Friday, December 16, 2011

The role of the business case in risk management

Well-conceived and thoroughly researched business cases can play a pivotal role in improving the quality of organizational decision-making. The business case does not, however, stand by itself as a risk management tool. It is simply one part of a toolbox for analyzing and making decisions about proposed risk treatments.

Whatever risk treatment you’re considering, and whatever means you used to identify it, the business case is designed to determine and enunciate the value of that treatment. In Figure 1, we’ve used the ISO31000:2009 Risk Management Standard process to illustrate the role of the business case. Quite simply, it supports analysis, selection and implementation of risk treatments.
Figure 1: The Role of Business Cases in the context of ISO31000 Risk Management Process
At the risk of stating the obvious, let's go back to basics for a moment. Any proposed risk treatment should relate directly to a specific risk or risks. For example, if risk number one in your risk register is “Failure to deliver organizational outcomes within budget due to inadequate financial reporting”, you might end up with a range of risk treatments, each of which will have different merits. It’s worth pointing out at this stage that ‘risk’ includes both opportunities and threats (benefits and costs). Accordingly, you might also choose to rephrase the above risk as an opportunity, such as “Increased profitability due to cost reductions resulting from improved financial reporting”.

Irrespective of how you phrase this risk, let's say that in our hypothetical example you have identified two main treatments to address it. You’ll note from the examples in Table 1 that we’ve included a reference to which risk(s) each treatment addresses.

Table 1: Example of Risk Treatment Plan
In this hypothetical treatment plan (Table 1) each treatment has a reference to the risks it addresses. Risk Treatments 1 and 2 primarily address risk number 1, but they also contribute to reducing risks 5 and 8. It’s not important what risks 5 and 8 actually are (it’s a hypothetical example, remember). Risk number 8 may in fact be addressed primarily by Treatment 4 and potentially also be improved by Treatments 1 and 11. It’s a complicated scenario, but it’s worth remembering, when you are defining the benefits of Treatment 1, that you should consider its impact on risks 5 and 8. You never know: it could be the indirect benefits of your proposed risk treatment that sway the decision makers in favor of supporting it. Add in ALL the intangible and indirect benefits. They all count.

Thursday, December 15, 2011

The Evolution of Risk Management...

It is sometimes tempting to respond to a risk or an incident with a knee-jerk response, throwing time, money and effort at a quick fix. That’s entirely understandable, given that our risk management decision-making evolved from a fight or flight response. As Daniel Kahneman says in his latest book, "Thinking, Fast and Slow", we have two risk management decision-making processes. Our ancient limbic brain is largely unconscious and makes rapid decisions based on memory and emotions. Our more recently developed mammalian brain (neocortex) has the capacity for detailed analysis, abstract thought and logical inquiry. Unfortunately our logical brain is easily distracted, painfully slow and hard to engage, while our limbic brain is (in today's modern world) wrong as often as it is right.

So, as it turns out, despite millions of years of evolution, we still make the majority of our risk management decisions in the emotional center of our brains. This was fine when we lived in small Paleolithic communities, but the complexity of the modern world means we need better approaches to decision making. Fortunately, we do have the capacity for analysis, and with hundreds of years of research in science, finance and engineering, to name but a few, we have a pool of knowledge to draw on.

Until recently, when the ISO31000 Risk Management Standard defined risk as “the effect of uncertainty on objectives”, risk management focused on negative risks. In this view, risk was bad and had to be avoided, mitigated or transferred to another party through outsourcing or purchasing insurance. This led to risks being addressed as separate compliance issues rather than being integrated or managed broadly across the organization. Only comparatively recently has the role of Chief Risk Officer been created, with the main focus (as it needs to be) on business integration, enterprise risk management and value creation.

Effective implementation of risk management in organizations and projects is not common. Organizations that have tried to integrate risk management into their business processes have reported differing degrees of success, and some have given up the attempt without achieving the potential benefits. Aligning risk management with standard management systems, including financial systems, workplace health and safety (WHS) and human resources, is a key element of success in this area. Existing platforms such as ISO9000 Quality Management and Balanced Scorecards also help to demonstrate alignment with the business and are a key element of the process.

Linking business management to strategic risk management means setting up the corporate "infrastructure" for risk management. The evolving risk management function is designed to enhance understanding and communication of risk issues internally, to provide clear direction and to demonstrate senior management support. To be effective, this risk management framework needs to be aligned with the organization’s overall objectives, corporate focus, strategic direction, operating practices and internal culture. Additionally, in order to ensure risk management is a consideration in priority setting and budget allocation, it needs to be integrated within existing governance and decision-making structures at the operational and strategic levels.