Integrated and convergent risk approaches

Integrated and convergent risk approaches need some discussion. Are they so different? And what about the good old Enterprise Risk Management (ERM)?

In our modern society, organizations require a 360-view across all business units, risks and compliance functions. ERM approaches should cover that.

Experience shows that oftentimes ERM does not cover key business partners, suppliers and finally outsourced entities, the “Enterprise” (system) definition remains implicit. Thus there is no 360-view across business units, risks and compliance functions.

Maybe that was the driver to create new names for more comprehensive approaches.

Integrated Risk Management (IRM)

Gartner defines the Integrated Risk Management (IRM) objective as to enable the simplification, automation and integration of (strategic, operational and IT) risk management across an organization.

Solutions working in that direction are IRM solutions. Such solutions should:

• Enable the implementation of performance improvement thanks to governance and risk ownership.
• Identify, evaluate and prioritize risks
• Help identify and implement mechanisms to mitigate risk
• Support risk and risk response communication
• Track Governance objectives, effectiveness of mitigations, risk accountability, etc.

Beside the fact that this should be done through a specific technological solution, there isn’t much new in this definition with respect to the good old ERM, isn’t it?

IRM is good for your business provided it does not miss, again, some important targets we will discuss below.

Convergent Risk Management (CRM)

Convergent Risk Management approaches tout to achieve streamlining by bringing all risk information under the same roof. That allows better risk informed decision making.

Here again nothing really new, aside the very important idea to use a single platform.

The denomination came perhaps as a result of numerous mishaps due to the “siloed” culture, among which we can cite:

• Management being blindsided by multiple sectoral risk reports.
• Multiple requests for risk information (Audit, Risk Management, Compliance, H&S)
• Lack of risk-awareness, risk ownership and interest in risk management.
• Multiple data repositories (including “crazy” spreadsheets) fostering data losses, blindness to the big-picture
• Lack of visible return on investments due to the poor quality of the decision-making process.

So what? Integrated and convergent risk approaches

It seems that once again the risk community is trying to sell common practice by changing the name and putting a couple new finishing touches. That is likely because the definitions of Integrated and convergent risk approaches are missing a few important points.

Indeed, as it stands now, we do not see any characteristics of the IRM following Gartner’s definition that would warrant a “new name”. The main notable element is that IRM should “look outside” the system. Frankly, no need to invent a new name. A good old ERM could work, with a proper definition of the system and success/failure criteria. Define the system first, develop success and failure criteria, and of course, develop a single platform.

As far as per convergence, well, the idea of having everything on the same platform is indeed important. See above for expalnations.

At Riskope we have fostered for over twenty years some aspects such as:

• using clearer glossary to avoid risky confusion
• better definition of the system to allow transparent, and scalable Risk Assessments and finally
• establishing performance criteria to understand what we are measuring, what is a failure and what is a day to day business-as-usual event

Neither integrated nor convergent literature references quote these paramount points.

Our “universal” ORE platform is indeed a convergent and integrated solution and we have been pushing forward with it for the last couple decades.

Unique elements of ORE

I find astonishing that no one cites paramount characteristics that a modern platform should have, around which the ORE platform has been created, namely:

• Uncertainties inclusion. Uncertainties exist both on the probability and the consequences of events. Ranges based on the state of knowledge at the moment of the deployments should take care of characterizing them. These ranges will change during the life of the system (see updatable below).
• Scalability. This means that the structure should be built in such a way that new business lines, in depth studies of some of the areas of the entreprise can be added, developed.
• Updatability. At any time the values of probabilities and consequences as well as their respective uncertainties can be updated to deliver a new risk landscape of the company.
• Drillability. Data can be retrieved using various queries. For example: which are the highest risks within the company having potential earthquake, or employee dishonesty as root cause?

For relatively small systems, like a productive operation, a logistic hub, or a cluster of relatively small operations, we can implement ORE “manually”. That means use a “worksheet-based” approach which keeps the deployment cost to a minimum.

Closing remarks

A software upgrade is necessary for larger systems. Thanks to the pairing with a specific Business Intelligence software which seamlessly integrates the ORE framework there is no limit to size of the system we can analyze.

Welcome to the world of BI-ORE the ultimate solution for corporate Integrated and Convergent Risk Management.

Contact us to learn how BI-ORE, the ultimate solution for corporate Integrated and Convergent Risk Management, will change your understanding of your risk landscape and allow you to surpass your competitor.

Tagged with: convergent, Integrated, risk approaches

Category: Consequences, Risk analysis, Risk management