Systemic Risk Analysis

Systemic Risk Analysis

A systemic approach to risk management is necessary in order to deal with complex, intangible, interrelated risks that otherwise would be treated one-by-one.  Systemic risk work requires capable tools and techniques for finding, representing and analysing such risks.  It also requires an approach to understanding and learning from relationships and patterns between risks, so that risk management effort can be prioritised as a whole.

Systemic Risk Analysis is an action learning approach for finding, understanding and responding to complex, interrelated organisational risks.  It seeks to achieve an optimised whole outcome that is sustainable and evidence based.  It works on all risks at once, rather than one risk at a time.



As shown at the left hand side of the diagram, systemic risk analysis involves four key activities.  These are shown as steps 1-4:

1.  Design.  The first step is to design and plan the risk analysis process, including how data will be collected and recorded.

2(a). Gather Risk Data. Gathering risk data is best carried out through purpose-designed risk workshops and interviews.  The data required for analysis of systemic risks is likely to consist almost entirely of subjective, opinion based data.

2(b). Develop Risk Propositions.  As data is gathered, possible risks will begin to be visible either directly from comments made by individuals, or as a result of later review and reflection.  Each risk proposition should be noted, and tested during the collection of later risk data.
3(a). Collate Risk Data. In its raw form, information relating to multiple organisational risks will be highly intermingled.  To collate the risk data, every statement or idea in the raw data is reviewed, and is linked with one or more of the risk propositions that have been identified.
3(b). Map and Verify Individual Risks.  Each risk in the collated risk data is mapped, using the information collected.  In many cases, as the risk map is created it will prompt the use of additional risk information from the original raw data, and it is also likely to prompt further questions for stakeholders.  Every element on each finished risk map should be traceable back to the collated risk data.
4.  Systemic Analysis of the Total Set of Data.   Once all of the identified risks have been mapped and risk treatments identified (Step 7), it is possible to carry out a deeper level of risk analysis.  For example, a Risk Treatments Pattern Analysis will indicate systemic sources of internally generated risks.  A Risks Relationships Matrix can be used to understand which risks drive other risks, and therefore where the treatment priorities should best lie.

In order to achieve these outcomes, it is necessary to carry out the additional activities shown in the centre of the diagram.  They are Steps 5 -11 in the process of systemic risk analysis:
5. Identify and Deal with Sensitive or Urgent Issues.  At times sensitive issues or risks will be identified. If an issue or risk is sensitive or urgent, it may not be appropriate simply to include it in the risk mapping process. Instead, there is an obligation to identify where and how to pass the information on so that it can be managed effectively.
6. Policy and Practice on the Management of Sensitive Issues.  Every organisation should have specific policies and practices for the management of sensitive issues or risks.
7. Identify and Map Risk Treatments.  Once each risk has been mapped, it is possible to review that risk map as a whole, and to consider how to treat the risk (if at all).  Treatments are shown on the map, which then becomes a point of reference for managing the risk over time.

The four steps above are the major elements of systemic risk analysis.  However risk analysis is not an end in itself.  The aim is to achieve the outcomes and outputs on the right hand side of the diagram.

8. Link to Business and Risk Systems.  As risks are mapped and treatments are identified it is necessary to ensure that this work is embedded appropriately with business processes for decision making.
9. Build Whole-of-System Risk Maps.  The simplest whole-of-system risk map is a Risk Relationships Map, where every major risk proposition is placed on one risk map to show how they relate to each other.   However there are other forms of whole-of-system risk maps, such as a Strategic Risk Culture Map.
10. Prioritise Systemic Interventions. Senior leaders, armed with the insights created during Steps 3 – 9, are able to see beyond superficial risk relationships to deal with underlying root causes. They are also able to decide which risks to focus their effort on for best overall impact.
11. Work on Root Causes. Systemic Risk Analysis enables leaders to work on organisational risk causes from a strategic capability building perspective.  This means working to improve or adapt systems, structures, policies, behaviours and culture so that existing and future risks will be better managed.