Senior leaders who want to sleep better at night need to change their risk management mindset.
Fig. 1 Heatmap with and without controls
Dr. Ernest H. Forman, Expert Choice Chairman and Principal Decision Technologist, finds that the C-Suite lives in fear of public or Board exposure. Concern over criticism for failing to do enough to manage risk is often justified, given common simplistic and ad hoc efforts that fail to control risk.
But leadership is typically relegated to receiving briefings that lack sufficient specificity about the prioritization of the organization’s objectives at risk. And, “[w]ith so many demands for organisations’ resources for needs that are certain, such as improved customer relations and product development, it is tempting to allocate resources for needs that are certain rather than invest in controls for a myriad of uncertain risks, most of which will never occur.
No wonder that senior leaders, at their peril, cede their oversight and rely too heavily on their Chief Risk Officer and staff to manage risk. C-level executives often think (or hope) that they are addressing risk through GRC, compliance, cybersecurity solutions and probably don’t necessarily grasp that these solutions singly or combined do not provide the “full picture” of the domino effect of risk at the enterprise level.”
But hope isn’t a plan. Forman says that organisations that continue to rely on simple risk checklists, or on GRM and ERM tracking systems that often leave key risks uncontrolled and fail to identify future risks, inevitably leading to a misallocation of organisational resources, need to know that
“there exists a comprehensive and reliably valid process, that can empower you to truly know how to spend and manage the organization’s risks in the context of maintaining long term competitiveness and surviving short term catastrophic events.”
Change mindset: Riskion innovates using advances in data and behavioural science
Expert Choice urges C-level executives to use modern techniques, like its Riskion solution, which embraces “the scientifically proven concept that humans and organisations approach risks to gains differently than they approach risks to losses.” Forman says that senior leaders can use Riskion to facilitate collection and synthesis of data about the past with expert judgements about the future (where data is often not present, but can still be reliably derived). “Measurements about the relative importance of objectives, organised in a hierarchy, can be used to derive comprehensive and scientifically valid priorities.” Then, he adds, “The derived ratio scale measures are collected using techniques to produce ratio measurements that overcome cognitive limitation, use redundancy to improve accuracy and identify and reduce inconsistency and bias.”
Robert Scott Jack II (formerly Deputy CIO for the US Marine Corps, Director of Communications and Information, Headquarters Air Force Global Strike Command, and currently President and CEO of BeNimble Consulting) agrees that better measures of risk are needed.
“If you do not measure risk and understand what controls are required to manage the risks, you will be reactive versus proactive and someone else will be occupying your office. It’s not a matter of if, it’s a matter of when an unmitigated or unknown risk will impact your business and then all that is left is the screaming and gnashing of teeth.”
Change mindset: Seek strategic advantage in risk management
Forman says that Expert Choice designed Riskion for management teams ready to act as “risk visionaries [who] realise that real risk management is more than compliance. Risk management is a strategic advantage, developing and optimising improved risk controls frees up resources for other strategic objectives.” The most astute of those risk visionaries are the ones who recognize that you can’t truly manage risk without the ability to measure risk, including both past incidents and future risks.
Riskion claims to deliver “proper risk management, driven by mathematically valid measures that permit actionable insights into how risk affects finances, customers, the markets, impacts upon the environment, strategies, projects, competitors and thus, the entire organisation.” This, says Forman, is a risk management framework that can simultaneously measure and visualize risk from the points of view of the CFO, Chief Risk Officer, Chief Operating Officer, and the Board of Directors. Such visualisations permit organisations to ensure that the right resources are allocated so that the right controls are in place.
Robert Scott Jack II adds: “With Riskion senior leaders can gain a view of risk to an enterprise-level, have an operational or finance view, and have access to a detailed project or subject matter view.” With the risk controls in place, it is easier to use what he calls “sound practices to measure risk, allowing organisations to accommodate uncertainty and to communicate a range of possible outcomes [which] is critically important to management in selecting the right mix of risk controls at a project or enterprise level.”
Risks (and alternative controls to reduce risk) can be visualised in Riskion using bowtie diagrams (Fig. 2), control registers (Fig. 3) and heat maps (Fig. 1, above). Riskion corrects the flaws inherent to “traditional” heat maps and control registers, which are based on flawed ordinal measures. Forman claims that this “permits visualization of relative risk and shows amounts by which risk controls reduce risk.” He also says bowtie diagrams are “a great way to visualise specific risk events in a manner that simplifies complexity.”
Fig. 2 Bow-Tie visualisation with controls
Expert Choice’s Top 5 Tips for improving risk measurement and controls
1. Use mathematically sound measures to replace endless discussion. Collect data and judgments using a structured process. Discourage BOGGSAT (bunch of guys and girls sitting around talking). Avoid ordinal measures, especially in heat maps – the results will be meaningless. Ratio scale measures are necessary for effective risk management.
2. Leave egos at the door. Collect judgments and data throughout the organisation. Ensure C-level and Director’s participation for questions regarding the importance of the objectives and external subject matter experts where appropriate.
3. Think outside the box. Don’t waste time trying to analyse and manage risks using spreadsheets that are not adequate to accommodate the many interrelationships that exist between risk elements.
4. Start small for success. Begin with a small model for one part of the enterprise. The team can see the flexibility of creating a risk model that answers risk questions from different perspectives and quickly iterate to accommodate other risk elements.
5. Empower management with risk data expressed in ROI terms to show strategic benefit. Properly measuring and communicating the most important risks is good, but real benefit to the organization is delivered via an optimized portfolio of controls expressed in currency and/or percentage measures to top management that can be used to choose the desired balance of risk reduction resource expenses, long term risk reduction, and short-term catastrophic risk exposure.
Fig. 3 Risk visualisation with controls
Change Mindset: Don’t be twice shy. Try again.
Expert Choice finds that, having experienced unfulfilled promises from past risk management initiatives, some C-Suites exemplify the adage “once caught, twice shy” when it comes to tackling risk management. “Even if they have a handle on incident management, they are uncertain as to how to identify or measure future-facing risks – incorrectly assuming the effort will require long lead times or herculean political efforts.”
Forman says that, with Riskion, the time and effort are proportional to the scope of the analysis. A very basic Riskion analysis (consisting of a handful of events, their likelihoods, impacts and risks) can be performed in as little as an hour or two. A more complex analysis is possible in days or weeks, depending on availability of key personnel. Furthermore, it is easy to adapt or expand the analysis at any time and see impacts on decisions in real-time.
He adds: “Senior leaders no longer need to cede their oversight and rely too heavily on their Chief Risk Officer or staff to manage risk. Senior leaders who want to can have more reliable risk information at their fingertips now know that ‘comprehensive process exists, [which] can empower them to truly know how to spend to manage the organisation’s risks in the context of maintaining long term competitiveness and surviving short term catastrophic event.’”