Risk consequences and enterprise success

Contents:

  • ‘Consequence criteria’
  • ‘Objectives’
  • Choices about consequence criteria
  • Representing ‘all’ dimensions of success in consequence types
  • Ignoring success in consequence types
  • Conclusion

Sidebars:

  • Reasons for ignoring success
  • Representing selected success dimensions other than the main purpose
  • Representing only the unique purpose in consequence types
  • Consequence types that carefully step around the main purpose

In the last post, I asked whether risk consequences are impacts resulting from risk events. My other idea was that consequences might be the extent to which organisation objectives are achieved after risk events. Either way, it seemed that ‘risk consequences’ were often not about the effect of uncertainty on objectives (the ISO 31000 definition of risk).

I was talking specifically about enterprise risk management (ERM), risk in enterprise work units and project risk management. I was not talking about risk management focused on specific concerns, such as health and safety.

Your answers illuminated my understanding of ‘consequences’. I have stopped using the word ‘generic’ to describe consequence criteria I don’t like. The extra illumination also revealed more questions. These are some results from the conversation started by my question. It’s a deep dive, even for the Clear Lines, and rather long. A short version appears on LinkedIn.

This post was greatly improved by lengthy offline conversations with Steve Daniels FMS, FIOR, FBCS, CITP, who commented on the previous article (specifically on the shorter LinkedIn version of the previous article).

‘Consequence criteria’

ISO 31000 uses the term ‘risk criteria’. Among the risk criteria there will be consequence measures, so these can be called ‘consequence criteria’.

The most common way to define consequence criteria is in an ‘impact table’, which has impact types on one axis and levels of impact on the other. It is not the ‘risk matrix’ which has likelihood along one axis.

I query the underlying image of an ‘impact’, which suggests something that is over in an instant. Others query the idea of discrete levels, preferring quantitative measures. For those reasons, and in line with the standard, I’ll stick with ‘consequence criteria’ in this article.

All of us seem to accept that the consequence criteria should have a collection of consequence types, with degrees of consequence defined for each type. For very tightly focused ‘risk management’ – the opposite of enterprise and project risk management – there might be only one type of consequence, perhaps injury, or a monetary gain or loss.

The degrees of consequence might be numerical quantities. More often they are discrete levels. We agree that consequences can be positive, but we spend more time on the negative.

‘Objectives’

The word ‘objectives’ causes some superficial confusion. Let’s avoid it for now.

Every organisation will have a unique positive purpose. The organisation must achieve that purpose to be successful. Success will also always involve achieving other goals and avoiding pitfalls.

For a typical commercial enterprise, the unique positive purpose will be to generate a return on investment. The investment return and investment security must be attractive within the investment market. Usually the enterprise will have a time-scale for returns, and a defined focus on particular activities and markets. While ‘making money’ is not unique, the full combination of all these details will be unique to that enterprise.

The other dimensions of success for a commercial enterprise will usually represent sustainability, legal compliance, adequate investor reporting, and investor confidence.

The enterprise is aiming to make an attractive return for its unique investors (unique purpose) while also protecting sustainability, compliance, investor reporting, and investor confidence (other dimensions of success).

The ‘other’ dimensions of success are critical whether or not the unique purpose is achieved. Success only in those dimensions would not justify the continuation of the organisation, but failure on them can bring the organisation to an end.

Some of us understand ‘objectives’ to mean only the unique positive purpose of the organisation. Others understand ‘objectives’ to mean all the dimensions of its success. (ISO 31000, HB 436, Tim Leech, Norman Marks.)

To get around the ambiguity of ‘objectives’, I am avoiding the word ‘objective’ for now, despite its central place in ISO 31000 and in COSO ERM. I’m substituting one of ‘achievement of the organisation’s unique purpose’ and ‘organisation success in all dimensions’. They are very different things, and I’m focusing on that difference in this article.

