I have put all my intelligence and effort into some beautifully crafted risk assessments over my years as a practitioner and I've been consistently amazed and a little disappointed when senior managers weren't all that interested. It just didn't make sense - until I became a CEO myself.
As a risk manager and consultant for many decades, I have built risk frameworks, conducted risk assessments, written books, and articles, and delivered training on five continents.
An epiphany came when I was CEO of a $30 million IT systems integrator and later the divisional manager of a $350 million ASX-listed company. As a CEO, I didn't care about the details of the risk management framework anymore. Not really. And definitely not how many rows and columns were in the risk matrix.
As CEO, I wanted to know that our risk management was effective, but objectives were the details I focussed on.
A lot has been written about "risk management for executives" including endless platitudes such as "A key task of the leadership team is understanding the impact of technology on strategies, business models, operations, security, culture, and reputation—and aligning risk strategy accordingly. " or "Some risks arise from events outside the company and are beyond its influence or control.
If you're a senior executive or company director, you probably don't need to be told any of this. But there are some practical rules of thumb. SMART objectives and SWOT analysis in business plans, for example, are helpful shortcuts. Similar things exist in risk management. Just not as widely known.
Risk Statements - CASE
A constant issue in risk management is agreeing on how to treat risks because the risk isn't defined. I have seen complex risk assessments by international organizations that listed risks such as "terrorism," "climate change ", and "compromise of sensitive information. " These are not risks.
A risk statement needs at least four elements before you can analyze and treat it.
Consequence – What is the likely impact of this risk on our objectives?
Asset – What asset(s) are actually at risk?
Source – What hazards or threats create the risk?
Event – What type of incident are we concerned about?
And it doesn't have to be complicated. One sentence will do.
EXAMPLE: Financial loss (Consequence) due to spearphishing (Event) by competitors (Source) results in reduced profits (Asset).
Changing any one of those four elements will change the risk. And the risk treatments.
Rule of thumb: Read the first three risk treatments. If you can't see at least the essence of all four elements in the first three risks, you probably won't find quality work in the rest of the document either.
Risk Treatments - 4As and a B
Risk treatments aren't complicated. There are many processes for developing risk treatments, and the eight-step facilitated workshop is one very effective way. But for you, the busy executive, here is a scale that you can measure recommended risk treatments in seconds.
Four As
Every risk in the risk register should specify at least one risk treatment, even if the treatment is to accept the risk. And every risk treatment should have at least four elements:
Appropriate - Does it address the root cause identified in the risk?
Actionable - Can you see the specific timeframes, actions, resources, and accountable person to tell you how to implement the treatment/recommendation?
Achievable - What are the criteria, individual judgment, or milestones by which you will know that the recommendation has been actioned and is now complete?
Agreed - Who were the relevant stakeholders who were consulted, and do they support this recommendation?
EXAMPLE: After consultation with the Head of HR and Chief Security Officer (AGREED), the team recommends that external contractors selected by the CSO will update all servers to the current software version (ACHIEVABLE) within seven days (ACTIONABLE) and that the additional full-time staff be recruited by HR (APPROPRIATE) to commence within 30 days.
B for Budget
Every recommended risk treatment should specify the resourcing requirement. If it's just internal labor, great. But if it's more than a few hours of work, the treatment plan should specify a rough order of magnitude (ROM) estimate. That forms the basis of the business case to evaluate and fund or reject the treatment.
A risk treatment plan is more than a pile of recommendations. It needs to have some specific information so that managers can design and implement the treatments.
Rule of thumb: If you can't find the 4As and the resourcing implications in the treatment plan, you probably don't have enough information to implement the treatments.
Observations and Findings - 4Cs
I'll try not to make this a rant, but I daresay you may have experienced audit reports that go on for pages, becoming less clear with each page. When you go to the observations and findings section, you should find four elements in each observation.
I'm sure you're getting the idea by now. Look at the supporting or background information to see if the assessors have provided a robust summary of the issues.
Condition - What is happening? What are the observable artifacts?
Criterial - What should be happening? There should be some underlying legislative requirement, policy, procedure, or best practice.
Consequence - What is, or will be, the outcome in terms of the impact on objectives? Otherwise known as the "so what? " factor.
Cause - What is the cause of this situation? In particular, the underlying systemic root causes.
EXAMPLE: There appears to be a lack of compliance with information security procedures (CRITERIA) and significant under-reporting of incidents (CONDITION). This appears due to a lack of training (CAUSE) and is likely to reduce the organization's ability to identify and prevent information breaches (CONSEQUENCE).
Rule of thumb: If you can't find all four of the Cs in the observations, you're probably looking at a report that is either missing key details or is padded with fluff.
ISO31000:2018 Risk Management Guideline
Several guidelines and risk management standards exist, but over 100 countries have signed up to adopt the ISO31000 Risk Management Guideline. Produced by the International Standards Organization, this is the baseline by which all risk frameworks can be judged. Knowing this information will put you ahead of many self-professed risk experts and consultants.
ISO31000 isn't perfect. But it's consistent, and hundreds of us have contributed to it over the years. The key elements of ISO31000 are the Principles, Framework, and Process. Of these, the core of a good risk assessment report is the process.
The question to ask is, "There is no reference to ISO31000. Is this risk assessment consistent with ISO31000?" should return an immediate and confident "Yes!" and some explanation or a good reason why not.
Be prepared to receive only a blank look or an embarrassed, stuttering reply. Send it back with a "Bring this back when it aligns with ISO31000".
Note the word 'aligns' in the sentence above. Unlike ISO9000 (Quality) or ISO27000 series (Information Security), ISO31000 is not a compliance or certification standard. If someone says, their risk management framework is "ISO31000 compliant" or "ISO31000 certified," don't hire them. If you have already hired them, give them the link to this article, and suggest they give me a call or do some risk management training. Preferably all three.
A feature of ISO31000 is the succinct definition. Risk = the effect of uncertainty on objectives. This includes positive as well as negative outcomes. No risk is without some benefit to somebody. Even a tornado produces opportunities for tent manufacturers and builders.
Rule of thumb: If the risk assessment doesn't at least reference "ISO31000," you have to wonder if it is based on anything solid and how experienced the assessors are.
Objectives, Objective, Objectives
Ownership, objectives, and outcomes are the start and finish of risk management.
Rule of thumb: If you can't see how the risks affect objectives, they either aren't risks for your organization, or there is some gap in the analysis. Equally, if a risk treatment doesn't affect objectives, why is it there?
Summary
Risks: Consequence, Asset, Source, Event
Treatments: Actionable, Achievable, Appropriate, Agreed + Budget
Observation: Condition, Criteria, Cause, Consequence
ISO31000:2018 Risk Management Guideline has been adopted by over 100 nations. But is not a certification of compliance standard.
Objectives: First, last, and in the middle.
Last but not least
Look for a clear causal pathway linking backward from risk treatments that are based on specific risks. Risks that are linked to threats/hazards, then asset(s) and objectives.
Risk matrices can be problematic. See Figure 2 in this article on how to design and use a risk matrix.
From here, you might enjoy this short video and references on Five Insights Into Risk Management.
"Context for the 21st Century" in the Autumn Edition of the Institute of Strategic Risk Management journal talks about the business environment for the rest of this century.
If you are interested in a two-hour facilitated risk workshop based on the Eight Step Process or a 40-minute executive briefing session based on the content of this article, drop me a line.
Or give me a call. My mission is to help people achieve their objectives, and with 35 years of experience, I've found that risk management is a very effective means.
Comentários