- Strategy & Partners
- News & Views
- My IIRSM
Integrated risk and resilience - a new approach
Date of Issue: Tuesday, 30 April, 2019
by Steve Fowler MIIRSM
A few years ago, the risk management community invented a new concept – so-called enterprise risk management (ERM). ERM was supposed to take an integrated view of all risks, both threats and opportunities, across the whole organisation. As a business manager, I’ve always struggled with the difference between this and ‘ordinary’ risk management. Well, it seems, it all depends who you ask. Ask an insurable risk manager and they’ll tell you that plain old risk management only handles insurable risks. Ask a health and safety manager and they’ll tell you that they’re an OSH manager or SHE manager or some other acronym, rather than a risk manager. Likewise business continuity practitioners will emphasise that they’re in the world of (obviously) business continuity, or business recovery or resilience. And over in the worlds of governance and project management, you’ll hear risk management called GRC (governance, risk and compliance) and project risk management respectively.
This seems to be a bit like counting the number of angels on the head of a pin or, for those old enough to remember Monty Python’s Flying Circus, the bar full of Australians called Bruce all arguing with each other, when in walks a stranger and announces, ‘Well, you’re all Bruce to me’.
The standards world is no better. The ISO 31000 series of standards defines (enterprise) risk management, ISO 22301 business continuity, ISO 37000 governance and BS65000 organisational resilience. And these are just some of the ‘Tower of Babel’ we are creating. The ISO 9000 series of quality management standards doesn’t even mention risk management, instead opting for ‘risk based thinking’. Help!!!!!!!
So from an organisational or business perspective, do these concepts and standards help? The answer, like so much in life, is ‘partly’. Returning to first principles, organisations want to capitalise on opportunities whilst defending themselves against threats, with a combination of resilience and positive risk treatment. In other words, most business leaders, unlike consultants, think of all these concepts holistically. They’re just a set of tools, techniques and frameworks to achieve organisational success.
There are hundreds of real life examples to illustrate this. When the BP Deepwater Horizon oil rig exploded and sank in April 2010, they’d just been congratulated for an excellent safety performance. They’d made the cardinal error of focussing on slips and trips, a common cause of injury on rigs, rather than the much higher severity threat caused by drilling in much deeper water than normal. In other words, there was no coherent joined-up approach.
Also, traditional approaches tend to focus on the mechanics and processes of risk management rather than the heuristics, behaviours and culture that unpin organisational success or failure in the real world. Complex, next generation problems can’t after all be solved through compliance alone as many an industry has learned to its cost: think the banking crash of 2009 or today’s Boeing 737 MAX problems.
Organisations are therefore increasingly looking to ensure sustainable and efficient operations through resilience which in turn enables the avoidance of adverse risk and the exploitation of emerging opportunities.
The power and water utilities industry has already recognised this challenge and so has launched work with a leading standards organisation to build an integrated risk and resilience standard covering these areas. This will be a ‘capping document’ that sits above existing risk management, resilience, business continuity and governance standards – an integrating signpost document, if you like. This work is being kept high level and flexible to ensure organisations can adopt it to meet their own style, situation and culture.
Due for launch at the beginning of next year, this standard will ultimately provide the much needed response to the question I get asked all the time, namely, ‘Risk management – isn’t that just management?