The future of enterprise and risk management?
This looks like an article on risk management. And it sort of is. But actually, it's about business management. A challenge and an invitation to organizations that want to go to the next level.
When it comes to risk management, we often make our decisions based on emotions. We get wrapped up in processes, compliance, and guesstimation of risks. Tools such as quantitative risk analysis (QRA) are helpful, of course, but they are just tools. In the end, risk management is about decision making, and it comes down to people.
We know how to do this. For the most part. Nuclear power plants and aircraft carriers are well-studied examples of risk culture in action. They use all the tools, but above all, they empower people to manage risk ‘at the point at which it occurs’.
It's the 21st century and we have the tools ...
Wouldn't it be great to build an active enterprise risk management system? I'm talking about a system of risk management awesomeness (SORMA). Something that tracks decisions, issues and environmental inputs in real time. We can draw some inspiration from how military and intelligence watch offices operate as real-time risk management systems. Process control systems for oil and gas or nuclear plants are also great examples of risk management at the operational level. But what about the enterprise level?
What would it look like?
Imagine a system that monitors inputs, processes and outputs, tracking culture and organizational behavior.
In practice, it might look like the NASA launch control center. Video feeds, computer screens, and real-time inputs. But integrated into all levels and elements of the enterprise and accessible to everyone who needs particular information to manage risk or make decisions.
It might include:
Risk profiling for key business activities such as manufacturing, hiring, firing, borrowing, lending, investing, mergers, and acquisitions.
Root cause analysis to identify and rectify underlying organizational issues.
Predicting 2nd and 3rd order consequences of incidents and potential business decisions.
Some software promises to do a lot of this. The expression 'promise the world and deliver an atlas' comes to mind. Often it's not the fault of the software. Building such a system is never going to be easy. We buy software with great expectations, and then under-fund the implementation and ongoing management of it.
And yes, we have some great examples of excellent watch offices, operations centers, and capability management systems. But mostly we stop there, underutilizing the information and tools that we have available.
Frankly, I'm yet to see or even hear about an operational risk management system that comes close to integrating the available data and inputs into a strategic risk management system. This is what I would call a true enterprise management system.
At this level, it's not even about risk management any more. It's a strategic organizational decision management process, in real time.
Looking for a challenge?
Forget risk registers and risk policies. In the early years of the 21st century we are on the cusp of true enterprise risk management. It will be expensive but will provide a significant advantage to the first organizations that manage to implement such a beast.
If you have the vision and appetite to build a system of risk management awesomeness, drop me a line. Let's build the first one.