Norman Marks on Governance, Risk Management, and Internal Audit

These are three of today’s buzzwords. My good friend, Michael Rasmussen, has shared an article that was recently published by the Institute of Risk Management. (I am an Honorary Fellow of that institute and Michael has received other honors from them.)

I like what he has to say about agility:

Agility is a thing of beauty. I love watching acts of agility. Take parkour for example, how these athletes can leverage and use their surroundings to navigate and seem to do the impossible . . . simply amazing.

Agility is the ability of an organisation to move quickly and easily; the ability to think and understand quickly. Good risk management is going to clearly understand the objectives of the organisation, its performance goals, and strategy, and continuously monitor the environment for 360 situational awareness to be agile.

To see both opportunities as well as threats so the organisation can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organisation and its objectives.

Organisations in 2022 need to be agile organisations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, and harms. Agility is also the ability to understand the environment and engage to advance the organisation and its goals. Organisations need to be agile and resilient. Risk management needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organisation so it can seize on the opportunity as well as avoid exposures and threats.

Let me make one important and often overlooked point.

You can be ready and even able to move with agility, but if you don’t know when, where, how, or why you need to move, agility is somewhat useless.

Reliable, timely, and current information is necessary!

You also need decision-makers to be alert to changes in the information and use it!

I have seen surveys that say 80% of managers do not know what information is available. As a result, they fail to obtain the information before making a decision based on their gut instinct.

They also fail to understand that others may have the information they need, and/or may be affected by their decisions.

Have you asked your key decision-makers whether they have the information they need, when they need it? Have you asked whether they are included in decisions that affect them or where they could make a difference?

Some time back, I was presenting at the Harvard Club in New York to a group of CFOs. I asked them how long it would take them before they could put a number to their level of free cash, should their CEO call them right there and then asking for it. The answers ranged from a week to a month or even more.

Michael also talks about resiliency.

Now I have to tell you that the word grates for me. I had never heard it used until recently, as although it is acceptable, for me the proper word is resilience. There are several articles about the difference, calling ‘resiliency’ a “needless variant”. (Just as some people were talking about compliancy a few years ago instead of compliance.) Anyway I will let that pass for now and just talk about resilience.

As Michael says:

There has been a lot of focus on [resilience] in 2021 and moving into 2022 as we deal with the waves of the pandemic and ramifications from it. [Resilience] is the capacity to recover quickly from difficulties/events, the ability of a business to spring back into shape from an event.

What I like about this, based on my personal experience with IT disaster recovery and business resumption planning reporting to me when I was a vice president in IT, is that a focus on being resilient can help you be able to recover from the unexpected. It didn’t matter what caused the data center to be lost (e.g., a fire, earthquake, or terrorist incident), we had to be able to recover at speed to maintain the business.

In risk management (including opportunity management, or even my concept of success management), you are anticipating what might happen to affect your achieving enterprise objectives.

But surprises happen, coming at you in different ways and from different directions from anything you had anticipated.

If you think about being prepared for the unexpected, being resilient, then you are less likely to be seriously damaged.

From a business resumption perspective, which Michael also talks about in his piece, I believe the most important piece is a Crisis Communications Plan.

Who will you contact to address an issue, when, and how?

Michael loves the data: structured data and analysis. I am less enamored than he.

However, I agree that you need to use your imagination; for me that translates to setting aside what others have deemed ‘best practice’ and figure out what is best for your organization.

That is a great topic for facilitated workshops and table-top drills. Gather line management to discuss how they would be affected and how they would respond, moving on to how they can improve preparedness. In my IT shop, in addition to a disaster recovery plan and a business resumption plan, we also had a disaster preparedness plan.

What do you think?