Building a Resilient Organisation
eBook - ePub

Building a Resilient Organisation

The Design of Risk-Based Reasoning Chains in Large Distributed Systems

  1. 404 pages
  2. English
  3. ePUB (mobile friendly)
About this book

In this book, John Arthur and Louise Moody introduce the concept of the reasoning chain, a new approach to risk-based reasoning systems in large, complex and distributed organisations. Arguing that large, complex and distributed organisations are particularly focussed on a triple-helix of chain metaphors – supply, value and reputation chains – the authors propose that there is overwhelming evidence that the accepted approaches to risk and resilience do not complement this architecture. This is extremely problematic because risk and resilience constructs have been formally and informally regulated for these industries.

The Reasoning Chain proposes and illustrates a holistic solution to the problems thrown up by existing norms. It is proposed that the reasoning chain be intentionally designed on an equal footing with supply, value and reputation; a quadruple helix. Through challenge of best practice, an argument unfolds to outline the novel approach for risk-based resilience reasoning in large distributed organisations, illustrated through a series of case studies and guidance to implementation.

This book is an accessible and valuable resource for risk managers and decision makers responsible for complex business decisions.

Information

Publisher: Routledge
Year: 2018
Print ISBN: 9781472482358
eBook ISBN: 9781317065197

PART 1

A journey of design

CHAPTER 1

Introduction – landscape and journey

This book has been written to take you, the readers, on a journey of design. This is a journey which has itself been designed to critically examine two of the most important performance-shaping disciplines for modern business: those of risk management and organisational resilience. As the journey we set out traverses their varied and often quite challenging landscapes we will find ourselves constantly crossing the hidden valley which joins these two disciplines with a third – that of human reasoning.
You should know from the outset that this is not a journey which attempts to introduce new fads or denigrate existing hard-working systems or groups. Rather, it is one which seeks to examine, at the DNA level, the integrity of the decision-making processes found in relation to risk and resilience in the complex and dispersed systems of modern large distributed organisations. This is a DNA which we will come to argue ought to be made up in equal parts from operational logic, organisational psychology and statistical technique.
As we go, we will examine how typical governance, process design, operational success (and failure) factors, measurement approaches and management systems are not, on the whole, designed with these three (performance-shaping) elements in mind. Rather, they are almost always typified by powerful trade-offs based around, just to mention three: the complicated allocation of responsibility for risk and resilience in any business; their perception as credible disciplines to add business value; and the appetite for complexity of the organisation to deliver systems in support of them.
These and other trade-offs, we will argue, are the decisions which, under scrutiny, can be shown to dramatically weaken the value proposition for mainstream risk management and operational resilience. In some cases, they can even turn this into a negative proposition.

NATIVE FORMS OF RISK REASONING – SOME EXAMPLES

Imagine, if you will, just the following six scenarios:

SCENARIO 1: TRANSFORMATION

In a major transformation project for your business the team is tasked with coming up with a formal risk register. Using a group brainstorming exercise, a large list of potential risks is drawn up. Next these are transferred onto post-it pads and, again in a group exercise, the post-it pads are positioned on a makeshift Cartesian graph hand-drawn on a flip-chart. This graph has been split into four equal-sized quadrants. Its two axes are labelled, the first probability and the second impact. The risk events which position high on both axes are considered the priorities. This information is later transferred to a spreadsheet where actions are added and responsible persons identified. This spreadsheet is reviewed at each subsequent project meeting (if there is time).

SCENARIO 2: ENTERPRISE RISK MANAGEMENT

Your Corporate Risk Department has contacted your department requesting a contribution to its Enterprise Risk Management exercise. You have been allocated as the responsible person for: “Availability of production – ensuring a responsive, resilient, continuous and profitable operation”. You are required to fill in a template which they have designed asking you for the following data:
  - risk attitude;
  - risk appetite;
  - key activities;
  - key performance indicators (including metrics and targets).

SCENARIO 3: BUSINESS CONTINUITY MANAGEMENT

The team responsible for Business Continuity Management has identified your function as business critical. In consequence they have asked you to use their template to provide a detailed business continuity risk assessment and mitigation plan. This must outline how you will ensure continued operation of your unit in the event of the loss of the use of the building. This is to include the steps you have taken to ensure:
  - continuity of business;
  - protection of staff;
  - protection of reputation;
  - protection of shareholder value;
  - acceleration of effective decision making during serious incident or crisis.

SCENARIO 4: CYBER-RISK

The new team tasked with cyber-security in your organisation is drafting a cyber resilience strategy. They have contacted your team to inform them that all staff are required to sign off compliance with a newly drafted digital and computer hygiene policy. Furthermore, they want you to provide evidence that all staff have completed a basic on-line training package on cyber-security.

SCENARIO 5: EMERGENCY AND DISASTER RECOVERY

Following a recent corporate audit policy review your division has scored a level 2. This means that improvements are required. The Chief Operating Officer has therefore tasked you with an immediate update of:
  - the Emergency Response Plan for your facility;
  - the Disaster Recovery Plan for the IT hub you are responsible for;
  - the Avian Flu Pandemic Preparedness Plan for your international team.

SCENARIO 6: SUPPLY CHAIN ANTI-CORRUPTION

As global Supply Chain Director for your organisation you have been tasked by the Corporate Secretaries Department to conduct a risk assessment exercise. This is to focus on the organisation’s ability to satisfy OECD guidelines on: “Ensuring integrity and transparency in the international economy … in particular in such areas as transparency and anti-corruption.”

