Managing Uncertainty: Escalating Unknown Knowns (Part 2 of 2)
Steven Minsky | July 13, 2015
ERM Software in Action
As discussed in part 1 of this blog series, many businesses do not formally recognize their critical risk networks. Without proper acknowledgment, fundamental risks remain essentially invisible. That being said, it’s vital to create conditions that enable a useful risk management network to be formed and used across the enterprise. So, how does this “right” network of problem solvers form?
Relatively routine problems can be solved by rapidly created, temporary teams that are comprised of people from throughout an organization—not just from the specific area where the problem first occurred. This is necessary because seemingly straightforward problems can have widespread roots which require extensive institutional knowledge.
Expecting one individual to discern all information is daunting and lacks plausibility. Thankfully, due to ERM software systems, when given a sufficiently diverse portfolio of participants, companies can quickly identify the most complicated causal challenges.
Let’s take an example.
Several business processes rely on a single key asset, either physical or software. The asset’s vendor is managed by various departments: procurement, finance, vendor management, compliance, business continuity, and others.
If a news article announces an acquisition of that vendor, or worse, a security flaw found in their application, the connections between the vendor, product, and the business areas that rely on that product are rarely known by all of those different departments. As a result, the full impact of this announcement on separate users in different business silos is unknown. Ultimately, the aggregated impact is incomprehensible.
With ERM software, a built-in risk taxonomy automatically relates impacted silos, and prioritizes such an impact between silos. Furthermore, ERM software identifies each stakeholder in the process, alerts them of the change, and reports the combined threat’s impact to the appropriate level of the organization that makes decisions, allocates resources, and approves mitigation activities. Overall, ERM software tracks and reports each piece both individually and collectively until completion.
Risk management understands that informal business networks are valuable (albeit in unpredictable ways), and that they can be fostered to identify weaknesses within institutionalized procedures that trigger cyber breaches and other risk events.