June 27, 2006
Re: Intelligence Failures, Part III: Opinion Poll
In my blog last week I defined the terms in the poll below and explained how risk management can prevent these failures from occurring. Vote your opinion and then view the results of what others think:
Thanks to Toren for his comments on my blog last week, "Intelligence Failures, Part II: Risk Management is the Answer". Toren writes:
"How would Risk management software deal with perceptions and preconceptions that drive leaders and make them look the other way once intelligence points against their gut feeling? Is there a software that integrates human experience and takes preconceptions, even feelings and mere hunches that may drive a decision, into account?"
Business has political interests and politics has business interests, but the discipline of risk management applies to both just the same. Toren's comment highlights the need to acquire human intelligence from front-line experts and balance it against other data sources to reach better decisions. This is the heart of what risk management software is designed to address.
First, the underlying prerequisite for a successful risk management program is the "tone from the top": leadership must embrace a rigorous, objective and qualified risk management process. Transparency in the risk assessment and mitigation process is necessary to build the confidence and credibility that earn this buy-in. Software supports this with embedded best practices and real-time interactive dashboards and reports that make the process efficient and governable. Senior leaders who commit to actively engaging in the risk management process will have conviction in its results.
With this mandate in place, the next issue is how to widen the net and process the information in an objective and consistent fashion, so that unsubstantiated preconceptions cannot block out the facts. True Enterprise Risk Management software supports a risk control self-assessment approach with a library of guided questions to qualify, quantify and prioritize human intelligence for follow-up. This process breaks the information down into its root-cause categories and factors and scores three things: the potential impact of the risk, the likelihood that the risk will occur, and the current effectiveness of the controls in place should the risk actually occur. A risk index score is calculated with the formula (impact x likelihood x control), with the control factor scored so that weak or missing controls raise the index and effective controls lower it; otherwise a well-controlled risk would rank higher than an uncontrolled one. Ranking by the risk index then systematically culls a broad base of information down to the most dangerous or highest-risk issues and scenarios.
Follow-up activities are assigned with due dates for deeper analysis, culminating in a recommendation for action along with the supporting documentation: cost-benefit analysis, controls, budgets and so on. This web-based system aggregates data from all areas of the organization. Control activities enforce discipline in the implementation and monitoring phases, either preventing risks or minimizing their impact should they occur. It is this combination of methodology, process and software that prevents a premature conclusion or a disregard for the facts.
Thanks again to Toren. Keep your inquiries coming, and don't forget to vote your opinion above!
Posted by stevenminsky in Risk Assessment • Risk Mitigation • Software
June 15, 2006
Intelligence Failures, Part II: Risk Management is the Answer
In my last blog, Looking for Risks in all the wrong places?, I referenced the article History of Intelligence Failures, which illustrates the most spectacular military intelligence failures over the course of history. I also presented my adapted list of the six most important root causes of business risk failures.
Jacob commented on my blog: "You mean to say all above mentioned business challenges can be handled by Enterprise Risk Management Software?" This post gives a definitive yes. Below is an outline of how Enterprise Risk Management, together with the right software, can reduce the impact and/or likelihood of these failures showing up on your watch.
First of all, let's define Enterprise Risk Management. According to the Australian Risk Management Standard (AS/NZS 4360), it is "the culture, processes and structures that are directed towards realizing potential opportunities while managing adverse effects".
Now let's look at those six risk coverage vulnerabilities:
Overestimation - a determination to overemphasize information, leading to a false conclusion.
Enterprise Risk Management establishes a standard, easy-to-understand methodology to systematically identify, qualify and quantify risk. The hard part is getting started. Software facilitates the identification and assessment process and offers three criteria, Impact, Likelihood and Effectiveness of Controls, for scoring each risk so you can prioritize and balance all the aspects of risk and performance and arrive at a more objective estimate. Establishing objective criteria is the first defense against overemphasizing information or becoming blinded by your own convictions or those of others.
Underestimation - business analysts or leadership completely misread a competitor's intentions, a market event, or a regulator's guidance or intentions.
Key risk indicators prompt thinking about how risk can affect your organization in different ways and from a variety of angles. Further, strategic key risk indicators are designed to help uncover disruptive threats that are difficult to address with traditional risk approaches. A quality ERM software package should come with a robust library of key risk indicators organized by industry, function and core process.
Over-confidence - bad assumptions based on our own certainty on how we would handle the situation.
These embedded best-practice risk indicator libraries, together with the software framework, help us run a gap analysis on how our organization is looking at issues versus the lessons learned by peers in our industry. A framework should incorporate best practices from leading industry sources such as Standard & Poor's, the Australian Risk Management Standard, COBIT for IT governance and security, COSO for financial controls, and other frameworks.
Complacency - something is going to happen, though not sure what or when, and yet no action is taken.
You do not have to take action on every risk, but you do need to quantify and measure your current risk and compare it with your thresholds of acceptable risk to decide whether to accept it, monitor it, or take action. Using software to standardize the process and capture risk issues formalizes the process and escalates issues for follow-up. Software also manages the workflow of assigning roles and responsibilities, follow-up notifications and tracking.
Ignorance - When there is virtually no intelligence, we are at the mercy of events.
Much like TurboTax for personal taxation, we don't have to be experts on everything: the software prompts us for the relevant information and walks us through the process to successful compliance and even tax savings. Enterprise Risk Management software embeds a best-practice risk methodology, which is all about embedding risk management in the existing culture of an organization. That means everything from the planning and analysis process, capital allocation, performance evaluation and strategic planning to internal audit, IT business continuity and security assessments.
Failure to join the dots - failure to make connections between bits of intelligence to make a coherent whole.
Ad hoc risk management done with home-grown tools leaves information buried in spreadsheets and Word documents throughout the corporation. Many times a risk in one business area depends on a risk in another, or two separate but identical risks in different areas form a compound risk that, if both occur at the same time, is worse than either risk individually. Aggregating this information up to interactive dashboards and flexible reporting that can filter and present risk segmented by risk or by risk dependencies is invaluable in seeing the big picture.
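As an added example (not the author's software or any vendor's product), here is a small Python risk register that works through the points made in this post and in Part III above: the risk index formula (impact x likelihood x control), thresholds that turn an index into an accept/monitor/act decision, and a roll-up that scores a risk together with the risks it depends on in other business areas. Everything about the scales is an assumption: each factor is scored 1 to 5, control is scored as a control gap (5 = no effective control) so that stronger controls lower the index, the thresholds of 20 and 45 are arbitrary, and the compound-risk rule (impacts add, likelihood is the weakest link, control gap is the worst one) is mine, not the page's. The sample risks are constructed.

```python
"""Risk index scoring, thresholds and dependency roll-up (added example, not from the page).

Assumptions: every factor is scored 1..5; control is scored as a gap, so a
strong control is 1 and no control is 5; thresholds and the compound-risk
rule are illustrative choices, not a published standard.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SCALE = range(1, 6)   # each factor 1..5, so the index spans 1..125
MONITOR_AT = 20       # assumed: below this, accept the risk as is
ACT_AT = 45           # assumed: at or above this, assign a follow-up action


@dataclass
class Risk:
    risk_id: str
    area: str
    impact: int                  # 1 negligible .. 5 catastrophic
    likelihood: int              # 1 rare .. 5 almost certain
    control_gap: int             # 1 strong controls .. 5 no effective control
    depends_on: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name in ("impact", "likelihood", "control_gap"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{self.risk_id}: {name} must be in 1..5")


def risk_index(risk: Risk) -> int:
    """Impact x likelihood x control, with control scored as a gap so that
    better controls reduce the score instead of raising it."""
    return risk.impact * risk.likelihood * risk.control_gap


def disposition(index: int) -> str:
    """Compare an index with the acceptable-risk thresholds."""
    if index >= ACT_AT:
        return "act"
    if index >= MONITOR_AT:
        return "monitor"
    return "accept"


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest index first; ties broken by id so reports are reproducible."""
    return sorted(risks, key=lambda r: (-risk_index(r), r.risk_id))


def dependency_chain(register: Dict[str, Risk], risk_id: str) -> List[Risk]:
    """The risk plus everything it transitively depends on.
    Cycles and unknown ids are tolerated rather than looping forever."""
    chain: List[Risk] = []
    seen, todo = set(), [risk_id]
    while todo:
        rid = todo.pop()
        if rid in seen or rid not in register:
            continue
        seen.add(rid)
        chain.append(register[rid])
        todo.extend(register[rid].depends_on)
    if not chain:
        raise KeyError(f"unknown risk id {risk_id!r}")
    return chain


def compound_index(register: Dict[str, Risk], risk_id: str) -> int:
    """Score the scenario in which a risk and its dependencies occur together.
    Assumed roll-up rule: impacts add (capped at the top of the scale),
    likelihood is the weakest link because every event must happen, and the
    control gap is the worst one in the chain."""
    chain = dependency_chain(register, risk_id)
    impact = min(max(SCALE), sum(r.impact for r in chain))
    likelihood = min(r.likelihood for r in chain)
    gap = max(r.control_gap for r in chain)
    return impact * likelihood * gap


def area_summary(risks: List[Risk]) -> Dict[str, dict]:
    """Dashboard-style roll-up: worst index and open actions per business area."""
    out: Dict[str, dict] = {}
    for r in risks:
        idx = risk_index(r)
        entry = out.setdefault(r.area, {"worst": 0, "actions": 0})
        entry["worst"] = max(entry["worst"], idx)
        if disposition(idx) == "act":
            entry["actions"] += 1
    return out


# Constructed sample register; the ids, areas and scores are made up.
SAMPLE = [
    Risk("R1", "Operations", impact=4, likelihood=3, control_gap=3),
    Risk("R2", "IT", impact=3, likelihood=3, control_gap=5),
    Risk("R3", "Finance", impact=2, likelihood=2, control_gap=2),
    Risk("R4", "Supply Chain", impact=3, likelihood=4, control_gap=2, depends_on=["R1"]),
]
REGISTER = {r.risk_id: r for r in SAMPLE}

if __name__ == "__main__":
    for r in rank(SAMPLE):
        idx = risk_index(r)
        print(f"{r.risk_id:3} {r.area:13} index={idx:3} -> {disposition(idx)}")
    print("R4 together with R1:", compound_index(REGISTER, "R4"))
```

On the sample data R1 (36) and R4 (24) each sit in the monitor band on their own, but the compound scenario in which R4 fires along with the R1 it depends on scores 45 and crosses the action threshold, which is exactly the kind of cross-area dependency a spreadsheet per department never surfaces.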
Now that we have walked through the concepts, you may be interested in a real company's story in InformationWeek's article last month, Software makes risk management easier to swallow.
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Identification
June 06, 2006
Big Blue and Bird Flu?
IBM announced today its newest risk management service offering, Contingency Planning Assessment, in the press release IBM TO HELP COMPANIES DETERMINE PANDEMIC PREPAREDNESS. I had the opportunity to speak with Rich Cocchiara, IBM Distinguished Engineer and CTO for Business Resilience at IBM, prior to the announcement. Rich made the point that business continuity, disaster recovery and crisis management are constantly evolving and that new threats need new strategies. He outlined a few of the differences to consider in planning for a bird flu pandemic versus a traditional business continuity and disaster recovery event.
1) People vs. Infrastructure Resources - bird flu scenarios can affect up to 40% of employees, whereas traditional business continuity has been all about physical infrastructure: buildings, transportation, data and communications.
2) Global vs. Local Geographies - a pandemic is forecast to affect multiple cities, regions and entire countries simultaneously, whereas traditional business continuity planning has focused on reacting to single, localized events.
3) Long-term vs. Temporary Impacts - avian flu may come in several waves lasting several years and may change the way business is conducted in the long term, whereas traditional business continuity events have been thought of as lasting a few days to a few weeks.
Rich posed the question on corporate preparedness: "Does your organization know how operations will be impacted due to a health Pandemic? What business areas will need to be shut down or functions, locations or processes abandoned?" He also pointed out that all organizations are affected, including small and medium-sized businesses, not just the largest enterprises and government agencies.
Rich also commented on the importance of risk management software tools to support an Enterprise Risk Management program for identifying and assessing scenarios, evaluating options, and planning and tracking results. Further, keeping corporate objectives and a performance management view in mind can also address current business operations issues and make your business better today. For example, enabling business processes for more effective telecommuting, or for shifting work between offices and regions, can help businesses reduce costs and increase productivity now, even if a bird flu pandemic never materializes.
This announcement by IBM validates the critical need to put an enterprise framework in place, with both a methodology and a process, to constantly reevaluate how risk can impact your business and what actions need to be taken.
What is keeping you up at night and what are you doing about it?
Posted by stevenminsky in Enterprise Risk Management • Methodology • Risk Assessment • Risk Mitigation • Software
June 01, 2006
Looking for Risks in all the wrong places?
Risk management is all about the unidentified risks that can pose a major threat to your organization or cause significant opportunities to be missed. Frequently, just after a failure, loss, blunder or catastrophe, we discover in hindsight that the facts had been staring us in the face all along, but they were either ignored or overlooked. Why is that?
A great article, Long history of intelligence failures, answers this question using military intelligence blunders from the wooden horse at Troy to the Yom Kippur War, Pearl Harbor, 9/11 and the Iraq War. I have adapted the article's categorization of these failures in a way that I think we can all easily apply to our own business challenges:
1) Overestimation - a determination to overemphasize information, leading to a false conclusion.
2) Underestimation - business analysts or leadership completely misreads a competitor's intentions or market event.
3) Over-confidence - bad assumptions based on our own certainty on how we would handle the situation.
4) Complacency - something is going to happen, though not sure what or when, and yet no action is taken.
5) Ignorance - When there is virtually no intelligence, we are at the mercy of events.
6) Failure to join the dots - failure to make connections between bits of intelligence to make a coherent whole.
Enterprise Risk Management is a proven framework for systematically addressing these six categories of weakness. My next blog entry draws the parallels in the enterprise business world and explains how Enterprise Risk Management can be used to protect us from these risk process pitfalls.
Posted by stevenminsky in Enterprise Risk Management • Risk Assessment • Risk Identification