Everywhere I’ve been, risk management is broken into discrete units and managed individually, ostensibly due to its complexity, on the assumption that what they already have is enough. Even Enterprise Architecture Frameworks skip over how Risk Management is to be engaged and offer little to no support in understanding the holistic picture.
Despite the argument of organisations that they don’t believe enterprise risk management (ERM) is necessary, or that the existing static, compliance-based tools or techniques they employ are sufficient, there is a place for ERM. Assuming that the nature of the business will stay the same, and that what exists is as good as it gets, is an arrogant disregard for the fact that environments change. There will always be a requirement to navigate risk in business, as to avoid risk is to avoid success.
- How do you navigate risk in your business?
- Do you use a spreadsheet compiled from compliance questions?
- How about a pre-canned register provided by a consulting company?
- Is risk management handled at a project or programme level without higher level visibility within the organisation?
- Is there a single, unified view of risk management?
To disregard risks that may destroy value is to risk destroying the business; this is what static, disaggregated risk management techniques can cause. ERM, that is, looking holistically at the organisation, provides a structured and disciplined process that aligns strategy, process, people and technology in order to maximise the desired outcomes and minimise the undesirable ones.
A holistic ERM approach allows the identification of various types of risk, providing the necessary visibility to the business. This visibility gives the business the ability to apply a measured and complete approach to the remediation or mitigation of risks, through tools and techniques, as well as to identify emergent risks to the organisation. As an example, a change in one area of the business’ policy due to legislative change may have further implications which, if handled in isolation, would not allow the business to be proactive.
Focusing on a single component of risk, such as looking to insurance as a loss-reduction technique for operational and financial risk, neglects the other risk types (technical, operational, financial, commercial or project-based/time-based) and has the same effect as a siloed business risk management model.