Michael Rasmussen and I have different backgrounds and experiences. He has a focus, among other things, on policy management, which I don’t (it was never a priority at any of my companies).
I talk more about risk management than he does, but in his most recent post, Michael has wise words on that subject.
This is refreshing for two reasons. Michael advises organizations on which software they should acquire, and there are too few voices when it comes to effective risk management that helps an organization succeed. Michael “gets it”.
In “Got Risk Management? You Think You Do . . .”, he says (with my emphasis):
- … resilience is not enough. We also need to be agile. The ability to see what is coming at us and navigate the organization to seize opportunities as well as avoid/mitigate the hazards and harms. That is true risk management. U.S. President Teddy Roosevelt stated, “Risk is like fire, if controlled it will help you if uncontrolled it will rise up and destroy you.” Judge Mervyn King of South Africa (King 1, 2, 3, and 4 reports on corporate governance) stated, “Enterprise is the undertaking of risk for reward.” Risk management is a strategic enabler and tool of the organization to navigate the chaos of the modern world and leverage it for greater return and performance while navigating the organization to also avoid and minimize the hazards, harms, losses.
- we need to manage risk in the context of the objectives, performance, and strategy of the organization. Risk management done right is a tool to be agile, and not just resilient (level 5 on the maturity model). This allows the organization to do horizon scanning, have full situational awareness of risk, make the right decisions for greater performance of the organization, and navigate the environment to avoid and mitigate the downside of risk.
- scenario analysis is critical. To be resilient and agile requires modeling scenarios of risk and the impact on the organization. Risk is a distribution of potential impacts, and the organization needs to understand this. We need to get past ridiculous heatmaps that bring misconceptions of risk to good scenario analysis. This is where business continuity moving into risk management provides value in being able to define scenarios, and even do things such as table-top exercises of risk. And risk management adds value through doing quantifiable analysis of risk to these scenarios as with Monte Carlo analysis and other risk modeling techniques.

Read more: https://bit.ly/3GUv2BQ