- Strategy & Partners
- News & Views
- My IIRSM
New tools and techniques for new risks
The advent of disruptive technologies such as artificial intelligence, robotics and blockchain, as well as other global changes such as geo-political power shifts, climate change and wholesale population movements, are examples of innovations and environmental changes that present today’s organisations with both significant threats and significant opportunities.
Many of these threats and opportunities emerge more quickly than ‘traditional’ risks, and they can combine in ways that hitherto might not have been foreseen, creating outcomes that can prove existential for the organisation involved. For instance, TSB’s outsourcing of its new IT system to its parent company Banco Sabadell, almost cost the firm its very existence. Blockbuster Video’s failure to adapt to a world of video on demand ultimately did cost that firm its existence.
In this ‘new world of risk’, whilst the old proven tools and techniques still have their place, we also need new approaches, indeed a much wider range of skills and disciplines than are implied by ISO 31000 alone. Four of these are:
- Integrating risk and resilience management.
- Emerging risks management.
- Complexity management.
- Extreme uncertainty planning.
1. Integrating risk and resilience management.
Traditionally, risk management and business continuity management are carried out separately and by totally different teams. They’re two different worlds, with their own languages and their own international standards.
Increasingly however, organisations are realising that by performing risk identification and assessment and Business Impact Analysis (BIA) together, risk management and business continuity plans can be developed in a coordinated and synergistic way, with better outcomes for the business.
For instance, identification of mission-critical activities and the required recovery time in the event of disruption is a key part of any BIA, but is equally important in understanding the risks facing an organisation in order to develop a broader risk treatment strategy.
2. Emerging risks management.
New, previously unknown or not identified, ‘emerging’ risks can pose the greatest challenges to resilience, safety, strategy and operations in any organization. These risks can be related to new processes, new technologies, new types of workplace, or social or organisational changes.
A new international standard, ISO 31050, currently under development, aims to provide:
- the much needed foresight and insight to deal with these risks,
- new ways for enhancement of organisational resilience, and
- new capabilities to deal with new challenges, helping, at the same time, to increase the level of trust in management of risk.
Strategies to manage emerging risks include:
- Risk radar or visualization – using graphical methods to spot emerging trends and connections. This can be as simple as a ‘risk dartboard’ with more significant net risks shown towards the centre, or use of sophisticated risk data mapping software.
Moving from Gantt charts to Activity networks can help draw out the true nature of risk in an organisation.
- Risk velocity or risk clockspeed - a useful concept in environments that are rapidly evolving.
Detailed mitigation measures can only be implemented for a risk when information about it is available promptly before an event,
However, management information for certain other risks might only come at or close to an event -these are termed fast risk clockspeed risks. These risks require a different management style and competencies – see diagram:
3. Complexity management
‘The challenge we face today requires new ways of thinking about and understanding the complex interconnected and rapidly changing world in which we live and work’ – Stephen Hawking, 2000
Today’s events can affect people and locations in different ways than were hitherto commonplace. Take, for example, the WannaCry cyber-attacks that affected 200,000 victims across 150 nations. These demonstrate how risk can spread rapidly and cut across all sections of an organization.
Complexity is increasingly recognized as a key factor in the formation of major events, from the combination of a number of otherwise low likelihood and/or impact risks.
Complexity compounds the likelihood and impact of risk, so how do we visualise it? One example is in a network diagram (see example in the diagram below, taken from World Economic Forum, Global Risks Report, 2019):
Complexity and tight coupling.
When all the parts of a system, process or organisation are seamlessly integrated, they are said to be ‘tightly coupled’. In other words, there is little slack or buffer between the individual parts. The failure of one part can therefore easily affect the others.
Loose coupling means the opposite: there is a lot of slack among parts, so when one fails, the rest of the system can usually survive.
In tightly coupled systems, it’s not enough to get things mostly right. Inputs must be precise, and they need to be combined in a particular order and time frame. Everything happens quickly, and we can’t turn off the system while we deal with a problem.
For instance, in a nuclear power station, controlling a chain reaction requires a specific set of conditions, and even small deviations from the correct process, like a stuck valve, can cause big problems.
This is illustrated thus:
Introducing a buffer or a break in the system can create breathing space in case of failure.
Other factors that should be considered in any approach to complexity management include:
- Nature of the external and internal environment.
- Interconnectedness between organizations - collaborative working.
- Supply chains.
- Varying work practices between divisions and departments.
- Geographic and cultural diversity and language barriers.
- Internet of things (IoT) – an estimated 50bn devices are now connected to the internet, versus 18bn only 5years ago.
- Risks with low immediate impact but high systemic impact – how to identify and communicate them.
- Sheer quantity of data.
- Complex interdependencies.
For example, the Crossrail/Elizabeth Line underground rail project in London has complex interdependencies between stations, trains, signalling, track, software integration, control systems and a myriad range of companies. This has led to a last minute delay of over two years in opening the new railway.
4. Extreme uncertainty planning.
Learning how to learn and adapt in a fast changing world is important when things are changing quickly and in interconnected and sometimes unpredictable ways.
Techniques which can be used include:
- Horizon scanning – used to spot potential causes of uncertainty, ensure adequate preparation, exploit opportunities and help survive threats. Use of STEEPLE/PESTLE techniques.
- Scenario planning – consideration of possible futures.
- Capacity modelling
- Knowledge and insight from:
- Publications and industry websites
- Professional and standards bodies
- Learn from outside the sector e.g. as medicine has learnt better risk management practice from aviation
- Power of diversity – especially non-statutory characteristics such as social or business background
- Know who as well as what to believe in a world of fake news.
- The 4Sight methodology (BSI/Cranfield University. Organizational Resilience, 2017).
This leadership agenda tool complements existing risk management techniques and the established Plan-Do-Check-Act (PDCA) methodology used in quality, environmental and safety management. Whereas PDCA provides consistency, 4Sight provides the flexibility to deal with the complex issues inherent in business today.
4Sight is particularly effective with situations that involve changing behaviour, values and priorities, or that are indeterminate in scope and scale.
This brief article introduces some of the tools and techniques now being used to manage risk in today’s brave new world. IIRSM plans to keep ahead of trends in this area, and anyone interested in contributing is encouraged to contact the author, Steve Fowler: firstname.lastname@example.org | @steverjfowler | www.linkedin.com/in/srjfowler