GRC Tuesdays: Proactive Risk Management
There’s always a lot of “hype” around buzzwords and sometimes this doesn’t really translate into a real business need. In the particular case of proactive risk management, I do think that it has relevance – especially in the current economic situation that evolves on a near-daily basis and doesn’t leave too much adaptation time for companies.
Cambridge Dictionary defines the adjective “proactive” as “taking action by causing change and not only reacting to change when it happens”. I personally think that this can fully apply to risk management, where organizations can shift from making decisions based mostly on past risk events (i.e. historical incident and loss information) and steer the ship based on educated assumptions instead, to try and make the best out of uncertainties.
As for all the previous GRC Tuesdays blogs, I don’t intend to lecture anyone as to what they should do. I only aim to suggest some ways that could be leveraged in order to adopt such an approach.
None of the below are exclusive, so all can cohabit of course. If you already have a risk management process in place or are in the process of (re-)designing one, why not include some of these and test them within your company? Some of the below don’t require too much investment and, should they be successful, will most likely yield a good return on investment, so to speak, as they will provide foresight to executives. At least that’s the idea!
1. Providing a Complete View of The Risk: Where is It Today and Where Should It Be Tomorrow
Knowing where a risk stands today is by no means an easy exercise. But based on previous internal and external data such as incidents and loss events, one should be able to assess the potential impact of a risk and its likelihood of occurrence. A quality defect, for instance, has a direct production cost that is quantifiable and, since most companies keep track of the anomalies detected during the quality review, a probability of occurrence based on past cases can be extrapolated.
Nevertheless, providing this information to executives can only help them understand where the risk sits today. If we start combining this with the Planned/Target level, it will not only help them understand whether the cost and effort planned for the mitigation strategy are worth it, but also what they could expect on the horizon. This would enable executives to start making proactive decisions. For example: we’ll invest more in increasing the automation of our production tool provided the process owners are able to lower the quality defect risk exposure on the time horizon defined at the target level. Furthermore, this can also give a timeline of when to reassess the situation should it not develop as expected.
2. Escalation of Emerging Risks
Emerging risks are those potential threats that have not yet manifested but that could really endanger your operations – and potentially the viability of the business – should they develop completely.
By escalating emerging risks, I am suggesting that they be raised to the right level of authority. In many cases, they are reported in an appendix of a report and not tied back to the business.
What if, instead, they were associated with the company’s objectives and raised to the board member in charge of this function? This board member would have not only the authority, but also the complete picture to assess whether they would indeed be critical to the company’s strategy and could then decide to adapt the strategy before the iceberg is too close to the ship to be avoided.
3. Setting Up Predictive Indicators
In a previous blog post released last year (GRC Tuesdays: Key Risk Indicators in a Sound Risk Management Process: What Are They Really?) I tried to summarize the function of Key Risk Indicators (KRI). Many companies use this as a backward-looking approach where past information is collected for a risk, much like key performance indicators feed into a strategy planning review.
This is of course very interesting in itself since it can help assess the risk more accurately.
Going back to my production chain example above, I could gather the number of defective products identified during the QA process and then display it alongside the probability documented on the associated risk. The risk owner would then be able to make a more educated – if not guided – assessment concerning the likelihood that this would happen again in the future. But what about trying to change this and move to a preventative – if not predictive – approach?
Assuming you are in the agriculture industry in a region that is prone to bushfires, wouldn’t it be interesting to get backward-looking indicators about precipitation (this will indicate how dry the vegetation is) as well as forward-looking indicators warning you about the weather forecast and potential thunderstorms? Since lightning strikes are one of the natural sources of ignition that trigger bushfires, it might be possible – in some cases – to bring forward the harvest so as to mitigate the risk of losing a crop. This basic example has been in use in agriculture for a long time, but we can draw parallels with other industries.
4. Making Use of Simulations
There are different simulation methods of course, but here I’d simply like to highlight the What-If Analysis. In this simple approach, the intent is to change some of the parameters to explore the various outcomes.
Usually, and since risks rarely happen in silos, you would first document the chain of events. For example, a bushfire impacting our crop could be caused by a drought combined with storms and lack of rain. Then, you can start to simulate different outcomes: what happens if the risk of lightning increases by 5% over 48 hours, etc.? Going a step further, you can also simulate the effectiveness of your mitigation strategy. If early harvest is not an option, what if we at least created a grazed area where livestock could be moved during a bushfire to protect at least part of the activity? What resources would be required to do so, and would we have them available? And so on.
5. Report in Full Transparency
As mentioned in the introduction, the whole intent of proactive risk management is to take action by causing the change rather than reacting to it.
Since this is typically the prerogative of company executives, providing them with this information would be capital for its success. But there’s a catch: they shouldn’t feel like this is a magical box that just spits out a random scenario. Even if detailed and tedious, I feel they should be given all the information – including the list of assumptions and parameters – so that they themselves could decide what is realistic and what is not in line with market expectations.
Should they start “playing” with the parameters, then you’ll know you’ve been successful in transforming risk management from a pure reporting exercise into a real decision steering tool.
What about you, has your organization already implemented some proactive risk management practices? If so, what were they and what’s your feedback on it? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard