ARM 6 – Governance

The Anti-fragile Risk Management (ARM) Model has seven components; the sixth is Governance.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Governance may be thought of as the first step in a process.  For risk management, however, it has the least immediate impact: changes made at the governance level take the longest to work their way through the organization.  Nevertheless, Governance is the bridge between the long-term ARM components and the enduring components such as Purpose.

Anti-Fragile Risk Management

Governance: Strategic and leadership capacity to Change the Above?

Governance has a wee bit of the People component in it because it includes leadership capacity.  Leadership is typically thought of as the C-suite, the board or some other clutch of silverback leaders.  Certainly these organizational elements are part of this ARM component, but personal leadership, group self-direction, and good command-and-control elements are just as important.

ARM’s Length Definition

Does the organization have Governance and Leadership Capacity so as to develop, implement, monitor and validate initiatives which are in support of the over-arching organizational objectives?

Why Does this Matter

ARM stands for ‘Anti-fragile Risk Management’.  ‘Anti-fragile’ was coined by Nassim Nicholas Taleb, and if you have read any of his books you know that he takes a dim view of things like governance or strategy (for more on this see my 2016 article, Anti-fragile Strategic Planning).

Notwithstanding Taleb’s distaste for suits, MBAs and strategy, these are the reality of any organization, and Governance and Strategy will influence organizational risk and its mitigation.

Not-for-profit and government organizations share this risk, and likely more so.  History is replete with examples of unsavory characters getting themselves elected (or grabbing power) and causing havoc for an organization or country.  At the same time, a good board or a good government can greatly reduce risks and capitalize on opportunities.

Returning to Taleb one last time: in his first book, ‘Fooled by Randomness’, he discusses the role that chance (luck, probability) plays in our lives.  One of the reasons he has such a dim view of suits, MBAs, etc. is that it is easy to take credit for luck.  While this is true, his book also discusses the importance of ‘making your own luck’ (what I call Managed Serendipity) by establishing circumstances that are less prone to chance (the basic premise of Anti-fragile).  Having strong and capable leadership is one such element.

ISO 31000 Context

ISO 31000:2009 has a strategic focus, and the importance of Governance is front and centre throughout the standard.  The following are a few references:

  • 2.11 ‘internal context’: internal environment in which the organization seeks to achieve its objectives.  NOTE Internal context can include:
    • governance, organizational structure, roles and accountabilities;
    • policies, objectives, and the strategies that are in place to achieve them.
  • 3 ‘Principles’: a) Risk management creates and protects value.
    • Risk management contributes to the demonstrable achievement of … governance and reputation.
  • 4.3.1 ‘Understanding of the organization and its context’: Before starting the design and implementation of the framework for managing risk, it is important to evaluate and understand … the organization:
    • governance, organizational structure, roles and accountabilities;
    • capabilities, understood in terms of resources and knowledge.

ISO 31000 Risk Assessment Technique

Measuring the leadership capabilities of your organization can be a delicate matter.  What happens if the CEO is an SOB, the CFO a crook or the Deputy Minister a political hack?  Documenting such limitations would be a career-limiting move.  Assessment techniques could include the following to provide some more objective measurements:

  • Anonymous staff surveys.
  • 360-degree surveys of key leaders.
  • Decision cycle time.
  • Competency assessments for positions relative to the skills of the individuals in the role.

Examples of Risks

Risk Identification: The organization lacks the senior leadership capacity to operate and provide long-term direction for the organization.

Risk Identification: Turnover in the board has reduced capacity to establish organizational direction and planning.

ARM 5 – Planning

The Anti-fragile Risk Management (ARM) Model has seven components; the fifth is Planning.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Planning may be a bit misplaced in the following diagram.  Certainly operational planning has an immediate (short-term) impact on risk, while tactical planning has a longer time horizon.  Either way, good planning takes time to ramp up and then to implement its results.

Anti-Fragile Risk Management

Planning: Cliches, Babies and Bath Water

There are numerous maxims and clichés when it comes to planning:

  • Fail to plan, plan to fail.
  • An idea without a plan is a wish, a plan without execution is a good intention, a plan undebriefed is a future lesson to be re-learned.
  • Always plan ahead. It wasn’t raining when Noah built the ark.

Like any cliché, each has a kernel of truth behind it.  Planning is central to risk mitigation; after all, someone has to implement the changes that mitigate risks.

This ARM component asks the question: is the organization any good at planning, and is it getting better or worse?  The time horizon is purposely non-strategic, meaning that the overall objectives or purpose of the organization are assumed to be relatively constant.  Wholesale baby-and-bathwater planning, where the objectives themselves change, is the subject of the next blog, on Governance.

Planning to Define Planning Definitions

Sometimes people get in a bit of a muddle when it comes to terms like operational, tactical or strategic.  As a result I am using the following definitions (adapted from ITIL) for these terms (as well as providing a multi-colour visual aid!).

