Anyone who knows me well knows how much I enjoy murder mystery TV shows and books.
And IF I’m able to manage some TV time, something that is getting more difficult all of the time it seems, shows like Rizzoli & Isles, CSI, and Criminal Minds are some of my current faves. In years past, you could add Law & Order and The Closer to this list. Shows like this really grip me – I’ve caught myself saying I’ll only watch 15 minutes then I end up watching the whole episode!
So you can imagine I was intrigued when reading how Hans Læssøe, former strategic risk manager for LEGO, described one facet of risk identification in his book Prepare to Dare.
Hans explains how identifying risks and opportunities for projects and specific initiatives is pretty straightforward.
But this isn’t quite the case when it comes to business strategies as descriptions of these risks and opportunities tend to be rather vague. While this vagueness doesn’t necessarily mean these risk statements are useless, the statements do require further analysis.
To do this, the first step is to ask “what is the problem/benefit?” then “why is this a risk/opportunity?” to understand the context.
The next question from here is to ask “why/how could this materialize?” which in effect means conducting a root cause analysis to identify what will ultimately trigger the risk and thus what can actually be managed. Hans then explains:
As a frame of reference, a coroner often states that the cause of death is “cardiac arrest,” and true, if the heart stops beating, the person dies. To the criminal investigator, it is necessary to get more insights as to “why did the heart stop beating?” – to him, “cardiac arrest” is inadequate as cause of death.”
Simply saying a person’s heart stopped beating is inadequate and useless as a root cause. If I were a detective investigating someone’s death, I’m going to want to dig further to understand why the heart stopped beating.
To translate this for the purposes of risk identification, Hans describes a situation where a CEO may say the company has a reputational risk, but as he explains, simply saying something is a reputational risk is too broad and not helpful for decision-making.
As I discuss in this article, looking at reputation as a stand-alone risk comes with many drawbacks. (I highly recommend reading the reputation risk article to understand those drawbacks and more.) It can be difficult to explain to the executive team, audit committee, or board, and it’s likely any scenarios you develop will end up being duplicative of risks you’ve already identified.
Instead of lumping reputation into one big risk, you can instead examine risks and specific events or triggers and how they may impact the company’s reputation.
In a previous article comparing a toddler’s “why” to root cause analysis, there are several methods organizations can use to do this, including brainstorming, flowcharting, 5 whys, fishbone diagrams, and affinity diagrams.
Ultimately, getting to the root cause means asking “why” until you can go no further. Once you reach this point, you will then understand what needs to be done to address the risk.
Police investigators do this intuitively.
Not only are they interested in fully understanding the cause of someone’s death, they also want to fully understand the “why” or the motive. It’s with this information in hand that detectives can unravel a plot, find the person or persons responsible, and bring them to justice. Without this clear understanding, it’s highly likely the person(s) will just walk or the perpetrator(s) remain free.
In the case of risks and opportunities to achieving strategic objectives, not having a clear understanding of the “why” or root cause of a risk or opportunity will lead to confusion as to what the appropriate response should be. And by the way, if you don’t have the trigger, root cause, and potential consequence(s), you will not have the three necessary components of an effective risk statement.
I find it fascinating how seemingly unrelated concepts or ideas can be used to understand ERM concepts and processes, as well as how these concepts are actually tied together.
What concepts or analogies have you discovered to better understand risk and opportunity management?
Today’s article was a little bit on the lighthearted side. After all, ERM doesn’t have to be dry and difficult to read! Hans’ book is a great entry-level resource for learning how to build an effective, value-enhancing ERM process.
If you’re experiencing difficulty in identifying root cause or any other aspect of ERM, please reach out to me or schedule a meeting today to discuss your specific situation and a possible path forward.