Managing Risk Creatively & Structurally
I think best in the abstract and imaginative. My mind is wired to be more intuitive and see relationships and images. I am more like my mother. My brother, he is like my father – wired for math and numbers. I have been competent with math, but it is not what engages me. While my father and brother were CPAs, I pursued theology and law. Just like we are left or right-handed in our dexterity, we also tend to be either left-brained (structured and analytical thinker) or right-brained (unstructured and creative). I would like to think that I am ambidextrous in my brain, but I know I favor the right side of my brain.
When we think of risk management we often think of structured approaches with complex models, mathematics, and analytics. We dive into the world of Monte Carlo analysis, and Bayesian modeling. There are calculations such as Capital at Risk (CaR) or Value at Risk (VaR). The field of risk management has been dominated by left-brain thinking. Does being a right-brain thinker make me bad for risk management? I do not think so.
Let’s step back and look at what risk management is. If we use the ISO 31000 definition of risk: risk is the effect of uncertainty on objectives. Risk management starts with understanding the objectives. My objective could be to cross the street, it is from there that I analyze and look at the uncertainty in crossing the street. Is the light red or green? Is there oncoming traffic or other moving threats? How fast are the threats coming? Does it look like they see the light? What are the conditions of the road? Is it slippery or dry? We analyze risk in the context of the objectives.
In the business world, we have all sorts of objectives. They can be strategic entity level objectives for profit, growth, expansion. They could be division or department objectives. They can then drill into process, project, or even asset level objectives. We need to understand and manage the risk (uncertainty) in achieving those objectives. This requires both left-brain and right-brain risk thinking.
Historically, risk management has been dominated by left-brain thinking on risk. We have structured risk models, simulations, and analysis. We try to put uncertainty/risk in a box. As long as that box roughly resembles reality then our analysis is to some degree fairly sound. Good risk management requires structured thinking about risk and using models. As Sir Arthur Conan Doyle stated, “It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.“
I argue that this is not enough. Good risk management does need structured data and analysis, but it also needs to think about risk creatively. Business is complex and dynamic. There are so many variables that can hinder us from achieving objectives. Some of these can be fairly evident and common sense, some can be very abstract, remote, and down in the weeds of the organization. That requires creatively thinking about risk and risk event scenarios. Look at the world around you, what started as a health and safety risk in Asia has had a great impact on objectives at all levels around the world. It has cascaded and increased risk exposure to objectives, it has increased risk exposure to IT security, physical security, morale, harassment and discrimination, fraud, bribery and corruption, and more [check out my blog on this last week: The Pandemic & the Dominos of Risk Interconnectedness. This requires us to explore intuitively complex relationships of risks to other risks and objectives. In the words of Alvin Toffler, “You can use all the quantitative data you can get, but you still have to distrust it and use your own intelligence and judgment.”
Creatively thinking about risk requires good risk models from the structured risk thinkers, but then to think outside the box on how those models break down or what they do not cover. Right-brain risk thinking involves a lot of visuals of risk and going through risk scenarios. From a risk analysis point of view, I love bow-tie risk assessments. Monte Carlo simulations and such are valuable, but they also put me to sleep. I love the mind mapping analysis of a bow-tie risk assessment to visually analyze causes and effects, come up with things that are being missed, and look for ways to mitigate, transfer, and manage that risk to an objective.
Technology enables not only the left-brain structured risk thinkers but also the right-brain creative risk thinkers. Some key things to look for in enterprise risk management technology are:
- Performance management. Any good risk management solution does not start with risk but starts with performance. What are the objectives the organization is trying to achieve and then what are the risks to those objectives? Again, these can be entity, division, department, process, project, or asset level objectives.
- Risk mapping. Can the solution enable multi-dimensional mapping or risk and objective relationships in many to many fashion?
- Risk visualization. Does the solution deliver rich risk visualizations, maps, charts, graphs, and modeling to engage both the left and right-brain risk thinkers?
- Risk quantification. Does the solution deliver structured risk analysis through things like Monte Carlo simulations that can give you solid objective information on risk probability and impact?
- Risk scenarios. Does the solution allow you to create multiple risk scenarios and document and measure multiple impacts and exposure to a risk event to look at various outcomes on different scales?
- Risk normalization and aggregation. This often gets missed. Does the solution allow for risk normalization and aggregation? What happens when one departments/projects high-risk is measurable to another departments/projects low-risk? For an enterprise risk management perspective, it is necessary to be able to compare apples to apples and not apples to oranges.
- Risk workshops. Can the solution support and deliver in-person or virtual risk workshops to analyze and work through risk scenarios collaboratively?
- Risk creativity. This last one is hard to define specifically, as it is abstract itself. Simply, how does the solution enable and engage right-brain risk thinkers to see a lot of pieces/elements of risk in different ways to identify complex outcomes and interdependencies?
What type of risk thinker are you? left-brain or right-brain? I would love to hear your thoughts on this.
BTW – as an analyst, I cover the range of GRC solutions in the market. I can always be engaged through inquiry to interact and discuss which solutions I see delivering on these and other relevant criteria fo risk management.
Upcoming Webinars . . .
The Future of Compliance: A Virtual Summit
- June 17 @ 7:00 am – 11:30 am CDT – COVID-19 has challenged companies and their compliance departments in unprecedented ways. Without your expertise as a compliance professional when it comes to the people, processes, and technology needed to ensure continued collaboration? The business ecosystem could literally break down overnight. The governance, risk and compliance community is going to lead the way out of this […]WED17
Risk Management to Support Operational Resilience
- June 17 @ 11:00 am – 12:00 pm CDT – GRC 20/20 Speaker GRC 20/20 ResearchMichael Rasmussen – The GRC Pundit @ GRC 20/20 Research, Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 27+ years of experience, Michael helps organizations improve […]THU18
Adapting to Pandemic Disruption: TPRM Lessons Learned
- June 18 @ 9:00 am – 10:00 am CDT – Now more than ever, companies rely on suppliers for key business functions. In the midst of disruption, it’s critical to have a third-party risk management (TPRM) program to pinpoint at-risk suppliers and help your organization minimize risk, all while improving business resilience. To achieve this, organizations need an integrated view across all risk domains, including […]THU18
How COVID-19 Learnings Will Shape the New Normal of Risk Management
- June 18 @ 11:00 am – 12:00 pm BST – Thursday 18th of June – 11am BST (London) / 8pm AEST (Sydney) Join Michael Rasmussen and David Tattam as they share their views on how risk management will change as a result of our very real and often sobering COVID-19 experiences. In this webinar, we’ll cover: What the “new normal” will look like for risk […]WED24
Minimize Growing Data Risks: Best Practices for Legal Leaders
- June 24 @ 12:30 am – 1:00 am CDT – In the coming months Legal Leaders will be tested with a variety of challenges around how businesses are managing their data. More remote workers means that more data is stored in the cloud. New data privacy laws (CCPA, GDPR) means additional requirements for managing data. In this upcoming webcast, hear from legal leaders like yourself […]July 2020THU30
Why Policy Management Matters
- July 30 @ 10:00 am – 11:00 am CDT – GRC 20/20 Speaker GRC 20/20 ResearchMichael Rasmussen – The GRC Pundit @ GRC 20/20 Research, Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 27+ years of experience, Michael helps organizations improve […]
I like this, the more good quality information that we have, both quantitative and contextual, the better our chance of managing risks well.