“The art of being wise is the art of knowing what not to overlook.”
William James, psychologist and philosopher
When it comes to risk, having too much information can be confusing. Knowing how to cope with the overload helps to create order in an otherwise complex environment.
It is for this reason that I like to keep the function of risk management as simple as possible. In so doing, it helps to pinpoint how the value of managing risk can be proven.
Sure, in some environments, it’s very complicated. Still, there is software to deal with that. Unfortunately, most of it has been developed based on a traditional model known as the objectivist or frequentist view. Such models are typically applied for complex financial risks, economic predictions or environmental forecasts.
In day-to-day business operations, such complex software is not needed half as much as common sense, good judgement, and a more modern approach.
For our purpose today, let’s look at a different approach for managing Operational Risks, referred to as ORM.
I’ve had much pushback on this!
Many senior managers and executives will say they prefer to manage risk in an ‘ad hoc’ manner. May a higher power be on their side when a crisis strikes.
Anything ad hoc in risk management is immature, inconsistent, and adds no value; in fact, it is costly.
I teach ‘newbies’ who are just learning risk management through a simple illustration known as the Bow Tie Model. See below.
Of course, there are several practical tools that support the initial learning.
Graphically, this is a simplified method for identifying how and where the various parts of risk management come into play.
The main reason for this illustration is to make a clear distinction between risk management and problem-solving. This is important!
Surprisingly, this is news for some.
Often, I see a risk register (and I look at dozens every year) that appears to be confused. Why?
Because . . . .
Problems show up as risks on the register without any supporting scenario of how they could become future risk events. This implies that an assessment or analysis of the stated risk is entirely incomplete or not even attempted in any sort of structured process.
This is not helpful!
Some Operational Risks are significant enough that they capture Board and C-suite attention, yet boards and executives still accept such reports.
There have been no fewer than five industry sectors that have been subject to severe scrutiny over their Operational Risk Management practices, or lack of them.
Published studies, reports and inquiries reveal that there is still a long way to go to achieve a consistent and reliable approach.
- In mining, Vale’s Brumadinho Dam Collapse in 2019 highlighted poor ORM practices, including inadequate monitoring and failure to act on known risks. This led to catastrophic failure, significant loss of life and environmental damage.
- In healthcare, the Mid Staffordshire NHS Foundation Trust Public Inquiry in 2013 revealed systemic failings in patient care and highlighted a culture of neglect and poor management oversight, leading to numerous preventable deaths.
- In IT, the U.S. House Oversight and Government Reform Committee pointed out multiple operational failures, such as failure to patch a known security vulnerability and inadequate incident response protocols that led to the Equifax Data Breach in 2017.
- My own experience with failures in ORM is tied to the financial services sector. I was present in a meeting with a major funding agency in the United States prior to the housing crash. The suggestion that failed ORM processes contribute to a financial crisis was dismissed out of hand. Several reports have since confirmed that indicators of failing ORM processes led to the crisis. Consequently, the agency was placed into conservatorship, where it remains today.
While ORM focuses on manageable internal risks, managers must be aware of external factors that could impact their operations.
This means having not only awareness, but a high level of preparedness and responsiveness should a shift occur due to a sudden change in external factors.
Thus, the managers’ prime responsibility is to maintain the conditions that allow them some control in a dynamic environment that is often uncertain.
This means: always be asking questions.
As Peter Drucker often said –
“The truly dangerous thing is asking the wrong questions”.
Asking good questions is like the backbone that supports the success of every job. Just as a well-built foundation is essential to erecting a sturdy building, integrating risk questions into daily activities is crucial for creating stability, agility and resilience in the workplace.
What questions are you asking about the gaps, patterns and barriers that are hindering your best efforts to manage operational risks?
We have a process that will help you with that.