  • In the case of a Government service organisation, the unique purpose might be to provide specified services to eligible individuals at government expense. A corresponding consequence type might be the extent to which services are limited to eligible individuals and limited to the legislated entitlement. A typical negative consequence of that type might be a service provided to an ineligible individual.
  • That same Government service organisation will have many ‘other’ success dimensions. One of those might be to maintain community confidence in the organisation and in the Government as a whole. A corresponding consequence type might be the level of compliance with sensitive legal requirements, such as privacy guarantees and integrity rules. A typical negative consequence of that type might be a breach of privacy. Maintaining citizen privacy is essential for each government organisation, regardless of whether it succeeds brilliantly or fails dismally on the unique purpose, in this case providing services.

Choices about consequence criteria

There are at least three choices to make about consequence criteria, before deciding specific consequence types and levels.

The first choice is the range of consequence types to recognise, relative to the full range of success dimensions for the organisation. The second part of this article is about that choice.

The other two choices are about when the ‘consequence’ is understood to follow from a risk event, and about whether consequences of different types will be compared. I’ll discuss those decisions in later posts.

In each of these decisions, the methods most often chosen don’t match our aspirations for risk management. I can’t explain why the chosen methods are good ones. Perhaps you can.

Choosing the range of consequence types

You probably agree with me that ERM consequence types should be built around achieving the unique purpose of the organisation, the purpose for which it was created. You almost certainly agree that consequence types should recognise the other essential dimensions of an organisation’s success, beyond its reason for being. Yet consequence types often ignore both.

The popular options for ERM consequence types are:

  • to represent all success dimensions, including the purpose of the organisation, or
  • to disregard the organisation’s purpose and success concept, and use a few consequence types common to everyone.

Common consequence types look ‘important’ to everyone, but are not the main thing for anyone: Finance, Reputation, Safety, and so on. They are very much the same themes as appear in ‘other’ success criteria, but critically, no-one has thought about what ‘success’ would mean for any of the common consequence types (or ‘failure’, for that matter).

Picking out specific aspects of success is normal for risk management focused on specific concerns, separate from ERM. The status of that style of risk management is questionable, and I’ll be addressing that question in future posts. While I’m a supporter, Steve Daniels is not. We agree that if special-purpose risk management is to be undertaken as a separate process, it should recognise the context of the enterprise, its stakeholders, its goals, and its tolerances for risk to specific stakeholder interests. It should not be ‘stove-piped’ in the sense of responding to conflicting specialist ideas about what is right for the enterprise. Common examples of special-purpose risk management include security risk and health and safety risk. ‘Legal risk’ is also a thing, with a proposed standard (ISO 31022), but I really can’t explain what that is.

My conclusions about these choices are that:

Representing ‘all’ dimensions of success in consequence types

HB 436 provides ISO-based support for recognising all dimensions of success as consequence types, as does Steve Daniels (on LinkedIn), who provided an important comment based on personal experience developing BS 31100:2011.

‘All’ dimensions of success include achieving the organisation’s unique purpose, and minimisation of costs and harms. For profit-driven organisations, there will be both financial and non-financial dimensions of success. In not-for-profit organisations, financial goals will appear somewhere, but perhaps not within the organisation’s unique purpose.

The views of Norman Marks and Tim Leech are also consistent with representing all dimensions of an organisation’s success in consequence types.

All of these sources are referring to enterprise risk management. They may even give the impression that risk management is the same thing as enterprise risk management. I don’t accept that as either factually true or useful.

Recognising all dimensions of success is my own preference for constructing consequence types, particularly for wide-scope risk management, for enterprises, work units, and projects.

(Example of consequence types linked to success dimensions)

Ignoring success in consequence types

Consequence types separated from success usually look like Finance, Reputation, Safety, Environment … with a few others added. An influential example appears in Sobel & Reding (Chapter 5, Risk Evaluation > Impact, and Figure 5.5, quoted online here).

