Musings by the Tao Of Risk

Organizational Culture and Risk Management

When you are standing in front of the mirror preparing for the day, how many people think to themselves "I will do everything I can to save the company 57 cents, including putting customers' lives at risk"? Or how about "I will lie to, deceive, and obstruct anyone who attempts to uncover product faults so our company can save $130 per unit"? As bizarre and unthinkable as it may seem, these two scenarios occurred recently. Check out my RIMS 2016 presentation to learn more about these scenarios and how organizational culture can drive organizations to ignore or cover up risks that cost pennies to treat but can result in billions of dollars in exposure if ignored or left untreated.

Simplicity is the Key to Success

Many organizations and tools tend to complicate risk management by utilizing complex prioritization schemes, algorithms, and procedures. I have found no evidence or studies to indicate that complex prioritization schemes provide more effective risk management capability than simple prioritization schemes or processes. Organizations that focus on simplicity and risk management fundamentals tend to be very successful because they can easily and quickly adapt to changing market conditions. The ability to quickly adapt to changing market conditions is clearly a critical success factor in our current global economy. The epic rise and fall of BlackBerry is a striking example of what happens when an organization does not recognize and adapt to rapidly changing industry trends.

Disciplined Execution

A disciplined process with emphasis on simplicity and flexibility yields a highly effective process that is dynamic and can quickly adapt to changing market conditions. An effective risk management program includes both a strategic and a tactical component. The strategic component of risk management begins with a set of risk management principles: management acknowledgement and support, recognition that risk management is an inexact science, and recognition that, precisely because it is an inexact science, the risk management process must be disciplined and systematic in order to yield significant value to the organization. A disciplined and systematic risk management program facilitates continual improvement and creates true value for the organization. It also helps avoid overspending on risk management. It doesn't make sense to spend $100,000 to treat a risk with a $20,000 impact. A disciplined risk management approach will quickly identify cases where the cost to treat a risk exceeds the cost of the impact and can divert the remaining effort to higher priority risks.

Risk Scenarios

A risk scenario is an analysis technique consisting of five components that help people visualize and understand risks. The five components of a risk scenario are: actor, threat type, risk event, assets or resources, and time. The actor is who or what generates the risk. Actors can include internal staff, competitors, regulators, nature, and the market. Threat type describes the nature of the threat and can include malicious events, accidental events, natural disasters, equipment or process failures, and external requirements. Note that actor and threat type are independent: the same internal staff member can be the actor in a malicious scenario and in an accidental one, and the two usually call for different treatments. The event is what causes project or organizational objectives to be impacted. Events can include disclosure (e.g. of confidential information), interruption (of services or production capability), theft, destruction, ineffective design, ineffective execution of processes, compliance or regulatory changes, and inappropriate use. Assets or resources are objects of value that can be affected by the event and lead to impact on project or organizational objectives. Assets and resources include the organization, personnel, process assets, infrastructure (e.g. facilities, networks, equipment, communications), and information. There are two dimensions to the time component: the duration of the event and the timing of when the event occurs.
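To make the five-component scenario concrete, and to show the "do not spend more to treat a risk than the risk can cost" rule from the Disciplined Execution section applied to it, here is a small Python risk register. This is an added example written for this page, not code from the original post; the specific scenarios, dollar figures, the `asset` free-text field, and the `duration_hours`/`timing` representation of the time component are assumptions constructed for illustration.

```python
"""Added example: a minimal risk register built on the five-component
risk scenario (actor, threat type, event, asset/resource, time) with the
simple prioritization rule from the post: accept any risk whose treatment
costs more than its impact, then treat the rest highest-impact first.
All scenarios and figures below are constructed, not real data."""

from dataclasses import dataclass

# Component vocabularies taken from the post's own lists.
ACTORS = {"internal staff", "competitor", "regulator", "nature", "market"}
THREAT_TYPES = {"malicious", "accidental", "natural disaster",
                "equipment or process failure", "external requirement"}
EVENTS = {"disclosure", "interruption", "theft", "destruction",
          "ineffective design", "ineffective execution",
          "compliance or regulatory change", "inappropriate use"}
ASSET_CLASSES = {"organization", "personnel", "process asset",
                 "infrastructure", "information"}


@dataclass(frozen=True)
class RiskScenario:
    """One risk scenario: who/what, how, what happens, to what, and when."""
    name: str
    actor: str
    threat_type: str
    event: str
    asset_class: str
    asset: str                 # specific asset (assumed field), e.g. "customer database"
    duration_hours: float      # time component: how long the event lasts
    timing: str                # time component: when it occurs (free text)
    impact_usd: float          # estimated cost if the event occurs
    treatment_cost_usd: float  # cost of the proposed treatment

    def __post_init__(self):
        # A scenario that does not fit the vocabulary cannot be compared
        # with the others, so reject it up front.
        for field, allowed in (("actor", ACTORS), ("threat_type", THREAT_TYPES),
                               ("event", EVENTS), ("asset_class", ASSET_CLASSES)):
            value = getattr(self, field)
            if value not in allowed:
                raise ValueError(f"{field}={value!r} is not one of {sorted(allowed)}")

    def describe(self) -> str:
        return (f"{self.actor} / {self.threat_type} / {self.event} of "
                f"{self.asset} ({self.asset_class}) for {self.duration_hours}h, "
                f"{self.timing}")


def is_valid_scenario(**fields) -> bool:
    """True if the fields form a scenario in the five-component vocabulary."""
    try:
        RiskScenario(**fields)
        return True
    except ValueError:
        return False


def prioritize(register):
    """Split a register into (treat, accept), each ordered by impact.

    A risk goes to `accept` when treating it costs more than its impact
    (the $100,000 treatment for a $20,000 impact case in the post).
    """
    treat = [r for r in register if r.treatment_cost_usd <= r.impact_usd]
    accept = [r for r in register if r.treatment_cost_usd > r.impact_usd]
    key = lambda r: r.impact_usd
    return (sorted(treat, key=key, reverse=True),
            sorted(accept, key=key, reverse=True))


# Constructed sample register.
REGISTER = [
    RiskScenario("insider leak", "internal staff", "malicious", "disclosure",
                 "information", "customer database", 1.0, "any time",
                 impact_usd=2_000_000, treatment_cost_usd=60_000),
    RiskScenario("storm outage", "nature", "natural disaster", "interruption",
                 "infrastructure", "primary data centre", 48.0, "hurricane season",
                 impact_usd=400_000, treatment_cost_usd=150_000),
    RiskScenario("gold-plated control", "internal staff", "accidental",
                 "ineffective execution", "process asset", "expense approval",
                 8.0, "month end", impact_usd=20_000, treatment_cost_usd=100_000),
]

if __name__ == "__main__":
    treat, accept = prioritize(REGISTER)
    for label, group in (("TREAT", treat), ("ACCEPT", accept)):
        for r in group:
            print(f"{label:6} {r.name:20} impact=${r.impact_usd:,.0f} "
                  f"treat=${r.treatment_cost_usd:,.0f}  {r.describe()}")
```

The register deliberately has no weighting or scoring beyond impact versus treatment cost; that is the point of the post's simplicity argument. Adding likelihood or other dimensions is a later refinement, and the vocabulary check keeps every entry expressed in the same five terms so that the comparison stays meaningful.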