I recently read an article questioning the ERM approach, and I agree with it in principle. ERM is a marketing tool created by "The Big Four", most especially in the CSO format. I like to think that ISO 31000 is a more holistic approach, but again it has its limitations.
So, what's the answer?
It is unlikely that a mere mortal like myself can come up with the real answer. I don't believe there is the silver bullet that everyone is seeking, and I am of the belief that there is no one-size-fits-all solution.
So, bear with me as I gaze into the great blue sky for inspiration.
Ok, so if we agree that bad things happen to good organizations, and that as risk professionals our role is to ensure that organizations are able to survive and thrive through the bad events that occur, then our objective has got to be: ensuring organizations have a future.
So as my kick off point I will use a quote from Donald Schon, "shall we remain on the high ground solving unimportant problems according to prevailing standards of rigour, or shall we descend to the swamp of important problems and non-rigorous inquiry?" and then immediately back that up with another quote this time by Einstein, "Many of the things that we can count, don't count and many of the things you can't count, really count".
Those two quotes, in my view, capture where current approaches to risk at an enterprise level are failing. By this I mean that unless we fully understand how an organization ACTUALLY functions, i.e. how the resources, infrastructure, technology, information and knowledge all contribute to operations, and how strategy, policy and process govern those functions, we will never comprehend the interdependencies and integration that enable operations to continue. In other words, we have to join up the dots.
Many of the ERM programmes that I come across are so far removed from the actual operations of the organization that the risk registers, mitigation plans and impact analyses are light years away from what happens on the ground. Too often ERM is a top-down driven process with little or no allowance for bottom-up input.
This brings me on to Impact and Consequence, two terms used interchangeably by many executives who have little understanding of the difference between them. Yes, I know, "we can't expect non-risk people to understand the jargon", but it goes much further than that: unless we are able to present risk, resilience and continuity in a manner that lay people can easily grasp, we will be fighting a losing battle.
Along comes the "Scenario": easy to present, easy for everyone to understand if well constructed, and most importantly topical, practical and relevant.
So, if we apply SMARTS (Specific, Measurable, Actionable, Realistic, Timely and Simple) to our risk management approaches, we will have started the journey towards real Strategic Risk Management.
In my view Strategic Risk Management is supported by the pillars of:
Society as a whole, and enterprises globally, have continually shied away from contemplating low-likelihood, high-impact events by focusing on exotic risks rather than enduring ones.
An example is the continued focus on terrorism at the expense of really planning for a pandemic.
Why is this? Is it because it is easier and more headline-grabbing, or because the pandemic issue was actually beyond the comprehension of many senior decision makers?
Resilience is about survival; it is about the ability to distinguish between perception and reality. Risk is no longer the responsibility of risk managers alone; it now belongs to every manager across the enterprise, and they are all now Risk Navigators. Risk Navigators need to know a lot about the world and how it works, how it really works, and they need to use Systems Thinking: thinking about how an event can impact an enterprise not only immediately but also in the long term, and not just locally at the point of impact but also through the wide-ranging consequences of the event.
Resilience is required not only across enterprises but also at their margins and interfaces with other entities including other enterprises, supply chains, financial institutions and most especially governments at a local and national level. Right now, even the most resilient organisation would be stressed without the government acting as the resilience guarantor of last resort through financial support.
If private enterprises were more involved in national resilience plans, and government actively engaged across all levels of society and the economy, the national response to COVID-19 and all its associated issues (supply chain, PPE, data modelling, policy confusion etc.) might not have been as challenging as it has turned out to be.
A final thought on resilience is highlighted by a story told by the former head of CPNI (Centre for the Protection of National Infrastructure). When running national exercises looking at catastrophic power grid failure, some banks proudly informed him that they were super resilient. He responded by saying that their efforts wouldn't do much good if there was no power to run cashpoints, card machines or tills across the economy, along with phones, media, IT, refrigeration, shops, buses, heating and hospitals. (Martin, 2019)