It’s a common challenge.
The uncertainties that affect a business have been defined and categorised. Some are classed as ‘operational’: risks that are largely known, limited and controllable. They relate to routine processes of what organisations do; the day-to-day stuff that is known about, can be predicted (within reason) and can be measured.
Ownership and management of these risks, if not already clear, can usually be determined through the logic of structures, roles, responsibilities and reporting lines – there’s rarely a blurred line. Similarly, risk responses are usually settled and established through the know-how of people and teams using their expertise and experience.
It starts to get tricky when these risks start ‘behaving’ in a way that deviates from these established patterns. They are no longer confined to their immediate part of the business and start to have impact and meaning on a much larger scale.
The difficulty here is that by the time that this happens, they are no longer risks that are operational in nature and require an enterprise-level response that may sit outside the remit of their original owners. At this point it is usually too late to respond with operational-level actions.
Five signs
So, what are the signs that may help us recognise, monitor and respond better?
1. Volume: There are significant changes in the volume of activity so that the magnitude of ‘transactions’ or similar units of work grow beyond normal patterns or trends associated with the daily operations in this area or function. Volume levels beyond the usual or expected scale are likely to be noticeable to at least one stakeholder group outside of the usual audiences to which a risk relates. Any significant growth, particularly over a short period of time, may also raise concerns around the capability and capacity of the organisation to continue to manage such an area of work under current systems, conditions and resources.
Response – monitoring of volumes (as well as impacts and outcomes of any noteworthy change): any significant growth or decline should be investigated to understand the cause of such a shift away from the usual patterns of activity. If they aren’t already in place, establishing performance measures, indicators and benchmarks that can act as early warning signs that an important change may be afoot.
2. Visibility: This may be linked to volume (see above). The scale of the issue becomes noticeable, either inside or outside of the organisation, or outside of its immediate area of operation (e.g. department). There may be occasions where various elements contribute to the increased visibility of the issue that is being realised and are amplified by routes such as social media. The role and effect of a specific stakeholder group is also worth bearing in mind – if they are particularly influential or impactful on an enterprise and its activities, then an issue which becomes visible to them may be worthy of concern and action.
Response – identifying linked systems and processes, which may be impacted by the increased visibility of the event will help in monitoring activity. Examples include increased ‘noise’ and activity by users (internal or external), etc. raising concerns. Measuring the impact through monitoring of complaints systems as well as traffic volumes in mainstream and social media will assist in gauging the extent (or perception of) the issue. Some social media monitoring tools also measure emotion/strength of feeling, etc. and this can also be useful area for attention.
3. Connectedness: the ‘problem’ or event occurs in one operational area but because of the connected nature of work (design) and organisational systems, it has a significant impact upon other areas of the organisation. This is also sometimes referred to as ‘contagion risk’ and can be prevalent where there are extended supply or process chains (inside and outside of the organisation). This is most damaging when it happens along a critical path, say, of a key project or with a key delivery partner.
Response – initially there should be some understanding of the degree of connectedness can be managed through building in resilience and redundancy into systems and processes. Many organisations are also including back-up and recovery conditions into key contracts where key suppliers exist. There is also the tried and trusted approach of continuity and recovery methods and scenario planning to test resilience in key areas of work and operation.
4. Established models no longer apply: natural and usual models or working no longer ‘fit’ and routine activities start ‘behaving’ way outside of the permitted or agreed boundaries and thresholds. Existing policies, models and practices are effectively broken and no longer work – the activity has changed in shape and size and ‘moved to a new place’: existing measures and monitoring are ineffective.
Response: monitoring of capacity and capability of people and processes and review of the operating models. Focusing upon management and performance information that provide data about outliers, Nil returns and the volume of these in relation to thresholds and limits, particularly how things have happened over time to ascertain trends and patterns. Where outliers are identified, measure the frequency of such instances and whether the periods between multiple outlier events are changing (i.e. getting shorter, faster, etc.)
5. Reliance on a single source: reliance on one measure or source of activity/performance monitoring can mean that organisational ‘blind spots’ develop and that oversight and monitoring diminish in quality and relevance to that activity. This is particularly relevant where these measures are embedded in the models or frameworks that no longer work (see above). Problems can also arise where the information being reported no longer bears any relevance or importance to the activity concerned or its complexity makes it difficult for the intended audience to interpret. It’s also worth noting that the ‘source’ can be a person and the credibility of their message being reported may be affected by who they are perceived to be in terms of the prominence, profile and respect that they have with those they are reporting to.
Response – development of early warning systems and sources of monitoring that represent rounded assurance and potentially ‘multiple versions of the truth.’ The business drivers of an activity should be periodically reviewed so that the performance information being created and reported in support of it can be evaluated from time to time.
Unfortunately, most risk information systems – principally intended to support decision-making in conditions of uncertainty – do not recognise these elements routinely in their design. The ‘boiler-plate’ approach of risk registers and heatmaps that focus on impact and likelihood do not equip organisations to manage changes and disruptions (or disruptors) that can pose an existential threat to an enterprise. There’s a need to change what’s measured and managed regarding risk but it requires thinking that goes beyond operational constraints.