This is part two of my thoughts on Risk Management. Part I, “Guns, Telephone Books and Risk” focused on the problem of creating long lists of things that will (may) never happen.
ISO 31000 to the Rescue!
Risk management (RM) has become standard fare for most organizations. To support these efforts, in 2009 the International Standards Organization (ISO) issued ISO 31000 Risk management – Principles and guidelines. It is a pretty good standard for the following reasons:
- Recognition that uncertainty (aka risk) has both positive and negative consequences.
- The impact of uncertainty is the inability to execute on organizational objectives.
- Risk is organization-centric based on its particular legal, societal, cultural, technical, ‘etc.-al‘ circumstances.
- RM is integral to an organization rather than an isolated activity.
ISO 31000 – The Same Problem
In ISO 31000 the steps are: 1) identify the risks, 2) analyze the risks, 3) evaluate the risks (these three together make up Risk Assessment, ISO step 5.4) and then finally 4) treat the risks (the right-hand column of the following graphic).
Unfortunately this is where ISO 31000 fails. Would it not be better to start with risk mitigation and then use the compendium of risks to test the organization’s ability to weather the uncertainties when they occur? This ‘turned on its head’ methodology is what I call ‘Anti-Fragile Risk Management’ or ARM.
Anti-Fragile Risk Management (ARM)
In his book, ‘Antifragile: Things that Gain from Disorder’, Nicholas Taleb introduces the concept, which can be summarized as follows:
Anti-fragility is a property of systems that increase in capability, resilience, or robustness as a result of stressors, shocks, volatility, noise, mistakes, faults, attacks, or failures. [Wikipedia]
Ecosystems and biological things (such as your bones or your heart) need continuous mild stress to stay healthy. A sea wall is robust, but each successive ocean wave incrementally destroys it; the wall is robust yet ultimately fragile. A tide pool colony needs each successive wave to bring in new nutrients, remove the more feeble members and, yes, sometimes even bring in destructive predators; it is anti-fragile.
In 2016 I introduced the idea of ‘Anti-fragile Strategic Planning’, including the suggestion that Taleb was a bit too absolute in his dismissal of the art of planning. ARM is effectively a continuation of, or an element of, overall Anti-fragile Strategic Planning and has the following four attributes or maxims:
- Do No Harm: Makes the organization no worse off than if no RM activities had occurred.
  - This includes ensuring that the RM process has delivered value for money.
  - Like insurance, this may be difficult to quantify beyond convincing senior leadership of the value of peace of mind.
- Core Competencies: Ensures the organization is getting better at its core business(es). Conversely, the organization is shedding businesses that it should no longer be involved in.
  - This is well articulated initially in ISO 31000 but then quickly seems to get lost as the standard moves into designing an RM framework and process.
  - The ultimate RM questions are: are we in the right business, and should we continue to provide these services to our citizens given their costs?
- Creating a Sustainable Organization: Describes the known-known changes facing the organization and ensures it has the capacity to weather all but large-scale unpredictable and irregular (Black Swan) events.
  - This places risk mitigation at the forefront. The organization will need to manage risks it likely cannot predict. Its robustness and resiliency allow it to absorb or exploit events.
  - A risk list (telephone-book’esque or otherwise) provides an excellent training/testing tool to help an organization develop change-muscle-memory.
- Balanced Scorecard: Identifies long-term outcomes, implementation plans to achieve these outcomes and short-term milestones to monitor their execution – but only after the above maxims have been satisfied.
  - One critical metric in the scorecard is the measured and perceived ‘robustness and resiliency’ of the organization.
  - Scorecards and strategic plans inherently make the organization Anti-fragile. Nevertheless, an organization needs some direction and operational/tactical planning.
  - The previous three maxims will allow the organization to quickly shed and change scorecard entries as changes in fortune dictate.
At this point you may be scratching your head wondering how you can treat a risk if you don’t know what it is. The answer is that most risks an organization faces are already being treated without their explicit identification. Your web presence is constantly being tested by hackers, and your employees handling cash or cutting purchase orders always have an ever so slight temptation to line their pockets. The launch of your next product line (or the continuation of an existing service/product) is also fraught with unknowns.
Perhaps you hire white hats to test your web security, have good segregation of duties to manage fraud, or have completed a formal risk assessment before introducing a line of children’s lawn darts. More than likely many of the risks are mitigated through trustworthy people, good training, systems, operational procedures, planning and good old-fashioned luck. These and a myriad of other things are an organization’s response to risks, and they make an organization more (or, in their absence, less) robust, resilient and risk-proof.
ARM is that simple. It is the listing of the implicit and explicit things an organization does to exploit/manage uncertainty (risk). This robustness/resiliency is then periodically tested through a formal RM program.
An ARMed ISO 31000
ARM and ISO 31000 are entirely compatible, even if ARM slightly adjusts the sequence of the risk steps. Section 4, Framework, in ISO 31000:2009 Principles and Guidelines includes component ‘4.3.4 Integration into organizational processes’ with the following attributes or advice for creating a risk management program in an organization:
- Risk management should be embedded in all the organization’s practices and processes in a way that it is relevant, effective and efficient.
- The risk management process should become part of, and not separate from, those organizational processes.
- In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.
- There should be an organization-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organization’s practices and processes.
- The risk management plan can be integrated into other organizational plans, such as a strategic plan.
Seven Steps to an ARMed Organization and the Next Blog
The good news is that, rather than running an RM program in isolation, ARM is integral to the organization. The bad news is that it takes work to integrate anti-fragile behaviour so as to be robust or resilient. Integration involves the following seven steps:
- Purpose: Why does the organization exist, and what are its objectives?
- People: Does the organization have the adeptness to achieve its objectives?
- Process & Plant: Do the people have the right operational knowledge to operate the systems they are responsible for?
- Product: Does the organization have a product or service that the market/society wants?
- Planning: Does the organization know how to do operational and tactical planning to sustain or enhance the above?
- Governance: Does the organization have the strategic and leadership capacity to change the above?
- Risk Tested: What identified risks can be used to test the above to ensure they are functioning?
Each of the seven steps will be discussed in greater detail in future blog posts.