Risk, Security, Safety and Resilience Newsletter - Week of 8 Dec 22
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 8 Dec 22.
Key themes for this week include:
---------------------------
Risk as an expression is an explosion of variable definitions, understanding, disciplines and comprehension.
Notwithstanding, risk as a concept varies across cultures, time, memory and how it is perceived.
As a result, basic consideration and understanding of risk variables are required by individuals, organisations and governments.
That is, no two risks are directly comparable unless units of analysis, methodology and scales of construction are adequately applied and disclosed, including the people interviewed, affected, conducting the analysis or for whom the assessment was created in the first instance.
For example, how risk is perceived by a person or group frequently depends upon the level of dread associated with both the threat and the likely outcome.
In other words, fear of a horrible, disfiguring death and mutilation makes some people and communities far more apprehensive about hazards, threats or danger than, say, a researcher half a world away who is objective, more knowledgeable on the subject or not directly affected.
Conflating these two perspectives obfuscates fear, cognition, perception and risk simultaneously.
"The value of the #risk assessment and management, then, stands on the quality of the methodologies and approaches adopted, and on the strength of the knowledge (K) on which these are built. Whereas procedures of quality assurance have been developed for the former, how to deal with the latter – knowledge K – is still an open issue and a research challenge in #risk assessment and management. How should it be described and evaluated in the risk assessment? How should it be reflected and taken into account in the decision‐making process of #riskmanagement? This book aims to make some contributions to clarifying the problem, answering some of the questions and meeting the related practical challenges." - Aven, T., & Zio, E. (Eds.). (2018). Knowledge in risk assessment and management. John Wiley & Sons, p.ix
"#Riskmanagement is essential in today’s volatile economy. And yet many of the very financial firms that took such dangerous #risks before the financial #crisis had some of the most sophisticated risk-management operations around. What’s more, some of the very few financial companies that had been praised for their deft risk management before the financial crisis have since gone on to make major errors. One dramatic example is JPMorgan Chase, which suffered a trading loss of $2 billion in 2012 due to trades that its CEO Jamie Dimon has termed “flawed, complex, poorly reviewed, poorly executed, and poorly monitored.”
We worry that in their headlong embrace of formal systems of risk management, many companies are making the same mistakes that companies in the financial sector made. Put simply, they are pursuing a highly technical approach to risk management—characterized by complex financial models and elaborate, formal risk-management systems—in isolation from the day-to-day activities of the broader organization. The result, as was the case at many banks, is that risk management may exist as a formal function, but it is not really embedded in the “mindset” of the broader organization and, therefore, is not shaping behavior and informing decision making."
Assessment and analysis of safety, security and risk are routinely celebrations of knowledge and confidence, often lacking adequate consideration, disclosure or understanding of what is not known.
In other words, every person, organisation and government is limited in the knowledge they have access to, retain or apply in any situation, including safety, security and risk.
Therefore, a failure to consider or evaluate both knowledge and that which is not yet known, forgotten, invisible or otherwise concealed, results in incomplete and inherently dangerous safety, security and risk assessments upon which to base lives, business decisions or investments.
"Ignorance" is an ugly, offensive and polarising word for most.
Ironically, the cognitive dissonance that accompanies ignorance routinely demonstrates the individual or collective 'pain' at considering the very real possibility they are wrong, incompletely informed or just limited in what they 'know'.
However, ignorance means many more things than just what most people associate with uneducated, stupid or foolish, including degrees of confidence and false assurance.
"The #risk identification phase seeks to create a comprehensive list of events that may prevent, degrade or delay the achievement of the businesses objectives. Comprehensive identification is critical because a #risk that is not identified at this stage will not be included in the #riskanalysis phase."
"...if the event is unique, that is, there are no comparable events known, then the probability estimate itself is likely to be nothing but a wild guess that may suggest precision where, in fact, uncertainty reigns."
- Gigerenzer, G. (2015). Calculated risks: How to know when numbers deceive you. Simon and Schuster. p.33
"Increasing complexity due to industry changes, globalization, and shifts in technology and business cycles can produce more #risks related to #strategy than ever before. By establishing a close link between a company’s strategic planning and #riskmanagement processes, management can help ensure that new strategic initiatives are connected to appropriate risk mitigation strategies, that changes in the company’s strategic direction are accompanied by timely assessment of new or emerging risks, and that the company is better prepared to identify risk-related competitive advantages."
Expressions of risk, resilience and guidance on urgent business actions such as crisis routinely show a dearth of specific organisational contexts or characteristics.
That is, risk and resilience are neither neutral nor universal across all types of organisations and typologies, meaning that crisis or any other extraordinary ‘call to action’ must be planned, considered and actioned within the context in which the organisation exists.
