So why don’t most Enterprise Risk Management system work? Simply, they don’t “manage” risk, they just record it. Manage is a verb not a noun. It is activity not an item. Making a list might be adequate for those who want to check off regulatory compliance, but it’s does not produce a ROI.
The single most important thing is to use your risk collateral as part of day-to-day operational decision making and not let it stagnate in risk registers only being reviewed annually.
Sadly most ERM systems are rooted in Health & Safety risk philosophy which is risk adverse in nature. We all realise that using the WHS “just don’t take risks” mantra for strategically running a business is blatantly wrong in today’s disruptive marketplace. But many still rely on those same systems to manage business risk. Those systems are about identifying risks to be avoided and put a tick in a register (aren’t I a good little boy) to say they comply. They don’t help you accept the risks that are necessary to conduct business nor do they assist you in navigating them.
They don’t manage threats
To manage threats you need to actively monitor risk drivers and influences thru lead and lag KRIs in real time. Reporting systems aren’t much use if they're telling you after the event. By the time it shows up on a heat map it’s not a risk, it’s an incident. Simply moving your risk management from spreadsheets to a cloud risk register does nothing to pursue an active defence against threats.
To create a workable system, you need to take your risk registers, work out what causes those risks to worsen (drivers and influences), and what lead/lag KRI to use to monitor the movement of those drivers and influences. You then need to set up a real-time system for collecting those KRIs and alerting the appropriate people who can act on the threats immediately.
They don’t tell you HOW it will affect Objectives
The common practice of recording what objectives might be affected by a risk does nothing to assist in achieving or optimizing those objectives. The real purpose of risk management is to navigate the myriad of influences on the objective’s outcome as they occur, i.e. it is an interactive real-time activity.
Risk Management’s primary purpose in the strategic and tactical planning phase is to identify the best course to market and thereby optimize resources (time and capital). This requires specifying HOW risks and actions interrelate and compound effect on one another. This highlights two things. For ERM to work it must integrate both risk and actions, and it must know HOW variations in either compound effect.
Once these are in place they can easily be used to monitor progress in achieving objectives. Workflows and Issue reporting become inputs to risk drivers and influences which in turn automatically update risks. With a real-time aggregation of risks (roll-up), alerts can be sent to interested parties when the risk threshold of any objective is threatened.
They don’t improve the quality of decision making
By definition complex systems (the business world) are chaotic (see Chaos Theory), where small variations alter outcomes, like the weather and the winner of the Melbourne Cup. But risk management was never about predicting the future. It’s about providing advice on the effects of possible decision outcomes and being prepare for any adverse effects.
But here’s the real rub. For ERM to be useful it has to employ Predictive Analytics and machine intelligence. In my defence, Predictive Analytics doesn’t actually predict the future, it just highlights obscure facts. It provides true decision making collateral on possible opportunities and threats in any scenario, from which “informed decisions” can be made, instead of “gut feel” guesses. It helps mitigate decision bias and raise ramifications sometimes overlooked in the heat of a problem.
Obviously many ERM systems have numerous other failing, such as a single hierarchy for aggregating or “rolling-up” risks (wouldn’t it be nice if the world was that simple), and not including Incident Management in ERM to create a closed feedback loop, which drives evolution and effectiveness. But the single most important thing is to use your risk collateral as part of the day-to-day operational decision making and not to just let it stagnate in risk registers being reviewed annually.
Fast Track markets a comprehensive suite of ERM and GRC software, both On Premise or in the Cloud that provides true effective ERM through our unique Neural Network architecture. You can find out more at www.fasttrack365.com website.
Related articles you may be interested in:
- Why Aggregate Risk in an Enterprise Risk Management (ERM) System
- Pro-Active vs Re-Active Risk Management
- How to Identify Corporate Risks in ERM
- Resilience - The Evolution of Risk Management
- Chaos Theory & C-Level Disillusionment with Risk Management
- Where to start your Enterprise Risk Management (ERM) system
|Risk Management Data Sheet
How Fast Track provides truly proactive ERM
FastTrack 3min ERM Demo
|FastTrack Product Guide
Technical specifications, pricing, and more.