Global standards organizations and associations are adjusting their guidance and advice to emphasize that risk management is not just about addressing specific risk events. The updated COSO and ISO risk management standards now highlight the need to consider risks in association with business objectives and decisions.
The past focus on standalone risks gave rise to business practices and tools that created risk identification exercises for employees to populate risk registers used to assign governance responsibilities, set controls, and ensure compliance with regulatory requirements. These tools and practices still fulfill a purpose and add value within enterprise risk management systems, but integrating risk considerations with decision-making processes across an organization calls for a new perspective of what qualifies as pertinent and valued risk management resources.
Concepts of business risks, risk management, and risk sharing date back to the very beginning of economic activity with the most explicit examples involving the financing of new ventures and the transport of goods. Over time, risk specialists and insurance products emerged to help identify, assess, mitigate, and financially minimize specific risk exposures.
While the study of business management as a modern discipline took hold at the turn of the twentieth century, the value of risk management for an enterprise was not explicitly advanced until 1963, when Robert Mehr and Bob Hedges asserted that the objective of risk management is to maximize the productive efficiency of the enterprise. In this view, the purpose of risk analysis is not just to identify ways to avoid or mitigate the consequences of risk events, but also to inform decision making to help optimize the value of an organization.
The enterprise-wide perspective elevated risk management to a business function that could assess an integrated portfolio of organizational risks. This analysis has helped streamline insurance coverage, set controls, and satisfy regulatory requirements, but the practical integration of risk management with decision-making processes has been a challenge.
The challenges derive from the differences in enacting risk management as a risk-centric discipline versus embedding risk management practices within decision-making processes. A risk-centric approach focuses on identifying, assessing, and addressing enterprise risks with an end goal of minimizing the overall consequences of risk exposures to the organization. A decision-centric approach, in contrast, focuses on identifying and assessing the risks associated with specific decisions with the goal of optimizing the risk-reward balance and the potential of achieving a certain objective.
The key distinction in practice is that a risk-centric approach can be a periodic activity, while a decision-centric approach requires a continual assessment of changing conditions as a decision is made and executed. Not only do market conditions, resources, and other external variables change, but stakeholder expectations and decisions themselves are subject to change and adjustments.
The dynamics of decisions and the systems in which they are made have ramifications for the processes, individual roles, information, and tools necessary to integrate risk management with decision-making processes.
Every employee across business functions makes decisions under different contexts that carry varying degrees of weight to an organization’s objectives and value. Companies should analyze decision dynamics throughout their organization to understand where risk management is critical and how best to integrate it in decision-making processes.
Strategic, resource, financial, and operational decisions involve unique information, processes, and decision makers. While strategic decisions may align most closely with past risk management practices in terms of analytical frequency and information requirements, operational decisions need a more dramatic shift in resource considerations.
Given current assertions that frontline workers are critical for managing risks, risk management cannot be a standalone periodic exercise. It must seamlessly meld with ongoing decision processes. Daily operational decisions should always incorporate ongoing risk analysis that leverages past evidence, monitors real-time dynamics, and quickly assesses the range of potential future outcomes to help select an optimal path toward stated objectives.
A wide range of monitoring and analytical tools play critical piecemeal roles in ongoing risk management systems, but technology advancements are accelerating the ability to explicitly, and quickly, integrate more risk information and analysis with decision-making processes. These resources will carry risk management practices well beyond today’s risk registers and compliance programs and will help raise the value of risk management.
The shift from a risk-centric to a decision-centric approach for managing risks includes an overall repositioning of the value that risk management brings to the enterprise.
Stakeholders, from government regulators, ratings agencies, and activists to partners, suppliers, and shareholders, are raising expectations for the ability of businesses to manage all varieties of risks. Strategic and operational enterprise decisions now carry tremendous business and social expectations. Executives are supposed to make timely and deliberative risk-informed decisions to not only achieve enterprise goals but also meet social obligations. A single misstep can create immediate and damaging backlash from customers, regulators, shareholders, and the public.