  • Task: takes less than a day, or perhaps a few days, to complete.
  • Operations: live, ongoing, or extending to about a month’s time horizon.
  • Tactical: medium-term plans required to achieve specific objectives, typically over a period of weeks to months but generally a year or less.
  • Strategic: strategic activities include objective setting and long-term planning to achieve the overall Vision; at least a year in length, and usually longer.
  • Vision/Purpose: a description of what the Organisation intends to become in the future.

ITIL Based Planning Time Horizons

ARM’s Length Definition

After that little definition interlude, back to the main definition for this ARM component: what is the organization’s ability to identify, prioritize, initiate, monitor, close and learn from its planning activities across the operational and tactical time frames?

Why Does this Matter

The whole point of a risk management process is ultimately to mitigate risks to an organization.  Invariably the organization will need to make at least minor adjustments to its operations, implement new processes to sustain its products, or react to an external event (e.g. a change in legislation, market turmoil, social disorder).  The better, faster and more efficiently it can carry out these changes, and learn from its mistakes in the process, the sooner it can get back to normal (errr, assuming such a state exists).

ISO 31000 Context

ISO 31000:2009 Principles and Guidelines contains numerous references and entreaties to the organization not to separate the risk management and organizational planning functions.  The following is one example:

  • 3 Principles
    • b) Risk management is an integral part of all organizational processes.  Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization.  Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
    • c) Risk management is part of decision making.  Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.

ISO 31000 Risk Assessment Technique

Assessing an organization’s planning capacity is difficult, but it can be measured indirectly.  Unfortunately the methods discussed in ISO 31010 Risk Assessment Techniques are of limited use here (although they augment the analysis from the methods discussed below).  As a result, methods to measure planning capacity could include:

  • Budget cycle: how long does the annual budget process take?  Bonus points for continuous budgeting.
  • Capital planning cycle: ditto the budget cycle.
  • New market uptake: how quickly has your organization been able to extend, re-position or create a whole new market for its products?
  • Response to the last emergency: how well did the organization respond to the last unplanned thing (outage, break-in, flood, fire, hack, etc.)?  How much faster could the response have been?
  • Disaster planning: ditto the above, but under a controlled scenario.
  • Initiative list: does the organization know what is in the hopper for its operational and tactical activities, and can it effectively prioritize them without forcing its people to engage in Guerrilla Management?
  • Approval cycle time: if the organization does have a list of initiatives, how long is the cycle time to approve the activities?

Examples of Risk Tests and Mitigation

Risk Identification: A request for a sudden, one-time increase in product output to meet the unexpected demand of a customer.

  • Evaluation/Analysis: W.E. Coyote Corp has requested a large order of widgets to meet an unexpected demand.  Can ACME Corporation ramp up production to meet this one-time need for widgets?
  • Stakeholders: ACME Corporation, W.E. Coyote, current customers, staff.
  • Measure: The ability to meet unexpected sales or alternatively lost sales due to lack of operational and planning capacity.

Risk Identification: A northern city in Widget-land is threatened by wildfires.

  • Evaluation/Analysis: How quickly can the Government of Widget-land mount a response to a rapidly changing wildfire scenario (or other disaster) that threatens a large population?
  • Stakeholders: Government of Widget-land, affected residents, citizens.
  • Measure/Example: Time to respond, scope of the response, and comparison of times and effort across responses.

ARM 4 – Product

The Anti-fragile Risk Management (ARM) Model has seven components; the fourth is Product.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Bringing a product or service to market can take seconds (if you are Amazon.com) to decades (if you are a drug company).

The Anti-Fragile Risk Management component Product impacts risk/opportunity in a medium-term time frame.

Product: A product or service that the market/society wants?

On the one hand it may seem that this component is covered by prior ARM components such as Purpose, People or Process & Plant.  However, despite a good organizational vision, fantastic staff and excellent processes, an organization’s product may still not sell.

The profit motive focuses the mind on which widget to sell, or on whether to exit a dying industry in a timely manner (with notable exceptions such as Kodak).  Unfortunately, for the volunteer and government sectors such signals may be less clear, and as a result a decision to abandon a service, program or cause may be more difficult to make, with vocal consumers of the service demanding its continuation at any price.  Governments in particular are at risk and may trudge on providing services rather than upset a small but vocal minority.

ARM’s Length Definition

The ARM definition is simple to state but may be extremely complex and fickle to measure or plan for (ask your nearest marketing professional how well they sleep the night before their next product launch): does the organization have a product or service that the market/society wants, and is this product the best way for the organization to use its resources to achieve its objectives?

Why Does this Matter

In a word, ‘cash-flow’.  Okay, that is two words, but it is still the biggest risk criterion.  If no one is buying your products, that risk trumps all.  If taxpayers are revolting because they do not see the value in the services being provided, that risk could be a change of government.  If donors have left in droves because you no longer speak to their social conscience, you have a big problem.

