stars are found in this area.
  2. Second String: these individuals have less of one or more of the blend skills of the first string.  For example a technically proficient individual may have poor communication or interpersonal skills.  Or an individual has good but not exceptional technical or personal abilities.
  3. Third String: these individuals are often junior, have dated technical skills, completing work outside of their abilities (e.g. a business analyst asked to write computer code) or are simply not that good at what they do.
  4. Challenges: these individuals do not have or have lost their technical and/or personal abilities.

The Strings on the Bus Go… *

Jim Collins, in his book ‘Built to Last’ introduces the concept of the bus, specifically:

Good to great companies first got the right people on the bus–and the wrong people off the bus–and then figured out where to drive it.

In other words, the greatest organizations jettisoned individuals with the wrong personal or technical skills and then the wrong COMBINATION of these skills.  Of course removing people is easier to said then done.  For us in the public sector, removing a ‘challenge’ person is pretty much impossible.  In addition, removing a person who has had the wrong opportunities within an organization may be throwing away corporate knowledge and the ability to demonstrate to the remaining employees compassion and a willingness to set people up for success (a sure-fire way to build positive orgbio adeptness).

People will move across the strings throughout their career and perhaps even throughout the day.  I have known a few ‘first stringers’ who were challenges until their first cup of coffee.

(* for those who have not had the pleasure of hearing this Raffi masterpiece of music genius… well, perhaps count yourself lucky).

So What and What is Next

Although I have thought about the above concept for the past few years, it solidified during a discussion on what is the right balance between public sector staff and contractors in an IT department.

The challenge with that discussion was that the proponents of a staff only model would only acknowledge the upside of having staff while inflating the costs of contractors. This model helped to broaden the discussion by acknowledging that contractors should only be first and second string individuals.  Staff will cross all three of the strings (and there could even be a few immovable challenge-employees in a hypothetical public sector organization).

This model helped to remove some of the emotion and dogma from that conversation (to a greater or lesser degree of success).  Instead, the focus was on the organization’s business objectives and resources needed to accomplish these.

Hopefully the model can be used in your organization to have tough conversations about strings, challenges and buses.  Beyond the model, organizations need to apply compassion, empathy and integrity while dealing with their people – no matter what shape, size or dispositions they come with!

Islamophobia – Defined

This may end up being a wrong turn at Albuquerque but I see that Mississauga-Erin Mills Liberal MP Iqra Khalid is proposing a private members bill M-103 to address ‘Islamophobia’.  I thought I would contribute to the democratic process by providing some definitions and examples of what Islamophobia should mean.

A Little Constitutional Reminder

The Canadian constitution reads as follows: 2. Everyone has the following fundamental freedoms:

  • (a) freedom of conscience and religion; 
  • (b) freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication;
  • (c) freedom of peaceful assembly; and
  • (d) freedom of association.

As a result, under the constitution, the following statements are equally protected:

  1. The Pope is God’s Vicar here on earth.
  2. Mohamed is God (Allah’s) last prophet.
  3. Joseph Smith received golden plates from God.
  4. Ones actions should be mindful of Karma.
  5. All the above is superstitious nonsense not worthy of a rational person.

Superstitious Nonsense & the Belief instinct

To number five above, the likes of Richard Dawkins would take this as their belief protected by the constitution.  Where atheists can fall down is not recognizing the enormous evolutionary advantage religion has given humanity in being a successful species, the importance of the ‘Belief Instinct‘.

Religion has allowed us to create larger organizational units by applying the mortar of group cohesion across individuals.  This has not been without its costs.  The Crusades, the oppression of women under Sharia Law or polygamy under early Mormonism are all examples where religion has gone wrong.  While it is easy to spin and wish to re-write the past, it is more important to recognize the following:

  1. Religion is a fundamental instinct of humanity and will manifest itself with or without a formal outlet.
  2. Religion, like other primal urges, needs to be directed to the betterment of society.
  3. Religion must evolve as societies do so, while there are some universal truths, such as though shall not kill, there is no universal or ‘right’ religion.
  4. Without religious evolution, humanity risks reaping the worst from the belief instinct while losing the benefits it can provide.
  5. Canada can be a guiding light of helping individuals, communities and religion evolve to accommodate new social and cultural norms.