Risk management provides a path to better management, but it is a relatively young business discipline. Initial enterprise-wide implementation efforts focused on identifying the top organizational risks, establishing processes to set controls, and ensuring regulatory compliance. The vision is now set on creating resilient organizations that thrive and gain value through risk exposure.
Overall enterprise risk management efforts should aspire to
The maturity and effectiveness of risk management programs naturally progress from initial practical limited-scope efforts to their potential as a core principle and driver of enterprise decision making. The convergence of advancements in risk management practices, technology, and new and expanding risk information sources is supporting the transition from a defensive risk protection stance toward a more proactive opportunistic role that raises enterprise value.
Risk management emanates from the business principle that good decision making involves assessing the uncertainties associated with achieving an objective. Risk management principles implicitly underlie just about every decision an individual makes in their daily life with an intuitive process of identifying, assessing, and acting upon a set of options, tradeoffs, and uncertainties. Effectively extending this principle and process to the complexity of enterprise decision making requires explicit standards for frameworks and programs.
Standards organizations provide guidance on translating risk management principles into an enterprise framework including the overall objectives of risk management and establishing common terminology and structural guidelines. Risk management programs then set the specific policies, roles, processes, reporting, and resources required to enact the framework.
While an individual can, in effect, define their own personal risk management framework and program, methodical implementation across a group or an enterprise increasingly tests the capacity and the efficiency of an organization’s risk management resources and communication capabilities.
Expectations for structured risk-informed decision-making frameworks begin at the individual level. Even freethinking entrepreneurs must identify and present their assessment and quantification of risks to justify business plans for potential customers and investors. As applied risk principles extend from individual analysis and decision making to group and enterprise decision settings, demand for more sophisticated vendor risk management solutions broadens.
Individual workers generally carry out routine tasks guided by established company decision rules which should incorporate enterprise risk appetite considerations. When the task or decision falls outside the routine, individuals typically conduct risk management analysis and reporting using basic spreadsheet, word processing, and presentation tools. As the specific risk considerations become more complex, they may seek specialized analytical tools, risk information sources, and external risk experts for support.
Temporary project groups and single corporate functional units tasked with specific business objectives introduce new framework requirements, especially for risk communication and role clarification. Risk management in this context calls for explicit agreements on objectives and standards that emphasize a clear process with assigned tasks and risk owners. While group meetings and email communication may suffice, project managers increasingly seek project management platforms that incorporate risk considerations and offer more efficient communication and process controls. In cases where distinct functional units, such as human resources, finance, and legal, manage a high volume of risk events in a specific risk source category, they may strive to improve processes and standardize decision making and risk responses utilizing software tools to more efficiently identify, record, assess, and address specific risk events.
At the enterprise level, multiple objectives, unlimited and complex uncertainties, and unique risk measures across functional units require an overarching framework to consider the enterprise risk portfolio for more efficient strategic, financial, operational, and resource decisions. The complexity at the enterprise level raises demand for (1) risk management standards, (2) support for organizational change, role definition, and training, and (3) efficient ways to identify, analyze, report, and compare risks, risk response actions, and decision tradeoffs in an enterprise view.
Risk management is not a standalone role, program, function, process, or technology but a management principle applied to a framework integrating people, processes, technology, and information resources across an organization to explicitly address the uncertainties associated with achieving enterprise objectives.
The demand for external risk management services and products is limited when one person or a few individuals conduct risk analysis or when the analysis focuses on a narrow set of risks. Many small companies and individual risk managers tasked with risk responsibilities still get by with spreadsheets, word processing, and presentation software, but these resources quickly prove to be inadequate when addressing the volume, variety, velocity, volatility and vitality of risks in a broader enterprise context. The limitations and inefficiencies of internal resources drive demand for vendor solutions that help identify, assess, record, address, and communicate risks within an enterprise and externally with shareholders, ratings agencies, government agencies, and partners.
Wherever a risk management system resource (people, process, technology, or information) is scarce or inefficient, suppliers introduce solutions. A wide range of vendors, including risk management advisors and consultants, software vendors, and risk information providers, are quickly advancing their offerings to help raise the value of risk management systems for enterprises.