ISO 31000 Context

ISO 31000:2009 Principles and Guidelines references an organization’s products or services within its overall risk management considerations.  In section ‘3 Principles’, the principle that risk management exists to create and protect value is highlighted, including its contribution to organizational performance and product quality.  Section ‘2.10, external context’ alludes to, but does not overtly discuss, the role of having viable products and services.

ISO 31000 Risk Assessment Technique

The methods discussed in ISO 31010 Risk Assessment Techniques can be used indirectly to estimate the viability of a product or service.  For the for-profit sector, a good cost accounting system and an understanding of the organization’s brand and of the inter-relationships between its products in the marketplace are important.  For the volunteer or government sectors, detailed statistical analysis may give the reality, or at least the illusion, of evidence-based decision making.  Ultimately, the final decision to provide, rescind or change a product is often politically or socially driven, and therein lies the profound risk to these organizations.

Examples of Risk Tests and Mitigation

Risk Identification: The market for, and profitability of, widgets, ACME Corp’s primary product, is shrinking over the next five years.

  • Evaluation/Analysis: Relative unit profitability for each widget is declining and will continue to do so, with foreign competitors entering the market and the ability to download widgets for free.
  • Stakeholders: Shareholders, ACME Corporation, current customers.
  • Measure: Direct and indirect unit cost as compared to price of the widgets, recent and anticipated sales volumes.
  • Example: A Delphi review was done in which future demand for widgets was estimated by leading industry experts.  This survey estimated a 50% decline in widget consumption over the next 5 years.

Risk Identification: The Widget subsidy program is now consuming 25% of all government revenues and is expected to climb to 300% in ten years.

  • Evaluation/Analysis: Due to an aging widget-consuming population and a generous allowance to purchase widgets, the Widget Subsidy Program is consuming an inordinate amount of current government revenues.  As the population ages, this proportion is expected to climb steeply over the next ten years.  Riots have already occurred in some cities of Widget-land in response to rumors of a reduction in widget subsidies.
  • Stakeholders: Government of Widget-land, taxpayers, widget consuming seniors.
  • Measure/Example: Number of widgets consumed per capita, the widget subsidy as a proportion of all tax revenue.

ARM 3 – Process and Plant

The Anti-fragile Risk Management (ARM) Model has seven components; the third is Process & Plant.

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Changing processes, buying machinery, installing software: these all take time, which is why the ARM component Process & Plant has a medium-term impact.  While your staff may be constantly on the lookout for risk/opportunity, it takes longer to give them new systems, procedures or policies when things change.  This is demonstrated in the following diagram.

Changes to Process & Plant take a little longer to take effect and support Anti-Fragile Risk Management.

Process: Knowledge to operate the systems?

The story so far is that an organization has discovered its Purpose, hired the right People and now needs to know what the heck these people are doing and whether they are doing it right!  The following are all examples of organizational plant and equipment.  Each one requires knowledge of how to operate it, through procedures, policy and of course organizational adeptness:

  • Machinery, buildings and land.
  • Computers, firewalls, networks.
  • Patents, rights, licenses and royalty agreements.

There are LOTS of books not only on risk relative to process but also on how to manage process.  Certainly one of the grand-daddies is the now classic ‘The Balanced Scorecard’ by Kaplan and Norton.  It introduces the concept of segregating the business into four perspectives (and measuring each through key metrics): financial, internal business processes, learning & growth, and the customer.

No matter how you slice and dice your processes, this deductive process is the core of traditional risk management: for risk X, what process Y or asset Z is going to protect against or mitigate the risk?

This ARM is Brought To You by Organizational Biology

Process & plant are all the things you can drop on your foot, or print off and drop on your foot.  Collectively all this foot-dropping is called ‘Mass’, which brings us to our sponsor… ‘Organizational Biology’, which describes how organizations work.  In a nutshell, organizations are composed of two parts, Mass and Adeptness:

Mass is the physical elements of an organization, such as machinery and land, as well as intangibles such as patents and policies and procedures.  Adeptness is the ephemeral quality by which humans apply mass toward an organizational objective.  For example, it can be the culture or gestalt that makes an organization attractive (or not) to work for and be associated with.

ARM’s Length Definition and Why Does this Matter?

The ARM definition for the Process & Plant component is: does the organization have the tools to complete its objectives, and do the people know how to use the tools properly?

This component strives to understand ‘how and what’ processes an organization is engaged in and ‘where’ the integration points between these processes are.  A good first step is a listing of the business functions that support an organization’s products and services (more on this in the next blog).  Quality processes will further define and articulate the business processes, down to the point at which your staff are heartily sick and tired of being ISO-9001-compliant.

In other words, by spending time and effort on this ARM component, the organization can better understand how its people are achieving the organizational purpose of delivering products and services.

