Enterprise Risk Management: Organisational Setting, Structures, Power and Modifiers that Defy Universal Standardisation and Direct Comparisons
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
Enterprises, operations, money-making venture(s), systems, human factors, policies, regulations and external influences are not manufactured from a template or universal, standard mold. Nor are the practices, processes and influences that relate to risk, safety, security or resilience.
As a result, enterprise risk management further confounds attempts or desires to standardise or produce consistent, reliable and valid, direct comparisons.
Even within the same industry.
While there are similarities, there are outliers and variants that reside beyond the central structures, governance and 'risk' parameters of organisations. As a result, where there is the appearance of similarity and conformity... the real question (read as risk), is what happens outside this narrow corridor of conformance, compliance, measurement and 'standard practice'? Invariably, this is where chaos, danger, the undocumented, threat, exploitation, vulnerability and other hazards/perils lie for organisations, communities and industry.
Because everyone is overly focused or invested in the appearance of standards, reporting as though they were all alike or all thinking and acting (for appearances) in the same way. This is why so many 'threats' go undetected, unprepared for, under-resourced or not responded to when they change.
When in reality, organisations and resulting enterprise risk management demands, structures and monitoring defy universal standardisation, comparison, measurement and conformity.
A simple schematic highlights all the variables (both dependent and independent), which require specific, updated and unique calculations. There is no one calculation that represents or captures them all. In this context, 'neat' means dangerous. Because it conceals more than it informs.
Decisions of 'risk', harm, or of consequence should not be made on such calculations, assertions or assumptions...which further flow through each level, decision and function across an organisation.
Notwithstanding power, culture and climate that either empower, resist or reject change, oversight, accountability or access by functions or representatives of audit, quality, safety, security and risk.
The concept and reality of risk is 'messy'. Both the practice and understanding of risk vary from person-to-person, organisation, industry, community and government(s).
The only place risk looks 'neat' is on a spreadsheet or risk register.
Therefore, a practical sketch of what 'risk' looks like in the wild is not only necessary, but also revealing in how organisations and individuals comprehend or apply management, control or mitigation to things that may/may not result in risk(s).
What does your risk landscape, environment, universe or perceived reality look like?
Enterprise risk remains a broad descriptor for many disparate functions, choices and variations across industry, context and commercial pursuits.
If anything, the expression serves as a unifying banner to ensure that the management of things that may be deemed risk at some point, are undertaken in a consistent, cohesive manner.
As a result, for the most part, measurement of 'enterprise risk' from one organisation to another confounds simple comparisons and complex, multivariate calculus.
Enterprise security risk management and climate change are subject to similar, concealed, subtle, compounding and complex influences, inadequately summed up in topline reports, metrics, models or narratives.
Moreover, these dependent and independent variables amass over disparate timelines, geographies, and across varying disciplines or knowledge-based professions.
That is, both climate change and enterprise security risk management are routinely represented by summary findings in the form of reports, metrics or extended, simplified storylines, yet, as a phenomenon, are comprised of a complex, layered, highly variable and ever-changing network of influences, variances, natural forces and human actors.
Fear, auditing, politics, ideology, power, special interest groups, professional practice and academia all continue to try and 'standardise' risk management, security management, resilience management and safety management.
This 'war of competing/alternate standards' has been raging for decades, but the speed and volume has accelerated in recent years.
As has the underlying or prevailing threat(s), which is the paradox of standards...because nature, bad actors and free markets don't use or follow identical patterns or practices.
As a result, standards can act as considerable inhibitors or restrictions in remaining agile, dynamic and resilient, despite the noble attempts to inform and guide communities, individuals or organisations.
Our environments and the world are subject to perpetual change. As a result, resilience and protection remain fleeting in the wake of change, threats, technology, and adaptive, intelligent human actors.
In other words, individuals and organisations alike must constantly review and respond to their immediate and influential environments, in order to pursue resilient structures, practices or operations.
An objective that will never be finished, and a defined state constantly subject to change, with each passing hour and day.
Culture shapes 'risk'. Culture creates risk. Culture distorts risk. Culture dismisses risk. Culture prioritises risk. Culture demands action for risk(s). Culture amplifies risk. Culture restricts risk mitigation.
In short, culture bludgeons, distorts, builds, destroys, manages and mitigates risk(s).
Culture is invisible, transient, complex, provisional and varies across teams, organisations, communities, context and 'risk' issues. Climate influences culture and risk too.
In sum, enterprise risk management remains a 'messy' business. Because business, processes, environments, people and relationships defy universal quantification or static qualifications. Each ecosystem, sub-structure or unit level moves, adapts, responds and functions according to internal and external stimuli. "Work as imagined" is far from "work as done".
Standards routinely seek to constrain or govern 'work as imagined', or 'above the line', not what happens in reality or 'below the line', as is observed and analysed in safety science, complexity, along with risk and security sciences.
It does make some people 'calm' or 'happy' though. Further confounding the illusion of control, bounded rationality, naive empiricism and naive scaling. Further attenuators of cognitive functions, organisations and real-world existence. Which in turn influences threat, exposure, vulnerability and resilience.
This is why so many seemingly comply or excel when measured against a 'standard', when in fact they, their organisation and industry remain fragile, brittle, and vulnerable.
In short, investment in survival and sustainability would be better served understanding and exploring reality, complexity and the concealed...not the creation or mandate of yet another 'standard'.
Long, complex and interactive chains or sequences of 'standards' create new, unexplored and often catastrophic, systemic risks of their own. In other words, if you are a 'standards' organisation, you likely have many coupling, competing and hidden risks throughout your organisation that aren't detected by or supported by standards, resulting in false assurance and confidence, let alone response, resilience or resourcefulness in the event of threat or service continuity disruption.
Risk, Security, Safety, Resilience & Management Sciences