agile risk management

Peadar Duffy of Solux[1] has shared a marketing piece that contains some valuable content, although it is (IMHO) incomplete.

He explains the need for risk management to be agile – with which I totally agree. By the way, I recommend reading pieces by McKinsey on Agile Organizations. To quote their headline,

“New ways of working are needed to survive and thrive in a fast-moving, technology-driven world.”

These excerpts from the Solux piece, Agile Risk Management (ARM): Continuous & Dynamic Decision Support, help us understand the need:

  • …an environment where the speed of disruption across multiple fronts is on the increase demands of organisations that they similarly need a comparable speed in decision making.
  • 21st century levels of uncertainty mean that there is zero chance that decision makers can reasonably expect to consistently plan perfectly and predict the future accurately. For this reason, organisations need to be prepared to fail fast and learn quickly such that scarce resources can be preserved and re-directed to where lessons learned, and continuous improvements increase the chances of success as soon as possible.
  • Organisations clearly need to be more agile than resilient. Put simply resilient football teams don’t win championships as preparing and responding to opposing team tactics is a defensive play. It is akin to asking players to run onto the pitch with a given number of set-pieces in mind. Alternatively, anticipating opposing team tactics, being agile and bouncing forward ahead of less responsive players is what wins games. Agile players run onto the pitch with a game plan in their minds, thinking of winning with set pieces and rules of the game so embedded in their state of being that it is instinctive.

Let me put this in my words:

  1. The world in which we live and work is not only massively disruptive but the speed and volatility of change are increasing.
  2. Decisions need to be made at speed if organizations (and people) are to both seize opportunities and navigate risks.
  3. Those decisions are dependent on reliable, timely, and current actionable information about what might happen.
  4. That information is derived, at least in part, from risk management activities.
  5. Those activities, risk management, need to function at the speed of change – the speed of risk and the speed of the business.
  6. Risk management also needs to adapt and change to meet the needs of a changing business and environment.

Hence, there is a need for agile risk management.

Peadar explains the relationships between the Purpose or Mission statement, objectives, and the taking of risk. After all, it is supposed to be ‘risk to objectives’, not risk for its own sake.

  • Purpose is determined by stakeholders. Founders, shareholders, boards and their management teams determine core purpose given the needs of customers, society and employees as well as the partners, suppliers and most significantly those statutes and regulations which organisations need to observe. Thereafter corporate objectives, business and operating models required to deliver corporate purpose are selected as appropriate.
  • Purpose to risk management is what true north is to navigation. Why? A risk is simply a thing which can stop you or slow you down on your journey to a given objective. For a given business objective some risks are worth taking, and some are not. The process of deciding what to do is called managing risk and this is what business managers do every day. On the journey from point A to point B you just need to know when to speed up, when to slow down, or when you should stop and plan another route altogether.
  • Clearly when decision makers know why their organisation exists/what it is there to achieve, they are better equipped to do the right thing (making a decision) in the right way (process) as the organisation moves forward.

This is all excellent.

The next step, not addressed in his article, is weighing the pros and cons (the positive and negative effects) to see whether it is right to take a risk or not.

To repeat a quote:

“For a given business objective some risks are worth taking, and some are not. The process of deciding what to do is called managing risk and this is what business managers do every day. On the journey from point A to point B you just need to know when to speed up, when to slow down, or when you should stop and plan another route altogether.”

How do you know whether to speed up (take the risk), slow down (minimize a risk), or even stop if you don’t understand all the things that might happen? You have to be able to assess and evaluate both the good and the bad so what you put on each side of the scale is in fact comparable.

I will continue to share and write about this (especially when I announce my new book).

I welcome your thoughts.


[1] It has not affected my writing, but I have an emerging business relationship with Peadar. He is one of the reviewers of my upcoming book.

Norman D. Marks, CPA, CRMA

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