ISO 31000 Context and Its Risk Assessment Techniques

ISO 31000:2009 Principles and Guidelines is full of references to managing process and plant, including the following:

  • Section ‘2.11, internal context’:
    • Policies, objectives, and the strategies that are in place to achieve them;
    • Information systems, information flows and decision-making processes (both formal and informal);
    • Standards, guidelines and models adopted by the organization; and
    • Form and extent of contractual relationships.
  • Section ‘3 Principles’:
    • b) Risk management is an integral part of all organizational processes.
    • Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization.
    • Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
  • Section ‘4 Framework – 4.3.4 Integration into organizational processes’:
    • Risk management should be embedded in all the organization’s practices and processes in a way that it is relevant, effective and efficient.
    • The risk management process should become part of, and not separate from, those organizational processes.

Most of the ISO 31010 Risk Assessment Techniques can be used to estimate the impact of process and plant on risk.

Examples of Risk Tests and Mitigation

Risk Identification: Does the organization understand its internal business processes?

  • Evaluation/Analysis: It is not clear what functions staff are performing and how they contribute to the final product.  Staff claim to be very busy, but the exact work tasks, their relative importance to organizational objectives and the authorization to complete them are unclear.
  • Stakeholders: Staff, contractors, management, the board.
  • Measure: Identify high level business functions, staff time reporting, production cycle time.
  • Example: Within the Ministry of Widgets, there is a constant request for more staff and contractors.  However the Deputy Minister is not quite sure what all his staff ‘do’.  Key services are identified and business functions are mapped to these services to determine which activities are of highest priority and which can be stopped, scaled back, outsourced or deferred.

ARM 2 – People

This blog dives into the second component of the Anti-fragile Risk Management (ARM) Model: People.  As a refresher, ARM has these risk mitigation components:

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Each of these components impacts the organization on a continuous (short-term) or periodic (medium- to long-term) basis.  The People component is considered short term: it is your staff, volunteers, contractors, etc. who are on the front line mitigating risks or capitalizing on opportunities.  Another reason to place the ARM component People here is that things such as trust, loyalty or affiliation take years to grow and a very short time to destroy.

The ARM Component ‘People’ is on the front line of Anti-Fragile Risk Management and thus has a short term focus.

People:  Does the Organization have adeptness to achieve its objectives?

Until the robot overlords force us all into the Matrix, People will be the second greatest risk/opportunity/uncertainty for organizations.  An example is the following classic cartoon, which gets right to the heart of the matter for cyber-security.  No matter how good the investments in technology, human ineptness, malevolence or ignorance rules!

Cyber Security versus Dave (copyright and restrictions may apply)

This ARM is Brought To You by Organizational Biology

The name of this site is ‘Organizational Biology’, which is my mental model to describe how organizations work.  In a nutshell, organizations are composed of two parts, Mass and Adeptness:

Mass is the physical elements of an organization, such as machinery and land, as well as intangibles such as patents and policies and procedures.  Adeptness is the ephemeral quality by which humans apply mass toward an organizational objective.  For example, it can be the culture or gestalt that makes an organization attractive (or not) to work for and be associated with.

Mass will be discussed more in the next blog, when Process & Plant is considered.  ‘People’ considers many different facets of organizational adeptness, ranging from the board room to the shop floor and from the heart to the brains of the employee/volunteer.

Measuring Adeptness (NOT!)

Unfortunately adeptness cannot be directly measured, because as soon as you can quantify adeptness it becomes mass.  Here is an example:

A master craftsman uses decades of experience to precisely machine a part.  He is adept at this task.

The moment the craftsman’s knowledge and experience are transferred to a computer program, those same actions become mass (the computer, software, machinery, etc.).  Beyond experience, adeptness includes innovation, creativity, informal communication, trust, loyalty, élan, esprit de corps and countless other qualities that build affiliation and organizational pride.  Of course adeptness also includes the negatives of all of these attributes (e.g. stifled creativity, poor communication, hostility, disengagement, etc.).  Adeptness is not without its dark side either, as it can also lead to groupthink and conformity (read more on this in a healthcare context in my blog, the Healthcare Ethos).

Good, bad, light or dark, adeptness cannot be directly measured, but it can be indirectly estimated through:

  • Organizational success (e.g. profitability).
  • Low staff, volunteer or contractor turn-over.
  • Social standing in a community.
  • Trust quotient or metric.
  • Leadership and followership capacity/effectiveness.
  • Training and capabilities of staff, etc.
  • Organizational loyalty or affiliation.

ARM’s Length Definition

The ARM definition for the People risk component is: does the organization have the adeptness (people capacity) to carry out the objectives of the organization?

