Journey from RM (Risk Management) to GRC (Governance, Risk, and Compliance) to IRM (Integrated Risk Management) to OR (Organisational Resilience)
While the Risk domain is very old and Governance and Compliance were added in the past decade or so, many organisations still do not have a Risk function/department. Some have a reactive approach to Risk Management. Rarely does one have the list of regulatory requirements, and almost no one has a process to establish it. Even in organisations that have a very well-established Risk function/department, the methodology for Risk Management is not documented. And finally, where you do find the methodology, the methodology and the output do not match. So a lot of room for improvement exists across the whole ecosystem.
I know almost the whole world claimed that they were almost 100% work-from-home during the Covid-19 pandemic; I believe both parties, the suppliers and the customers, have made an unsaid/unsigned compromise. I believe the home cannot match the office with respect to physical or information/cyber security. Somehow, I have not been able to digest a situation where we are in an online session (meeting/training) and the cameras are not on; that simply brings the effectiveness down. Why should we use platforms like Zoom, Microsoft Teams, Cisco WebEx, Google Meet etc. if the camera is not to be switched on?
I believe there is no perfect solution. Whether we talk of GRC or BCM or Organisational Resilience as a whole, the most important point is that 'it's all about people', which, to my next belief, is the weakest link in the chain. Some provisions like NDA, Code of Conduct/Ethics, Whistle-blower Policy, Information Security Policy, Clear Desk Policy etc. help. Work-from-home dilutes them further. Most of these are 'one-time signed and forgotten' documents. Regular reminders and reinforcement are required.
The first point is 'not to be a pigeon' (in a mythological story, the pigeon closes its eyes when it sees a cat, as if there were no risk), i.e. as a COO, I would first like to admit that I have these challenges; only then do I have a possibility of resolving them (or at least some of them). While some tools do help, access rights can also control the situation to an extent. Overall, manual audits cannot be replaced. Sometimes, setting an example helps, e.g. disciplinary action on one employee will set the rest right for a long time.
I have been practising Risk Management for over 30 years, and a lot has changed with respect to my own understanding as well. I started using the principles of ISO 31000 in the last 10 years or so. The key in Risk Management is to be able to understand the context of your own organisation (trust me, many do not), based on which one does the identification, for which I have expanded my sources, including brainstorming, books, summits/conferences, webinars, AON maps, the WEF Global Risks Report, other horizon-scanning reports etc.
I develop a Heat Diagram to sort the risks, and the top (hot) ones become my target. Metrics are difficult. Theoretically RoI, Cost-Benefit Analysis, payback period etc. can be used. But mostly this has been qualitative and hence subjective.
There is a constant eye on existing and emerging risks locally, nationally and globally. Then regular meetings are held to review all the elements: the risk management process, parameters, definitions, risk appetite, effectiveness of the controls, progress on controls under implementation (some risks will take long to mitigate, e.g. training 15,000 people may be a year-long programme). My audit experience is that 'almost everyone knows Risk Appetite, but no one actually knows it'. People tell me the definition. I am not interested in the definition; the question is about 'your risk appetite'. Even if the value is known, it is known only to a few people. Even those people then do not use it. And the value is too old (not reviewed/refined in recent times). Ultimately, I would like to see the process (a documented process: written, reviewed, approved, published, used) to establish the risk appetite.
This is a long and continuous journey. Even large and mature organisations that I have interacted with during my training and consulting assignments (and I have touched hundreds and hundreds of them) are lacking at this point. The most that they do is the first level of risk management. I tend to go deep, many levels lower than that. The Covid-19 pandemic is a good example. The risk of Covid-19 was managed (by the governments) by announcing lockdowns. This created another risk for the organisations, which they managed by work-from-home (mostly). But that gave rise to multiple risks: physical security, information security, infrastructure, stress, sedentary lifestyle, privacy etc. During 6 months of the Covid-19 pandemic, I have run over 60 mini surveys with one common question, "Are you eagerly looking forward to going back to the office?", and the responses have been 45%-55% 'yes' (touching 100% in a couple of cases). My interpretation is that 'there is some pain' at home!
In one of the discussions with me, the CEO of an organisation said, “Daman, I agree, we perhaps have been working from home ‘illegally’”.
The simple approach of identify-evaluate-mitigate works well. A degree of qualitative and quantitative parameters exists in this. I have been following the principles defined in ISO 31000 as the whole Risk Management process. I know ISO 31010 also exists and has over 30 techniques just for Risk Assessment, but I have not used those yet.
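To make the heat-diagram sorting and the risk-appetite comparison concrete, here is a small added example in Python. It is not the author's tool or any ISO 31000 artefact: the 5x5 likelihood/impact scale, the band cut-offs, the appetite value of 8 and the register entries are all assumptions constructed for illustration.

```python
# Added illustration (not the author's tool): a small risk register scored on a
# 5x5 likelihood/impact scale, sorted into heat bands and compared with a risk
# appetite value. Scales, band cut-offs and register entries are constructed.
from dataclasses import dataclass

SCALE = range(1, 6)       # assumed 1..5 ordinal scale for both axes
RISK_APPETITE = 8         # assumed: scores >= this need a treatment plan
HOT, WARM = 15, 8         # assumed band cut-offs on the 1..25 score


@dataclass(frozen=True)
class Risk:
    ident: str
    description: str
    likelihood: int   # 1 = rare .. 5 = almost certain
    impact: int       # 1 = negligible .. 5 = severe

    def __post_init__(self):
        # Reject out-of-scale values up front; a score of 0 or 30 would
        # silently land a risk in the wrong band.
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{self.ident}: {name} must be in 1..5")

    def score(self) -> int:
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a score onto the heat diagram colour band."""
    if score >= HOT:
        return "hot"
    if score >= WARM:
        return "warm"
    return "cool"


def rank(risks):
    """Hottest first; ties broken by impact, then by id, so the register is stable."""
    return sorted(risks, key=lambda r: (-r.score(), -r.impact, r.ident))


def beyond_appetite(risks, appetite=RISK_APPETITE):
    """Risks whose score meets or exceeds the stated appetite, hottest first."""
    return [r for r in rank(risks) if r.score() >= appetite]


def heat_diagram(risks) -> str:
    """Render the 5x5 grid as text: rows are impact (5 on top), columns likelihood."""
    cells = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.impact), []).append(r.ident)
    lines = ["impact\\likelihood " + " ".join(f"L{lk:<6}" for lk in SCALE)]
    for imp in reversed(SCALE):
        row = [",".join(cells.get((lk, imp), [])) or "-" for lk in SCALE]
        lines.append(f"I{imp:<17} " + " ".join(f"{c:<7}" for c in row))
    return "\n".join(lines)


# Constructed register, loosely following the risks the essay names.
REGISTER = [
    Risk("R1", "Unmanaged home endpoints hold corporate data", 4, 4),
    Risk("R2", "Key supplier unavailable during a lockdown", 3, 5),
    Risk("R3", "Staff not trained on the security policy", 4, 2),
    Risk("R4", "Clear desk policy not followed at home", 5, 1),
    Risk("R5", "Regulatory requirement missed (no register)", 2, 4),
]

if __name__ == "__main__":
    print(heat_diagram(REGISTER))
    for r in beyond_appetite(REGISTER):
        print(f"{r.ident} score={r.score():2d} band={band(r.score())}: {r.description}")
```

The point of the `beyond_appetite` function is the one the essay makes about risk appetite: the appetite is only useful as a number that the register is actually compared against, and changing that number (try `appetite=15`) visibly changes which risks demand a treatment plan.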
In recent times (with added challenges from the Covid-19 pandemic), I see a transformation of roles: COO-to-CEO. No emotions, just being reasonable and practicable. There are pressures on revenues and profits. I see the emergence of highly Resilient Organisations.
Risk Management and Governance, Risk and Compliance came closer a decade ago. There have been discussions about Integrated Risk Management or Integrated Management Systems; some successes have been achieved, mostly ISO 9001, ISO 14001, ISO 45001 (Quality Management System, Environmental Management System, Occupational Health and Safety Management System).
ISO 22316:2017 relates about 20 domains/disciplines to Organisational Resilience, and I see it to be exceedingly difficult to integrate so many into one! I have recently developed a 2-day course on Organisational Resilience (based on ISO 22316); I will talk about it separately. And, in the process, I realised the need for a tool to assess Organisational Resilience and developed one; while doing this I added 4 more parameters, and this assessment now revolves around 24 factors.
In the immediate term, I see the transformation from RM-GRC-IRM to OR (Organisational Resilience). The world is going through difficult times. The CxOs need to take some tough decisions. Multiple domains need to amalgamate. Hence, I see Organisational Resilience as the solution. The need of the hour is to be more efficient, to generate resources (including budget) to invest in tools, techniques and people, and to be Resilient.
My definition: A Risk Managing, Learning, and Continually Improving organisation is a Resilient Organisation!