Moreover, threats and crises that impact multiple organisations, industries and geographies must also consider a multitude of organisational constructs, typologies and characteristics.
Not to mention that most large, contemporary organisations, like culture, may exhibit and demonstrate more than one version of these typologies at any one time, creating further complexity, tension and friction.
For example, relatively ‘simple’ organisational structures delivering highly regulated, controlled and consistent services in relatively ‘stable’ environments produce what is considered a machine bureaucracy. Same thing, over and over with a high degree of reliable or expected consistency. Years of policy and procedures, routine delivery and scheduled refreshment of talent and processes. “This is how things are done around here, and there is little latitude for variance” type cultures.
Paradoxically, responding to new threats, sizeable crises and matters of novel disaster/catastrophe leaves them flat-footed, with limited skill, experience or talent to manage or support an agile response. Such organisations include many emergency services and law enforcement/military services, due to the constrained, repetitive nature of what is delivered and expected. In short, not the pinnacle of agility and dynamism.
"In twenty-first century businesses, it’s not uncommon to find diverse teams of internal auditors, #enterpriseriskmanagement specialists, compliance officers, internal control specialists, quality inspectors, #fraud investigators, and other #risk and #control professionals working together to help their organizations manage risk. Each of these specialties has a unique perspective and specific skills that can be invaluable to the organizations they serve, but because duties related to risk management and control are increasingly being split across multiple departments and divisions, duties must be coordinated carefully to assure that risk and control processes operate as intended."
"When performance metrics discourage #risk they inadvertently promote stagnation."
- Muller, J. Z. (2019). The tyranny of metrics. Princeton University Press. p.171
"There are some interesting lessons here about the varied nature of #EnterpriseRiskManagement (#ERM) functions in these global corporations, most obviously that there is as yet no accepted view on the mission, scope and ultimately, value, of ERM. However at the same time there appears to be growing take-up of ERM-led approaches like encouraging healthy risk cultures, training and supply chain initiatives. This is a clear challenge that reinforces our determination to spread good practice and help organisations build competency to manage their #risks effectively."
Expectations and demands of 'service continuity' remain a complex interplay between contributing factors such as risk, resilience, crisis, security and management.
That is, distinct from the introspective, dispassionate concepts of 'business as usual' (BAU), service continuity remains customer/client centric, viewing the need to keep services and supply maintained... regardless of what is happening or how you would typically/routinely conduct business. Especially when there is nothing 'usual' about what is occurring, has happened or is required to change.
In other words, BAU is about you and your business, when customers/consumers don't really care. The priority is on what the customer/consumer needs...service, hence the emphasis on continuity in the wake of delay, disruptions, risk, etc.
"Service continuity, as a concept, emphasises that organisational assets, soft and hard, remains to the end of satisfying customers and maintaining the explicit and implicit service level agreement between supplier and client." - (Elliot, et al., 2010)
The question for most traditional business continuity plans/management strategies is... what about service?
"The Model enhances understanding of #riskmanagement and control by clarifying roles and duties. Its underlying premise is that, under the oversight and direction of senior management and the board of directors, three separate groups (or lines of defense) within the organization are necessary for effective management of #risk and control. The responsibilities of each of the groups (or “lines”) are:
1. Own and manage risk and control (front line operating management).
2. Monitor risk and control in support of management (risk, control, and compliance functions put in place by management).
3. Provide independent assurance to the board and senior management concerning the effectiveness of management of risk and control (internal audit)."
"The politics of #healthrisk gives rise to debate over the definition, bounds and meaning of human vulnerability, and in recent years this matter has been brought to the fore across a number of fields of interest. Most notably it features in development and disaster studies as a means to draw critical debate towards the plight of the most materially and institutionally disadvantaged groups in developing societies. In these domains, it is often the case that reference to people’s ‘vulnerability’ takes place as writers work to criticise technocratic approaches to #risk and #disastermanagement that overlook the involvement of state policy and capital interests in the on-set of disaster. Accordingly, by highlighting the ways in which populations are made ‘vulnerable’ to experience harms, either challenges are brought to the ways in which the causes of disasters are officially identified (i.e. as discrete events that ‘strike’ from ‘outside’ the normal workings of the status quo) or, rather, increased levels of vulnerability are identified as the unintended consequence of managerial policy."
