Enterprise Risk: Management, Measurement, Myth and the Multiverse of Alternates
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
Enterprise risk remains a broad descriptor for many disparate functions, choices and variations across industry, context and commercial pursuits.
If anything, the expression serves as a unifying banner to ensure that the management of things that may be deemed risk at some point is undertaken in a consistent, cohesive manner.
As a result, for the most part, measurement of 'enterprise risk' from one organisation to another confounds simple comparisons and complex, multivariate calculus.
Notwithstanding, the polycentric, protean nature of corporate objectives, external threats, choice and mounting technical alternatives disrupting, influencing and enabling organisations on a day-to-day basis.
In other words, the basic objectives of an organisation, such as find a customer, make money, don't break the law and survive... make for a constantly changing landscape of internal and external factors that defies simple, objective comparison or measurement due to the constant attenuation, reactive nature and resilience pursuits of many.
"Most of these are beyond the control of management, although active enterprise risk management requires that there are systems in place to make a company more resilient and adaptable to major changes. Risk management is a dynamic process." (Dickinson, 2001)
Therefore, measurement becomes more about efficacy and relevance. Especially when it comes to threat(s), exposure and vulnerability. All precursors to what might reasonably be tabled or considered 'risk'.
"Another set of factors that can cause outcomes to differ from those planned arise from within the company itself. These are human error, fraud, systems failure, the disruption of production, and so on. These internal causes represent a major part of what are generally known as 'operational risks'." (Dickinson, 2001)
As a result, a topographical map of sorts is required. Key terrain, dense forests, treacherous outcrops, steep mountains and deep oceans within the enterprise must be surveyed and documented if individuals, departments or regulators are to navigate the frontiers of risk management and ensure survival. Which reads like a passage from one of the literary classics such as Kidnapped, Robinson Crusoe, Huckleberry Finn or Moby Dick.
But the modern world of business is far from being any less dangerous and complex than in days of old, despite seeming comfort, consistency or predictability.
In short, a schema of how risk is conceived, managed, mitigated and communicated remains essential. Moreover, variables, change, choice and innovation must all be captured and understood at some point.
No point having the blueprints and service manual for a steam engine when you're already driving a Tesla!
Therefore, enterprise risk architecture and understanding should be reviewed far more frequently than conventional, quarterly business reporting. It should most assuredly not occur annually.
All manner of beasts, dragons, robots and mischievous bad actors could be present and successful during that time. Sorry, casting back to the classics again.
In sum, for discussions and analysis of enterprise risk to be productive, a map or schema is required.
The schema informs and qualifies action, which in turn determines scales of efficacy, observation and variance. Risk management is represented by specialism, process and resources, but must be present in every person, process, system and deliverable. Security management shares similar requirements in the broader enterprise security risk management discourse.
Decision Trees, Bayesian Belief/Relationship Networks, Information Cascades, Markov Chain Monte Carlo Simulations or Fisher's Exact Test may be used, modelled or inform practice but they remain imprecise units of analysis in open systems and environments where baseline factors and inputs change...if they are even detected, visible or conceived by the human navigators.
Hence, human factors remain essential, but come with their own inherent flaws, inconsistencies and biases. In just the same way the tools humans make do too. In short, manufacturing, production and engineering begin with sound, verifiable and guiding drawings. So too should your pursuits of enterprise risk, at all levels.
P.S. Just like a confusing or new shopping complex or evacuation guide. Don't forget a 'you are here' reminder and orientation for all departments, management and representative specialists or professionals.
Risk, Security, Safety, Resilience & Management Sciences
Reference:
Dickinson, G. (2001) Enterprise Risk Management: Its Origins and Conceptual Foundation, The Geneva Papers on Risk and Insurance, 26(3), pp. 360-366
Senior Manager, Physical Security EMEA
2 years ago
Excellent article Tony. I really think cognitive bias plays an extremely important part in our subjective measurement of risk across the business.