Succeeding at Enterprise Risk Management depends upon your organization’s ability to identify existing risks and foresee what new or transformed ones you might be exposed to as your business evolves. While companies may be capable of identifying obvious risks, they often fall short of accounting for dependencies that create or magnify others. In addition, companies that employ a periodic process for adjusting their Risk Management to accommodate changing circumstances leave potential gaps in which things may have changed but await reassessment before they are managed.
It’s simple—if you don’t identify risks, you can’t manage them. A plethora of factors are driving change, and you will have to evolve your company at an accelerating rate to sustain your competitiveness. You will need to transform continuously if you intend to compete in the digital economy, but that means you will be facing new and fluid risks at a faster and faster pace. If your Risk Management program is not updated continuously, you’ll invariably delay your response to risks. Agile Enterprise Risk Management shortens the recognition cycle on new or changing risks, enhances your insight into them and accelerates your ability to respond to them.
Managing Distributed Management—Artifacts You Need
If your company has distributed its management and delegated decision-making responsibilities, you’re not alone. This is essential to agility, and a key to achieving it is fine-tuning your governance processes and controlling where your people can make independent decisions and where you will retain oversight. Maintaining guardrails, enforcing standards and enabling sharing and reuse will pace how agile you can become and how efficiently you can operate your business. Several enterprise-level artifacts form the basis for accomplishing this: your Enterprise and Business Architecture (EA and BA) models, Risk Repository, and Business Process Management (BPM) models.
Managing Evolution—the Disciplines You Need
Transformation involves transitioning your company from a known current state to a desired target state. It requires comprehensive knowledge, planning and disciplined execution. Change involves reflexive or reactive responses to threats or opportunities with incomplete knowledge or without discipline. Change creates Technical Debt; transformation helps avoid it. The disciplines that enable you to transform are Program and Project Management (PgM/PM), Scenario Analysis and Roadmapping, and Project Portfolio Management (PPM). These disciplines are at least partially based on and enabled by the artifacts described above.
The Artifact Toolbox
Enterprise Architecture provides a schema of the constituent components of your company. An EA model sufficient in detail to support AERM is composed of the following entities:
- Market Segments
- Products and Services
- Value Chains
- Capabilities
- Enablers
- People
- Processes
- Physical and non-physical Assets (such as intellectual property)
- Technology/Systems
- Components
- Information Assets (also called business objects by some)
The model is hierarchical from the top down; however, there may be a great deal of intertwining where shared enablers are employed across products or capabilities. EA has acquired a dubious reputation based on historical attempts to ‘boil the ocean’ that ended up costing a fortune and not providing commensurate value. This model is far simpler, and its value-to-volume ratio is far higher than that of many models produced from traditional EA frameworks, such as TOGAF® and the Zachman Framework™.
Value Chains are not tangible entities; they are components of the BA model, which overlays the EA model. They are containers for elements of the enterprise that combine to create value for customers and the enterprise. For example, an order-to-cash value chain would encompass all of the capabilities required to produce and deliver the items ordered and eventually collect payment for the sale. The value chain might contain: receive and manage order, approve customer credit, acquire materials or parts, assemble them, inspect the product, package the product, ship the order, send invoice, collect payment.
Processes encapsulate how work is performed and, more importantly for AERM purposes, often formalize how logic and business rules are applied. Decisions may be made implicitly, based on how the processes are designed, or they may be systematized and applied automatically. Since risks frequently attach to and influence decisions, risk management must address each decision process. Discovering and documenting these decision processes comprehensively can easily be one of the more labor-intensive tasks undertaken in assembling the EA model.
Why are these artifacts so important? If your company is about to transform, say by consolidating elements of two parallel value chains and rationalizing the enablers supporting all of their shared capabilities, then you need to know where dependencies and conflicts create or magnify risks that you will need to address. Often, this sort of change occurs under duress, when an unforeseen external threat has become tangible. It is at times like these that not having the artifacts in place will cost time and money and expose your company to unaddressed risks.
In the next article, I will discuss the discipline toolbox and how to transform instead of change.