A Suggested Addendum to the Private Member’s Bill

To help Ms. Khalid to navigate the tricky waters of religion, I would suggest the following revision to private member’s bill M-103 (written in non-legal speak):

Whereas the people of Canada:

  • hold core values, such as the freedom of religion, above all others,
  • recognize the role of faith and the belief instinct in personal matters and social cohesion,
  • recognize the value religion has conveyed and inflicted on humanity,
  • recognize the values of equality of all people and equality of all before a common law.

Whereas the people of Canada acknowledge the Arabic word Islam to mean ‘acceptance’ and therefore Islamophobia means an irrational fear of acceptance. We the people thus condemn Islamophobia which is defined as any religion or systematic or personal belief system that:

  1. Seeks to enrich individuals who hold position of religious-authority through corruption, personal gain of power or actions contrary to the law or Canadian norms;
  2. Has tenants and implicit/explicit actions that are contrary to the law and fabric of historical Canadian values including those of justice, freedom of religion, equality, personal responsibility and reasonable inclusion of people of all faiths and perspectives;
  3. Seeks to do harm to Canadian society through either direct or indirect action including encouraging actions contrary to the laws of good government;
  4. Seeks to forcibly convert or impose its views on individuals who chosen to have alternative views including a non (atheist) view of religion; and
  5. Fails to evolve with the changing nature of society, for example the changing role of personal beliefs in contrast with the original tenants of the religion.

To reduce Islamophobia, we ask all Canadians to not only look into their respective minds and souls but to also reach out to others who do not share their beliefs and state:

I don’t believe in your God or religious view-point, but first and foremost I will do everything in my power here on earth to protect your right to hold your beliefs as a Canadian‘.

Acceptance-philia

In a small way hopefully the above can lead to Islamophilia or a love of acceptance.  Acceptance that religion is a human instinct to be managed, that religion must evolve to meet cultural changes.  Ultimately our time here on earth is short – let’s all make the best of it before we meet our respective maker.

90 or 99 – That is the Strategic Question

Nicolas Taleb would have us believe that strategic planning is ‘superstitious babble’ (see Anti-fragile strategic planning).  In contrast, Kaplan and Norton make strategic planning a cornerstone of the Balanced Scorecard.  The reality is probably in the middle.

This blog however considers the question, how much time should an organization spend on planning?  Successful or not, when do you cut your losses for a year or when do you think that you are not doing enough?

How Much Is Enough?

On the one hand, strategic planning can become its own self-sustaining cottage industry.  Endless meetings are held and navels are closely examined with little to show for it.  On the other hand, the organization is so tied up in operations and ‘crisis du jour‘ that they wake up and discover the world (and even their organization) has completely changed around them.

What rule of thumb or heuristic can be used to know that you are doing enough without decorating cottages?  My proposed answer is somewhere between the 1.0% and 0.1%. Although a full order of magnitude separates these values, a range is important due to the volatility of an environment an organization finds itself in.  Governments are likely on the low-end (closer to 0.1%) and tech start-ups on the higher end (1.0%).

For more on the basis for these heuristics, take a read of ‘A Ruling on 80, 90 and 99‘ for my thoughts and a review of such things as Vilfredo Pareto’s legacy and internet lurkers. A recap from this blog is as follows:

  • Pareto: 20% of an organization’s actions account for 80% of its results.
  • 90 Rule: 1% of the operational decisions are enacted by 9% of the organization affecting the remaining 90%.
  • 99 Rule: 0.1% of the strategic decisions are enacted by 0.9% of the organization which impacts the remaining 99%.

Thus the 99 Rule provides a minimum amount of time for an organization to consider strategic questions while the 90 rule provides a maximum amount of time.

Who Does What and What to Do with Your Time?

