August 7, 2018 in Enterprise Risk Management, Risk Cultures, Uncategorized

Is risk about the probability and measurable impact of events? Certainly, you cannot excel in a risk management program without insights into actuarial risk. But as we saw in an earlier post, risk is also about how groups of people react to uncertainty itself. The cluster of attitudes, priorities and behaviors around this kind of risk response can be called a risk style.

Such a preference or style can be something you see across a whole organization, in smaller teams, and also in individuals. And the influence of multiple, conflicting styles can be seen at all those levels.

A school of thought called Cultural Theory has tackled the problem of risk styles in recent decades—you can read more about it here. An overarching insight across styles is that it is useful to look not just at how an event would impact an organization, but also at how blame and consequences are managed and distributed across the group. The archetypal risk styles Cultural Theorists identified include:

INDIVIDUALIST: the style closest to the classical likelihood-times-impact model. This approach sees risk and opportunity as two sides of a coin, is based on reasoning from interests and probabilities, and predicts a proportional individual response dictated by fungible INCENTIVES, or SKIN IN THE GAME, as Nassim Nicholas Taleb would say.

HIERARCHICAL: a style strongly influenced by the priorities and influence of leadership and powerful parties—key determinants of a group’s risk response are CHAIN OF COMMAND, RANK + STATUS.

EGALITARIAN: a style driven by avoiding internal inequalities created by risk—basic drivers in risk aversion and management are factors like COHESION OF GROUP and AVOIDING TURMOIL IN RANKS.

The ISO Definition of Risk and What it Can Teach Us

July 24, 2018 in Enterprise Risk Management, General, Risk Cultures

In 2009, the ISO (International Organization for Standardization) pushed out a definition of risk which is expansive, but controversial, and not immediately intuitive for everyone.

They called risk “the effect of uncertainty on objectives” (see ISO 31000:2009 etc.). This definition was and is hotly debated partly because it is not event-centered and also partly because it is not cashed out in terms of likelihood or chance of loss, or for that matter measurable likelihood or impact.

But if we step back we can at least acknowledge some simple, real benefits of the broader concept of risk, which do not depend on using ISO, or any other large, elaborate framework.

First, it is generally advantageous to think of risk and uncertainty in terms of unexploited, undefined and potential upside, as well as potential losses. This is one of the benefits most commonly associated with the ISO 31000 definition and paradigm.

Second, if we think about risk for a moment we quickly realize that it is about more than the actuarial tables of probabilities and losses, or any other measured impacts. From an organizational and enterprise standpoint, uncertainties alter the behaviour of individuals and groups. The way incentives, authority, and blame or liability are distributed will cause different groups to respond differently to the “same” nominal risk.

This opens a wider topic of the way risk culture or style is expressed in individuals, in teams and across an enterprise, which is worthy of a separate blog entry in coming weeks.

Third, Management by Objective, including Risk Management by Objective, is becoming an important trend in the risk management practices of industry leaders from several sectors.

Risk Management on Offence

July 19, 2018 in Enterprise Risk Management, Risk Cultures

Although the final shape and direction are as yet far from clear, the concept of risk management is shifting in a big way. Just as Finance was remodelled as a value-add function from its old caretaker model, Risk teams have been looking at ways to go on offense.

One challenge is that individual reasoning looks at risk as a product of uncertainty and impact, and makes estimates, but groups and teams don’t react to risk simply as an aggregate of reasoning individuals. The classifications and estimations of risk aren’t uniform or obvious across an enterprise.

But when you think about the serious reputational dimension of many top risks, it is clear that galvanizing the group around both positive and negative motivators is very important. Harnessing teams to turn risk management into an enterprise-building activity is the vision. There are many trends and directions in play, but a few cardinal points stand out:

1. Risk upside—Many risks, if not most, also contain opportunities, either financial or corporate. Furthermore, risk management is about reducing the cost of mitigation to reflect risk appetite, not just spending more.

2. Tempo—Risk velocity is increasing on a number of fronts, not least cyber, technology and information risks. Unless risk management is to be a backwards-looking or forensic exercise, cycles need to be tightened.

3. Continuity—Similarly, treating risk management as a static exercise or a fixed annual assessment is not only less valuable and responsive to significant changes, it tends to be less engaged with the front lines of the enterprise. Ongoing risk management diversifies perspectives as well as keeping the risk register fresh.

4. Participation, insight and engagement—While out-and-out risk democracy is not a common occurrence, getting better, more relevant knowledge from non-risk-specialist team members is a growing priority. Simple tools that give basic risk literacy coaching to managers and other team leads are one way forward.

5. Integration – Organizations on the bleeding edge of risk management explicitly link annual strategic plans with risk management processes. In this way, the risk management process provides an ongoing assessment of progress or risks to achieving strategic objectives.