Why Does this Matter and ISO 31000 Context

Organizational objectives are completed by People (robot overlords notwithstanding), and risk often boils down to human error.  ISO 31000 alludes to adeptness.  For example, the following extracts are from ISO 31000:2009 Principles and Guidelines:

  • Section ‘2.11, internal context’:
    • The capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
    • Information systems, information flows and decision-making processes (both formal and informal); [editor’s note: emphasis added]
    • Relationships with, and perceptions and values of, internal stakeholders;
    • The organization’s culture
  • Section ‘3.h) Principles’:
    • Risk management takes human and cultural factors into account.
    • Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization’s objectives.

ISO 31000 Risk Assessment Technique

Most of the ISO 31010 Risk Assessment Techniques can be used to estimate the impact of people on risk, although Human Reliability Analysis is certainly much more focused on this particular ARM component.

Examples of Risk Tests and Mitigation

Risk Identification: The organization is unable to attract and retain quality employees (or contractors/volunteers).

  • Evaluation/Analysis: Despite a supply-oriented labour market, the organization has trouble recruiting suitable candidates.  Once recruited, turnover is high and the organization is constantly re-training staff.  As well, staff are poorly motivated and require constant motivation, supervision and direction.
  • Stakeholders: Executives, board (minister), customers (clients), management, staff (volunteers), regulator, etc.
  • Measure: staff retention, turnover analysis, employee satisfaction surveys.
  • Example: the industry average staff turnover for qualified widget assemblers is 5-10% per annum.  The organization’s turnover for assemblers is 50-75% per annum.

Risk Identification: The organization lacks the management and leadership experience to enter into new markets.

  • Evaluation/Analysis: The experience and capabilities of management have focused on widget exploration, and there is little to no experience in widget refining, a key strategic objective of the organization.
  • Stakeholders: Executives, board (minister), regulator, etc.
  • Measure: Years of related experience in a particular expertise area on the part of all Directors and above.  Trust quotient on the part of staff in management.
  • Example: A survey or interview with the following question: ‘Describe your direct operational or management experience in the following business areas:’
    • Widget exploration: 1 = none … 5 = ten or more years.
    • Widget transportation: 1 = none … 5 = ten or more years.
    • Widget refining: 1 = none … 5 = ten or more years.
    • Widget retailing: 1 = none … 5 = ten or more years.

ARM 1 – Purpose

This blog dives into the first component of the Seven-ARMed Organization, the Anti-fragile Risk Management (ARM) Model: Purpose.  As a refresher, ARM has these risk mitigation components:

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Each of these components impacts the organization on a continuous (short-term) or periodic (medium- to long-term) basis.  Purpose holds an unusual spot in that it is both enduring (very long term) and something that directly influences the next ARM risk component, People.  This is demonstrated in the following diagram.

Anti-Fragile Risk Management


Purpose: Why Does the Organization Exist, what are its objectives?

Let’s face it, if an organization has not nailed this one – even a little – it has MUCH bigger problems.  This component is also directly linked to ISO 31000 in which risk is defined as:

  • ‘effect of uncertainty on objectives’.
  • ‘Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process)’. [1]

ARM’s Length Definition

At this point I am hearing a collective groan at having to sit through another Mission Statement and Visioning death march…. groannnnn.  Don’t worry, my ARM definition for this is simply this: is there a consistent and widespread understanding of what the organization does?  Widespread is both top-down and inside-out.

Why Does this Matter

Numerous great thinkers have expressed this concept in different ways.  Stephen Covey discussed it as ‘begin with the end in mind (habit 2)’.  Jim C. Collins described it as getting people on the bus (next component) and figuring out where you want to go in his book Good to Great.  The key thing is that the objective builds affiliation and belonging.  It is easier to motivate, communicate, control, command and reward people if there is a clear end state.

Just as important, it is easier to change to a different purpose if you know what your current purpose is.  If not, you may discover that you never stop doing things and your purpose gets increasingly diluted in a grey-goo of good intentions.

A lack of purpose is the greatest threat (risk) to an organization and a clear and focused purpose is the greatest benefit (opportunity) to an organization.

ISO 31000 Risk Assessment Technique

ISO 31010 Risk Assessment Techniques lists methods, from brainstorming to sophisticated statistical analysis, for evaluating and analyzing risks.  Interestingly, there is no specific technique relating to answering the fundamental question: does the organization have the right objectives?  Certainly, a number of the 31010 techniques can be pressed into service, including good old brainstorming.  Others noted below are Delphi, interviews and surveys.

Examples of Risk Tests and Mitigation

Risk Identification: The organization lacks a clear definition of its purpose in the [market place, government services, volunteer/social space].

