GRC Tuesdays: Black Swans, White Swans: They’re All Risks At the End of the Day!
One thing I realized since I moved to Australia over 2 years ago is that black swans are pretty widespread here. Not the unforeseen – or silent – type of risk, that is. No, the bird itself.
It just made me think about the European belief that held true until the 17th century that all swans were white because no contradictory observation had invalidated this hypothesis.
In many exchanges I’ve had with executives, a lot of the focus has been on so-called “Black Swans”. And understandably so, since these are the threats that can take a company the way of the dinosaurs if they aren’t adequately mitigated.
But what about all the other “swans”? White, green, yellow? Are they getting the attention they deserve from executives?
Some time ago, Bruce McCuaig had suggested categorizing risks in 4 buckets as illustrated below:
I would argue that only the risks in the categories labelled as Human Behaviour and Control Focus are really getting sufficient oversight. Risks in the Loss Management Focus and Risk Focus categories are often either deemed appropriately managed and thus not deserving more attention, or it is felt that some sort of monitoring would suffice.
Due to this attitude, risks in these categories often fall through the cracks because there’s a perception that they’re no longer real threats to the organization.
What Can be Done to Ensure That They Aren’t Forgotten?
This is where, I believe, one of the key advantages of the Three Lines of Defense approach lies: it’s risk agnostic! It reconciles views from all three lines (operational, risk & compliance, and audit) regardless of the risks’ criticality, status or category.
As a result, all “swans” are included in this approach and their residual aggregated exposure can be reviewed. To me, this precision is important. Taken in isolation, some of these risks might not be life threatening to a company. But together, they might amount to a significant exposure which could very well be above the organizational risk appetite and even above its ability to operate.
A coordinated response will therefore be needed and a Three Lines of Defense approach will help ensure that this is the case and that different departments work jointly to provide an effective response. Hence, we can break down typical departmental silos that we continue to encounter in many organizations.
A Risk Is a Risk Is a Risk
Don’t get me wrong, it’s absolutely not the intent of my discussion to say that black swans shouldn’t get attention. But, with the resource constraints that all companies inevitably face, a sound balance is always necessary in my view. I personally believe that Three Lines of Defense, in addition to helping companies ensure sustainable compliance and correct reporting of the risk context, also supports such balance by enabling prioritization with regard to the company’s objectives and to the real assessment level. As such, it sheds light on all swans irrespective of their color.
What about you? How does your company deal with white and black swans? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard.
Originally published on the SAP Analytics Blog