Consider a fictional organization of 1,000 people.  This is a medium sized business, typical government Ministry or employees of a large town or a small city.  Assuming there is about 1,700 productive hours on average per year per employee (e.g. after vacation, training, sick time, etc. see below for my guesstimation on this) this means the organization in total has 1,700,000 hours to allocate.  How much of this precious resource should be spent doing strategic planning?

I am recommending no less than 1,700 hours and no more than 17,000 hours in total.  In total means involving all people in all aspects of the process.  Thus if there is a one hour planning meeting with 20 people in the room, that is 20 hours.  To prepare for this meeting, 3 people may have spent 2 full days each – another 3 x 2 x 8-hours or another 48 hours against the above budget.

Measuring what Matters

The point of completing these measurements is to answer four fundamental questions:

  1. Is the organization doing enough strategic planning relative to the environment?
  2. Is the organization doing too much planning?
  3. Are we getting value for the investment of resources?
  4. How do we get better at the activities to reduce this total?

Is the organization doing enough strategic planning relative to the environment?

What happens if you discover you are not doing enough?  For example your 1,000 person organization is only spending 100 hours per year doing planning.  You may be very good and efficient and if so bravo to you and your planning folks!  On the other hand, you may be missing opportunities, blind sided by challenges and mired in the current day’s crisis – in which case maybe a bit more effort is needed.

Is the organization doing too much planning?

The 1,000 person organization may also be in a Ground Hog Day’esque hell of constantly planning with not much to show for it.  Perhaps you have a full time planning unit of five people who host dozens of senior management sessions and the best they can is produce an anemic planning document that is quickly forgotten.  In this case, measuring the effort of consuming 10 to 20 thousand hours of efforts for nought can lead to better approaches to the effort.

Are we getting value for the investment of resources?

The above two examples demonstrate how a bit of measurement may help you decide that 100 hours is more than sufficient or 20,000 hours was money well spent.  The output of the planning process is… well a plan.  More importantly it is a culture of monitoring, planning and adapting to changing organizational and environmental circumstances.  Thus setting an input target of planning to measure the quality of the output and the impact of the outcomes can answer the question if the planning effort were resources well spent.

How do we get better at the activities to reduce this total?

The advantage of measuring, evaluating and reflecting on the planning efforts is to get better at.  Setting a target (be 1.0% or 0.1%) is the first step of this activity and measuring against this target is the next.

Good luck with your planning efforts and let me know how much time your organization spends on its planning initiatives.

* How much Time Do You Have?

How much time does an organization have per annum to do things?  The answer is … it depends.  Here are two typical organizations.  The first is a medium size enterprise that works an 8-hour day, offers 3-weeks vacation per year, in addition to sick days and training (e.g. for safety, regulatory compliance, etc.).  On the other hand is a Ministry that offers a 7.25-hour day, 5-weeks of vacation plus sick and training days.

Organization Medium Size Company Government Ministry
Hours/day (1) 8 hours 7.25 hours
Work days per year (2) 254  250
Work Hours per year 2,032 1,812.5
Avg Vacation days x work hours (3) 120
(3 weeks)
181.25
(5 weeks)
Avg Sick Days/year x work hours (4) 60
(7.5 days)
54
(7.5 days)
Avg Hours of Learning/year (5) 42 29
Total productive hours/employee 1,810 1,548.25
  1. Few professionals work an 8-hour day let alone a 7.25-hour one.  Nevertheless, everyone has non-productive time such as bathroom breaks, filling up on coffee, walking between buildings.  So I am leaving the actual average productive hours at 8 and 7.25 respectively.
  2. For a cool site in adding this calculation, see: www.workingdays.ca.  Note this includes 3 days of Christmas Closure.
  3. 10 days is the minimum number of vacation days required to be given to an employee.  The average is a surprisingly difficult number to find (at least to a casual searcher).  15 days is based on an Expedia 2015 survey.
  4. Reference Statistics Canada: Days lost per worker by reason, by provinces.
  5. Sources vary.  I have chosen the high value for the for-profit organization as they often have stringent regulatory requirements for health and safety training.  For government I have chosen a medium value.  Sources:

Other Thoughts on Strategic Planning