What is Agile Enterprise Risk Management?

The State of Things

The world is changing faster and faster.  Volatility, Uncertainty, Complexity and Ambiguity (VUCA) is and will be the new normal for the foreseeable future.

COVID’s impact on working life and the Future of Work has been enormous.  Changes that were expected to take place over the next several years materialized within one.  Hybrid work models and Work from Anywhere have begun to change the way that many people work and with it, the way that employment markets work, resetting the balance of power between employers and the workforce.  This will ultimately have significant implications for what I call the Education Industrial Complex.  The traditional four-year bachelor’s degree as prelude to a career may well be transformed into a lifetime of alternating education and employment sprints of no more than two years at a time.  Many institutions of higher learning will not be able to adapt to the changes.

The lifetime of companies is decreasing.  100-year-old industrial companies are giving way to companies that last ten to 20 years before succumbing to the inability to support asset- and workforce-heavy business models or to keep pace with more nimble competitors.  The lifecycle of products is contracting, and more and more people are seeing value in renting or leasing things that they have use for but do not wish to own.  Conversely, electronic goods, such as cell phones, used to be replaced with newer models while they still had substantial useful life.  Now, people are hanging onto them.  Social Media fads come and go with such rapidity, it’s difficult for companies other than the largest players to exploit them in the longer term.

Technology, especially cloud-native architectures and pay-as-you-go service models, has enabled start-up and early-stage companies to compete with larger and established competitors in ways they never could before.  The lifespan and value of the ‘Cash Cow’ are diminished, pushing companies to experiment and take risks to ramp up their product pipelines in ways they never did before.

Digital Transformation is now an unavoidable requirement for companies, and to be successful it will have to be performed in a way that impacts how companies do nearly everything.  Just implementing some new technology will not be enough.  It will be critical to set concrete performance objectives and manage the process of transformation based on business results, not traditional project metrics, such as development velocity or completion within the planned scope, schedule and budget.

A sustainable design for your company must reflect:

  • The need for rapid evolution of business models,
  • The strategic impact of Cloud architecture and pay-as-you-go infrastructures,
  • The diminishing ability to leverage cash cows,
  • The accelerating appearance of new risks and transformation of existing ones and
  • The existential criticality of business agility.

What this all adds up to is high-volume, high-velocity change.  Risk Management (RM), as traditionally practiced, will not be adequate to keep up.

Why?  A lot of current RM is not designed to meet these challenges:

  • A great deal of it is practiced iteratively.  It’s updated periodically while change is occurring continuously.
  • Many companies employ simplified quantitative shortcuts that are not based on valid statistical methods.  This leads to mis-estimating the probability of events and the magnitude of their potential impacts and can lead to inappropriate controls or mitigation efforts.
  • Companies’ RM efforts are often reactive—more tied to mitigating outcomes than addressing sources of risk.
  • Many risks are tied to interdependencies among elements of companies’ anatomy, which are often not well understood.  When changes occur, risks morph and propagate.

Accelerating Risk Management is what AERM is all about.

What’s the Goal?

O.O.D.A. stands for Observe, Orient, Decide, Act.  It was coined by an Air Force officer during the Korean War to describe the process by which a fighter pilot detects and reacts to threats.  The only way to accelerate a response is to shorten the cycle time and each of the steps contributes to decision latency.

Elements of AERM can be applied to each of the steps:

  • Observe: Identifying event indicators you will monitor focuses your attention to enable rapid recognition.  Thinking through a model of what’s important before a change in your business ‘goes live’ helps reduce noise once it does.
  • Orient:  Highlighting characteristics that differentiate indicators and events from each other allows you to filter out noise and make sense of what you’re seeing more quickly than you otherwise could.
  • Decide:  Working within an established framework, with specified parameters, articulated assumptions and pre-determined actions, reduces decision latency.
  • Act:  Having defined how you will respond gets you moving faster than you would if you had to Orient and Decide from scratch under the pressure of exigent circumstances.

So, What’s AERM?

Risk Management, like so many other forms of management and governance, is a business process.   An existing repository of risk-related information and a set of defined processes are the starting point for this.  Today, the repository would be your risk register.  If you are implementing AERM, it will be something more.

The resources you have dedicated to RM, the scope of the processes you operate and how they are integrated with your functional business processes will determine your capacity to identify, react to and address risks as they appear or evolve in your business.  In the current environment, the rate of events to which your RM function must respond will increase, likely dramatically.  You must figure out how to increase your capacity and accelerate your ability to react.  Reconfiguring your RM function to shorten your OODA loop will expand your capacity and increase your velocity by making your response to events more efficient.

Business Process Redesign and automation are the tools available to you to do this, just as they would be for any other process in your business.  AERM is predicated on the information generated by management disciplines, such as Enterprise and Business Architecture and Business Process Management, that you should already be employing to run your company.  In formalizing the processes by which you evolve and transform your company, you will enable yourself to shorten your OODA loop and facilitate your ability to transform at speed.

How does AERM help?

  • It defines a set of models which you will use to help understand your organization and identify interdependencies that can create or amplify risks.
  • It defines processes that ensure that the repository data is maintained consistently and treats changes as transactions against it that trigger governance and RM actions.
  • It employs Knowledge Management and Taxonomy disciplines to ensure consistent recognition of events, maximize opportunities for consolidation and reuse of assets and minimize the creation of Technical Debt.

Why the Book?

To meet the challenges of the moment, you will have to undertake two transformations simultaneously: Digital Transformation and AERM adoption.  All transformations have risks associated with execution and outcomes.  In the book, I show how these can be complementary to one another and how your AERM adoption can help to mitigate the risks associated with your Digital Transformation.  In addition to laying out a logical path to reaching a desirable end-state, I also provide three case studies that show how it’s done.  Obviously, you will need to design, prioritize and plan your own path.  The book will help you to do that.

Good luck with your transformations.