The Costa Concordia, a Carnival Cruise Line-owned ship, ran aground, resulting in at least 6 deaths. This is a 4,000-passenger, 115,000-ton cruise mega-ship, with the latest and greatest technology, as it is just 5 years old. As an Enterprise Risk Management (ERM) professional, my forecast is that we will learn over the next six weeks that this is not the first near miss for the Costa Cruises organization, nor the first questionable judgment call by one of their ships’ captains. My bet is that one of the thousands of crew management has reported issues in the past and that other Carnival ships have faced similar operational risks in the past several years. The problem is each one of these issues in its silo is a one-off near miss and perhaps in isolation is not worth escalating to senior management. Put them together, however, and you see a grave systemic pattern that is likely to result in disaster that would have been preventable had the systemic pattern been detected and managed as a whole rather than as one-off incidents.
To be effective, Enterprise Risk Management must be pushed out to the front-line business process activity level where decisions are made, and information must aggregate up across silos and levels to be understood by senior management. Few organizations have their ERM programs functioning at the business process activity level. Typically, organizations interview the top management about their “risk worries” and boil things down to the “top ten risks”. Unfortunately, these top ten risks are disconnected from the everyday operating controls at the business process activity level, so these “top ten risks” continue to be unresolved. GRC programs are no better, as they focus on heavily siloed compliance, such as SOX, IT, and Internal Audit, and also do not link risk to operating controls and business metrics at the business process activity level.
The fact is that operational risk is all around us, typically most prevalent in the organization’s area of core competence. In the last year, I have blogged about oil discovery firm’s failure to manage drilling risks, leading banks’ failure to manage investment risks, power companies’ failure to manage power risks and manufacturers’ failure to manage product quality risks. I have heard risk managers say their bosses give the same answers too many times, “It won’t happen to us,” or, “Although enterprise risk management is a priority, we are not ready to take our ERM program to the business process level.” Since 89% of ERM and GRC programs fail to adequately manage operational risk at the business process activity level, this dangerous game of not moving their ERM and GRC programs forward to detect and manage operational risk at the front-line activity level is not only fraud, but also a form of “Russian roulette” with real consequences.
Due to SEC requirements passed in February 2010, the once widespread practice of “Don’t write it down” is no longer viable. Boards of directors are now liable for not having their risk management programs reach the front-line business process activity level. Now, both management and their boards of directors are liable for what they don’t know, but should have known. If you are a publicly traded company or you are a supplier to a publicly traded company, evaluate your risk management effectiveness with these five competencies:
1) Create a risk taxonomy by naming your business processes
2) Conduct a risk assessment in each of these business processes
3) Connect mitigation activities to each of the key risks in these processes
4) Connect your business metrics for each process to these mitigation activities
5) Connect your process risks to performance management strategic objectives
These are five of twenty-five requirements outlined in this complimentary risk management maturity test available online: www.rims.org/rmm. If you do not score above a “managed level” of risk management maturity, it means your organization is failing to achieve these five simple steps in a material manner at the front-line business process activity level, where it matters the most. The Costa Concordia accident was preventable, and so are the risks at your organization.