This post, Corporate risk management (ERM) platform requirements to limit corporate failures, explores why corporations, projects and startups continue to fail despite the apparent efforts of various stakeholders.
Voices here and there say that Enterprise Risk Management does not work and that we need new and esoteric tools. At Riskope we firmly believe, based on our experience, that Enterprise Risk Management does work if the platform has some important characteristics that common practice platforms do not have.
ERM deployments should always start with a clear definition of the system (enterprise, project) they apply to. No ERM deployment should start without a definition of the success and failure criteria. Without failure criteria one cannot declare failure, and hence cannot evaluate downside risks in a rational and coherent way.
People who are part of the process should, if at all, only help identify hazards and perhaps help quantify basic consequences and probabilities. Because people close to a process or system tend to blind themselves over time and become victims of normalization of deviance, they should not assess the risks. Thus they should not define the “extreme” ranges of probabilities and consequences, and they should not try to censor them. A party external to the process should perform this assessment to avoid conflicts of interest.
The risk management platform should consider all the different types of consequences in order to avoid biasing the results. For example, if you limit yourself to considering physical losses, the tool will not deliver a clear picture of the potential exposures. These may also include significant reputational or environmental damages, with potential influence on the Social License to Operate. People who make this mistake oftentimes invoke, during or after a failure, the complexity of the system. The culprit, however, is a biased, shallow analysis which did not look at blatant interdependencies.
The risk management platform should transcend operations and look at management as well as at internal and external contracts. This will help formulate integrated and convergent roadmaps to strategic, tactical and operational mitigation. Of course it should also include third parties such as contractors.
Oftentimes we see corporations outsourcing processes, read “risks”, under unfortunately wrong assumptions. A common one is that outsourcing removes risks or transfers them to another entity. That wrong assumption can in itself cause tremendous damage, because consequences incurred by third parties can backfire on the corporation.
Finally, the risk management platform should facilitate risk communication by supplying the right level of information to the right hierarchical level. That of course means avoiding arbitrary decisions on what constitutes a strategic rather than a tactical risk. Indeed, that classification is a result produced by the risk management platform, rather than an arbitrary taxonomy.
Outward risk communication should be simple, while allowing transparent inclusion of uncertainties and formulation of the results. The platform should foster communication that all parties involved can understand.
Risk blindness is an unfortunately common syndrome which oftentimes has involuntary causes. It is enough to inadvertently use obsolete common practice tools, believing they are good because everyone seems to use them.