Vendor offerings provide value by either (a) improving the efficiency of existing internal resources, or (b) adding new resource capabilities for enterprises. Offerings enhancing the efficiency of existing resources typically are in the form of organizational consulting services or software tools focused on process, role clarification, communication flow, decision making, and the use of standards. Suppliers of supplemental resources generally offer software technology to support data collection, monitoring, risk analytics, predictive analysis, scenario analysis, decision support, and reporting. These offerings increasingly focus on managing a higher volume, velocity, and variety of risk information with greater speed and consistency on an ongoing basis.
Current risk management market offerings can range from niche risk analytics tools and information to broad-reaching GRC software suites and organizational consulting. Applying the concept of a market to risk management is intrinsically more complex than identifying and valuing widgets since risk management systems include an amorphous variety of services, software, and information resources.
The following definition sets parameters to identify market vendors supporting risk-informed enterprise decision making:
The Risk Management Resources Market includes services, software, and information vendors addressing enterprise demand for enhancing or adding people, process, technology, or information resources that explicitly help address the uncertainties associated with achieving enterprise objectives. Vendor offerings support the following enterprise needs:
While the risk management resources supply market broadly includes services, software, and information vendors, the specific types of vendors within these segments vary widely. They include management consultants, insurance advisors, analytical software tool providers, enterprise resource planning (ERP) software vendors, as well as specialists in crisis management, reputation, social media, geopolitics, physical security, cybersecurity, and information security, among many others.
Some suppliers are pure play risk management vendors, while others may only have a few risk management offerings within a broader portfolio of products and services. Some offer holistic enterprise risk management (ERM) solutions while others focus more narrowly on specific risk process elements or risk source niches.
Intelligent Management Trends has analyzed enterprise decision making processes, risk management standards, and vendor resource offerings and has identified three top factors to use for a simple taxonomy system that can directly connect the value of risk management vendor offerings to enterprise resource needs:
No single vendor can provide all the people, process, technology, and information resources required for a complete enterprise risk management solution that addresses all risk source categories using each risk management process element. ERM software vendors provide broad platforms to help manage the flow of information and enable many of the risk management process elements, but additional risk source expertise, process support, and risk information sources are necessary to complete a holistic risk management system.
The marketplace includes a wide variety of software and services vendors using the enterprise risk management (ERM) and governance, risk management, and compliance (GRC) labels. These terms can create market confusion when used too broadly for offerings that address only a specific risk management process element or a specific risk source.
Intelligent Management Trends offers a simple taxonomy structure, based on the three primary factors above and four specialization factors, to help categorize the capabilities and value of risk management vendor offerings in relation to the resources necessary to build risk-informed decision-making processes across an enterprise.
It is time to transition from a risk-centric to a decision-centric perspective of risk management processes and resources, a perspective that includes a greater emphasis on real-time risk monitoring, risk analytics, predictive solutions, and information sources that meld with decision-making processes.
The age of digital enterprises is here. This includes making changes to your risk management practices to build more resilient and antifragile organizations.
Get to know John Farrell, the author of this market analysis. He is a business researcher and advocate for advancing business decision making through the use of risk management principles and advanced analytics. His background with IDC, Kennedy Information, and IBM includes managing custom research projects, building market demand models, analyzing leading edge market trends, and assessing vendor capabilities in the information technology and management consulting markets.
Whether you are a business assessing vendors to help you improve your risk-informed decision-making processes, or a vendor interested in building your competitive value, contact John to see how he and his network of researchers with Intelligent Management Trends can address your top challenges.
John Farrell Intelligent Management Trends
The analysis on this page is a compilation of excerpts from Intelligent Management Trends' report “Risk Management Resources Taxonomy, Trends, and Vendor Classification.”
The report presents a holistic categorization of services, software, and information resources for risk-informed decision making and includes market drivers, trends, and extensive vendor examples to substantiate all market categories and definitions.