Adapting the Risk Management Process Model
Fortunately, the risk management processes typically used in most organizations can easily accommodate the modifications needed to develop an integrated people, risk, and security management process. The generic process of risk management has the following basic components as illustrated in Fig. 2.1.
A traditional risk management model logically begins with risk identification. Put simply, it begins with an effort to understand what are the events or actions that could negatively impact the enterprise. Once there is an understanding of the potential risks, the next step is to attempt to measure the extent of the organization’s potential exposure. In other words, how vulnerable are we? After determining the extent of exposure, the basic risk management process model next looks at what is the likely impact if an exposure risk materializes into a harmful event.
The process of determining the potential impact of a risk should be examined from several basic standpoints, the grasping of which can be aided by the following simple questions:
- If event ‘X’ were to happen, how long could the organization function normally?
- What is the worst time of the year for event X to take place? Why?
- If event X happens, what might be its run-on effects? In other words, what other systems or processes may be affected?
- What is the probable range of financial impact if event X happens?
- In general, what is the character of the impact of event X? Significant? Moderate? Minor?
The impact analysis step is intended to determine whether or not the occurrence of event X is a ‘big deal’. The identification of risks and the analysis of their impact naturally lead to an examination of what should be done to mitigate the risk. As Fig. 2.2 illustrates, an effective risk management process should be ongoing or cyclical. Consequently, the risk management process should periodically review the mitigation approach to determine if it is still valid and working. If not, the strategy or strategies should be revised.
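The cycle described above (identify, measure exposure, assess impact, mitigate, review) can be made concrete as a small risk register. The following is an added example, not code from the chapter or its author; the scoring scales, field names, review interval and sample risks are all assumptions constructed for illustration.

```python
"""Minimal risk register modelling the generic risk management cycle:
identify -> measure exposure -> assess impact -> mitigate -> review.
Added example; scales, field names and sample risks are constructed
assumptions, not taken from the chapter."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Risk:
    # Identification: what event could negatively impact the enterprise?
    name: str
    # Exposure: how vulnerable are we? (assumed scale: 1 = rare, 5 = almost certain)
    likelihood: int
    # Impact analysis, following the chapter's questions (assumed scales)
    severity: int                     # 1 = minor, 3 = moderate, 5 = significant
    max_tolerable_outage_days: float  # how long could we function normally?
    worst_months: List[int]           # worst time of year (1-12)
    dependent_systems: List[str]      # run-on effects on other systems
    financial_range: Tuple[int, int]  # (low, high) estimated cost
    # Mitigation chosen for the risk and when it was last reviewed
    mitigation: Optional[str] = None
    last_reviewed: Optional[date] = None

    def rating(self) -> int:
        """Inherent rating = likelihood x severity on a 1..25 scale."""
        return self.likelihood * self.severity

    def character(self) -> str:
        """Answer 'is event X a big deal?' from the rating (assumed thresholds)."""
        r = self.rating()
        if r >= 15:
            return "significant"
        if r >= 8:
            return "moderate"
        return "minor"

    def is_seasonally_elevated(self, today: date) -> bool:
        """True when today falls in one of the risk's worst months."""
        return today.month in self.worst_months


def prioritised(risks: List[Risk]) -> List[str]:
    """Order risks for the mitigation step: highest rating first, ties broken
    by the shortest tolerable outage."""
    ordered = sorted(risks, key=lambda r: (-r.rating(), r.max_tolerable_outage_days))
    return [r.name for r in ordered]


def review_due(risks: List[Risk], today: date, review_interval_days: int = 90) -> List[str]:
    """Cyclical step: names of risks whose mitigation must be revisited because
    none exists, the review interval has lapsed, or the worst season has arrived."""
    due = []
    for r in risks:
        if r.mitigation is None or r.last_reviewed is None:
            due.append(r.name)
        elif today - r.last_reviewed > timedelta(days=review_interval_days):
            due.append(r.name)
        elif r.is_seasonally_elevated(today):
            due.append(r.name)
    return due


# Constructed sample register and review date (illustrative values only).
SAMPLE_TODAY = date(2016, 6, 1)
REGISTER = [
    Risk("ransomware on order system", likelihood=4, severity=5,
         max_tolerable_outage_days=1, worst_months=[11, 12],
         dependent_systems=["billing", "warehouse"], financial_range=(200_000, 2_000_000),
         mitigation="offline backups, endpoint monitoring", last_reviewed=date(2016, 1, 15)),
    Risk("key supplier insolvency", likelihood=2, severity=4,
         max_tolerable_outage_days=30, worst_months=[3],
         dependent_systems=["manufacturing"], financial_range=(50_000, 500_000),
         mitigation="second-source contract", last_reviewed=date(2016, 5, 1)),
    Risk("office flooding", likelihood=1, severity=2,
         max_tolerable_outage_days=14, worst_months=[4, 5],
         dependent_systems=[], financial_range=(5_000, 40_000)),
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.name}: rating {risk.rating()} ({risk.character()})")
    print("mitigation order:", prioritised(REGISTER))
    print("review due:", review_due(REGISTER, SAMPLE_TODAY))
```

The review step is what makes the model cyclical: a mitigation is not accepted once and forgotten, but is re-examined on a schedule, whenever a risk has no mitigation at all, and whenever the calendar enters the period the impact questions identified as the worst time for that event.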
The generic risk management process is most effective when those responsible for its operation are willing to dramatically expand their scope of imagination when asking the basic risk identification questions just discussed—‘What are the risks? What can happen? What is our exposure?’ In a way, developing an integrated people, risk, and security, process requires developing an organization’s capability to ‘think the unthinkable’ and then apply that thinking to the risk management process model.
Though 15 years have passed since the 2001 terrorist attacks on the World Trade Center towers in New York City, the emotional wounds in the American intelligence and law enforcement communities are still felt because of their acknowledged ‘failure of imagination’ concerning the possibility of the attacks. The sensitivity revolves around the criticism that was eventually leveled at the leaders of the various government agencies and at President George W. Bush. In hindsight, many point out that there were warning signs and that the attacks were predictable. Understandably, during the period of shock immediately following the attacks most officials went on record as saying, ‘No one could have seen that something like this was coming.’ However, the dispassionate and objective analyses of the events conducted sometime after the attacks indicated otherwise. Bush and his senior advisers were criticized for not paying close enough attention to a daily intelligence briefing he received almost a month before the attacks. It stated in no uncertain terms that Osama Bin Laden was intent on attacking the USA and would likely use hijacked airplanes in the process. The previous history of intentional crashes of aircraft by persons with various personal causes was an existing warning. And, the revelation that a number of foreign nationals undergoing flight training in the USA were interested in understanding how to fly a plane but not how to land it was the biggest warning of all.
Fig. 2.2 Generic risk management process
Unfortunately, the clarity of these signs was only seen after the fact. The various ‘dots’ of information were not connected. Today, the inability to connect those dots back in 2001 is generally attributed to a failure of imagination by the authorities. The inability to connect the dots and the lack of sharing of information between the various independent government agencies led to the creation of the ‘umbrella’ Department of Homeland Security in order to avoid such failures in the future. Elimination of a stovepipe approach to the country’s national risk and security issues was the goal. In my opinion, a similar model should be the goal of the more sophisticated organizations interested in addressing people, risk, and security issues on an integrated basis.
An objective and analytical approach to identifying and determining the best way to address various risks is the foundation of effective management. Over time, businesses have become more and more sophisticated at understanding and managing the financial risks that an organization may face. For many, this process is the important responsibility of senior management and the board of directors. However, as we have discussed, this represents only one form of risk that any organization or business may face.
Many of the approaches by businesses and other organizations to understand and manage risk have failed to explicitly address it in a fully integrated sense. There is a nexus between people, risk, and security that is ever present. The nexus has become more pronounced and needs to be a core part of management thinking. Business leaders and others in the organizations will need to adopt a new people, risk, and security mindset. From my perspective, the important thing for any business leader to remember and understand is that the challenges associated with people, risk, and security are organic. As a result, they are constantly changing and adapting—and so should management.
For many years, insurance has been used by organizations to guard against financial and economic risks. As many of us know, the modern insurance industry has its roots in the marine and shipping business of the early 1600s. Lloyd's of London, synonymous with insurance, began in a coffee house by providing information about shipping from England across the Atlantic to the Americas and other parts of the globe. Eventually, insurance was offered to protect ships that might be lost.
Though the earliest forms of insurance were financial instruments, the persons offering the protection against the risk of loss took into account other factors that could come into play. As part of the underwriting process, the persons offering the insurance had to examine and understand not only the financial aspects of the ship and its cargo, but also the environmental, societal, geopolitical, and technological risks that might be involved in the voyage. Very early on, the more astute and successful businesspersons were those who saw and understood the interconnectedness of the risks of that day. The same holds true for skilled managers and executives now, who are captains at the helms of the modern-day ships of business and industry.