'Apathetic' risk management is putting your business at risk

 

Last week the World Economic Forum released its’ Global Risk Report for 2019. The report cautions that those who remain blind, apathetic or opposed to addressing the disruptive forces engulfing our working world right now, are “sleepwalking into crises”. More specifically, the WEF argues that despite the increased intensity of the global risk landscape in recent years, comparatively few organisations have invested in the necessary risk management planning and capabilities required to respond effectively to emerging global threats. As a result, our modern working world now exists in a state of self-induced vulnerability whereby many participating organisations are ripe for disruption.

The collective will to tackle intensifying global risks appears to be lacking - WEF 2019

Regardless of the shock value of this year’s Risk Report, its’ messages are not particularly unique. Rather, this is just the latest in a series of WEF reports urging modern organisations to prepare themselves for the risk-based symptoms of the “Fourth Industrial Revolution”. TheFourth Industrial Revolution being the term coined by the WEF to describe the ongoing, mass-scale political, technological and social revolutions we are currently experiencing and which are expected to radically transform our working world over the next few decades.

Our world currently stands on the brink of a mass political, technological & social shift which will transform our existence in ways we can not yet possibly know - Klaus Schwab WEF

Enter the Age of Perpetual Disruption

As the name suggests, the Fourth Industrial Revolution is not the first of its kind. Over the past 250 years our working world has experienced three other such radical transformations; the Steam Revolution (late 1700’s), the Electricity Revolution (early 1900’s) and the Computer Revolution (late 1900’s). In all three cases, the world experienced a mass metamorphosis of new opportunities, innovations and management practices to a degree whereby the previous generation’s methods became unrecognisable to the new.

Most of us are fortunate enough to remember how the personal computer revolutionised the 1990’s (data, software, internet, e-commerce etc.), but consider just how disruptive electric power must have been in 1910. The sheer unlimited number of frontiers that accessible electricity could help improve ensured that industrial disruption came in many forms, on many fronts, on an almost daily basis for the better part of a generation. Such was the transformational power of readily available electricity.

In a similar vein, the Fourth Technology Revolution is expected to radically transform our existence yet again. Consider how in the past decade alone we have seen exponential advancements in such global game changers as handheld smart devices, digital applications, big data, predictive analytics, cyber intelligence, social networking and real-time information sharing. Now consider how all of these changes are collectively re-shaping our global consciousness, our preferred politics, our social behaviours, the cities we will live in, our places of work, our management practices and even our children’s future careers?

Just like the previous three, the Fourth Revolution, implies an “age of perpetual disruption” whereby that which we accept as business as usual or better practice today, will almost certainly have to change to meet the needs of tomorrow. Whether this mandated change occurs smoothly or chaotically, really comes down to the pro-activity and maturity of the organisation and/or industry in question.

There is a very real need for modern organisations to constructively critique, transform and mature their existing risk management capabilities to meet the challenges of a transitioning working world

What the Fourth Industrial Revolution means for Risk Management

The new reality is that our working world is in the early stages of an evolutionary growth spurt that will yield not only tremendous opportunities but also noticeable turbulence. As we continue to experience mass-scale, global changes in the form of shifting political relationships, rapidly evolving technologies and dynamic social behaviours, our working world will almost certainly become more frequently exposed to high impact risks (aka disruption). It is in turn a given that the more industry changes that occur in any set time period, the more industry-wide volatility that will be experienced. Modern organisations are therefore now faced with a particularly ominous risk management challenge; how to effectively control high impact risks, borne from a highly inter-connected world, experiencing ever increasing frequencies of change.

Building on this observed challenge, the 2019 WEF Risk Report advocates that there is a very real need for modern organisations to constructively critique, transform and mature their existing risk management capabilities to meet the challenges of a transitioning working world. Considering that the primary purpose of an organisation’s risk management capability is to prevent the organisation from being disrupted (at any level); the obvious question which organisations must now answer is whether their invested risk management capability is helping them to become “ready for the revolution” or merely ensuring that they become “ripe for disruption”.

In order to answer such a question with empirical confidence, organisations might look towards the documented case literature. Case studies of once iconic global brands as Compaq, Kodak, Yahoo, Blackberry, MySpace, Toys-R-Us and Blockbuster Video provide excellent insight into what causes risk based disruption within established organisations. More specifically, four Disruption Indicators appear to be most frequently referenced as being the leading contributors to disruption. These indicators can in turn serve as practical metrics for assessing the “disrupt-ability” of an organisation’s risk management capability.

The four Disruption Indicators are as follows;

Disruption Indicator #1 - The organisation retains its’ historical beliefs, despite the obvious impairments and/or availability of new information

It is claimed that “…but this is the way we have always done it” isthe most dangerous phrase in the English language as the phrase eliminates all possibility of advancement. To this point, history is littered with organisations who clung fiercely to their original service offerings, core products and management practices only to be left behind by the new generation of learnings.

