Why It's Too Late to Manage One Risk at a Time
On paper, risks can be slotted into tidy, individual categories. In reality, enterprise risks are complex and interconnected and should be managed accordingly.
Industry leaders the world over are waking up to the fact that managing risks (including safety exposures) is a key method of controlling loss. However, managing enterprise risk is not a simple endeavor. It is an evolving specialty that has to keep pace with a rapidly changing landscape.
The conventional approach to risk management sought to parse, enumerate, and categorize risks, treating them as individual and separate entities. Across industries, organizations attempted to sort these risks into tidy loss control categories like Safety, Health, Security, Environment, and Quality.
This proved inadequate for managing the complex risks every company faces. While risks can be neatly sorted into separate boxes on paper, in reality they are indivisible and influence each other, often quite significantly.
While risk management has adopted more holistic methods that consider the way various factors interact, many companies still have organizational structures that keep the departments that oversee these categories segregated - or worse yet, totally siloed and rarely interacting. In some cases, companies have attempted to clumsily reintegrate these categories into a single Frankenstein's Monster of a super department boasting cumbersome, unpronounceable initialisms like HSSEQR.
No Risk Is an Island
Taking a siloed approach to individual risks (or even risk types) prevents an Enterprise Risk Management (ERM) program from performing effectively. No matter how we want to classify them, identified risks are not discrete units – they are interconnected and interdependent. Moreover, the categories themselves are interrelated. Thinking of Quality and Safety, or Regulatory and Environmental, as separate is a bit like the fable of the blind men and the elephant - each one sees a piece but lacks an understanding of the whole because of their limited perspective.
We have seen this clearly on the macro scale. The global-level risks that have impacted organizations may fit neatly under the rubric of health and safety risks (pandemic) or financial risks (recession fears), but viewing them this way overlooks the obvious ways in which these two trends influence and aggravate one another. To manage them effectively, an organization must understand how these various elements impact each other, weigh their relative risk levels, and use that information to better anticipate issues and take a strategic, proactive approach to dealing with them.
Doing so, however, requires a lot of information.
From Data to Insight
As technology improves, so does our ability to gather data. In fact, data collection has become so advanced that it has outpaced our understanding of what to do with it.
With more data being tracked and stored, industry leaders have leveraged emerging technology to manage this mountain of information: determine confidence and relevance, sniff out trends, and interpret meaning. Until recently, these solutions were based on rudimentary input/output models, but the rise of APIs and enterprise software that utilize AI has given us outputs that were previously onerous to derive or so labor-intensive as to be impracticable.
Even the best modelling is prone to missing information, however. We are still quite far from developing a technological crystal ball. For all our fancy approaches, attempts at control are just best guesses based on past data, which we can use to continuously improve.
When managing safety risks in particular, there is a strong responsibility to get this right - "guess and check" isn’t going to cut it! Being active in sourcing and curating data, applying tested and proven methodology, and making use of the available data is imperative. AI will be a boon to this process, since it has the potential capacity to learn from a large body of data, detect connections, and output models with actionable insights.
Why Laggards Will Continue to Struggle
We’re moving away from the conventional whack-a-mole approach to risk management to a more holistic one. The sphere extends into the institutional and cultural aspects of an organization, such as its ESG and DEI initiatives. Leadership in these areas helps to mitigate some of the broad and fuzzy risk categories through culture and empowerment, rather than trying to address the symptomatic effects downstream.
It’s difficult to illustrate these concepts in ways that encourage uptake at the highest levels of an organization, because they don’t follow a linear cost-benefit relationship. The relationship is much more effectively communicated as a cloud or bubble map – something that is thoroughly unpalatable to many industry executives who see it as neo-management fluff.
This is a challenge that needs to be overcome, since those who continue to rely on risk relationships that are easily charted and quantifiable are being left behind and losing ground more quickly than they realize.
In their 2023 State of Risk Report, Origami Risk surveyed nearly 300 safety and risk professionals and found that only 47% considered themselves to be leaders in risk management. The remainder were either operating without a centralized risk program (40%) or were laggards who relied on ad hoc risk programs (14%). Those laggards also tend to be late adopters who are declining to spend money on ESG and DEI initiatives, or even research and training in AI and other new technologies. Their continued reliance on old-school modalities may be working for now, but soon it will be too late to catch up. With other companies already investing in and developing advanced approaches to risk management, the laggards will have lost the race before they even start getting up to pace. Uncontrolled exposure to risk will make those companies increasingly vulnerable to competitive pressures.
As our understanding of risk grows, it's clear that explanations like "A caused B" aren't going to cut it anymore. It's too simplistic. Sooner or later, we have to leave behind dominoes, ladders, and even fishbone diagrams in favor of webs and weighted bubbles. The companies who can adopt this understanding of risk will rise to the top, because they will be able to rely on superior models that can handle risks the way they exist off paper and in reality - interconnected, interdependent, and complex.