- Petersen, A. & Wilkinson, I. (2007) Health, risk and vulnerability: An introduction. In Petersen, A. & Wilkinson, I. (eds) Health, risk and vulnerability. Routledge. p.2
"The purpose of this framework is to; 1) define #riskmanagement; 2) outline the department’s risk management plan (Appendix 3); 3) describe the approach to managing risks based on AS/NZS ISO 31000 principles; 4) outline guidance on the risk management process with a detailed context (Appendix 4); 5) outline roles and responsibilities for risk management within the department; and 6) explain the risk management recording and reporting requirements within the department"
Pursuit of managing risk/s associated with people is plagued by numerical values and calculations that inadequately capture or consider human factors, natural variances and the full spectrum of hazards, threats, harm and ultimately matters considered as 'risk'.
In other words, people risk management practices predominately seek to convert select information, behaviours and historical events into future, numerical risk models that serve very few and lack even rudimentary risk sciences inclusions.
This includes people risk management practices undertaken in the name of security and safety.
These oversights and fallacies are most apparent where 'value' or 'worth' are not individually considered in the model or practice.
That is, everyone within the system is value-neutral or identical.
Whereas in real life and practice, individuals contribute, generate and represent differing values, costs and productivity.
Put another way, the asset utility value of individuals remains an essential element of risk consideration; therefore, when it is absent, the model is flawed.
"The purpose of this thought paper is to help management develop effective key risk indicators (KRIs) to heighten board and management enterprise risk awareness in order to increase the effectiveness of an ERM process and improve the execution of an organization’s strategy."
There is an overwhelming, persistent pursuit with all matters related to 'risk' to invent the next 'big thing'. Not only is the rate of manufacture staggering, but the rigour and research that goes into these expressions, buzzwords or neologisms are all but non-existent.
That is, a new term, concept or 'model' associated with 'risk' becomes normative and demanded by organisations, industries and even professions, with little or no questioning of the validity, efficacy and origins of the concept or that of the originator.
Especially where an industry, organisation or practice is seeking to reinvent itself after recent, prolonged or public failure(s). Governance, Risk & Compliance (GRC) is just such an invented, disparate and often 'forced' confluence of considerably different functions, skills, expertise and focus.
"The acronym GRC was?created?by OCEG (originally called the "Open Compliance and Ethics Group") as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance"
Source: OCEG
GRC made its first 'academic' appearance in a journal in 2007, where the author/originator held an advisory position at the same journal—essentially relegating functions and practices related to 'risk' to that of a consolidated, back office function, or similar to that of a BPO. Where the expression was picked up, popularised and 'endorsed' by various multinationals as the definitive solution for risk management across physical and digital jurisdictions.
"#Risk and #riskperception are important concepts for rural policy and research. In recent years discussion of risk has increasingly focused on possible bad outcomes moving away from a traditional sense of risk taking as a potentially positive activity. Understanding how stakeholders and the broader community perceive risk can assist policy makers in developing better policy and more effective means for communicating government policies and programs in areas involving #riskmanagement."
Forecasts abound when it comes to security, risk and resilience. That is, there seems to be a new universal safety, security, risk or resilience forecast every day or so.
However, have you noticed the lack of universal process and measurement, the vastly differing inputs, and the lack of disclosure on methods, prior accuracy and author bias, competencies or qualifications?
In other words, not all forecasts are created equal, nor should they be consumed or relied upon equally either.
Moreover, for any reasonable, professional forecast, regardless of the domain (safety, security, risk or resilience), the forecast, methods and findings are all measurable, whether for accuracy, completeness, context or errors.
"...a simpler system might be better. Avoid pseudoaccuracy when the data are too patchy to allow for sophisticated statistical analysis. Instead of creating a complex analytical system, focus on facilitating the engagement of the organization with key #risks through simple and accessible analyses. Encourage plausibility checks of underlying assumptions. Avoid generating output that serves only to distract the organization from arriving at conclusions and taking action. The appropriate level of complexity will be company specific and will depend on the industry, business model, availability of data, level of experience, and mandatory legal requirements. Banks, for example, can rely on massive amounts of data for complex statistical analysis. They also have long-term experience in interpreting complex metrics. What’s more, they are legally obligated to have detailed #riskmanagement systems in place. But many other industries are not in this situation."
Vast volumes of books and articles have been written on the subject of leadership, much of it from the perspective of a single individual or observational summaries of those watching others lead, curated to the point where authors speak about select individuals and contexts.
Very few offer empirical comparisons or structures upon which to make consistent comparisons and analysis of leadership from one context to another, especially in the realm of security risk management or during times of crisis, emergency or extreme situations.
Not surprisingly, select military studies of leadership in specific contexts have established broad leadership in extreme contexts typologies to better evaluate and compare leadership.
Moreover, this evaluation framework offers signposting for others to follow and compare leadership during both routine and extreme circumstances.
The most notable consideration for leadership in extreme contexts is that of life or death situations.
---------------------------
Risk, Safety, Security, Resilience & Management Sciences