Over the weekend while traveling, I was reading Malcolm Gladwell’s Outliers, and as coincidence would have it, I hit “Chapter Seven: The Ethnic Theory of Plane Crashes,” at a cruising altitude of 30,000 feet.
The challenge with Enterprise Risk Management is quantifying how many disasters have been prevented due to its efforts. Because of this, there is still skepticism among senior management around exactly how ERM can help to prevent major operational, strategic, regulatory, and reputational disasters.
In the chapter, Gladwell examines not just plane crashes, but industrial accidents as a whole. Using the Three Mile Island meltdown as a case study, he argues that accidents are not the result of a single event, like the major mechanical failure people often fear, but are actually a series of “completely unrelated events… each of which, had it happened in isolation, would have caused no more than a hiccup in the plant’s ordinary operation.”
These are exactly the types of situations an Enterprise Risk Management Taxonomy helps to identify. A taxonomy creates a common repository of business processes, product lines, geographic regions, strategic goals and resources such as physical assets, applications, vendors, and people.
A risk taxonomy enables risk assessments, controls, tests, issues, findings, and incidents to be conducted for a variety of governance and operational reasons, together or independently, while all tying back to each other and to central components of your organization. As a result, you can identify when red flags that on their own “would cause no more than a hiccup” in operations all tie to a common area and could combine to cause a disaster.
As an example, using LogicManager’s Taxonomy, one of our customers was able to start looking at vendors holistically because vendor management, legal, finance, and the process owner could all tie their assessment of the vendor to a common source.
With changes in the economic environment, the organization re-evaluated its vendors and discovered that one vendor was weak financially and posed serious financial and operational threats. However, the vendor had extraordinary performance in a key line of business, so when this was brought to the attention of the process owner, a stalemate occurred: the alternative was to give up certainty of profit and performance in order to potentially prevent a loss event in the future.
With a common taxonomy and a risk-based approach, the information gathered in the assessment of the vendor uncovered the multiple dimensions of the problem and put all the facts on the table. The true source of the risk was identified, and a contract change provided a cost-free way to significantly mitigate the financial risk of this vendor. The organization was able to prevent a major loss event and add value by finding a way to continue using the vendor where it was most beneficial to the bottom line, while significantly mitigating the risk.