The Anti-fragile Risk Management (ARM) Model has seven components; the sixth is Governance.
- Purpose: Why Does the Organization Exist, what are its objectives?
- People: Does the Organization have adeptness to achieve its objectives?
- Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
- Product: Does the organization have a product or service that the market/society wants?
- Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
- Governance: Does the organization have the strategic and leadership capacity to Change the Above?
- Risk Tested: What identified risks can be used to test the above to ensure they are functioning?
Governance may be thought of as the first step in a process. However, for Risk Management, it has the least immediate impact. Nevertheless, Governance is a bridge between Long Term ARM Components and the Enduring Components such as Purpose.
Governance: Strategic and leadership capacity to Change the Above?
Governance has a wee bit of the People component because it includes leadership capacity. Leadership is typically thought of as the C-Suite, the board or some other clutch of silver-back leaders. Certainly these organizational elements are part of this ARM component but personal leadership, group self-direction, and good command and control elements are just as important.
ARM’s Length Definition
Does the organization have Governance and Leadership Capacity so as to develop, implement, monitor and validate initiatives which are in support of the over-arching organizational objectives?
Why Does this Matter
ARM stands for ‘Anti-fragile Risk Management’. Anti-fragile was coined by Nicholas Taleb and if you have read any of his books you know that he takes a dim view of things like governance or strategy (for more on this see my 2016 article, Anti-fragile Strategic Planning).
Notwithstanding Taleb’s distaste and bias against suits, MBAs and strategy – these are the reality of any organization and Governance and Strategy will influence organizational risk and its mitigation.
Not-for-profit and government organizations share this risk and likely more so. History is replete with examples of unsavory characters getting themselves elected (or grabbing power) and causing havoc for an organization or country. At the same time, a good board and a good government can greatly reduce risks and capitalize on opportunities.
Returning the Taleb for one last time, in his first book ‘Fooled by Randomness‘ he discusses the role that chance (luck, probability) plays in our lives. One of the reasons he has such a dim perspective of suits, MBAs, etc. is because it is easy to take credit for luck. While this is true, his book also discusses the importance of ‘making your own luck’ (what I call Managed Serendipity) by establishing circumstances that are less prone to chance (the basic premise of Anti-fragile). Having strong and capable leadership is one such element.
ISO 31000 Context
ISO 31000:2009 has a strategic focus and the importance of Governance is front and center through out the standard. The following are a few references:
- ‘2.11 internal context‘: internal environment in which the organization seeks to achieve its objectives. NOTE Internal context can include:
- ⎯ governance, organizational structure, roles and accountabilities;
- ⎯ policies, objectives, and the strategies that are in place to achieve them.
- ‘3 Principles‘: a) Risk management creates and protects value.
- Risk management contributes to the demonstrable achievement of … governance and reputation.
- ‘4.3.1 Understanding of the organization and its context‘: Before starting the design and implementation of the framework for managing risk, it is important to evaluate and understand … the organization:
- governance, organizational structure, roles and accountabilities;
- capabilities, understood in terms of resources and knowledge.
ISO 31000 Risk Assessment Technique
Measuring the leadership capabilities of your organization can be a delicate matter. What happens if the CEO is a SOB, the CFO a crook or the Deputy Minister a political hack. Documenting such limitations would be a career limiting move. Assessment techniques could include the following to provide some objective measurements:
- Anonymous staff surveys.
- 360 surveys of key leaders.
- Decision cycle time.
- Competency assessments for positions relative to the skills of the individuals in the role.
Examples of Risks
Risk Identification: The organization lacks the senior leadership capacity to operate and provide long-term direction for the organization.
Risk Identification: Turn over in the board has reduced capacity to establish organizational direction and planning.