This is Part Three of a four-part blog series on ERM from guest blogger Michael Rasmussen of GRC 20/20 Research.
The physicist Fritjof Capra made an insightful observation on living organisms and ecosystems that also rings true when applied to risk management:
“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”
Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of their intricate interrelationships as an integrated whole rather than as a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts on the entire ecosystem. This is also true in risk management. What further complicates this is the exponential effect of risk on the organization. Business operates in a world of chaos. Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue. Dissociated data, systems, and processes leave the organization with fragments of truth that fail to show the big picture of performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization needs holistic visibility and situational awareness into risk relationships across the enterprise. The complexity of business and the intricacy and interconnectedness of risk data require that the organization implement a risk management strategy.
Different Approaches Organizations Take in Managing Risk
The primary directive of a mature risk management program is to deliver effectiveness, efficiency, and agility to the business in managing the breadth of risks in context of organizational performance, objectives, and strategy. This requires a strategy that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of risks across the extended enterprise.
GRC 20/20 has identified three approaches organizations take to manage risk:
- Anarchy – ad hoc department silos. This is when the organization has different departments doing different yet similar things with little to no collaboration between them. Distributed and siloed risk management initiatives never see the big picture and fail to put risk management in the context of organization strategy, objectives, and performance. The organization is not thinking big picture about how risk management processes can be designed to meet a range of needs. An ad hoc approach to risk management results in poor visibility into the organization’s relationships, as there is no framework for bringing the big picture together; there is no possibility of being intelligent about risk and performance. The organization fails to see the web of risk interconnectedness and its impact on performance and strategy, leading to greater exposure than any silo understood on its own.
- Monarchy – one size fits all. If the anarchy approach does not work, then the natural reaction is the complete opposite: centralize everything and get everyone to work from one perspective. However, this has its issues as well. Organizations run the risk of putting one department in charge of risk management that does not fully understand the breadth and scope of risks and risk management needs. The needs of one area may overshadow the needs of others. From a technology point of view, it may force many parts of the organization into managing risk with the lowest common denominator, watering down risk management. Further, there is no one-stop shop for everything in risk management, as there are a variety of pieces to risk management that need to work together.
- Federated – an integrated and collaborative approach. The federated approach is where most organizations will find the greatest balance in collaborative risk management, governance, and oversight. It allows for some department/business function autonomy where needed but focuses on a common governance model and architecture in which the various groups in risk management participate. A federated approach increases the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across risk relationships, as it allows different business functions to focus on their own areas while reporting into a common governance framework and architecture. Different functions participate in risk management with a focus on coordination and collaboration through a common core architecture that integrates and plays well with other systems.
Risk Management Strategic Plan
Designing a federated risk management program starts with defining the risk management strategy. The strategy connects key business functions with a common risk governance framework and policy. The strategic plan is the foundation that enables risk transparency, discipline, and control of the ecosystem of risk across the enterprise.
The core elements of the risk management strategic plan include:
- Risk management team. The first piece of the strategic plan is building the cross-organization risk management team (e.g., committee, group). This team needs to work with risk owners to ensure a collaborative and efficient oversight process is in place. The goal of this group is to take the varying parts of the organization that have a vested stake in risk management and get them collaborating and working together on a regular basis. Various roles often involved on the risk management team are: enterprise/operational risk management, compliance, ethics, legal, finance, information technology, security, audit, quality, health & safety, environmental, and business operations. One of the first items to determine is who chairs and leads the risk management team.
- Risk management charter. With the initial collaboration and interaction of the risk management team in place, the next step in the strategic plan is to formalize this with a risk management charter. The charter defines the key elements of the risk management strategy and gives it executive and board authorization. The charter will contain the mission and vision statement of risk management and the members of the risk management team, and will define the overall goals, objectives, resources, and expectations of enterprise risk management. The key goal of the charter is to establish alignment of risk management with business objectives, performance, and strategy. The charter should also detail board oversight responsibilities and reporting on risk management.
- Risk management policy. The next critical item to establish in the risk management strategic plan is the writing and approval of the risk management policy (and supporting policies and procedures). This sets the initial risk management structure in place by defining categories of risk, associated responsibilities, approvals, assessments, evaluation, audits, and reporting. The policy should require that an inventory of all risks be maintained with appropriate categorizations, approvals, and identification of risks.
The next step is enabling the risk management strategic plan and processes through a risk information and technology architecture with integrated automation and business intelligence. We will look at that in the next and final blog in this series.
Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.