This concept of being left behind I see as being particularly problematic in the risk profession right now. Consider how despite the advanced uncertainty inherent within our modern working world, most of the industry accepted risk management guides still promote methods which are only suited for controlling risks which are both foreseeable andquantifiable. This is most evident within the commonly accepted risk tools such as risk registers, bow-ties, audit plans and quantitative modelling - all of which require risks to be both identified and evaluated as part of their treatment. Clearly one can not identify nor evaluate a risk if it is neither foreseeable nor quantifiable, hence the observation that existing risk control methods are not suited for environments of high uncertainty.

This observation presents a real challenge for modern organisations because as our working world advances into an era of more frequent changes; the ability to articulate exactly when, where, how and at what magnitude risks will materialise is going to become increasingly compromised. It is almost certain that in the new dynamic era, major organisations are going to become increasingly exposed to such complex-uncertain risk phenomena as Black Swans, Rogue Waves, Wicked Risks, Unknown-Unknowns, Butterfly Effects and even Chaos . Hence risk management methods which only focus on controlling those risks which are foreseeable and quantifiable, have obvious limitations in this new, dynamic age.

In turn, organisations which remain indifferent to these observed limitations, even despite the presence of new industry information, are merely choosing to compromise the integrity of their risk management capability. Just like the previous three revolutions, the Fourth Revolution will ensure that for a while Emergence, Disruption and Evolution becomes part of the new normal. Thus any organisation which continues to control risks the ”way we have always done it”, is simply allowing themselves to become ripe for disruption.

Disruption Indicator #2 - The organisation incentivises & rewards conformity, rather than innovation

Everywhere we look these days, organisations are crying out for Innovative Solutions to solving complex challenges, but just try bringing any form of innovative thinking to the risk management discipline and see how many organisational resistance barriers jump out at you. Equally, there is no shortage of business books advocating for original and disruptive thinking as the means to personal advancement, but again just try being a disruptive-original thinker in the risk management universe and see what happens. There is a reason why there is no Steve Jobs, Elon Musk, Bill Gates or Mark Zuckerberg equivalent currently leading the global risk management discipline - industry standards simply won’t allow for it!

Unfortunately risk management has always been a compliance-driven discipline and as a result, innovation is far too often suffocated at its’ expense. Consider how there is no shortage of practising risk managers who at some time in their careers have proposed a truly inspirational or innovative risk solution to their Executive, only to have had it knocked back for not conforming to set standards.

For me personally, I first experienced this negative phenomenon back in the day when I was working for a Global Firm whose internal motto was “Think Different, Talk Straight”. Looking back I can now tell you quite confidently that this firm’s risk leadership really did not want their risk resources to think differently and they certainly did not want them to talk straight. What they actually wanted was their risk teams to keep their head’s down and just conform. Over the years I have unfortunately worked with many risk management teams who are subjected to this keep calm and comply principle of risk management.

So much so, that I see this negative philosophy as being one of the most severe restrictions to the advancement of the modern risk management discipline. If organisations only ever retain risk managers who are masters of the conformance, then how do these organisations expect to grow, take greater risks and advance in a working world which is getting more challenging each year? Equally, if practising risk officer’s are more likely to be hired and promoted based on their mastery of conventional risk methods, then all that organisations are doing is discouraging their appointed risk resources from seeking out and mastering the next generation of risk learnings. By promoting conformance organisations are also promoting complacency and as history has taught us repeatedly; complacency is the biggest enabler of catastrophic risks.

Complexity theory 101 tells us that complex problems can not be solved with standardised solutions. So, those organisations which do not actively encourage, incentive and reward the development of innovative risk solutions for addressing complex risk challenges, are in turn setting themselves up to become victims of disruption. Argue it any way you wish, but the Fourth Industrial Revolution is going to require advanced risk solutions, and such improvement can only come from innovative risk thinking, not compliant risk thinking.

You can not solve complex, next generation challenges through compliance!

Disruption Indicator #3 - The organisation continues to draw on historical successes as the evidence for future successes

For anybody who has ever lived in England you will know how every time an international soccer tournament kicks off, the streets are flooded with supporters wearing t-shirts that say “England - 1966 World Champions”. In fact, it’s a bit of a running gag in Europe that England’s sole World Cup win is seen by its’ supporters as the only evidence they need to convince themselves that England have the talent to win the next major football tournament.

In the real world however, success in the previous generation does not automatically translate into success in the modern game. Consider the cases of Motorola who invented the first commercially viable Mobile Phone (1973) and Sony who invented the first commercially viable mobile music player (1979). How much confidence do we have that either will come back to lead the mobile phone or mobile music markets anytime soon? The belief that historical successes are evidence of future successes is flawed and contrary to the very nature of evolution. At some point in history the Tyrannosaurus Rex looked out onto their domain and thought “Life is good!”, but today they are just another extinct Dinosaur.

