The COVID-19 pandemic has posed unprecedented challenges to businesses across all sectors and throughout the world. Risk management systems and contingency measures have been put to the test, and as is so often seen in moments of crisis, many have been found wanting. The result? A real need now exists to determine what is meant by business resilience and how to apply it to organizations’ different operating models.
To the casual observer, all this prompts the question, “Why?” Key industry events in the early 21st century have demonstrated time and again the need for organizational resilience and robust risk management to ensure that companies, as well as public sector and nonprofit organizations, are able to withstand catastrophic events as they arise from time to time. Recent examples include worldwide cyberattacks like the WannaCry and NotPetya attacks in 2017, industrial accidents such as the Fukushima Daiichi nuclear accident in 2011 and the BP Deepwater Horizon oil spill in 2010, and various terrorist attacks and other geopolitical and economic events. Repeatedly, such events strengthen and prove the need for effective risk management. Also repeatedly, many companies declare the merits of their approaches, yet failures in risk management remain commonplace, revealing themselves once again as the pandemic continues. These failures are now prompting senior management to begin questioning the effectiveness of their risk management systems at the same time as they reiterate the need for a more dynamic approach to assessing and monitoring risk, coupled with the ability to create “true” foresight.
There are many factors at play, not least the sheer scale and breadth of impact of COVID-19. However, one major factor is a widespread reliance on historically established approaches to risk management that are not appropriate for the complex, interconnected risks facing 21st-century companies. In short, we cannot overcome the limitations of old methods by simply doing more of the same, since these approaches are characterized by being static in nature, backward-looking, and unable to present information to support the decision-making process.
The current crisis presents an opportunity to examine more closely what is wrong with our approach to risk assessment and associated risk management strategies and to move toward a more resilience-focused, forward-looking approach — what I term proactive risk management. Such an approach will better equip us to anticipate and manage not only the well-known risks of the past but the “known unknowns” that we can identify on the horizon now, which may evolve into future threats. Accomplishing proactive risk management requires a broad-ranging rethink of not only our business process but our attitudes toward risk and encompasses several distinct themes, including:
A wider culture shift within organizations regarding risk, toward a state in which all staff members see risk as part of their job, instead of the exclusive preserve of a dedicated risk function.
Looking forward as well as backward and being proactive as opposed to reactive. This includes recognizing that the future will often not resemble the past and that emerging risks (primarily known unknowns like COVID-19) on the horizon need to be assessed and managed with limited information. This involves reengineering risk management processes to focus on the earliest stages of causation of risk events, which then leads to the identification of appropriate forward-looking/leading indicators, otherwise known as key risk indicators (KRIs). The adoption of these leading indicators provides the basis for creating an analytical, augmented decision support platform that can convert available data into meaningful knowledge and foresight.
Building resilience rather than managing specific risks, which means engineering our businesses to be inherently more robust in the face of threat and uncertainty; we can best achieve this through the effective integration of processes and methodologies that address both prevention and recovery.
Recognition of the difference between complicated environments, where cause and effect are related by intricate but predictable mechanisms, and complex ones, which are inherently unpredictable, and of the reality that many modern business environments are complex rather than complicated.
Avoiding silo thinking, in which different risks are regarded and managed separately, and, further, in which risk management is separate from organizational strategy and performance measurement. In complex environments, the interrelation between risks renders such an approach blind to the realities of the threats it attempts to manage.
Learning from the mistakes and challenges of the past (and of the present crisis) and embedding appropriate changes into processes, as opposed to merely paying lip service and continuing to adopt a similar approach to before.
Embracing new techniques and technologies to enable forward-looking risk capability, including data-driven approaches employing machine learning (ML) and artificial intelligence methods. The use of appropriate KRIs can provide the foundations of developing effective ML algorithms in terms of the type of data we need to better predict different types of risk events. In addition, we can use ML to determine the correlation between different leading indicators, creating a more holistic understanding of how a risk can impact all areas of a business, as well as determining the thresholds that will help drive risk escalation to appropriate levels of management.
Addressing these themes will require the development of approaches that can explore the interactions between different risk areas, such as business, financial, and technical risks. The technological approaches previously mentioned, such as ML, will play a key role in linking predictive tools and models to a reality that is increasingly complex and often impossible to predict or model intuitively, or by using traditional analytical methods. There will also need to be some careful decisions about how much to invest in risk management and whether the apparent “efficiencies” of the past were true efficiencies or merely a failure to invest adequately in resilience while times were good.
In This Issue
In our first article, Cutter Consortium Fellow Bob Charette explores the current state of risk management in a world of repeated failures to adopt the lessons of the past, examining several of the most common ways in which risk management is failing and the reasons why. In his analysis, different areas of risk form a broader “risk ecology,” in which risks interact in complex ways, and isolated analysis and management of each area has the potential to increase risk in unforeseen ways.
Next, Payson Hall further explores the general context of risk management, noting the conflict between efficiency and resilience in organizations employing Lean practices to reduce their costs at the expense of robust risk management. Such approaches may beat the odds in the short term but lead to dangerous exposure when times are hard, as has been observed during the current global pandemic. Hall discusses ways in which a modest investment can provide vital hedging against catastrophe.
In his article, Noah Barsky returns to the Cutter Business Technology Journal (CBTJ) lineup and addresses many of the same ideas and explores some key shifts in mindset that effective risk management will require, such as making risk management the responsibility of all, avoiding silos, looking at issues that are important but not urgent, and building a culture that can ask, “Why?” Barsky focuses on the need to not only connect the dots between different risk areas, but also between risk management and other corporate planning and monitoring activities.
Next, Cutter Consortium Senior Consultant Barry M. O’Reilly makes his second appearance in CBTJ this year and takes us in a more technical direction, introducing the concept of residuality theory and its application to the complex relationships that exist between different risks in the modern business environment. Expanding on the issues of complexity versus complication in the world of enterprise software, O’Reilly shows how the principle of residuality — which can be generalized to other sectors — enables organizations to anticipate the impact of chains of interconnected risks.
Finally, Robin F. Goldsmith discusses the application of proactive risk management techniques in software testing and development. He observes that many of the risks encountered in software, as in other sectors, are in fact largely predictable and explores why businesses still manage to fall foul of them and how the real processes employed in our organizations can differ starkly from how we presume them to be. Goldsmith goes on to discuss how a more proactive approach to risk identification at the early stages of a project often saves time and money later.
Proactive risk management is a broad topic, and these authors approach it from a variety of angles, examining different aspects of the problems faced in the field of risk management today. A common theme of this issue of CBTJ is the need to create an environment that can turn data into information and then into insight, thereby providing the ability to drive business performance through improved risk-based decision making. I hope you will find their articles as interesting and insightful as I have and that they will enable you to develop the right approaches to risk management in your own organizations by managing complexity, looking forward rather than backward, breaking down the barriers between silos, and building a transparent, holistic view of risk.