  • Evaluation/Analysis: Ask the following stakeholders what they think the organization’s purpose is and measure the relative deviation between their answers.
  • Stakeholders: Executives, board (minister), customers (clients), management, staff (volunteers), regulator, etc.
  • Measure: perhaps a sliding-scale test on a number of measures.  Use statistical analysis (e.g. R value) to measure relative differences between pairs of purpose statements, or across all of them.
  • Example: which of the following statements best exemplifies the role of the Minister of Widgets in managing the affairs of Widgetland (1 = No Role and 5 = Central or core to the Ministry’s mandate):
    • Fund Widget Research and Development (1…5)
    • Regulate the use of Widgets in the home (1…5)
    • Provide education to children on safe widget use (1…5)

Risk Identification: The organization is engaged in activities or product lines it should shed.  For example, it continues to run a data center despite the ability to purchase this service cheaply and reliably from the marketplace.  This risk builds on the above assessment but with a focus on what the organization should stop doing (as well, see my blog: Can We Stop and Define Stop).

  • Evaluation/Analysis: Using a Delphi’esque approach, determine which business functions of the organization it should keep or divest.
  • Participants: Executives, board (minister), customers (clients), management, staff (volunteers), regulator, etc.
  • Measure: a listing of key business functions with a requirement to rank them or identify whether the organization should Build, Hold, Evaluate or Divest.
  • Example: The Widget Corporation has identified 10 key product lines and support functions.  You have been asked to rank them according to the following measures: a) invest and expand; b) hold and monitor; c) carefully evaluate for potential hold/divestment; d) divest/buy in the marketplace; and e) I really do not know.  You must apply each of ‘a) – d)’ at least twice to the following ten lines/functions and you can only apply ‘e)’ once.
    • Product Line A: Widget-exploration.
    • Product Line B: Widget-transportation
    • Product Line C: Widget-refinement and conversion to products
    • Product Line F: Widget Real Estate Holdings
    • Function: Information Technology to Support the Above
    • Function: Real Estate Management
    • Function: Human Resources
    • Function: Supply Chain Management

Seven ARM Components

This is an overview of my thoughts on Risk Management.  Part I, “Guns, Telephone Books and Risk”, discussed Risk Management as long lists of things that will never happen. Part II, “Anti-Fragile Risk Management”, considered the concept of Anti-fragility in a risk management context (ARM).  This included an overview of ISO 31000 – Risk Management.  The second blog also introduced the Seven ARMed Organization, that is, an organization that has mastered these risk mitigation components:

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

No Ordinary Ordinality

The Seven Components of ARM can be managed and worked on in parallel, but there is a method in the order in which they are presented.  If an organization does not have number 1 (objectives) at least started or well in hand, component 2 (people) and onward become much more difficult.

Number 6 (governance) may surprise some people with its placement.  From a Risk Management perspective, Governance has little impact on day to day risks.  This is not to dismiss or discount it – but to put it into context that it has longer term or enduring impact as opposed to being a short term influence on risk management.  This concept is demonstrated in the following diagram.

Anti-Fragile Risk Management

No Business Gurus Were Harmed in the Making of this Blog

The first six components have been fodder for a whole flotsam of business books.  My focus will be to provide a high level explanation of why I included the component and answer the question why this component is important from a Risk Management perspective.

A Dive into the Pits of the Seven ARMs

The next series of blogs will consider each of the Seven ARMs in a bit more detail.  At a minimum I would like to consider:

  • The definition of each of the ARMs.
  • Its linkage (if at all) to ISO 31000.
  • Why is the ARM important?
  • Example of Risks and Mitigation particular to this ARM Component.

Anti-Fragile Risk Management (ARM)

This is part two of my thoughts on Risk Management.  Part I, “Guns, Telephone Books and Risk” focused on the problem of creating long lists of things that will (may) never happen.

ISO 31000 to the Rescue!

Risk management (RM) has become standard fare for most organizations.  To support these efforts, in 2009 the International Standards Organization (ISO) issued ISO 31000 Risk management – Principles and guidelines.  It is a pretty good standard for the following reasons:

  1. Recognition that uncertainty (aka risk) has both positive and negative consequences.
  2. The impact of uncertainty is the inability to execute on organizational objectives.
  3. Risk is organization-centric based on its particular legal, societal, cultural, technical, ‘etc.-al’ circumstances.
  4. RM is integral to an organization rather than an isolated activity.

ISO 31000 – The Same Problem

In ISO 31000 the steps are: 1) identify the risks, 2) analyze the risks, 3) evaluate the risks (these three are all part of Risk Assessment, ISO step 5.4) and then finally 4) treat the risks (the right-hand column of the following graphic).

ISO 31000 Framework Courtesy of the Victoria (Australia) State Government; SWER 2010.

Unfortunately this is where ISO 31000 fails; would it not be better to start with Risk Mitigation and then use the compendium of risks to test the organization’s ability to weather the uncertainties when they occur?  This ‘turned on its head’ methodology is what I call ‘Anti-Fragile Risk Management’ or ARM.