THE NEED FOR A JOURNEY OF DESIGN

Why would you want to come on a journey of design which seeks to examine the integrity of the strategic and tactical decision making processes found in relation to risk and resilience in large, complex and dispersed systems? Well, these six scenarios will be familiar to a greater or lesser degree to anyone working in such an organisation. Each exemplifies ways in which the current industry standard approaches to risk and resilience, when viewed back to back like this, may be considered somewhat less than coherent.
More than this, much of the applied reasoning found within the processes which surround these typical, and very different, approaches to risk can be shown to be fallacious. Chiefly this is because such reasoning is constrained, almost from the outset, by a competing set of desires which are: coming from fundamentally different processes; requiring wholly different data types; supporting a completely different narrative for different parts of the business; and addressing wholly separate internal and external audiences.
The time and workload pressures alone these combined processes create for a large business build up natural constraints which tend to resist them. These amass to prejudice expedient, unsophisticated risk systems with a low tolerance for complexity. These are just some of the reasons which will predict a failure of these systems to add value and indeed a potential for these systems to strip it out. This is not least just in an inappropriate channelling of resource.

FACTORS WHICH SHAPE EXPECTATION

Resistance and expedience conspire in the face of a larger frustration still. The need for these plural forms of risk and resilience systems, like those shown above, has become a given in today’s industry. Performance in this area, in a variety of guises, is therefore expected to be reported. That expectation may even, in certain quarters, be a regulatory requirement of the licence to operate. Perhaps because of that regulatory context, organisations often become heavily committed to a narrative of demonstrating outward compliance with policy and/or industry standard. This is rather than analysing the operational effectiveness and value creation potential of risk and resilience systems for their own particular context(s).
This is a state of affairs not helped by the fact that both internal and external audit processes will tend to reinforce the expedience of measuring episodic performance indicators over measuring long-term business performance itself – a situation which is not helped by the shifting tides of British, European and International Standards. These are constantly co-evolving alongside a rather more robust kind of marketplace application of the concepts of risk and resilience by those tasked, but not necessarily formally equipped, to deliver them.
To all of these challenges you have to add two other observable performance factors. First, the professionalisation of the risk and resilience disciplines remains falteringly slow. The person given management responsibility to deliver a monitoring system in these areas is usually a manager of a different expertise who may have many other roles. This explains why it is easily observable that the design of systems remains so derivative. It tends to rest on the received wisdoms of accepted long-term practices, rather than benefitting from the many decades of formal research evidence on this subject.
Second, and lastly for now, it is important to note in consequence that many practice enablers, such as policy, processes and tools, can be shown to contain significant flaws. These continue to enshrine failures of logic and of definition, prominent reasoning pathologies and suboptimal, or even completely invalid, approaches to measurement and therefore deduction. This is a state of affairs which may, in private, be attested to by their responsible agents. However, it is justified by a cardinal set of fears around available time and tolerance for complexity.
Seen as a whole problem set, rather than traded off in private isolation against the wider aims of any given set of business priorities at any time, we would argue that these and other factors strain the strategic credibility of most risk and resilience systems well past breaking point. The received wisdom might be that such lowered strategic credibility will leave organisations more exposed to threats, crises and reputation losses. However, we argue that organisations are simply being rendered less effective in meeting their primary business objectives.
The solution to all of these challenges is a journey of design. One that tries to critically re-establish, perhaps from first principles for some, the purpose and the utility of risk and resilience reasoning for complex industries. A journey that suggests how risk and resilience systems might be purposely designed to deliver context-specific and strategically effective business value as a primary objective and compliance and reassurance as a side effect.

A MAP FOR OUR JOURNEY

So, as this book has been written to take you on that journey of design – to critically examine risk management and organisational resilience – we may benefit from stopping a moment to look at the map. The book will be split into four roughly equal parts as follows:

PART 1: ON RISK-BASED

Part 1 begins by examining how risk is currently constructed in industry (Chapter 2). Risk, we shall see from these arguments, cannot be thought of as having any agreed single definition. Its definition is therefore a case of choosing to speak of it by making a range of appropriate selections from the available dialects – for example, by comparing the language of ethics and diligence with the language of pragmatic events.
Continuing this discussion (Chapter 3), we examine some of the key design features that would enhance the definition and application of the risk construct in general. What becomes clear is that several critical reasoning problems stand in the way of the utility of the current end product – for example, the semantics of which risk terminology (agreed or otherwise) to apply and the use of measurement science to quantify business materiality. Negotiating these challenges early, and somewhat head-on, clears the space to talk about how a risk system might be designed and used.
To begin addressing some of the challenges raised by these early chapters, a detailed case study (Chapter 4) examines one applied solution which tackled them. This is a comprehensive risk methodology designed in a fast-moving consumer goods company. This chapter goes on to examine the benefit of accepting an appropriately complex formulation of risk. This is in order to reason effectively about the performance-shaping factors of its strategic decisions and business outcomes.
It is the (very thorny) issue – of the meaning of probability within the risk constr...

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Table of Contents
  6. List of figures
  7. Preface
  8. Part 1 A Journey of Design
  9. Part 2 Risk-Based Resilience
  10. Part 3 Deeper Into Systems
  11. Part 4 Risk-Based Resilience Reasoning Chain
  12. Appendix 1
  13. Appendix 2
  14. Appendix 3
  15. Appendix 4
  16. Index
