Risks must be perceived as uncertain events that will impact objectives that will, in turn, create variations in outcomes relative to the objectives. With high expectations on all fronts these days, the risk of not achieving those objectives must be managed to an acceptable level.
That means there is a very real need to assess, manage and report on risks for the benefit of the entity, investors, and other stakeholders. For public companies, risk management drives the controls that are put in place and the type of auditing performed.
Obviously, the objective any business is to make money. At the same time, there is a pressing need to adopt efficient and well-thought-out risk assessment and management practices due to regulatory compliance and other drivers. We also will see how trading partners that make up a value chain, or participate in some way within your business ecosystem, need to contend with ''risk chains'' -- complex interrelationships between risks within a definitive enterprise value chain.
If we focus on profits, the earning numbers expected by investors must be met. Wild swings created by unmanaged risks and subsequent variation are unacceptable because those same investors don't like losing money. Investors desire and reward consistency and this necessitates risk management.
With today's lean organizations, complex systems and dynamic environmental factors, the risk management methodologies and systems must evolve quickly. They must move past the current enterprise view and extend into the ecosystem of entities that the company participates in. In the same way that manufacturing and business realized that optimization required refining supply chain operations, entities must extend their risk management practices into the value chain and create managed risk chains wherein a given risk chain is the combination of entities that are coupled together to achieve common objectives.
As a result, these firms have a vested interest to systematically address risk at a level that minimizes impact to the constituents.
Despite the recent hype, outsourcing has been around for a very long time and has had many names. The fact of the matter is that one organization solicits products and services from another that specializes in delivering what is needed. This diversity creates power through specialization and economies of scale. The reliance on a given vendor, or vendors, can result in tight coupling that creates vulnerabilities.
For instance, if a company sole-sources and the vendor goes down, the consequences can be dire. IT organizations, for instance, that may have overlapping vendors or causal relationships can have vulnerabilities that can negatively impact, if not outright cripple, the IT service delivery -- especially as traditional buffers are removed.
A Complex Chain
In fact, the ''IT value chain'' is particularly complex as it is composed of webs of interlinked chains with shared risks moving within and between IT value chains in unexpected ways. Because each firm in the chain is unique, it has different risks. But due to the integration, certain risks can impact the whole IT value chain.
The automotive industry provides a rich example wherein the top tier buyers in a supply chain extend many layers deep. In such a system with tight lead times, risks can impact multiple tiers when they trigger. A negative event several layers down can snowball and potentially halt production at the top. If that top-level production is halted and the component demand is affected, then all firms in the chain are negatively impacted.
However, if the organizations shared their risk data and mitigation ideas, a rich set of mitigation strategies would naturally merge due to diversity in perspectives and resources. The idea would be to proactively reduce the likelihood of work stoppages and have plans in place to reduce the impacts of identified risks through improved resiliency.
The first step is to logically review the feasibility of managing large distributed hierarchical risk models.
Currently, most companies are using ordinal-based risk assessment scales known as Likert Scales. The Likert rank-based approach is fine for determining relative order, but is not mathematically capable of determining the interval between the risks.
The Likert method would not achieve satisfactory results in a chain where there can be wide changes in orders of magnitude. For example, Ford or GM may measure risks in millions of dollars, whereas a small supplier may be concerned about thousands of dollars. Moreover, it is always interesting to contemplate that the delivery of a good that costs thousands of dollars can be halted for want of a part that costs less than a nickel -- say an emissions or safety sticker or specialized nylon fasteners.
In large-scale distributed risk models, what is needed is a ratio number based risk assessment approach. Companies are not generally familiar with the use of ratio-based numbers. This is the de facto standard methodology for complex risk assessment. It can be used to synthesize both hard quantifiable data with non-quantifiable data, which is always a part of the process as is the generation of a mathematically valid ''risk-adjusted cost:benefit analyses''.
In fact, this ability to blend ratios with ''gut feel'' information is critical to build highly effective risk models in the real world.
Very few risk assessment tools support an extensible ratio- and rule-based risk assessment approach. One that does is RuleSphere's Decision Factor system, which enables companies to create portfolios of risks that can be compared and assessed across business entities due to the use of ratio-based numbers. Companies can employ any best-practice risk-assessment framework, such as COSO ERM, to ensure that their risk chain assessment coverage is appropriate for their circumstances. The ability to define business rules for the resource allocation phase is particularly helpful so your organization can properly fund dollars and FTE's to the risk remediation project. RuleSphere's solution meets the need to manage complex risk chains as a portfolio of risks and risk remediation projects that the COSO ERM framework espouses.
Finding a Common Language
For enterprise risk management teams to effectively collaborate, both within and across organizations, all participants need a common risk management language. Teams cannot manage anything if they cannot effectively communicate. A common language will facilitate sharing of best practices, expedite the handling of risks, and ensure that there is mutual understanding on the concepts being discussed.
With a common language in place, to realistically manage the torrent of data that will be generated, companies must invest in collaborative software systems that will help the virtual teams not only assess the risk chains, such as credit, capital, supply, design, etc... but to also allow for the proper management throughout the life-cycle of the risks, the use of best-practice frameworks, and the risk assessment and migration processes themselves. By assigning responsibilities carefully, a company can ensure that any complex risk chain is comprehensively assessed and managed. Next, an integrated common reporting mechanism is required. Perhaps the XBRL (eXtensible Business Reporting Language) will support some future aspect, such as an Extensible Risk Reporting Language (XRRL), not yet in existence, or leverage some other XML schema.
Once risks are being appropriately managed, then a company can start down the path of automating internal controls so the highest risks can be monitored and/or mitigated via straight through processing (STP) approaches. STP leverages automated business rules and processes to manage the ''heavy lifting'' of parsing; aggregating; translating; alerting participants in the risk chain with various event triggers; notifications, or by firing business rules that will help legacy systems cope with newly available risk chain information.
The goal is not only to identify and manage risks before they happen but to move further and reduce the recovery time, improve the efficiency and timeliness of responses and increase the overall resiliency of the organization and risk chain.
In the integrated world of today, with its increased complexity and tight coupling, the need to manage risks is great. To do this effectively, risk models must move beyond the organization into the webs of risk chains that make up the ecosystem within which the firm participates. Firms that adopt distributed risk management models will be able to more predictably achieve goals while better managing resources.