
Agile Enterprise Risk Management

“A bend in the road is not the end of the road…Unless you fail to make the turn.”
― Helen Keller

In a previous article (Is Your Tuchis Hanging Out?) I proposed that “companies should apply Enterprise Architecture, Business Architecture, Business Process Management, Transformation Portfolio Management and Program and Project Management techniques to Risk Management.”  In this article, I will describe a little of what I think that should look like and why.

The Facts of Life—Major Business Drivers Today and What’s Not Being Done About Them

A number of factors conspire to make managing enterprises more complicated today than ever.  A 2017 article on CNBC.com entitled Technology killing off corporate America: Average life span of companies under 20 years cited a presentation by a team of Credit Suisse analysts led by Eugene Klerk in which they said “. . . The average age of a company listed on the [S&P 500] has fallen from almost 60 years old in the 1950s to less than 20 years currently. . .”  And that was a few years ago, prior to COVID and the evolution of technology and business models over the past two to three years, which has accelerated things even further.

With rapid change as a backdrop, here is what many companies are not doing to keep pace:

  • They are reluctant to dedicate staff or spend on anything that does not immediately contribute to profitability.  While somewhat understandable, they’re failing to establish information and knowledge assets and institute processes that enable the agility required to be sustainable.
  • They are falling prey to the human propensity to undervalue investments in preparedness that contribute to avoiding negative outcomes.
  • They are not investing in a variety of disciplines, such as Enterprise Architecture, Business Architecture and others, that accelerate decision-making only if they are established before decisions are required.

The reasons are complicated.  On one hand, a lot of these disciplines are practiced and tooled in a way that inclines them toward overkill: they require inordinate investment, are predicated on ingesting enormous volumes of detailed information, and 98% of the output never creates real value.  On the other hand, the value they supposedly offer has not been made tangible to senior executives, who may not understand them.

Many, if not most, large enterprises have a Risk Management function that, like budgeting and strategic planning, performs most of its work on a cyclical basis.  Unfortunately, risk is often not incorporated into day-to-day operations and may get shortchanged in the heat of the moment when dealing with an unforeseen threat or business opportunity.

Because the environment can change so quickly, Risk Management must be configured to respond dynamically to events as they occur.  Risk cannot be managed as an annual review of a snapshot of the enterprise’s circumstances followed by a discrete handful of initiatives.  Instead, it should be powered by a combination of people, assets and processes integrated with those employed to manage the company’s business on a short-term and long-term basis.  In much the same way that technical solution development has evolved to be Agile, so too should ERM.

Requirements for a Dynamic Enterprise Risk Management Process

A Dynamic Enterprise Risk Management Solution should consist of (a) a Risk Information Repository, (b) integration with other relevant repositories, such as the EA metamodel, (c) user functions that include search, analytical and dashboard interfaces and (d) integration with enterprise planning and decision processes.  Before defining a solution, we should articulate the characteristics the solution will require.  These include:

  • It must accommodate a comprehensive metamodel of even the largest enterprise while also being capable of providing tangible value to a subset of the enterprise, such as at a business unit.
  • It must be malleable, easily transformed to adapt at speed to changes in the structure or operations of the enterprise.
  • It must be lightweight, not adding a significant burden to decision-making and design activities.
  • It must be integrated into business operations and decision processes executed by line staff, not bolted on and overseen by an administrative group that adds overhead.
  • It must contribute to business agility by eliminating decision latency at times of exigent need.

Outlines of an Agile Enterprise Risk Management Solution

Here are the elements I believe are required to begin to implement Agile Enterprise Risk Management:

  • RM processes that integrate with strategic and operational decision-making processes.
  • A centralized Dynamic Risk Management solution to house and provide access to information required to manage, enable and assess performance of the ERM function.
  • A model of the enterprise that shows the interrelationships of relevant entities, such as Products, Capabilities, Processes and their enabling infrastructure.  A lightweight EA metamodel, with a limited number of entities based on an enterprise-wide ontology, is the backbone of such a model.
  • Extensions to the metamodel to enable rapid modeling of risks and their interactions, analysis and presentation, such as via heat mapping, so strategies to address them can be defined and communicated.
  • Business Analysis, Project Portfolio Management, Program and Project Management practices that integrate with and are tied to the metamodel, enabling the enterprise to update the Dynamic Risk Management solution to keep pace with the enterprise’s transformation and evolution.
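To make the metamodel and its risk extension concrete, here is an added illustration in Python.  It is not code from this article or from any ERM or EA product; the four entity kinds, the single "depends_on" relationship, the 1-5 likelihood and impact scales, and the sample bank entities and risk ratings are all assumptions made for the example.  It shows the three things the elements above ask for: a risk attached to one piece of infrastructure propagating up to the Products that transitively depend on it, a "blast radius" query an operations team can run the moment an event lands (which Products are exposed by this component?), and heat-map bucketing of entities by their worst inherited risk.  The dependency graph is kept acyclic so that propagation always terminates.

```python
# Added example (not the article's own): a lightweight EA metamodel with a risk extension.
# Entity kinds, the depends_on edge, the 1-5 scales and the sample data are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ENTITY_KINDS = {"Product", "Capability", "Process", "Infrastructure"}  # assumed ontology


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


class Metamodel:
    """Typed entities joined by 'depends_on' edges; risks attach to any entity."""

    def __init__(self) -> None:
        self.kinds: Dict[str, str] = {}
        self.depends_on: Dict[str, Set[str]] = defaultdict(set)
        self.risks: Dict[str, List[Risk]] = defaultdict(list)

    def add_entity(self, name: str, kind: str) -> None:
        if kind not in ENTITY_KINDS:
            raise ValueError(f"unknown entity kind {kind!r}")
        self.kinds[name] = kind

    def add_dependency(self, dependent: str, dependency: str) -> None:
        """Record 'dependent depends_on dependency'; reject an edge that would close a cycle."""
        for n in (dependent, dependency):
            if n not in self.kinds:
                raise KeyError(f"unknown entity {n!r}")
        if dependent == dependency or dependent in self._closure(dependency, self.depends_on):
            raise ValueError(f"{dependent} -> {dependency} would create a cycle")
        self.depends_on[dependent].add(dependency)

    def attach_risk(self, entity: str, risk: Risk) -> None:
        if entity not in self.kinds:
            raise KeyError(f"unknown entity {entity!r}")
        self.risks[entity].append(risk)

    @staticmethod
    def _closure(start: str, edges: Dict[str, Set[str]]) -> Set[str]:
        """Every node reachable from start over the given adjacency map (graph is acyclic)."""
        seen: Set[str] = set()
        stack = list(edges.get(start, ()))
        while stack:
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                stack.extend(edges.get(node, ()))
        return seen

    def dependencies(self, entity: str) -> Set[str]:
        return self._closure(entity, self.depends_on)

    def dependents(self, entity: str) -> Set[str]:
        """Blast radius: everything that transitively depends on entity."""
        reverse: Dict[str, Set[str]] = defaultdict(set)
        for a, deps in self.depends_on.items():
            for b in deps:
                reverse[b].add(a)
        return self._closure(entity, reverse)

    def exposure(self, entity: str) -> List[Tuple[str, Risk]]:
        """Risks the entity carries itself plus those inherited from its dependencies."""
        pairs = [(entity, r) for r in self.risks.get(entity, [])]
        for dep in sorted(self.dependencies(entity)):
            pairs.extend((dep, r) for r in self.risks.get(dep, []))
        return pairs

    def exposure_score(self, entity: str) -> int:
        return max((r.score for _, r in self.exposure(entity)), default=0)

    def heat_map(self, kind: Optional[str] = None) -> Dict[Tuple[int, int], List[str]]:
        """Bucket entities (optionally one kind) by (likelihood, impact) of their worst risk."""
        cells: Dict[Tuple[int, int], List[str]] = defaultdict(list)
        for name in sorted(self.kinds):
            if kind is not None and self.kinds[name] != kind:
                continue
            worst = max((r for _, r in self.exposure(name)), key=lambda r: r.score, default=None)
            if worst is not None:
                cells[(worst.likelihood, worst.impact)].append(name)
        return dict(cells)


def build_sample_model() -> Metamodel:
    """Constructed sample enterprise; every name and rating here is made up for the example."""
    m = Metamodel()
    for name, kind in [("Online Banking", "Product"), ("Mobile Payments", "Product"),
                       ("Payment Processing", "Capability"), ("Customer Authentication", "Capability"),
                       ("Authorize Transaction", "Process"),
                       ("Core Payments DB", "Infrastructure"), ("Identity Provider", "Infrastructure")]:
        m.add_entity(name, kind)
    for dependent, dependency in [("Online Banking", "Customer Authentication"),
                                  ("Online Banking", "Payment Processing"),
                                  ("Mobile Payments", "Payment Processing"),
                                  ("Payment Processing", "Authorize Transaction"),
                                  ("Authorize Transaction", "Core Payments DB"),
                                  ("Customer Authentication", "Identity Provider")]:
        m.add_dependency(dependent, dependency)
    m.attach_risk("Core Payments DB", Risk("unpatched database engine", likelihood=3, impact=5))
    m.attach_risk("Identity Provider", Risk("SSO vendor outage", likelihood=2, impact=4))
    m.attach_risk("Mobile Payments", Risk("app store policy change", likelihood=2, impact=2))
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for product in ("Online Banking", "Mobile Payments"):
        print(product, model.exposure_score(product), [r.name for _, r in model.exposure(product)])
    print("blast radius of Core Payments DB:", sorted(model.dependents("Core Payments DB")))
    print(model.heat_map(kind="Product"))
```

The point of the example is the direction of the queries.  Neither Product has a risk recorded against it directly, yet both score 15 because the unpatched database sits beneath them in the dependency chain; a risk register that stores risks as a flat list would not show that.  The reverse query, `dependents("Core Payments DB")`, is the one to run when a vulnerability or outage notice arrives: it names the Processes, Capabilities and Products an incident team must brief without anyone having to rediscover the relationships.  Keeping the graph acyclic is deliberate; a cycle would let a risk appear to inherit from itself and make propagation loop.
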

Clearly, this represents a change in how ERM is traditionally conducted.  It’s an Agile, DevOps, Lean world now.  ERM has to change to keep pace.

In future articles, I will add detail to the vision of how this may be accomplished.