Anti-Fragile Risk Management (ARM)

In his book, ‘Antifragile: Things that Gain from Disorder’, Nicholas Taleb introduces the concept which can be summarized as follows:

Anti-fragility is a property of systems that increase in capability, resilience, or robustness as a result of stressors, shocks, volatility, noise, mistakes, faults, attacks, or failures. [Wikipedia]

Ecosystems and biological things (such as your bones or your heart) need continuous mild stress to stay healthy.  A sea wall is robust, but each successive ocean wave incrementally destroys it; the wall is robust but ultimately fragile.  A tide pool colony needs each successive wave to bring in new nutrients, remove more feeble members and, yes, sometimes even bring in destructive predators; it is anti-fragile.

In 2016 I introduced the idea of ‘Anti-fragile Strategic Planning’, including suggesting that Taleb was a bit too absolute in his dismissal of the art of planning.  ARM is effectively a continuation or an element of overall Anti-fragile Strategic Planning, including having the following four attributes or maxims:

  1. Do No Harm: Makes the organization no worse off than if no RM activities had occurred.
    1. This includes ensuring that the RM process has delivered value for money.
    2. Like insurance, this may be difficult to quantify other than by convincing senior leadership of the value of peace of mind.
  2. Core Competencies: Ensures the organization is getting better at its core business(es).  Conversely, the organization is shedding businesses that they should no longer be involved in.
    1. This is well articulated initially in ISO 31000 but then quickly seems to get lost as the standard moves into designing a RM framework and process.
    2. ‘Are we in the right business?’ and ‘Do we continue to provide these services to our citizens given their costs?’ are the ultimate RM questions.
  3. Creating a Sustainable Organization: Describes the known-known changes facing the organization and ensures it has the capacity to weather all but large-scale unpredictable and irregular (Black Swan) events.
    1. This places risk mitigation at the forefront.  The organization will need to manage risks it likely cannot predict.  Its robustness and resiliency allow it to absorb or exploit events.
    2. A risk list (telephone book’esque or otherwise) provides an excellent training/ testing tool to assist an organization to develop change-muscle-memory.
  4. Balanced Scorecard: Identifies long-term outcomes, implementation plans to achieve these outcomes and short-term milestones to monitor their execution – but only after the above maxims have been satisfied.
    1. One critical metric in the scorecard is the measured and perceived ‘robustness and resiliency’ of the organization.
    2. Scorecards and strategic plans inherently make the organization Anti-fragile. Nevertheless an organization needs some direction and operational/tactical planning.
    3. The previous 3 maxims will allow the organization to quickly shed and change scorecard entries as changes in fortune dictate.

ARM Overview

At this point you may be scratching your head, wondering how you can treat a risk if you don’t know what it is.  The answer is that most risk an organization faces is already being treated without its explicit identification.  Your web presence is constantly being tested by hackers; your employees handling cash or cutting purchase orders always have an ever so slight temptation to line their pockets.  The launch of your next product line (or continuation of an existing service/product) is also fraught with unknowns.

Perhaps you hire white hats to test your web security, have good segregation of duties to manage fraud, or have completed a formal risk assessment before introducing a line of children’s lawn darts.  More than likely, many of the risks are mitigated through trustworthy people, good training, systems, operational procedures, planning and good old-fashioned luck.  These and a myriad of other things are an organization’s response to risks, and they make an organization more (or, in their absence, less) robust, resilient and risk proof.

ARM is that simple.  It is the listing of the implicit and explicit things an organization does to exploit/manage uncertainty (risk).  This robustness/resiliency is then periodically tested through a formal RM program.

An ARMed ISO 31000

ARM and ISO 31000 are entirely compatible, even if ARM slightly adjusts the sequence of risk steps.  Section 4, Framework, in ISO 31000:2009 Principles and Guidelines includes component ‘4.3.4 Integration into organizational processes’ with the following attributes or advice for creating a risk management program in an organization:

  • Risk management should be embedded in all the organization’s practices and processes in a way that it is relevant, effective and efficient.
  • The risk management process should become part of, and not separate from, those organizational processes.
  • In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.
  • There should be an organization-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organization’s practices and processes.
  • The risk management plan can be integrated into other organizational plans, such as a strategic plan.

Seven ARMed Organization and the Next Blog

The good news is that, rather than running an RM program in isolation, ARM is integral to the organization.  The bad news is that it takes work to integrate anti-fragile behaviour so as to be robust or resilient.  Integration involves the following seven steps:

  1. Purpose: Why Does the Organization Exist, what are its objectives?
  2. People: Does the Organization have adeptness to achieve its objectives?
  3. Process & Plant: Do the People have the right Operational knowledge to operate the systems they are responsible for?
  4. Product: Does the organization have a product or service that the market/society wants?
  5. Planning: Does the organization know how to do Operational and Tactical Planning to sustain or enhance the above?
  6. Governance: Does the organization have the strategic and leadership capacity to Change the Above?
  7. Risk Tested: What identified risks can be used to test the above to ensure they are functioning?

Each of the seven steps will be discussed in future blogs in greater detail.