There is no fixed list of common consequence types, and there are many variations. The common key feature is that the consequence types are not linked to anyone’s unique purpose, nor to any positive vision of success.

Creating consequence types separate from the organisation’s idea of success can be logical and successful – if your idea of ‘risk management’ is confined to minimising unpleasant surprises incidental to your core mission. That idea of ‘risk management’ competes with planned achievement of the primary purpose. In other words, it works if your idea of risk is confined to the pink quadrant in this map of ‘risk’. On a good day, your idea of risk might be confined less strictly, to the whole right column, shown in pink and green.

Map of ‘risk’ (rows: effect from uncertainty; columns: intended or unintended outcome)

Positive effect from uncertainty
  • Intended outcome – success in reaching an intended outcome that had otherwise been looking doubtful: while looking for oil, you find some and make a good profit.
  • Unintended outcome – unexpected gain (windfall): while looking for oil, you stumble across gold.

Negative effect from uncertainty
  • Intended outcome – failure to reach an intended outcome that had been expected: while looking for oil, you don’t find any, and end up broke.
  • Unintended outcome – unintended consequence (side-effect): while looking for oil, you die from malaria.

That confined idea of risk management is historically normal, and it probably lives on in the bulk of non-specialist managers, even though it is contradicted by formal standards.

The contradiction is particularly clear in ISO 31000:2018 Principle A: ‘Risk management … contributes to the achievement of objectives, encourages innovation and improves performance.’

Confining ‘risk’ in this way is much better than ignoring all risks. At least the risks in the pink box get some attention. A lot of good decisions have been made inside that box. It just isn’t the full scope of risk management. It is definitely not ‘enterprise’ risk management.

I’d like to say that ignoring the question of organisation success is a definite mistake in the risk management process. ISO 31000 almost says that. It defines risk as the effect of uncertainty on objectives. It demands that risk management contribute to the achievement of objectives. But there are examples of consequence types that disregard organisation success in very respectable places, such as Sobel & Reding. In Sobel & Reding, the organisation’s concept of success is explored very thoroughly (as ‘objectives’), which I definitely like. Yet the concept of success is forgotten during the development of consequence criteria.

Some reasons for ignoring success

Conclusion

The unanswered question left in this post is why risk consequence types are so often remote from the purpose and success vision for the organisation.

Yet we all know that the chosen consequence types for ‘enterprise’ risk management often ignore the primary purpose, and bypass any defined vision of success.

You may believe in standardised risk criteria throughout your organisation, including consequence types and levels. That standardisation may involve setting aside the unique purpose for each part of the organisation. You may have a way to make that work. If you do, please let us all know how you do it.

Reasons for ignoring success

I suspect that consequence types disconnected from any specific vision of organisation success are used in the numerical majority of risk assessments. The reasons may vary. The reasons I can think of come from the organisation not really wanting enterprise risk management.

  • ‘Risk managers’ are considered unworthy to share in the organisation’s vision of success. The conversations developing the success vision take place in high-level meetings, probably over an extended time. Risk specialists won’t be in those conversations and meetings. Possibly even the Chief Risk Officer is asked to leave at critical moments. There may be some risk specialists who think this way themselves.
  • Risk management that addresses the organisation’s overall success level also shines a light on the possibility of organisation failure. When defining success, the possibility of failure has to be faced. There is also an added focus on the possibility of failure resulting from the intentional decisions of organisation management. In other words, risk is no longer just about accidents and external events, for which management is not responsible. It may also identify limits on upper management’s wisdom and foresight. That may be an uncomfortable step for both managers and risk specialists. (This uncomfortable place is in the blue quadrant of the diagram.)
  • Another possible reason for disconnected consequence types is the decision to standardise consequence criteria across the organisation, while risk is managed independently in different departments and specialities. Standardised criteria must set aside the differing purposes, success criteria, ‘risk capacities’ and tolerances for different parts of the organisation. The consequence types that can be standardised under these circumstances will represent a bland selection of measures, disregarding the uniqueness of the organisation and the uniqueness of its parts.

