Although in ISO 31000 monitoring risk is another of its key tenets, I again see little monitoring in most risk management systems. Periodic review, dashboards, heat maps, and KRI reports are all Review (a different ISO 31000 tenet) not monitoring. IoT technology can deliver real-time monitoring of risk for more than just physical environmental metrics.
Enterprise Compliance Today
The failed Risk Management practice of the ubiquitous risk matrix will finally be laid to rest in the 2020s. Vague, subjective estimation of likelihoods and consequences will be replaced with objective Predictive Analytics predictions, based on historical patterns and current trends, leading to informed risk-based decision making.
Regardless of the hype surrounding Predictive Analytics, and despite the fact that there are some excellent and relatively inexpensive tools available, not only has its implementation been weak, but a 2017 Gartner survey found that in many areas investment is going backwards.
Although risk identification is a fundamental tenet of ISO 31000, from the GFC to Brexit traditional methods have spectacularly failed. Neural Network mapping is the first real technique to actually identify risk drivers and their outcomes.
Probably one of the most recognized but least understood disruptive technologies for Risk Management in the 2020s is Big Data.
ISO 31000:2018 stresses the need for risk management to be integrated into operational functionality and decision making, but little has been written on how to actually achieve this. Scenario Analysis is not a modern technology, but it is how you can provide operational management with risk-based decision-making collateral.
The 2009 release of ISO 31000 was the first step across the threshold into 21st century risk management. Unfortunately, the industry that has developed around it has firmly grabbed the doorway and won’t let go. Although the latest revisions make references to decision making and integration into functional purpose, the industry totally misses the point of risk management, which is to assist in navigating a complex world.
In my 2013 book "Mastering 21st Century Enterprise Risk Management" I quipped, “just as the Wild West of the 1890's had disappeared without trace by the Roaring 1920s, so too will the business world of the 1990s, be long forgotten by the 2020s”. Just 5 years on, not only has the world changed emphatically, but the rate of change is accelerating.
So why don’t most Enterprise Risk Management systems work? Simply, they don’t “manage” risk, they just record it. Manage is a verb, not a noun. It is an activity, not an item. Making a list might be adequate for those who want to check off regulatory compliance, but it does not produce an ROI.
Unfortunately, there seems to be a lack of understanding of what GRC really is. Contrary to popular belief, GRC is NOT ERM, but three separate disciplines: Governance, Risk and Compliance. Here I look at the neglected Governance component.