Failed backward innovation

Failed backward innovation in the age of disruption is severely damaging all those organisations that spent many years and lots of cash to dig beautiful trenches for their useless 3 lines of defense. They are now left with even more effort, to fill up their trenches and get out on the battlefield of real business.

R.I.P. 3LoD, your creators saw a tiny speck of light, millions are left without defense and the trenches are in shambles. Sadly, your ghost will haunt many for a long time. They still have 3 lines, but these are now so blurred that they must be extremely careful not to kill their own front-line fighters, a situation much worse than running around in the old trenches. https://na.theiia.org/news/Pages/IIA-Issues-Important-Update-to-Three-Lines-Model.aspx

What a great success story of failed backward innovation, making something useless, even more useless…… and that in the middle of the age of disruption.

As Michael Volkov recently said: “The IIA’s revised model should be ignored and relegated to the ash heap of bad ideas” (https://www.jdsupra.com/legalnews/the-iia-s-new-three-lines-of-defense-22623/ )

The Elephant in the room is actually a grey rhino (https://thegrayrhino.com/about/ ), not a black swan, it is time for Risk Practitioners to accept that and learn the lessons. Time to wake up to the reality that an outdated risk management process of steps to Identify, Analyze, Evaluate, Treat and Monitor the Risk; together with beautifully crafted RAG reports linked to a bunch of risk mitigating responses are of no use; and, that following any standard or framework contribute nothing to the actual management of risk. The effective management of risk depends on the risk management skills of the front-line and the decisions made by them in every situation of risk that they encounter.

It is time for Auditors to get away from the management of risk, far away; and to stay away. By the time anything gets to their line, it is too late anyway, all they can do is to issue a finding, implying that they “found” something. I have never seen an Auditor resuscitating a dead business. Lately we see more cases where they actually contributed to the death of organizations through a lack of diligence and susceptibility to corruption.

What a pity that the hours of heated, heatmap-driven debates in the risk committee meetings on whether something should have been red, amber or green at the end of last month (or even worse, last quarter); came to .....nothing!

The dominant personalities glaring at risk reports created from historic data, with their thinking clouded by unconscious biases also made the syndication of decisions in these meetings so much more difficult. The hear no evil, see no evil, do no evil committee members who were mostly dedicated to their mobile phones during these debates, are still going with the flow; just like dead fish.

We also learned that "tested" business continuity plans have very little value, no disaster will follow your plan, success lies in the way each and every employee will respond to the situation of risk on D-day.

It is time for Risk Practitioners to pack the bull by the horns and learn this elephant-size lesson that the only way forward is Building an effective Risk Culture and teaching everyone in the company Radical Risk Management skills.

The Future is here!