Risk Management: benefits in the business battlefield - mentoring by Sun Tzu
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Sun Tzu – The Art of War
During the last few years, organizations have faced new and unexpected enemies, which always seemed improbable until they happened. Did organizations consider themselves victorious without knowing themselves nor the new enemies, and eventually succumb in these battlefields? Are they still suffering the consequences?
How can we increase the awareness of our organizations? Which approach can modern and innovative organizations introduce? Which enemies must we consider in order to be prepared and ‘not fear’ the result of a hundred battles?
We can consider an organization ‘known’ when we have identified its values, what is needed to achieve/produce/generate these values, and when we have evaluated the impacts that the worst case scenario can have on them. In other words, by analysing what and how enemies cause impacts to our organization.
What about our enemies?
If we ask the brave and valuable warriors that manage our organizations ‘what are your worst working nightmares?’ and ‘what about your role keeps you awake at night?’, we can see by the answers how every day is a battle and how some enemies can be classified as severely impacting and aggressive.
Indeed, recent history has shown how some enemies can aggressively attack our organizations for the first time in a totally new manner, with unpredictable outcomes and effects (new cyber threats, pandemics, shortage of commodities, international conflicts, etc).
Therefore, it is clear that knowing the enemy is important. This process can be summarised as an assessment of potential threats and risks and their potential impacts on the organization – or the application of risk management as a holistic management process.
Risk management is defined by ISO Guide 73 as coordinated activities to direct and control an organization with regards to risk. This process should be an integral part of management and decision-making, as well as being integrated into the structure (from governance to the stakeholders), operations and processes of the organization (ISO 31000). The objectives are to avoid or reduce the likelihood that a risk will occur, reduce its impact on the business and the organization, as well as to drive the strategic decisions that build and strengthen the organization’s resilience.
The purpose, in the context of a broader framework, is not the complete elimination of all risks but to determine an acceptable level of risk by defining the strategic and tactical objectives, and then working to keep those risk factors within the agreed-upon boundaries.
According to international standards, risk management is composed of the following steps:
- Identify the risks. Different approaches can be used and different references can be found for this first step (e.g. the NIST Interagency Report (NISTIR) 8286A, clause 5.4.2 of ISO 31000, etc), but we can recap it as establishment of the context and of what can cause a potential impact. Based on the structure and nature of the organization, different methods can be used, such as: questionnaires, assumption analysis, scenario analysis, what-if analysis, incident investigation and lessons learned; critical path templates, cause & effect diagrams, process review or flow charting; expert interviews or auditing and inspections; working group or risk assessment workshops.
- Analyse the likelihood and impact of each risk. Evaluate each potential risk by looking at the combination of likelihood and the resulting impact (considering the context and the worst case scenario in the current set up). This can be structured in a matrix or index.
- Evaluate risks based on enterprise objectives. The determination of risk acceptance and the identification of the key risks build the bases for organizational management, the investments and the projects aimed to achieve the defined objectives.
- Treat (or respond to) the risk conditions. Different types of responses can be defined for each risk, based on the previous steps and the organization’s priorities. For instance:
- Avoid the risk: eliminating the causes of the risk, changing the processes, the system or the dependence. Not always applicable.
- Transfer the risk: outsourcing or transferring the risk to third parties, which are potentially more robust, structured, or prepared.
- Mitigate: adopt actions capable to reduce the likelihood or the impacts.
- Accept the risk: take full ownership of managing the risk, costs, and its associated consequences.
Of particular relevance in the effectiveness of the risk management is the monitoring, reviewing, recording and reporting of the risk, with the aim to revaluate the risks. How has the implemented actions and risk management changed the risk in terms of impact or likelihood? How have the worst-case scenarios changed over time?
What would the strategist successors of Sun Tzu have liked to add?
Today’s strategists, living in the digital era, are used to looking backward and forward, crossing disciplines, and mixing and matching sciences in order to build the resilience required to face the modern world. The current efforts are aiming for excellence through serendipity, but what can be added to the strategic plan?
Never base your assessment on the average - In fields like risk, threats, and hazards, the average tells you a totally different story in terms of impacts.
First things first - Focusing on the current context and actual risks and threats, as well as using accessible and reliable resources and solutions, can build the foundation of the resilience journey. Over time, with continuous monitoring and improvement, risk management can be improved.
The past can provide good advice, but shouldn’t be the only source - Lessons learned and procedures are made on the knowledge learned from a past episode. Reflection on what determined the success or defeat can make organizations more conscious and more robust, but studying the past does not always allow control of the future. An unexpected event is always an unexpected event. The way we dealt with a risk 10 years ago may not necessarily apply today, which is why the monitoring phase is very important.
Plan the unplannable - Strategies and plans can make the difference, but robustness will increase from testing and exercises.
Prepare a ‘don’t do that’ list - Understanding and identifying ‘what to do’ is as relevant as identifying what to avoid. Creating a ‘don’t do it’ list means not making a situation worse than it currently is or causing a chain of risks. In this case, analysis tools such as ‘WIA’ (what is analysis) can be a good support.
Consider the human factor - People are the main resources in the organization, identifiable through skills and abilities and, as such, must be included in the risk assessment. The psychological effect of the risks should be considered in the analysis.
Investment should be aimed at increasing the resilience of critical resources, particularly oriented to people, therefore ensuring the ability to evolve within the organization and to face enemies proactively by identifying their mutations.
About the author
Global Business Continuity Officer - EMEA
I am Global Business Continuity & Resilience Officer at Royal
Philips (Philips) within Group Operations – Integrated Supply Chain
My key accountabilities are the implementation, the compliance of the ISO22301 certified global business continuity management system (BCMS) in the sites assigned to me, related processes, and the compliance of the global Business Continuity Management (BCM) Program, which entails the Manufacturing Sites in the EMEA Reagion, Indonesia, the Amsterdam HQ. Furthermore I collaborate with the ISC Organization to implement our BCM Program in the IWD Locations.
I strongly believe in the continuous improvement, in the lean approach to achieve the excellence, based on these approaches year after year we improved the quality and the level of our BCM Program and System.
Our Center of Excellence Business Continuity & Resilience received the Fusion Team Pace Setter Award in 2019. Also, the team was awarded in 2021 by the Business Continuity Institute (BCI) with the Global & European Collaboration in Resilience Award.
Resilience means firstly prepare people, structuring organizations to live events and changes any time any place, ensuring safety and business continuity.