Intelligence Failures, Part II: Risk Management Is the Answer
Steven Minsky | June 15, 2006
In my last blog post I referenced the article History of Intelligence Failures, which illustrates the most spectacular military intelligence failures over the course of history. I also presented my adapted list of the 6 most important root causes of business risk failures in Looking for Risks in all the wrong places?
Jacob commented on my Blog “You mean to say all above mentioned business challenges can be handled by Enterprise Risk Management Software?” My blog post below will provide a definitive yes. Below is an outline of how Enterprise Risk Management, together with the right software, can affect the impact and/or likelihood of these failures showing up on your watch.
First of all, let’s define Enterprise Risk Management. According to the Australian Risk Standard it is “the culture, processes and structures that are directed towards realizing potential opportunities while managing adverse effects”.
Now let’s look at those 6 risk coverage vulnerabilities:
- Overestimation – A determination to overemphasize information, leading to a false conclusion. Enterprise Risk Management establishes a standard and easy-to-understand methodology to systematically identify, qualify and quantify risk. The hard part is getting started. Risk analysis software facilitates the identification and assessment process and offers three criteria, Impact, Likelihood and Effectiveness of Controls, for you to score risk in order to prioritize and balance all the aspects of risk and performance and get a more objective estimation. Establishing objective criteria is the first defense against overemphasizing information or becoming blinded by your own convictions or those of others.
- Underestimation – Business analysts or leadership completely misread a competitor’s intentions, a market event, or a regulator’s guidance or intentions. Key risk indicators help prompt thinking about how risk can affect your organization in different ways and from a variety of angles. Further, strategic key risk indicators are designed to help uncover disruptive threats that are difficult to address with traditional risk approaches. A quality ERM software package should come with a robust library of key risk indicators organized by industry, function and core process.
- Over-confidence – Bad assumptions based on our own certainty about how we would handle the situation. These embedded best-practice risk indicator libraries, together with the software framework, help us do a gap analysis of how our organization is looking at issues versus the lessons learned by peers in our industries. A framework should incorporate best practices from leading industry organizations and standards such as Standard & Poor’s, the Australian Risk Management Standard, COBIT for IT Governance and Security, COSO for Financial Controls and other frameworks.
- Complacency – Something is going to happen, though no one is sure what or when, and yet no action is taken. You do not have to take action on every risk, but you do need to quantify and measure your current risk and compare it with your thresholds of acceptable risk to decide whether to monitor, take action, or accept the risk as adequately managed. Using software to standardize the process and capture risk issues helps formalize the process and escalate issues for follow-up. Software also helps manage the workflow of assigning roles and responsibilities, as well as follow-up notifications and tracking.
- Ignorance – When there is virtually no intelligence, we are at the mercy of events. Much like with TurboTax for personal taxation, we don’t have to be experts on everything. The BCP software can prompt us for the relevant information and walk us through the process to successful compliance and even tax savings. Enterprise Risk Management software embeds best-practice risk methodology, which is all about embedding risk management in the existing culture of an organization. That means everything from the planning and analysis process, capital allocation, performance evaluation, strategic planning and internal audit to IT business continuity and security assessments.
- Failure to join the dots – Failure to make connections between bits of intelligence to make a coherent whole.
Ad hoc risk management done with home-grown tools lends itself to information being buried in spreadsheets and Word documents throughout the corporation. Often there is a dependency between a risk in one business area and a risk in another, or a compound risk of two separate but identical risks in separate areas occurring at the same time, which can be worse than either risk individually. Aggregating this information up to interactive risk dashboards and flexible reporting that can filter and present risk segmented by risk or by risk dependencies is invaluable in seeing the big picture.
Now that we have walked through the concepts, you may be interested to read a real-life company’s story in InformationWeek’s article from last month, Software makes risk management easier to swallow.
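The scoring, threshold and aggregation ideas above (the three criteria from the Overestimation point, the acceptable-risk thresholds from the Complacency point, and the cross-area dependencies from this one) as a small worked risk register. This is an added illustration, not code from the post or from any ERM product; the residual-score formula, the 1-to-5 scales, the thresholds and the sample risks are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    name: str
    area: str
    impact: int                    # 1 (negligible) .. 5 (severe); assumed scale
    likelihood: int                # 1 (rare) .. 5 (almost certain); assumed scale
    control_effectiveness: float   # 0.0 (no controls) .. 1.0 (fully mitigated)
    depends_on: list = field(default_factory=list)  # names of risks in other areas

def residual_score(r: Risk) -> float:
    # Inherent score is impact x likelihood (max 25); effective controls reduce it.
    return r.impact * r.likelihood * (1.0 - r.control_effectiveness)

def decision(score: float, accept_below: float = 4.0, act_at: float = 12.0) -> str:
    # Thresholds of acceptable risk are assumed here; each organisation sets its own.
    if score < accept_below:
        return "accept"
    return "monitor" if score < act_at else "act"

def compound_score(register: dict, name: str, seen=None) -> float:
    # A risk plus every risk it depends on, so two moderate risks in separate
    # business areas that occur together surface as one larger compound risk.
    seen = set() if seen is None else seen
    if name in seen:
        return 0.0
    seen.add(name)
    r = register[name]
    return residual_score(r) + sum(compound_score(register, d, seen) for d in r.depends_on)

def by_area(register: dict) -> dict:
    # Roll-up of residual risk per business area, as a dashboard would present it.
    totals: dict = {}
    for r in register.values():
        totals[r.area] = totals.get(r.area, 0.0) + residual_score(r)
    return totals

# Constructed sample register: three risks across three business areas.
REGISTER = {r.name: r for r in [
    Risk("vendor outage", "IT", impact=4, likelihood=3, control_effectiveness=0.5),
    Risk("single-supplier contract", "Procurement", impact=3, likelihood=4,
         control_effectiveness=0.0, depends_on=["vendor outage"]),
    Risk("payroll error", "Finance", impact=2, likelihood=2, control_effectiveness=0.75),
]}

if __name__ == "__main__":
    for name, r in REGISTER.items():
        print(f"{name:26} residual={residual_score(r):5.2f} -> {decision(residual_score(r))}")
    print("compound (single-supplier contract):", compound_score(REGISTER, "single-supplier contract"))
    print("by area:", by_area(REGISTER))
```

Run on the sample register, the supplier risk alone scores 12.0 (act) but 18.0 once its dependency on the IT vendor outage is followed, which is the kind of connection that stays hidden when each area keeps its own spreadsheet.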