Guns, Telephone Books and Risk?

At work I have been given the task of implementing a risk management strategy for an IT department.  The problem is that I am not convinced that Risk Management adds much value to organizations.  To be clear, I am all for pondering and evaluating risks when making decisions.  After all, if you are currently an adult, you are likely an expert on Risk Management having survived your childhood or possibly that first year of college (just saying).

Gun Shy of Risk Management

My point is that what I am not a huge fan of is the Risk Management process.  I have worked for a few organizations in which Risk Management became a bit of a fad and organizational resources were poured into a very comprehensive list of risks.  The list was a fascinating read and many entries could have been the basis for either a cheap thriller or a space-cowboy science fiction book.  Generally though, these lists were a compendium of obvious things covered by a few good operational plans or a comprehensive list of things that in all likelihood would never come to pass.

Once these telephone book’esque lists of risks were compiled, they were dumped on some poor unsuspecting line manager.  Called the risk owner, this poor sod now had to develop a treatise on how he or she would react to a cornucopia of risks.  The smart manager would generally set the telephone book of risks to one side and get on with their day job… hoping the Risk Management fad had passed before they were asked for their response.

Audit Fodder

Of course auditors love risk management.  If auditors can’t find something juicy in the operations of an organization, they know they can always get an observation or recommendation from criticizing the risk management process.  This is because no list of risks is ever complete; there can always be one more entry added.  The auditor can also examine the events affecting an organization over the past year.  In all likelihood an untoward event that occurred was not precisely described in the telephone book.  At this point the auditor shouts with glee: ‘AH-HA, your risk management process is flawed, pour more resources into it so I can make more observations next year! BRUHAHAH.. Cough, sputter…’

Why is Risk Management so Hard?

Okay, I am being a bit harsh on auditors (some of my best friends are recovering auditors). So why is risk management so hard and why does it add so little value?  I have a few thoughts on why risk lists are an enumeration of things that will never occur:

  • Identification is Mitigation:
    • Simply identifying a risk can help to mitigate the risk.
    • In economics this is known as the efficient information model meaning the organization has internalized and corrected for the risk – good Risk Management in action!
    • Example: cash controls are deemed a risk and internal controls are beefed up such that theft or fraud are no longer likely risks.
  • Easter Egg Effect
    • This effect states that if you tell a person that there are ‘X’ number of things, they will stop looking once they find that number.
    • In the same way, an organization may look at an ever growing list of risks and at some point say ‘that is good enough’.
    • As a result, an organization may have a beefy telephone book of risks which have a low likelihood of occurrence or poor predictive power.
  • Post-Diction Focus:
    • Nicholas Taleb [see further reading section below] introduced the concept of ‘post-diction’ which is a play on the concept of prediction.
    • The ability to predict the occurrence of a past event improves after the event has occurred.  Post-diction is the certainty an individual or organization did in fact PREDICT something in retrospect.
    • This gives the organization an impression that it has better predictive powers than it really does have.
  • The Past as a Guide to the Future:
    • While one does not want to be doomed to repeat past mistakes by not reading history, the reality is that the past has only limited predictive power.
    • Certainly there are themes from the past that are enduring and can be used in the future.
    • Examples:
      • Given the opportunity, even the most honest person may be tempted to steal if they believe the chances of being caught are nominal.
      • Eventually your organization will be hacked, cyber-ransomed or be a victim of a denial of service act if you have an online presence.
  • Social Blindness:
    • Risk identification can be politically or socially driven/influenced.
    • Thus a risk may be ignored because of organizational desire to align with social norms.
    • In early September 2001, an organization renting real estate in the New York Trade Center would be disinclined to consider listing a catastrophic attack by Islamic extremists as a potential risk so as to not be accused of being Islamophobes.
  • Black Swan Events
    • Returning to Taleb, the risks that will have the greatest impact on your organization are by definition unpredictable.
    • Called Black Swans, they are significant positive or negative events that create enormous upheaval in an ecosystem.  Think of a comet striking the earth or the 2008 financial meltdown.
      • “Events that are extreme, unknown and very improbable (according to our current knowledge)”; adapted from p.xxvii, The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb, 2007.

Can Risk Management Be Value Added?

In general, can Risk Management add value?  Absolutely, evaluating risk is an inherent human trait; we are constantly calculating and estimating risk to our advantage. The fact that we are here shows its evolutionary success.

However, for organizations, I am proposing a strategy called ‘Anti-Fragile Risk Management’ or ARM.  This concept builds on the ideas in my 2016 article, Anti-fragile Strategic Planning, and builds on ISO 31000 – Risk Management.

Further Reading:

  1. Frank Potter, “Anti-fragile Strategic Planning”, FMI Journal, January 2016.
  2. Robert S. Kaplan and Anette Mikes, “Managing Risks: A New Framework”, Harvard Business Review, June 2012.