As our world continues to evolve, new frontiers will bring new challenges and in turn require new management approaches - risk management is no exception to this rule. Now more than ever, organisations need to actively critique their historically accepted risk management practices (and retained expertise) in light of meeting more modern contextual requirements. The Fourth Industrial Revolution implies a period of prolonged, momentous industry changes thus much of what is accepted as leading practice today, may very well be impaired tomorrow. For this reason, modern organisations can no longer afford to assume that their industry’s historically successful risk methods (nor the certified risk personnel) are all they need to succeed in the future. Accepting any form of risk solution without questioning its’ contextual suitability and/or future vulnerability could be fatal.

In light of this, those organisations who fail to continuously test, transform and mature their perceptions of risk management better practice (no matter how historically successful), are potentially allowing themselves to become ripe for disruption in this new dynamic age. Equally, those appointed Risk Managers and Chief Risk Officer’s who continue to preach the merits of the old testament risk literature whilst shamelessly ignoring the new generation risk literature, run the risk of becoming the next T-Rex - once mighty, but now just history!

As our world continues to evolve, new frontiers will bring new challenges and in turn require new management approaches - risk management is no exception to this rule

Disruption Indicator #4 - The organisation remains blissfully ignorant of the potential impacts of emerging industry forces

In the original 1993 Jurassic Park movie there is a scene where the resident chaos theorist(played by Jeff Goldblum) warns the others that tampering with Dinosaur DNA is a mistake as natural evolutionary systems cannot be contained by lab science. Natural systems have throughout history always found a way to break through the boundaries and limitations which have at some time or another constrained them. This is how they have all survived billions of years - as Goldblum put it; “Nature always finds a way”

What Goldblum was actually describing is the complex systems’ phenomena of “Emergence”. Whereby a complex system which has an advanced number of continually transitioning parts will eventually break through its’ environmental boundaries to create new behaviours and phenomena that are not an intended outcome of their design.

In the case of Jurassic Park, Emergence came in the form of the all-female dinosaurs finding a way to reproduce despite the absence of any males. Turns out that hidden deep in their manufactured DNA was the DNA of frogs with A-Sexual reproductive organs, so in the end the lack of male dinosaurs wasn’t an issue, nature simply found another way. The point of this story line was to illustrate how a highly complex natural system (such as Dinosaur DNA), has an advanced number of contributing components which can interact to form an unlimited number of behavioural relationships. Thereby making it impossible to account for all the outcomes that could emerge from within the system.

For organisational risk management, the phenomena of Emergence means that regardless of the rigour of an organisation’s internal control framework, continually shifting industry forces will ensure that risks are able to transform and evolve to expose the vulnerabilities of said framework. Consider how in the modern world everything is connected to everything else and all of these relationships are continually transitioning. Therefore every time there is a subtle change in one established relationship, it has the potential to ripple and compound through all the other connected relationships enabling new emergent behavioural variations, phenomena and outcomes.

What this means, is that modern organisations will have to get better at observing and responding to emerging industry changes (external focus), as well as assessing how these changes might take advantage of organisational vulnerabilities (internal focus). There is a certain industry-wide intelligence, responsiveness and agility now required from risk management which has perhaps been historically lacking. In brief, those organisations which fail to embed risk management solutions which allow them to respond positively to emerging industry forces, will almost certainly become ripe for disruption.

The phenomena of Emergence means that regardless of the rigour of an organisation’s internal control framework, risk will simply find another way to materialise

So What?

For the past few years the World Economic Forum’s Global Risk Reports have been encouraging organisations to start embedding risk management practices that will allow them to become intelligently responsive to the emerging industry upswells, stresses and shocks which could cause organisation-wide disruption. Proponents of the WEF have repeatedly warned that the rise of the Fourth Industrial Revolution will forever alter the way we live, work and behave and therefore organisations need to start preparing themselves for an era of continuous, rapid and momentous industry-wide changes.

The obvious question which organisations must now answer is whether their invested risk management is helping them to become “ready for the revolution” or merely ensuring they become “ripe for disruption”

In a modern working world of increased complexity, dynamism and uncertainty; organisational risk management can no longer just be about adopting methods for controlling quantifiable risk scenarios. It also has to be about embedding strategies, tools and practices which allow the organisation to respond intelligently to rapidly changing industry circumstances. For many organisations this will require a conscious and dedicated effort to (i) improving their environmental scanning mechanisms, (ii) improving their ability to address internal vulnerabilities and (iii) improving their ability to respond positively to “whatever this way may come”. Regardless of effort, organisations can no longer continue to manage risks the way they always have, nor can they afford to promote compliance at the expense of innovation, nor can they remain blissfully ignorant of emerging industry forces.