The perfect storm of Systemic risks
Risk is trying to control something you are powerless over. ~ Eric Clapton
Well… not totally correct. Organisations do have the potential to identify likely risks, implement countermeasures, and hope that the risks never eventuate and that, when they do, the countermeasures work.
The spectrum of risks in running an organisation is well studied, and there are numerous risk management frameworks in place which are, for the most part, effective – or so we would like to believe.
The almost absolute dependency on technology in our organisations adds another dimension to the risk landscape. The pervasive adoption of business technology is a given – illustrated by the accelerating adoption of smartphone, Cloud and similar technologies. Much of this technology is new, emerging and disruptive, and can crash through conventional enterprise risk management processes and frameworks.
Do you rely on your IT consulting firm to guide you and your organisation through the technologically altered risk landscape? That may in fact introduce further risks! The best mitigation is to own, understand and manage the risks – after all, it’s your organisation at risk.
Let’s explore these in a bit more detail:
The meticulous identification, categorization and ranking of all likely technical and functional risks is at the heart of conventional IT risk assessment frameworks and certification models such as ISO 2700X. This is where the IT consulting firm can assist if appropriate. The underlying model is based on:
Risk of a specific event = (Impact x Probability of that event occurring) + Risk Adjustment
Certification does not necessarily equal security or effectiveness of your risk management model; however, it may provide some comfort that there is a system in place to identify, mitigate and frame your response should the risk materialize.
Focusing primarily on the diverse range of functional and technical risks often fails to account for the interaction between risks.
In the context of your business, taking a broader perspective of risk will give you a better view of the actual risk, rather than what you think the risk might be.
Systemic risks are those with the greatest potential impact, as they affect the entire system (i.e. organisation, government, country, world…).
Case in point: Why was the financial sector, one of the most regulated industries and a heavy investor in risk management technologies and processes, the cause of the 2008 global financial crisis (GFC)?
Systemic risk for the enterprise is the silent killer and is often the hardest to identify.
Organisations that think that the catalogue of risks – known as the risk register – is a true measure of the systemic risks may be taking a risk!