Risk Frameworks: Dynamic Processes Over Static Practices
Tony Ridley, MSc CSyP MSyI M.ISRM


Many risk management frameworks set out to provide the architecture or assurance that risk is routinely, deeply and broadly considered within an organisation.

In addition, they set out to provide the means by which risk is understood or applied.

Ironically, most risk frameworks result in the ossification of risk information, knowledge, evaluation and response.

That is, risk becomes fixed or static in nature, with risk registers and scheduled risk evaluations, attestations, audits and programmatic activities triumphing over real-world threats, challenges and demands that ultimately influence hazards, threats and therefore risk.

In other words, risk frameworks have noble intentions, but the often disparate and complex real-world framing of risk within an organisation is out of lockstep with the internal and external environments which create, shape, contain and conceal risk in all its forms.

"Organizations should ensure that the risk management process is repeated as often as necessary, to overcome the difficulty of a static snapshot of the status of the risks facing the organization. This will ensure that risk management remains a dynamic activity." (Hopkin, 2017)

[Figure: Risk Management Frameworks. 8Rs and 4Ts of Risk Management.]

Broad instructions, routinely followed, frequently updated and consistently challenged keep humans and systems informed.

Risk-informed decision making remains better aligned with this concept than voluminous, abstract, dated and complex instructions archived deep within organisational structures and fiercely protected by champions and gatekeepers.

In short, if you can’t sketch it out on the back of an envelope, and have 5 other people in your organisation provide a similar sketch on demand, then you are unlikely to have a universal risk framework. Instead, you more likely have a wildly inconsistent understanding or application of risk practices, ceremonial barriers to effective risk knowledge creation or distribution, and an inherently dangerous work culture and environment, because even though most individuals agree the practice of risk management is overly constrained, nobody speaks up or seeks improvement.

It remains, ‘the way things are done around here’.

Perhaps more importantly, a simplified, diagrammatic expression of risk aids in highlighting variables, inconsistencies, weak points and even areas of concern or failure.

That is, a risk architecture or framing within an organisation has multiple components, stages, stakeholders and highly variable business operations.

Any false belief or perception that risk is a constant production of infallible opinions, ratings or views should be quickly dispelled by looking at your actual risk scaffolding, because each and every step is prone to change by various humans, not to mention those outside your organisation or acts of natural occurrence.

In sum, your plan looks nice, but Mother Nature, criminals, bad actors, governments, regulators and even shareholders didn’t read it, don’t follow it and therefore do what they want and don’t act in accordance with the elegant plan you wrote some time in the past.

Things change, so too should your view, process and understanding of risk.

Moreover, despite all documented risk policy, procedure or practices, invisible human decision-making, trade-offs and choices are made at speed and frequently.

Therefore, work as imagined is rarely work as done. Risk managers and risk practices would be well served to remember this also.

So, the challenge for most organisations is to demonstrate their risk management process in a simplified schematic.

Moreover, the lack of a simplified scaffolding or signposting visual raises questions as to how the concept of a risk framework or procedure was designed in the first instance, let alone maintained or reviewed with any degree of consistency or foresight.

In sum, even the most complex of tasks are born from diagrammatic outlines, to ensure consistency, transferability and universal understanding of even the basics.

Risk-informed decision making is no different.

More importantly, visual representation of how risk is viewed, approached and applied within an organisation communicates much to both practitioners and those impacted.

That is, if everyone at every level shares the same understanding and approach, enterprise risk management is more likely to be more than just a buzzword or policy shared among executives and boards. Moreover, frameworks aid in keeping current, encouraging revision and infusing new information, ideas and approaches into existing systems and structures.

As a result, risk management remains agile, informative and adaptive to real-world events, threats and challenges.

Not just a document and concept scheduled according to business practices, accounting cycles or reporting obligations.

Can you identify and demonstrate the 8Rs and 4Ts in your organisation? Can others? Or, do you even have a roadmap, floor plan or architectural design for your existing approach to risk? If not, perhaps you have a new entry for your flat-footed risk register, for the next scheduled meeting or review.

Tony Ridley, MSc CSyP MSyI M.ISRM

Safety, security, risk, resilience and management sciences

Reference:

Hopkin, P. (2017) Fundamentals of Risk Management: Understanding, evaluating and implementing effective risk management, 4th ed., Kogan Page, p. 53.