GRCTuesdays: Coronavirus pandemic: black swan or poor risk management? Part 2
See this link for Part 1 of the blog
Enterprise Risk Management for Good
I deliberately had 2 meanings for the phrase Enterprise Risk Management for Good: (1) organisations put Enterprise Risk Management processes + enabling software in place as part of business as usual operations (i.e. for ever) and (2) it are rolled out to all the corners of the entire organisation, their interconnected physical ecosystem, and ideally their metaphysical ecosystem (i.e. for the good). What does that lead to?
I think of Operational Resilience as one part of at a minimum, a 5-dimensional approach, also including Operational Risk Management, Financial Risk Management, Business Continuity Management and Enterprise Risk Management. Or more usefully Enterprise Risk Management sitting on top of the other 4. Together they cut vertically and horizontally through a business, and through time for both acute and strategic horizons. They can address inside, inside-out, outside-in and outside vulnerabilities & opportunities.
While each of these are often seen as separate disciplines, I envisage these working together in real time to achieve and perpetuate the antifragile businesses.
And the importance of linking for example Operational Risks into an Enterprise Risk program is that silos running Operational Risk may not be aware of the enterprise impact of operational events, or cumulative interactions between operational risks.
This also allows for extending the breadth of Enterprise Risk Management to include for example Health and Safety, ITGC, Legal, Third party, Cybersecurity, Reputational risk etc. And just to put the cat amongst the pigeons, but hopefully to emphasise the point, I remember during a discussion with the chief risk officer of a bank he quipped that Financial Risk should fold into Operational Risk anyway because it is dealt with as a business task. I’d tend to agree, and it underlines my observation earlier on: too much terminology granularity can be unedifying. I want to make risk management more accessible and easier to use in steering an organisation.
While this blog does not reflect the opinions of my employer, I work for SAP and our solutions provide a comprehensive coverage of the GRC & Security domain. I’ve used two of these solutions, SAP Process Control and SAP Risk Management (which share their data), to show a vertical slice through business and how software can link operations and strategy. In this example it is the ability to increase or maintain profit, one of the typical strategic objectives significantly impacted by Covid-19. The software allows documenting risk compared to threshold for say availability of cash, dependence on a single supplier for a key widget, or the time lag to resolve delivery issues. Risks are linked to objectives, business processes, risk and process owners, and effectiveness of mitigating controls (testing of which can be automated).
Assuming the software is being used in an Enterprise Risk Management context it should take current input from operations, financial risk and business continuity plan content. The more of the business that can be engaged in feeding risk information into the integrated software solutions, the better the flow up to objectives and feedback loop down again to operations (or finance, BCM etc.). I think this rich body of real time information within software is essential to feed into a useful operational resilience process. And for determining the impact of resilience options on financial viability and operational delivery within the documented risk thresholds and resource availability.
By the way, this is also a good approach to build a Return on Investment business case.
This figure illustrates a horizontal slice through business by means of the operating cycle, useful for estimating the amount of working capital that an organisation will need in order to maintain or grow its business. SAP’s finance software solutions will manage the expected financial processes within each financial process, and links directly into our ERP software for immediate analytics and management. Our GRC & Security software will monitor and help manage unexpected, illegal, out of tolerance & out of policy events and threats within financial processes as well as across processes. They also help manage within the ERP system and the other business systems in a typical heterogeneous landscape.
For example, processes that in the past depended on office-based working, when suddenly and imperfectly changed to home working, can be analysed and monitored for risk and error. The exact cause of the change (e.g. pandemic – new or second peak, working from home to reduce overheads or carbon footprint, or committing to a circular economy approach) doesn’t have to be a dependent part of the logic, but can be one of a number of scenarios driving analysis, impact and strategy.
Information flows up through the software GRC & Security software to the overarching reporting and analytics. Decision-making is pushed down using the GRC & Security software via risk thresholds, policies, control testing, training etc. back out through to all corners of the business. As a sidebar, having Excel being used for risk management domains in this flow makes it almost impossible to have a consistent and robust information flow loop, and also therefore effective decision making.
Our GRC & Security software (and others) is well suited to analyse and protect businesses from ranges in events, results and process exceptions, as opposed simple binary pass/fail logic. It is also well suited to help manage outcomes due to cascading and/or linked risk events, for risk assessing possible threat and opportunity scenarios. The software setup becomes a kind of watchman overseeing the state, security and proper running of the business – within defined operating parameters – but still allowing flexibility and organic change. This is necessary for agility working hand in hand with assurance, for antifragility.
This rich multi-dimensional information and process cube must be presented to the board and management team in an intuitive and helpful way. In SAP we use our Analytics Platform (i.e. Digital Boardroom) to showcase this information.
It will enable a continuous feedback loop that includes objectives and strategy linked to operations, finance, IT, cyber, third party and other risk domains. Organisations can therefore ensure that every risk, control, issue, and mitigating action is mapped to the requirements and objective(s) that drive the activity, and be able explore scenarios of change when driving factors change. Thus the management team will have a deep multi-dimensional view of the business health and the framework for assessing agility, exposure and resilience to change.
Making use of the Johari Window (made famous by Donald Rumsfeld in 2002) is an interesting and helpful way to talk about categories of risk, and to indicate how organisations can use the above to manage them:
- known knowns: risks are known, organisations prepare for a documented impact
- known unknowns: risks are known but not the size and effect (e.g. an election), organisations plan for most probable outcome & an approach to convert these to known knowns
- unknown knowns: risks have low likelihood but size and effect can be estimated by subject matter experts (e.g. 1:100 year flood), organisations track indicator metrics and have a plan in place to deal with them
- unknown unknowns: our black swans, very rare and unexpected risks with severe impact, organisations build and regularly test a thorough risk and control framework linked to agile operational and financial viability linked to corporate objectives, strategy, and management decision-making – deliberately varying scenarios
A simulation of a black swan type event could start with an asteroid hitting earth. Don’t take the specific event happening as the only input (if it truly is a black swan, we won’t know what the event is) but look at the consequences of an asteroid hitting the earth such as disrupted and extreme weather, temperature and light fluctuations, global satellite disruptions, communication and supply chain disruptions, staff mobility restrictions. Model your resilience in dealing with these consequences, or look at emerging risks, to help create areas of useful redundancy and antifragility.
I envisage an ongoing real-time evolving discussion of risk & control, exposure, corporate objectives and strategy, and not a ‘fire and forget’ risk & compliance report. Creating a ‘digital twin’ of business risk to constructively inform and support leadership decision-making. I’d summarise it in 3 points:
- Corporate leadership & tone at the top to adapt to volatility, with a fully represented risk function feeding evolving KPI’s for well informed decision making and strategy setting
- Agile operations with assurance feedback loop through integrated organic technology assisting operational and resilience management to continue delivering goods and services, including depth of internal dependencies and broadest supply chain ecosystem
- Business data, information and processes as a complex asset allowing organisations to protect and develop it, and explore consequences of process & scenario changes