Recent correspondence with a client drew me into a debate on ‘Interconnectedness’, or specifically: “It would be good to get your thoughts on the second bullet point – Interconnectedness?”
This entire session in the Australian Risk Management Leaders Forum [LINK] was designed to debate four specific topics around adaptive approaches to risk management:
Incorporating flexibility in risk management frameworks to adapt to evolving risks
Taking interconnectedness into account
Analysing risk trends and how to predict the likelihood of occurrence
Diversifying risk management strategies to prepare for eventuality
Incorporating flexibility in risk management frameworks, adapting to evolving risks and taking interconnectedness into account. There is a lot going on here, and each bullet point alone could consume pages of contemplative writing, but to stay in line with the topic of ‘interconnectedness’ let’s drive out some important deliberations on this subject matter.
The ability of risk managers to appreciate Interconnectedness in their risk assessment work is perhaps one of the top ten key reasons why a risk management response strategy will be successful or not, and we are seeing ever-increasing evidence today that specific risks may be interrelated in more ways than perhaps we imagined some decades ago. The global economy is certainly ‘interlinked’ through the Supply Chain on one level and, on another, fuelled by an autonomous integrated media network that rapidly disseminates opinion across stakeholder communities, which may result in diverse outcomes.
These interconnections can be interpreted as information layers, and risk managers need to have an epistemic understanding of how specific relationships fuel outcomes if they have any hope of improving risk management oversight.
Crisis Planning Trends
If the United Airlines incident teaches us anything about risk management, it is that Crisis Planning and Developing a Proactive Media Response must be operated in an interconnected fashion. I am sure most of you reading this blog will be aware of the event I am referring to without clicking the LINK supplied because you are plugged in; you are part of an interconnected, self-directed, propagated network of rapidly changing opinion. This digital opinion has the potential to carry reputational currency with a surplus or a deficit, just as United Airlines discovered. Social media is a game changer because information (not data) quickly disseminates across stakeholder communities while a situation is unfolding, and this digital opinion can add to or take away from a specific risk event. If you want to see interconnection, then this is a great example of it!!!
ISO 31000 Integration
ISO 31000, the global risk standard, has plenty to say on Integration (interpreted from interconnectedness), and ideas of interconnectedness feature in both the 2009 published guideline and the 2017 revision that has recently been made available to the practitioner community.
“Risk management should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organizational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.”
Principles 4.3.4 | ISO 31000:2009
“Risk management is an integral part of all organizational activities, including decision making. It is not a stand-alone activity that is separate from the activities and processes of the organization. Everyone in an organization has responsibility for managing risk. Risk management improves decision making at all levels.” ... Everyone becomes interconnected and, unless they work in harmony, the overall risk management framework is going to be compromised.
Principles 4b | ISO / DIS 31000
I believe the interconnectedness concept that ISO 31000 correctly mentions in its guidance should not only be applied to how the overall process of risk management is embedded into risk identification and decision-making efforts. Interconnectedness should also be considered introspectively in the risk management standard and across the entire people~process~system space!
In the diagram below we can see the various activity centres of ISO 31000, moving from establishing context through to risk treatment. These individual ISO 31000 functions feed each other with data, information or narratives, and while they are relatively ineffective on their own, they become incredibly powerful when they are interconnected or combined in the right order with the right people.
Integrated Framework Elements | Causal Capital
From a system perspective, the Framework Elements (shown to the right of the diagram) also need to be integrated; otherwise the overall risk management framework is compromised.
These Framework Elements, just like the ISO 31000 Risk Management Processes, may be individual activities for an enterprise-wide risk framework, but they also act as data pools or tables in a final risk management IT solution. One of the key reasons why risk management fails comes down to how the Framework Elements are interconnected between individuals in the company, and there are some risk managers I stumble across who have never even considered this network of interrelations. From the IT camp, there are also not enough developers with a solid grasp of risk management requirements. These IT developers also tend to drop the importance of interconnectedness between software interfaces and the people that use those solutions.