Complex Enterprise Risk Management Mandate
We saw in post 1/6 that, from the Black Swan perspective, unless we are overstating it, risk-optimized decisions and rational planning are illusory; redundancy and randomness are better.
But a balanced approach is required. Risk managers will not stop helping to optimize business decisions anytime soon, because people definitely want a risk-based analysis of the investment proposal, project, policy, plan or initiative. Excessive risk aversion can be costly and retrograde.
I wrote a statement today in support of a new Enterprise Risk Management certification:
‘Enterprise Risk Management will prove its value only as long as risk managers persist, with a variety of methods, to challenge assumptions in program plans and projects, and carry out strategic assessment to safeguard the organization’s core values and sustainability.’
That is pretty much the point of this series of posts. ERM presents risk managers with a complex mandate. They must identify and assess near-term operational risk, and in so doing overcome reliance on forecasts whose scope is insufficient, and whose underlying assumptions are not challenged.
They must also cope with the low-frequency/high-consequence risk, and even the unknown and unpredictable (black swan). Time frames extending to 30 years are commonplace in infrastructure projects. Furthermore, they are charged with helping to create a risk-aware culture.
I believe it is possible to meet the ERM mandate, but only through a coordinated suite of risk methodologies.
1. Strategic Identity is a model to help define the essence of the organization. It calls for a review of Mission, Vision, Stakeholders, Corporate Values, Unique Assets and Capacity for Innovation.
2. Targeted Environmental Scan is a better use of your research dollars than generic industry reports, because it investigates your unrealized internal assets, as well as developments in your field.
Strategic Identity, informed by environmental scan, gives you a frame of reference for all strategic planning and risk assessment.
3. Business Continuity and Emergency Planning: this is the classic cornerstone of business resilience. A common problem is trying to identify disaster risk in a standard operational risk exercise – you can’t. You need to run a dedicated session, identify mission-critical functions, and set out mitigation with the help of a specialist.
4. High Quality Risk Identification and Assessment. With so many organizations still reporting dissatisfaction with their ability to effectively assess risk, this needs close attention.
5. Innovation. Arguably, the most important source of competitive advantage. This is not a fringe activity, but critical for the long-term viability of the firm. Risk managers are well placed to lead the innovation process.
6. Future Scenarios Planning. Risk scenarios let you expand the planning discussion, explore options, and stress test strategic plans in terms of their underlying dynamics and relationship of forces.
Integrating Risk Management and Corporate Planning
Therefore we recommend a balanced array of risk methodologies. The methods listed above cover the different philosophical approaches, i.e., rational planning and quantification of risk; preparedness and resilience; adaptability and flexibility; and challenging assumptions, creativity and visioning.