Better versions of ERM have closer integration and collaboration between departments and specialities, such that there is no artificially imposed standardisation that works against the separate departments. That’s a topic for a later post.

Representing selected success dimensions other than the main purpose

Looking only at selected ‘other’ success dimensions is normal, and even necessary, for thematically focused risk management. Familiar examples of thematic risk management include health and safety, security, and fraud risk. In each of those examples, the recognised range of consequence types is consciously narrowed to one important requirement for organisation success. That important requirement is not the reason why the organisation exists, but it definitely matters. No-one is calling it ‘enterprise’ risk management.

Thematically focused risk management may be a step toward enterprise risk management. If special-purpose risk management is to be undertaken as a separate process, it should at least recognise the context of the enterprise, its stakeholders, its goals, and its tolerances for risk to specific stakeholder interests. It should not be ‘stove-piped’ in the sense of responding to conflicting specialist ideas about what is right for the enterprise. Consensus building, via collaboration, and progressive integration are always to be preferred.

Thematic risk management represents important branches of risk management in the real world.

My preference is to narrow the assessment scope, and to then look at all the success dimensions within the scope. Those success dimensions are then reconciled with the success dimensions for the enterprise as a whole.

In the example above, my preferred security risk assessment would develop its own vision of success, and its own consequence types reflecting that vision.

Full example of government organisation success dimensions

I would start by understanding why the organisation, and particular stakeholders, are concerned with security.

Taking that wider picture into account, I would define ‘success’ in relation to satisfying those security interests. The re-defined idea of success would have its own multiple dimensions, perhaps something like these:

  1. Actual compromises of information assets are kept to comfortably low levels.
  2. Implementation of leading security protection practices and regulations can be demonstrated (auditability).
  3. Continuous effectiveness of protection practices is demonstrated through challenges and tests (e.g. ‘penetration’ tests, incident response drills, red teams).
  4. Effective detection, response and investigation for any real incidents that occur.
  5. Security implementations do not interfere unduly with the achievement of the organisation’s main purposes or other elements of success.

These five dimensions of success in security did not appear among the dimensions of organisation success. They are effectively a second- or third-level breakdown of the organisation’s success. At the organisation level, the whole world of security was only one aspect of the success dimension ‘Maintain community confidence in the organisation and in the government as a whole’. That was itself just one organisation success dimension out of eight. Yet there may be separate risk management of security. There are separate ISO standards and handbooks for it.

If there is no good mapping between the levels of success, there is something wrong with the organisation’s list of success dimensions, or there is something wrong with what you are trying to do at the specialty level. Changes might be needed at either end.

The five new dimensions of success in security are an amplification of a small detail in the organisation’s vision of success. They should be developed on the basis of the organisation’s purpose and stakeholders. Even though the risk management process for security might be separate, the context for the security risk assessment is the organisation and its context. It would be counter-productive or even dangerous to define success in security in conflict with success for the organisation.

‘More detailed or specific expression of these criteria might be required for particular application of the process (e.g. for assessing the risk related to a project). However, any such amplification must be consistent with the overarching criteria.’ (SA/SNZ HB 436, 5.3.5, page 58)

Security consequence criteria would be developed from these five dimensions of success, by adding levels of success and failure for each dimension.

Representing only the unique purpose in consequence types

The ‘unique purpose’ enthusiasts in the community include thought leaders such as Norman Marks (World class risk management) and Tim Leech (objective centric risk management). Some of their explanations, and exhortations, might give the impression that they care only about the unique purpose of the organisation. However, I don’t think anyone actually means that.

It’s clear enough that Marks and Leech understand ‘success’, and ‘purpose achievement’, to include and imply avoiding negative outcomes that no-one would want. In their view, what we need to get right always includes avoiding what we don’t want to get wrong. ‘What we don’t want to get wrong’ does not then need separate recognition in risk consequence types, because it’s already recognised as a dimension of success.

