Systemic risk management frameworks

 

Taking a systemic approach to risk management, it is immediately apparent that risks are created and managed through the decisions taken by leaders and staff. Every time a decision is taken it causes one or more risks to change – except in the case where the decision is to change nothing. An example serves to illustrate the powerful impact of even the most straightforward decision.

Example. A decision is taken to send a junior manager on a training course to improve their project management skills. This decision will reduce the risk of the manager’s new project failing. However the manager will be away for two weeks, during which time the other work they are doing will be at increased risk of disjoints or delays. The training course is expensive, and adds to the risk that the organisation will over-run its budget. The project manager is a high performer. With the extra training, is there an increased risk that he will be head-hunted? The decision has reduced some risks and increased others.

Risk management is therefore less about risk processes than it is about the quality of decision making. Where specific risk management activities occur, these should always be within (embedded in) a framework of effective business decision making.  Expanding this thinking one step further, risk management work is simply one aspect of good governance,and of ‘business as usual’.

diagram08

The above diagram represents a simple view of governance. Decisions are made and records are kept. This is within a larger framework of business planning and performance review, in turn linked to reporting and monitoring systems. Included in these systems are essential governance control loops such as audit and review.

Although not shown in the diagram, there would also be external links such as formal requirements to report performance or to be subject to external audit. The ‘below the green line’ drivers of behaviour are also not shown, but do need to be a constant part of all elements of decision making and governance. If governance as a whole works well, the organisation will be aware, responsive and resilient.

Even though the management of risk is shown as embedded in core business systems and processes, it is clear that at times leaders need to turn their mind specifically to identifying, analysing and responding to both risks and opportunities. To show this, we need to expand the diagram to include three additional elements. The first is the work of leaders in building risk management capability. The second is the formal risk management work such as risk identification and analysis. Finally it is necessary to include systemic analysis, in order to understand the root causes of strategic and systemic risk, and to provide the insights needed for focused internal capability development. These three elements are shown in the modified diagram below.

diagram02

 

Carrying out Systemic Risk Analysis as a systemic health check serves two important governance functions:

  • It tests the effectiveness of risk management activities from first principles. If there are weaknesses in the system of governance, this will be identified and can be rectified as part of ongoing organisational development (OD) work. Systemic Risk Analysis is a powerful tool for driving ongoing organisational development.
  • It identifies complex underlying (systemic) risks and their root causes, and provides new insight into how to best manage risk holistically. It also tends to identify sensitive risks that are not easily documented in formal systems. In this way, Systemic Risk Analysis can be used to significantly lift the quality of risk management effort.

The figure above is a useful model or framework for an holistic approach to the management of risk in organisations. Although it includes risk management processes, these are themselves significantly more complete and effective than the approach described in ISO 31000. The framework as a whole provides leaders with a useful way to discuss the nature of risk management work and how this work is done in their organisation.

From a systems thinking perspective it is clear that it is not possible to develop an effective ‘template’ or one size fits all risk management framework.  Such templates, like those often developed from traditional risk management standards, inevitably over-simplify the contextual complexity every organisation faces.  This problem is typified by software solutions, which are seductive but which people often experience as bureaucratic and ineffective.  Likewise, Enterprise Risk Management (ERM) approaches seem to offer a single, integrated, whole approach, but unless they operate from a systemic perspective they have the same weaknesses as all process-based approaches.  They are not truly holistic, nor do they deal with the complex, intangible risks that are the root causes of most organisational failures.   This illustrates that just because a risk management framework seems well organised and ‘complete’, this does not mean that it is effective.

It is much more powerful to take a systemic risk management concept such as that described above, and to develop a tailored risk management framework that meets the specific needs of the organisation and its context.  This is not a long or difficult process, but it does require that leaders are willing to invest in designing their organisation from first principles, rather than just applying ‘templates’ based on old assumptions.