I was reading a risk management blog today and was very impressed with the technical article covering various aspects of solvency and valuation in the insurance industry. As I was reading it, my mind analyzed the information with respect to various laws, sections, cases etc. After finishing reading it, I took a breath and thought: "I actually felt like referring to various risk management books to understand the article; will a regular business operations employee actually understand it?" This resulted in a depressing thought: "I do the same. To show my knowledge, I mention sections and case laws of various acts, which leave business people stumped." Well, in my defense I will say it gives a heightened sense of satisfaction and success.
Somewhere I feel risk managers (referred to as RMs) are having their cake and eating it too. The primary responsibility for managing risks lies with the business operations team. The RM's role is that of a support function, a facilitator to the business. The business managers are not being provided with the necessary information, knowledge and tools to proactively manage their risks. Let me explain why I am making this statement.
In their role as auditors, RMs focus on what went wrong in the past rather than equipping the business managers to deal with the future. It is a feedback rather than a feed-forward system. The other aspect is that in their role as advisors they issue guidelines and policies without the complete involvement of the business people.
Scenario 1: Let me take the scenario of implementing information assurance policies. The RM will discuss the overall requirement with the business managers, prepare the policy, take feedback regarding it and then issue the final policy. Then they will tell the business users to implement it. Since in quite a few areas implementation may not be possible, exceptions will be granted to the business users. In a nutshell, only around 75% of the policy will be implemented.
In both these roles the involvement of the business operations team is minimal at the commencement of the project. They are expected to implement the recommendations.
Considering the above-mentioned shortcomings of this approach, I wished to explore the concept of collective intelligence and its applicability to risk management functions.
As a first step, let us understand the nature of information and intelligence which risk managers require to conduct their jobs:
1) Organizational Intelligence: Information regarding processes, structure, culture and technology. RMs normally get this from the business managers through interviews and reviews of standard operating procedures.
2) Commercial Intelligence: Information regarding the external environment: customers, suppliers and competitors. RMs obtain this information from interviews with business managers, customers and suppliers. Other sources are various media and published research reports.
3) Technical Intelligence: Information regarding the various laws, acts, methodologies and tools applicable to risk management. RMs have the knowledge of how to conduct risk management while using this information appropriately.
As can be seen, business managers have more information and knowledge on two of the three intelligence capabilities required for conducting risk management. In a more collaborative approach the risk managers should be able to impart their skill specialization to the business managers effectively.
The question is how can this collaborative model work? Let me take the example again of preparing information assurance policies.
Scenario 2: In this scenario the RM puts up the objectives of preparing and implementing information assurance policies, along with a table of contents and a broad outline, on the intranet. Now it is open to the employees to contribute and decide how it should be developed and implemented. The employees comment on what is applicable, how the process works, what the bottlenecks and challenges are, who should review it, how it should be implemented etc. The RM identifies the major contributors and meets them to interview them. Based on the web interactions and meetings, the RM prepares a draft policy document and uploads it to the intranet. Again the employees are invited to review it and provide feedback. After incorporating the feedback, the risk manager proceeds to obtain the approval of the senior managers.
In this approach the RM has the buy-in of the employees before the finalization of the policy. Hence, implementation will be easier, since employees feel a sense of collective ownership and responsibility. This will enable adoption of information assurance policies as part of the organizational culture.
To delve further into the approach, I am adding an example which I read in "Collective Intelligence- Creating a Prosperous World of Peace", with a foreword by Yochai Benkler and remixed by Hassan Masum. I have adapted the example "Three ways to storytelling" to the risk management function.
Three Ways of Story Telling- Risk Management Adaptation
Let us formulate three societies for risk management: Red, Blue and Green. Each society has specific procedures on how to conduct and discuss risk management activities.
Red: In the Red society a hierarchical top-down approach is followed. All risk issues/observations are reported by the risk management department to the CXOs. Business operation managers are required to go to their respective RMs to discuss their issues. A business process team member has to route their risk issue/query through the business operation manager to the respective risk manager.
The senior management issues the guidelines, policies and reports to the business operations team. The business operations team members hear about the issues only from the senior management and implement them accordingly. In this case, an employee's understanding of risk issues is at an overall level controlled by the senior management. An employee's perceptions and knowledge are based on the information provided to him/her by the seniors.
Blue: In the Blue society a hierarchical top-down approach is again followed, however with a slight difference. Here the business operation manager can bring risk issues directly to the CXOs' attention. Then the risk management department and the business operation manager work in collaboration to address the issue. In this case, a change agent from the business operations team can be nominated to address the risk issue.
In this scenario, the business operations team members hear about the risks which senior managers, RMs and their elected change agents inform them about. The employees' perception, knowledge and awareness of risk issues are governed by this select group. Though information is not controlled as in the completely top-down approach of Red, it is controlled by the major key players in the business operations team.
Green: In the Green society the approach adopted towards risk management is one of collective intelligence. Business operations team members can put all their concerns, risk management suggestions and problems regarding risk management on the intranet. The other team members, including the risk management team members, discuss them on the intranet and in meetings to suggest a solution to the issue and mitigate the risk.
In this scenario, the business operations team members discuss the issues which concern them. There is no control from a senior manager regarding the topics to be discussed, and no permission is required for it. The flow of information regarding risk management is through multiple channels: team members, business managers, RMs and CXOs. The information which an employee has is extensive and he/she is well informed regarding the subject. Perceptions and awareness are built through multiple sources of information.
The problem with the collective intelligence approach can be that employees have extensive information, so on what basis will they decide the relevance and applicability of that information? How will the risk management function operate? The adjacent diagram depicts the steps for using collective intelligence in risk management activities.