Enterprise Compliance Today

Pro-Active vs Re-Active Risk Management

Posted by Greg Carroll on Wed, Feb 26, 2014 @ 10:25 AM

ISO31000 needs to address the understanding of the fundamental nature of risk if it hopes to advance the maturity of risk practices in business

[Image: Risk Burndown chart]

Risk Burndown, or Waterfall chart, popular in Project Management. Unfortunately, measuring and reporting the Risk Exposure will not alter its likelihood.

Risk Management is firmly entrenched in a world of re-active modelling and reporting that belies the goals of ISO31000. Until there is an epiphany in the industry about the nature of risk, it is unlikely that ISO31000 will achieve anything more than a documentary role in corporate governance and business management. Risk Management must add value, and this means adding Shareholder Value, if it is to be accepted as a part of the strategic management of business.

The fundamental nature of risk is controlled by 2 basic laws of physics, the 2nd law of thermodynamics and Chaos theory. When looked at in relation to risk, they give a better understanding of the nature of uncertainty. Under the 2nd law of thermodynamics everything deteriorates over time, whether it be rust, wear, or old age. Due to tiny variations in the surrounding environment, or to interaction with other things, the rate and effect of that deterioration cannot be predicted. Since the time of the dinosaurs, man has tried to manage this by protecting himself from the deterioration or by handling its fallout.

As history has shown on numerous occasions, progress does not come from policies of isolationism and appeasement but from taking the initiative and changing the environment to which we are subject, to the chagrin of environmentalists. From the uncertainty of hunter-gatherers to the more consistent food source of domesticated cattle and sown cornfields, man has only effectively mitigated risk by taking proactive action on the cause of the risk, not by measuring and controlling its impact.

Current risk practices are firmly focused on the reactive methods of risk management. This is best highlighted by one of the latest “best practice” innovations in risk, the Risk Burndown, or Waterfall chart, popular in those doyens of risk management, IT Project Management. Its proponents imply that by measuring and reporting the “estimated” probability on the “estimated” work left in the project, compared with the original “estimated” project completion rate, they have managed the project risk. With a track record of 40% failure in IT Projects and 70% failure in Business Intelligence (BI) projects, senior management needs to start taking a serious look at involving competent risk management in IT Project Management if they want to stop “Burning” cash.

I used IT Project Management to highlight the current reactive nature of risk management, but it is by no means just an IT issue. In general terms, it is referred to as managing Risk Exposure. Unfortunately, measuring and reporting the Risk Exposure will not alter its likelihood. Nor will Disaster Planning strategies, increasing leverage ratios, or capital reserves.

We need to change the focus to affecting the influences and drivers that are the causes of risks. The real “best practice” in Risk Management is known as Environmental Scanning. This is the practice of continually monitoring Key Risk Indicators (KRI) attached to externally (and internally) facing influences and drivers that can affect the risks in an organisation. With the 21st century technologies available today, such as Big Data, Social Media, RSS (automatic subscription feeds), and predictive technologies, Environmental Scanning is not only possible but should be your first line of defence. It not only introduces Proactive Risk Management but also Opportunity Management, through its ability to identify positive as well as negative trends, and thereby raises Risk Management to a Value-Adding business strategy.

Environmental Scanning is not a standalone answer to effective risk management: you will also need to change your current siloed risk profiles to integrated risk profiles (as in the Fast Track Neural network) and step up from the 4x4 Risk Matrix to something like Bayesian mathematics to calculate risk.
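As an added illustration (not code from the original post, its author, or the Fast Track product) of what stepping from a 4x4 matrix cell to a Bayesian calculation driven by KRIs means in practice, the indicator names and hit/false-alarm rates below are constructed sample values:

```python
# Added illustration, not from the original post or the Fast Track product:
# update a risk's likelihood from observed Key Risk Indicators (KRIs) with
# Bayes' rule, then show which 4x4-matrix band the result would land in.
# All KRI names and rates are constructed sample values.

# Each constructed KRI: how often it fires when the risk event is coming
# ("hit") versus when it is not ("false_alarm"), i.e. a calibrated signal
# from an environmental-scanning feed (supplier data, patch reports, HR data).
KRIS = {
    "key_supplier_missed_two_deliveries": {"hit": 0.70, "false_alarm": 0.10},
    "critical_patch_backlog_over_30_days": {"hit": 0.60, "false_alarm": 0.20},
    "staff_turnover_spike": {"hit": 0.40, "false_alarm": 0.15},
}


def bayesian_likelihood(prior, observations):
    """Posterior P(risk event) after observing which KRIs fired (True/False).

    Assumes the indicators are conditionally independent given the event,
    so their likelihoods multiply. With no observations the prior is returned.
    """
    p_obs_given_event = 1.0
    p_obs_given_no_event = 1.0
    for name, fired in observations.items():
        kri = KRIS[name]
        p_obs_given_event *= kri["hit"] if fired else 1 - kri["hit"]
        p_obs_given_no_event *= kri["false_alarm"] if fired else 1 - kri["false_alarm"]
    evidence = prior * p_obs_given_event + (1 - prior) * p_obs_given_no_event
    return prior * p_obs_given_event / evidence


def matrix_band(likelihood):
    """Map a probability onto the four likelihood bands of a 4x4 matrix."""
    bands = ["Rare", "Unlikely", "Likely", "Almost certain"]
    return bands[min(3, int(likelihood * 4))]


if __name__ == "__main__":
    prior = 0.10  # last quarter's reviewed likelihood of "supply disruption"
    observed = {
        "key_supplier_missed_two_deliveries": True,
        "critical_patch_backlog_over_30_days": True,
        "staff_turnover_spike": False,
    }
    posterior = bayesian_likelihood(prior, observed)
    print(f"prior {prior:.2f} ({matrix_band(prior)}) -> "
          f"posterior {posterior:.2f} ({matrix_band(posterior)})")
```

The static matrix cell stays at "Rare" until someone re-scores it at the next review; the scanned indicators move the calculated likelihood to "Likely" as soon as the feeds report the change.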

If you are interested in reading more on the subject, Google: Environmental Scanning, Scenario Analysis, and Bayesian mathematics, or get hold of my book “Mastering 21st Century Enterprise Risk Management”, or watch my webinar series (link below) on Mastering 21st Century Enterprise Risk Management. Also have a look at our fact sheet on the Fast Track Enterprise Risk Management product.


Tags: risk management, shareholder value, project management, risk identification