Agile Risk Management
Peadar Duffy of Solux[1] has shared a marketing piece that contains some valuable content, although it is (IMHO) incomplete.
He explains the need for risk management to be agile – with which I totally agree. By the way, I recommend reading pieces by McKinsey on Agile Organizations. To quote their headline,
“New ways of working are needed to survive and thrive in a fast-moving, technology-driven world.”
These excerpts from the Solux piece, Agile Risk Management (ARM): Continuous & Dynamic Decision Support, help us understand the need:
- …an environment where the speed of disruption across multiple fronts is on the increase demands of organisations that they similarly need a comparable speed in decision making.
- 21st century levels of uncertainty mean that there is zero chance that decision makers can reasonably expect to consistently plan perfectly and predict the future accurately. For this reason, organisations need to be prepared to fail fast and learn quickly such that scarce resources can be preserved and re-directed to where lessons learned, and continuous improvements increase the chances of success as soon as possible.
- Organisations clearly need to be more agile than resilient. Put simply resilient football teams don’t win championships as preparing and responding to opposing team tactics is a defensive play. It is akin to asking players to run onto the pitch with a given number of set-pieces in mind. Alternatively, anticipating opposing team tactics, being agile and bouncing forward ahead of less responsive players is what wins games. Agile players run onto the pitch with a game plan in their minds, thinking of winning with set pieces and rules of the game so embedded in their state of being that it is instinctive.
Let me put this in my words:
- The world in which we live and work is not only massively disruptive but the speed and volatility of change are increasing.
- Decisions need to be made at speed if organizations (and people) are to both seize opportunities and navigate risks.
- Those decisions are dependent on reliable, timely, and current actionable information about what might happen.
- That information is derived, at least in part, from risk management activities.
- Those activities, risk management, need to function at the speed of change – the speed of risk and the speed of the business.
- Risk management also needs to adapt and change to meet the needs of a changing business and environment.
Hence, there is a need for agile risk management.
Peadar explains the relationships between the Purpose or Mission statement, objectives, and the taking of risk. After all, it is supposed to be ‘risk to objectives, not risk for its own sake.
- Purpose is determined by stakeholders. Founders, shareholders, boards and their management teams determine core purpose given the needs of customers, society and employees as well as the partners, suppliers and most significantly those statutes and regulations which organisations need to observe. Thereafter corporate objectives, business and operating models required to deliver corporate purpose are selected as appropriate.
- Purpose to risk management is what true north is to navigation. Why? A risk is simply a thing which can stop you or slow you down on your journey to a given objective. For a given business objective some risks are worth taking, and some are not. The process of deciding what to do is called managing risk and this is what business managers do every day. On the journey from point A to point B you just need to know when to speed up, when to slow down, or when you should stop and plan another route altogether.
- Clearly when decision makers know why their organisation exists/what it is there to achieve, they are better equipped to do the right thing (making a decision) in the right way (process) as the organisation moves forward.
This is all excellent.
The next step, not addressed in his article, is weighing the pros and cons (the positive and negative effects) to see whether it is right to take a risk or not.
To repeat a quote:
For a given business objective some risks are worth taking, and some are not. The process of deciding what to do is called managing risk and this is what business managers do every day. On the journey from point A to point B you just need to know when to speed up, when to slow down, or when you should stop and plan another route altogether.
How do you know whether to speed up (take the risk), slow down (minimize a risk), or even stop if you don’t understand all the things that might happen? You have to be able to assess and evaluate both the good and the bad so what you put on each side of the scale is in fact comparable.
I will continue to share and write about this (especially when I announce my new book).
I welcome your thoughts.
[1] It has not affected my writing, but I have an emerging business relationship with Peadar. He is one of the reviewers of my upcoming book.
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
Peadar makes some interesting observations, and the relationships between organisational agility, adaptive capacity and resilience are key elements in dealing with high levels of uncertainty. Traditional risk management is not particularly effective in dealing with low indicators, context volatity and ambiguity of information, all contributing to high uncertainty and a limited ability to assess possible consequence.
Bringing together these issues, and gaining clarity on concepts associated with risk, is the next challenge for ISO and the 31000 standard.
Agree, except that I think the greatest challenge is advising people on how to weigh the positive and negative effects of uncertainty.
I agree with you that Peadar’s observations are on the mark – as far as they go. I understand and agree with your remarks. However, your comment, “You have to be able to assess and evaluate both the good and the bad so what you put on each side of the scale is in fact comparable” does not fully cover the issue as any risk has to be measured in a dynamic manner. The good and bad of a risk cannot be judged in a vacuum. For example, a risk that is judged to be less than desirable when reviewing that specific exposure might be the best of all alternatives when action is required. This is why proactive risk and exposure analysis is a must.
Thanks, Norman. I echo many of these thoughts on the need for business agility and supporting risk management agility in my new book “A risk management book unlike all the others”. The nature of the book is intended to help bridging between risk specialists and non-risk specialists for agility and other purposes. For those who would like to check it out, the link to the US Amazon/Kindle store is https://www.amazon.com/dp/B08L3N9YFG
Its true that organization should respond to emerging symptoms of any risks with agility and capability. I am of the view that more than resilience the agility, in terms of building capability to apprehend the risks, decision on its mitigation and handling, is more important. In current world of technology dominance in every sphere of business activities, developing and upskilling of operational management and stakeholders is very important to handle unpredicted risks also. The emergence of unpredictive risks is more likely in a competitive scenario. Risks are perceived in a given scenario and with predefined assumptions and accordingly mitigation plans are defined and documented. However if any organisation has not built its capability in updating the scenario, review assumptions and reassess the risks and related mitigation plans, it will be ill prepared for any risks emerging over a period of time.