The Marks and Leech views would imply recognising all dimensions of success in consequence types, as advocated in the Clear Lines. Unlike the Clear Lines, Marks and Leech rarely discuss ‘consequence types’ directly with their boardroom audience.

Consequence types that carefully step around the main purpose

Consequence types that represent a full range of success dimensions except for success in the primary purpose of the organisation would be odd from the perspective of ISO 31000 and COSO ERM. ISO 31000 and COSO ERM say that risk is about effects on objectives, so the consequence types would reflect the objectives. ‘Objectives’ is a confusing term, but it cannot be taken to leave out the main purpose to be achieved.

I haven’t come across anyone actually suggesting that ERM should include consequence types representing all and only the ‘other’ dimensions of organisation success, stepping around the main purpose of the organisation. What happens is that common consequence criteria resemble the ‘other’ dimensions of success, and the gulf between them is not seen.

Apart from what the standards preach, segregating ‘risk’ from ‘purpose’ is clearly not going to put ‘risk management’ into a central place in strategic management and enterprise leadership. If risk is about purpose, then the purpose needs to be represented in risk consequence types.

Qualifiers

1. This post is mostly equating ‘risk management’ with organisation or enterprise ‘risk management’, in the same way as ISO 31000 and HB 436. This equation was made to bring out the main question clearly. Elsewhere the Clear Lines emphasise that ‘risk management’ is not only enterprise risk management, but can be applied thematically and to layered discrete units of activity within a larger enterprise. Risk management can also cross organisation boundaries. Discrete units of activity include projects. ‘Risk management’ can also be used at a microscopic scale, to an individual event or transaction. In each case, the context of the risk assessment includes the larger organisation and its own context. The problem discussed in this post is real, but less obvious, when the scope of the risk assessment is very narrow.

2. If special-purpose risk management is to be undertaken as a separate process, it should recognise the context of the enterprise, its stakeholders, its goals, and its tolerances for risk to specific stakeholder interests. It should not be ‘stove-piped’ in the sense of responding to conflicting ideas about what is right for the enterprise. Common examples of special-purpose risk management include security risk and health and safety risk.

3. For ‘unique purpose’ substitute ‘business goals’, ‘project outcomes’, or other ultimate reasons for your ‘organisation’ to operate at all.

4. The explanation also assumes that uncertainty is the possibility of an identifiable event occurring. Elsewhere the Clear Lines spell out that uncertainty can take many forms, of which the occurrence of an identifiable event is only one. Uncertainty can also take the form of assumptions that may be incorrect, or the possibility of something happening that no-one would have been able to describe (or even imagine) before it happened.

SA/SNZ HB 436:2013 Risk management guidelines – companion to AS/NZS ISO 31000:2009 describes an approach in which the consequences are effects on objectives. In HB 436, the consequences may have their effect along the organisation’s journey, well before the (final) objectives are achieved or not. In the HB 436 examples (Tables C2, C3), the consequence types still resemble generic types such as ‘financial’, ‘reputation’, and ‘safety’. However, those consequence types are supposed to be derived from unique organisation objectives, and should represent those objectives (C1–C2). The consequence types are not simply adopted, or adapted, from a pre-existing consequence matrix, nor from any other universal management model.

References

Sobel, Paul and Reding, Kurt (2012) Enterprise risk management: achieving and sustaining success. Altamonte Springs, Florida: Institute of Internal Auditors Research Foundation (IIARF). This book is a major source for the CRMA Study Guide, available from the same IIARF bookstore.

Tim Leech is active online mainly on LinkedIn (https://www.linkedin.com/in/tim-leech-01950013/). Norman Marks is also seen on LinkedIn, though the best conversations are on his own blog. Steve Daniels is on LinkedIn as “Steve Daniels FMS, FIOR, FBCS, CITP”.

Drill-down articles

Example of consequence types linked to success dimensions

Index to the topic Risk in work unit business planning
