- In traditional risk management, the quantity of risk reporting may crowd out quality, denying executive decision makers actionable insights about what is happening in the business.
- Today, the dynamic and unpredictable nature of both internal and external business environments requires an ‘intelligence-led approach’ to risk management.
- An intelligence-led approach is less about the efficient operation of the risk management function and more about informing strategic conversations and executive decision making.
During a recent consultation, I was struck by how little value my client’s enterprise was extracting from its significant investment in risk management. The policies, processes, procedures and artifacts prescribed by ISO 31000:2018 and other risk guidance were in place. Risk profiling and reporting was rolling up from business units, through divisions to the enterprise level, with no shortage of textual and tabular inputs for consumption by executive committees.
Yet decision makers were uneasy. The volatile external environment they were experiencing only exacerbated their concerns that small unfamiliar developments could cascade risk across the enterprise with unexpected asymmetric effects. I was reminded of the information paradox identified by John Naisbitt: ‘We are drowning in information but starved for knowledge.’ The client needed actionable insights drawn from the fire-hose of fact-based reporting.
The situation I just described is not uncommon in corporate Australia. Incumbents are characterized generally by a desire for stability, certainty and predictability, not by a propensity to actively pursue risk. The traditional focus on risk events through multiple lines of reporting disguises deeper systemic issues, making it difficult for executives to understand what is really going on in the business, whether the level of uncertainty is changing, and the impact these factors should have on executive thinking at all levels. A key concern is the avoidance of surprise from unfamiliar threats.
The dynamic and unpredictable nature of both internal and external business environments requires a more sophisticated risk management approach. It’s always easier to consider known risks and what’s familiar, but as Thomas Schelling observed, ‘One thing a person cannot do, no matter how rigorous his analysis or heroic his imagination, is to draw up a list of things that would never occur to him.’ Today, management needs to envision what different risks might emerge that could affect the business; for example, by shining a light on disruptive technology, new competitors, and prospective changes in regulations, economics or the political landscape.
From my experience as a professional intelligence officer, I knew actionable insights could not be drawn from the accumulation of facts alone but rather from the creation of ‘new knowledge’ or ‘risk intelligence.’ Intelligence is an evocative term, in the popular sense variously connoting a product, service, practice, process, people and organisation. In effect, intelligence is an amalgam of evidence and inference, offering a better understanding and new insights derived from information we possess but have not made sense of in novel ways. Intelligence is the world’s second oldest profession, but ‘risk intelligence’ is a more recent instantiation with more ambiguous interpretations and even its own abbreviation, RQ.
Some theorists have defined risk intelligence very narrowly. David Apgar defined risk intelligence as ‘the ability to reach accurate judgements about a specific new risk,’ where one’s level of risk intelligence varies according to the type of risk in question. Dylan Evans characterises risk intelligence as ‘the ability to estimate probabilities accurately by gauging the limits of our own knowledge.’ Frederick Funston considers risk intelligence to be ‘the ability to effectively distinguish between two types of risk: the risks that must be avoided to survive by preventing loss or harm; and the risks that must be taken to thrive by gaining competitive advantage.’
I prefer a broader definition of risk intelligence. Leo Tilman defined risk intelligence as the ‘organizational ability to think holistically about risk and uncertainty, speak a common risk language and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities and creating lasting value.’ In my view, Tilman’s definition best captures the potential of intelligence-led approaches to risk management, but I would add that risk intelligence is not solely an organisational attribute and can be exercised at the individual and team levels.
An intelligence-led approach is less about the efficient operation of the risk management function and more about informing strategic conversations from different points of view, especially external to the organisation, to foster opportunity rather than exacerbate risk aversion. Both Apgar and Evans agree that keeping track of what one learns in a methodical way and seeking out diverse sources of information – expanding our cognitive horizon – contribute to higher risk intelligence. Risk intelligence also highlights affordances – what a deeper understanding of the environment offers the enterprise – which are a key focus of actionable insights. But the enterprise must possess the capabilities to perceive the affordances and to use them.
The preceding definitions offer little insight about risk intelligence as a capability, and the practice of risk intelligence. However, the broader intelligence body of knowledge has much to offer risk practitioners for generating risk intelligence. For example, structured analytic techniques, visualisation tools, and sensemaking allow us to step beyond the facts to actionable insights. I used each of these techniques in the consultation I mentioned at the beginning of this article – let me explain.
A key constraint in examining the firehose of risk reporting is the amount of information analysts can both keep at the forefront of their minds and think about. Structured analytic techniques make explicit and examine the relationships between elements of information. For example, a simple mnemonic called POLE structures the relationships between People, Objects, Locations, and Events to find patterns. In terms of risk intelligence, we can examine the relationship between business units, their individual risk descriptions, the associated element(s) of risk, key incidents (especially causes), and internal audit reports over time. However, at the enterprise or divisional level, we are still confronted with structured data of enormous complexity.
Visual representation of the data in a natural and intuitive form makes full use of the human capacity to absorb and interact with complex images, far beyond typical directory structures or screens of text and numbers. Visualisation provokes insights, enabling communication of these insights to clients and colleagues, and confirming the integrity of observations. The risk intelligence consultation used the Kumu open source visualisation platform to visualise the web of connections based on the parameters previously manipulated by the structured analytic techniques.
The term ‘sensemaking’ was introduced by Karl Weick to refer to how we structure and articulate the unknown to be able to act in it. David Moore suggests sensemaking for intelligence purposes encompasses ‘the processes by which specialised knowledge about ambiguous, complex, and uncertain issues is created.’ The resulting insights, according to Gary Klein, trigger an unexpected shift to a new set of beliefs that are more accurate, more comprehensive, and more useful – which change how we understand, how we act, how we see, and what we desire. By enabling decision-makers to have a better grasp of what is occurring in their business, sensemaking facilitates other activities such as visioning, relating, and inventing.
The disciplined application of techniques for structuring, visualising and making sense of the risk data led to risk intelligence that would otherwise not be apparent in traditional textual or tabular reporting formats. In the context of the risk consultation, the insights included:
- Understanding the relationship between key incidents and the elements of operational risk allowed risk exposure to be framed in ways that were more useful for designing and applying controls.
- Understanding the relationship between key incidents and operational risks helped challenge existing risk ratings, the adequacy of investment in controls, the precision of the risk description, and underlying complexity in the exposure that may lead to surprise.
- Understanding the relationship between operational risks and the elements of operational risk highlighted the comprehensiveness of the risk profile, the balance of attention in the risk profile, opportunities for adjusting investment in controls, and the potential for cascading effects across the portfolio of risk.
In the pursuit of risk intelligence, practitioners can draw upon the wider intelligence body of knowledge to shape theory and practice into a set of processes for the ‘transformation of risk data into meaningful and useful information for risk analysis, treatment and planning purposes.’ More recently Leo Tilman has argued that risk intelligence will become a cornerstone of organizational agility in an increasingly dynamic and unpredictable world.
Brett Peppler is an independent consultant at EarlyBirds – a specialist in providing intelligence-led approaches for managing uncertainty in strategic planning. Brett is a Fellow and former President of the Australian Institute of Professional Intelligence Officers (AIPIO). Follow Brett on Twitter @cbrettp and @iFuturesAU