I recently came across a YouTube video post on risk management that piqued my interest. I don’t usually scour social media for risk management posts, but this one claimed to be a controversial stance, as it framed Risk Management 1 and Risk Management 2 as competing methodologies. Controversy in risk management and categorizing activities into Risk Management 1 and Risk Management 2!? — I’m sure you’re intrigued. Now that I’ve got your interest (oh right, I’m sure I had you at “Risk Management 1”), let me explain…
Risk Management 1 & Risk Management 2
Risk Management 1 is the risk management that most of us are familiar with. It consists of activities like risk identification, top-down risk assessments, populating the risk register, bottom-up risk assessments, control self-assessments, audience-based reporting via charts and heat maps, and other similar activities.
Risk Management 2 focuses on decision support, and uses complex risk management modeling techniques like Scenario Analysis, Sensitivity Analysis, Monte Carlo simulations, Tornado Diagrams, and other similar techniques.
The Controversial Claim
The author of the video claims that while most risk management departments and professionals spend 80+% of their time on Risk Management 1 activities and 20% or less on Risk Management 2 activities, they should be doing the exact opposite. He goes on to state one basic reason for this — decision support. He says that the drivers of Risk Management 1 activities generally come from outside the business and include auditors, regulators, credit rating agencies, board members, and other external forces. The resulting materials from Risk Management 1 activities, things like risk appetite statements, risk registers, risk scores and heat maps, have very little impact on, or are rarely used in, the business decision-making process. Risk Management 2 activities provide meaningful and actionable data and should be the priority.
Is this claim correct?
Like most controversial things, there’s a bit of truth to the claim, but it fails to fully explain the big picture. Yes, it’s true that most GRC departments, audit departments, and compliance departments spend their time almost exclusively on Risk Management 1 activities. It’s also true that organizational leadership seeking out decision support on macro decisions (i.e. situations where a single decision can have a large impact on the business) will more likely want to engage in Risk Management 2 activities. They’ll want calculations, scenarios, hypothesis testing, key assumptions analysis, ranges of possible outcomes, etc.
Typically, the resources and expertise needed for Risk Management 2-level analysis of business decisions are limited to very mature risk environments, typically found in large organizations or in the financial industry. Further, the ranges, variables, and assumptions that go into these models affect the results wildly, and while variable identification and assumption analysis can attempt to limit this, all variables are rarely identified. Of those that are identified, causation vs. correlation is very hard to determine and the assumptions can’t be considered ironclad. Additionally, large ranges of outcomes can make decisions hard and ultimately still leave the burden on the leader making the decision.
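To make the point about ranges and assumptions concrete, here is an added illustration (my own code, not from the video or anything the author published): a Monte Carlo estimate of annual loss from a single control gap, plus the one-at-a-time sensitivity sweep that a tornado diagram plots. The input ranges are constructed, hypothetical assumptions; the point is how far the P10–P90 range moves when one assumption is widened.

```python
import math
import random

# Constructed, hypothetical assumptions for one control decision (not from the post):
# how many loss events the process produces per year, and how large each event is.
BASE = {
    "events_per_year": (1, 5),              # uniform integer range (assumption)
    "loss_per_event": (10_000, 100_000),    # log-uniform dollar range (assumption)
}

def percentiles(values, ps=(10, 50, 90)):
    """Nearest-rank percentiles of a sample, returned as {percentile: value}."""
    values = sorted(values)
    last = len(values) - 1
    return {p: values[min(last, round(p / 100 * last))] for p in ps}

def simulate_annual_loss(assumptions, trials=20_000, seed=7):
    """Monte Carlo: for each simulated year draw an event count, then a loss per event."""
    rng = random.Random(seed)                      # fixed seed keeps runs comparable
    f_lo, f_hi = assumptions["events_per_year"]
    lo_log, hi_log = (math.log(x) for x in assumptions["loss_per_event"])
    losses = []
    for _ in range(trials):
        n_events = rng.randint(f_lo, f_hi)
        # log-uniform: the range spans orders of magnitude, not evenly spaced dollars
        total = sum(math.exp(rng.uniform(lo_log, hi_log)) for _ in range(n_events))
        losses.append(total)
    return percentiles(losses)

def tornado(base, alternatives, trials=20_000, seed=7):
    """Sensitivity sweep: swing one assumption at a time to its alternative range,
    hold the rest at base, and rank inputs by how far they move the P90 annual loss."""
    base_p90 = simulate_annual_loss(base, trials, seed)[90]
    swings = []
    for name, alt_range in alternatives.items():
        varied = dict(base, **{name: alt_range})
        p90 = simulate_annual_loss(varied, trials, seed)[90]
        swings.append((name, abs(p90 - base_p90)))
    return sorted(swings, key=lambda s: s[1], reverse=True)

if __name__ == "__main__":
    res = simulate_annual_loss(BASE)
    print(f"P10 / P50 / P90 annual loss: {res[10]:,.0f} / {res[50]:,.0f} / {res[90]:,.0f}")
    # Wider (still hypothetical) ranges for each input, as an analyst might be asked to test
    alt = {"events_per_year": (1, 20), "loss_per_event": (10_000, 1_000_000)}
    for name, swing in tornado(BASE, alt):
        print(f"{name:>16}: P90 moves by {swing:,.0f}")
```

The spread between P10 and P90 is the range a leader is handed; widening either assumption stretches it, which is exactly why the decision burden stays with the leader.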
What he’s missing is the value proposition of Risk Management 1 activities: lowering risk for everyday business operations. Business operations are full of micro decisions and automated processes, or instances where risk occurs without an active decision. These micro decisions and automated occurrences introduce risk that we mitigate with things called controls. These are often set during system design and implementation, where application controls dictate repetitive operations, and they occur manually every day in low-level process reviews and approvals of things like financial transactions and user access changes. These micro decisions won’t get the attention of the single macro decision the author is referring to. No leader will run a Monte Carlo analysis on an application control that limits the dollar amount a procurement officer can approve. Cumulatively, though, these can impact the business just the same as the macro decisions. Just ask any organization dealing with the ramifications of a data breach or other negative consequence resulting from poor control.
What does this mean for us GRC / IRM professionals?
What I take this to mean is pretty simple. Risk Management 2 activities need to be a part of your toolbelt. No matter where you are, it would probably be useful to educate yourself on them and to introduce leadership to these techniques so that they know you can provide macro decision support. Is it right, though, to say that they should take up anywhere near 80% of your time and effort at most organizations? Absolutely not. We all know the time and effort it takes to build an effective risk management program, primarily composed of Risk Management 1 activities supported by market-leading eGRC systems. Risk Management 1 leads to a more mature control environment, business management’s ownership of risks in their areas, better process and control design, and ultimately, lower risk. We don’t need any less of that.