Today's post covers two of my pet subjects: risk management and personal productivity. Rather, I apply some ideas which I've become aware of reading personal productivity literature to risk management. This is an iteration of a 2009 article, but with significant changes.
The missing risk management levels
I've recently reread COSO ERM front to back, to make sure I was fully familiar with all aspects which I either had forgotten or had subjectively reinterpreted after spending a lot of time thinking about and working with ISO 31000.
While both methodologies touch the issue of roles and responsibilities, the very pragmatic key question of what to do at what level and with which frequency always seemed to be just out of reach. It was never quite explicitly covered. And that bothered me.
When "Making it all work" started to make sense
Now, in the realm of personal productivity there is an entire movement around GTD, or Getting Things Done, which was developed by David Allen. He followed up on his initial book which is (unsurprisingly) titled "Getting Things Done" with a new book, "Making it all work" where he revisits the concept and further details and explains it. When I was reading the book, all of a sudden some of what he was writing was not only making sense in the context of personal productivity, but actually became the basis for the answer to the question I had been wrestling with for a long time … what risk management focus to apply at what level, by whom and with what frequency.
The risk management horizons
I see risk management now as a set of risk focused activities at several different levels, with different areas of focus and different frequencies, all interacting together, as follows:
The first horizon - Activity Based Risk Management
We practice very concrete, very operational risk management quite naturally every waking moment of the day. These risk management activities occur almost intuitively in our day-to-day activities. They involve very practical aspects such as “Did I make sure I put a lid on that saucer?” or “Did I make sure that person gave me all the required documents to process?”
While the process is mostly intuitive and very ubiquitous, we become aware of it when things go awry, such as situations where responsibility transfers go wrong, or when people trained for a task without understanding the purpose of the task need to deal with exceptions.
Applying all aspects of formal, COSO ERM or ISO 31000 conformant risk management in this context means working below the traditional operational risk management level, which I discuss further below. I've called this level of risk management Activity Based Risk Management. It occurs at the level of the individual activity or even at the level of individual process steps. If we make sure we do not overburden the process of risk management at this level, using a light risk assessment, reporting and treatment approach can be very beneficial to optimizing the results of these individual activities.
The second horizon – Project and Process Risk Management (or Operational Risk Management)
Most of us risk management nerds are familiar with this level. We delve into issues which can be found in either processes (ongoing activities) or projects (one shot activities). This level of risk management is likely to be impacted by the non-mitigated risks at the level of the first horizon.
Quite often we will describe the actual process flows at an intermediate to high level and then analyze them for risks. In essence, this second horizon is the link between the actual execution or the concrete next action, which is assessed for risk at the level of the first horizon on the one hand, and the strategic level on the other.
This type of analysis is familiar for most risk consultants. They tend to spend a lot of time at the process level. However, given this level is significantly impacted by the activity level (the first horizon), we need to make sure that we do not ignore issues flagged at this level by our collaborators, who often understand the processes and related activities a lot better than any external consultant may.
The third horizon – Strategic Risk Management
Ideally, all processes and projects are related to a set of strategic objectives to be reached. We execute processes and projects (horizon 2), each containing multiple activities (horizon 1), to make sure these strategic objectives are reached.
Strategic risk management then focuses on risks which can interfere with achieving these objectives. Again, this horizon can be found in most ERM and integrated risk management texts. However, it should not end there. After all, where do you go with strategic risks that cannot be mitigated? How do you capitalize on these? How do you learn from these issues and translate them into an adaptation? You need to take these risks one level higher. Each strategic intent integrates and rolls up into an overarching vision.
The fourth and final horizon – Vision related risk management
At this high altitude level we aim to gain perspective on risks threatening the realisation of our ultimate goal for the organization and even beyond the organization.
And at this point, a risk management tool becomes a key tool for vision and strategy enhancement and improvement. It helps answer the key question: "are we doing the right things the right way?" This is where the true value of risk management really comes forward.
An important caveat
There is a key assumption that is explicitly not made in this approach: I do not assume that all risks roll up to the higher or highest level or roll down from there to the lowest level. On the contrary, some risks may get treated at the higher level, but only because they cannot be adequately mitigated at the lower level.
Each horizon has its own risks, and each horizon has the prime responsibility to deal with these at that level. If they cannot be adequately managed, only then do they need to be escalated.
Who does what and when?
Below you will find a table which gives you an overview of the four horizons, the people responsible at each level, what we aim to achieve with risk management at this level and what a suggested frequency interval for dynamic risk management would be.