A report by the Security Executive Council (a firm that "specializes in corporate security risk mitigation solutions") makes interesting reading.
For example, it says the following:
We find, that despite best intentions, enterprise-wide risk management often fails. British Petroleum's Deepwater Horizon catastrophe is one of many examples. All-hazards risk mitigation assurance requires that we get beyond one-dimensional, compliance-only, enterprise risk "list" management.
It is interesting that rather than talking about risk management or ERM, they talk about "all hazards risk mitigation assurance." Hold that thought for a moment.
I like the reference (I believe the phrase was created by Jim DeLoach) to "list management." I join Jim and the Council in calling that practice out as ineffective, although it creates the illusion of risk management.
The report continues with:
Programs that work are multi-dimensional, operationally integrated and relevantly informed by cross-functional subject matter expertise. They include:
· 24 x 7 x 365 situational risk awareness communications.
· Continuous risk/threat/vulnerability assessments.
· Mitigation design, performance testing, and innovation pilots.
· Persistent all-hazards risk monitoring, anomaly detection and response assurance.
· Critical event management, including near-miss after-action queries with objective targeted performance improvement.
· Engaged leadership governance.
· Ongoing prevention/mitigation systems hygiene.
· Understood roles and responsibilities including compliance-plus brand reputation Duty of Care dependencies.
All the items surely belong, but an effective program needs more.
This list is focused on harms (or hazards) and not on what might happen that could affect the achievement of our objectives.
As such, it remains incomplete and unlikely to be effective in helping the organization succeed.
An important part of the report talks about why ERM often fails:
A review of the literature reveals enterprise risk management has shortfalls in the 5 following areas:
1. Organizations adopt frameworks or processes that are siloed, regulatory-focused, and overly prescriptive; often self-focused with insufficient attention on emerging hazards.
2. Risk inventories are often "personal-opinion" management polls that are infrequently supported by research, or weighted subject matter expert opinion or proven practices.
3. Plans speak to, but seldom assure integrated cross-functional prevention, protection, mitigation planning, funding, testing, or performance inside and outside the organization.
4. Compliance requirements are often less rigorous than intended and do not sufficiently educate, incent, or protect anomaly reporters and whistleblowers.
5. Leadership governance is largely in name only, part-time and seldom involved in cross-functional resilience operational dependency planning, testing and performance oversight.
Note the reference to "siloed" risk management functions.
I believe, based on what I read here, that the Council's recommendations are putting corporate security's risk activities in yet another silo.
That's not to say that the corporate security function shouldn't have a program to address the risks in their area of responsibility. But they should be integrated with the management of other risks.
For example, when deciding whether to establish a new building to house valuable metals, the potential for thieves to break into the warehouse should be aggregated with risks such as the potential for failing to comply with employee safety regulations or wastewater disposal rules.
In addition, the authors are focused on hazards and not on results, or what can influence results.
They also seem to see operational risk management (ORM) and enterprise risk management (ERM) as separate and distinct. If that is their experience, no wonder risk management is failing! The whole point of ERM, as I see it, is to bring an enterprise-wide view to all risks: everything that might happen and influence the achievement of objectives.
Only when all related risks are considered can the best decision be made.
However, I think their concept of a risk oversight council and their list of benefits is on the right track. To quote:
· It enables persistent Unified Risk Oversight governance. Subject matter expert business leaders and section chiefs may now cross-functionally evaluate, prioritize and resource mitigation options for both emerging and residual threats.
· Many senior management leaders recognize that the expanding organizational strategy faces persistent and evolving external and internal risk factors that require collaborative, continuous, and nimble processes, including emerging and residual threat vigilance with operational oversight.
· It is often a course correction for efforts that did not cross-functionally connect enterprise risk management for emerging and fast onset of risks, especially at the operational levels.
When I was chief risk officer, I had an executive risk committee that performed a similar function and more. For example, it:
- Was comprised of direct reports to the CEO.
- Owned the management of risk across the extended enterprise.
- Ensured management participation, resources, and actions as appropriate.
- Approved policies and processes.
- Resolved differences in risk assessment and evaluation.
- Approved reporting to the CEO and the board.
- Monitored the performance of risk management and initiated changes as necessary.
The paper references ISO 31000 but it is interesting that COSO ERM is not mentioned.
They close with 13 questions for "responsible leaders." What do you think of them? Are they useful?
I welcome your comments.