The Tools & Processes of Persistent Resiliency: Avoiding the Hammer

“If the only tool you have is a hammer, it is tempting to treat everything as if it were a nail.” This old adage, known as the Law of the Instrument, or alternatively as Maslow’s Hammer (named after its originator, Abraham Maslow in 1966), captures the influence of cognitive bias toward the tools with which we have greatest familiarity. As stated in the prior blogs in this series, culture focuses the organization on the big picture of resiliency, and proper methodology is tool-agnostic. Myopic allegiance to a tool can lead risk managers to overlook better options for addressing a specific risk. More insidiously, a tool-centric perspective can obscure the nature and severity of the risk exposure. Just as the skilled artisan has a product vision that determines the tools required, a resiliency-focused culture and methodology will clarify which tools and processes will manage risk best in each case.

Comfortable Tools Eventually Wear Out

According to a report by Productiv, a Silicon Valley-based SaaS management solution company, the average organization has 254 SaaS applications, but on average less than half (45%) are being used on a regular basis. McKinsey & Company hit the nail on the head by pointing out in 2022 how easy it is to ‘become numb’ in the face of a seemingly never-ending stream of technologies… and this was before ChatGPT usage became commonplace. With the power of AI being introduced into risk management for the purpose of risk sensing and event forecasting, the pace of new software tool introduction has accelerated dramatically. McKinsey shared in its year-end 2022 review of the State of AI that, while in 2018 the greatest AI application value was seen in manufacturing and risk management, in 2022 the biggest AI value was being seen in sales and marketing, product and service development, strategic planning, and supply chain management. Who knows where the biggest impact is being felt today in the third quarter of 2023? The point here is that tools and their usage patterns change rapidly.

In the arena of risk management tools, the tendency was, and still somewhat is, to focus on things outside of the organization: news alerts and supplier data. Most risk managers gravitate to the old faithful focus on suppliers and external news as the telltales of important risk. These have been the alpha and omega of supply chain risk over the decades.

With the breadth, depth, and speed of risks faced by modern organizations, these risk parameters are just the tip of the iceberg. Risks crop up not just on the supply side of logistics, but from anywhere laterally and vertically along the entire value chain – from tier-N supplier through your own internal sites and operations and out to tier-N customers. Regulations, ESG and reputational issues, personnel, cybersecurity threats, and myriad unpublicized internal organizational issues can meaningfully disrupt resiliency at strategic, tactical, and operational levels. As such, tool selection needs to evolve as your needs evolve at all these levels. Fortunately, this is easier to manage with SaaS subscriptions being easier to start and end than their on-premise predecessors.

Regardless of where you stand in your tool selection – late adopter or new-platform pioneer – the broad realm of risk types mandates that your risk management toolbox be equally broad and deep. What are the tools and processes a resilient organization needs?

Key Resiliency Processes

  • Capturing Diverse Risk Perspectives: Expand the inputs and ownership across the entire organization for risk analysis and response.

  • Planning for the Possible: Ideate hypothetical risk event scenarios for simulation and quantification of organizational impacts.

  • Putting Risk into Context: Generate risk scores that are enriched with financial or other value elements (profit, revenue, budget, mission, etc.) to ensure risks can be weighted by their tangible impact to the organization.

  • Looking Inside and Outside: Facilitate real-time capture of risks arising both from outside the organization and from inside the organization.

  • Simulating vs Real-world Models: Simulate and evaluate the pros and cons of proposed risk mitigation activities to avoid incurring significant new risks while dealing with existing risks.

  • Managing Risk Management: Automate the assignment, notification, execution, and tracking of risk management activities.

  • Ranking Risks: After mitigations have been completed, it is highly useful to quantify the value of the risk impacts avoided. By aggregating those over time, the organization can begin to quantify the organizational resiliency achieved.

  • Building the Organizational Risk Library: While culture and methodology set the stage for resiliency, the retention of all relevant data regarding risks faced, mitigations executed, outcomes achieved, and lessons learned is the key to achieving persistent resiliency.

Key Tool Types

Without being prescriptive of specific tools, several tool types are necessary to achieve persistent resiliency:

  1. Risk Alerting Engines

  2. Risk Scenario Simulators

  3. File Storage System

  4. Digital Twin Modelers

  5. Strategy Planning

  6. Collaboration Tools

  7. Workflow & Notification Management

Risk alerting engines, also referred to as digital threat monitoring systems, utilize filters to curate relevant and meaningful content from news feeds, public financial reports, social media, the dark web, and any accessible online sources. The capability of computing solutions to process vast quantities of information in far less time than human beings, without fatiguing, is perhaps one of the greatest value propositions for the use of risk alerting engines. This is invaluable for quickly becoming aware of the vulnerability of key suppliers, shortages of vital components, or possible legal or regulatory incidents. It is quite important to note that algorithms make mistakes, and they can’t factor in the knowledge and intuition of the people who run the organization – thus, they should be a processing supplement to decision making, not a replacement for the human element.

Scenario simulation is the heart of proactive resiliency: you need to think ahead to be able to act optimally in the face of risk. This is often achieved through ideation sessions – either digitally or through good old-fashioned whiteboarding – to exhaust the realm of possible risk events. After ideation, the next step is simulation of the event and its impact on organizational operations and value creation. The goal is to understand the potential impacts of potential risk events, and to prioritize, define, and execute mitigation activities before the events occur.

File storage is an important part of achieving persistent resiliency: you can only really learn from the past if you retain information about it for review in the future. Retaining documentation about strategic risk management plans, risk events and their mitigations enables the organization to provide a searchable risk registry. A registry enables an organization to seek continuous improvement by ensuring that all current and future risk management decisions are enriched by knowledge of what has occurred and what has been decided in the past.

Digital twin modeling is focused on manufacturing floor-level evaluation of the impact of potential events and adjustments on operational costs, efficiency, throughput, and other key process and value metrics. Such modeling helps ensure that your proposed risk mitigations don’t spawn other significant problems themselves.

Strategic risk management planning provides the North Star to tactical and operational risk management functions. When it comes to things like regulatory compliance, there needs to be a comprehensive, organization-wide mindset and approach to how these risks should be handled to prevent inconsistent or non-compliant responses to regulatory issues.

Collaboration is so important when it comes to comprehensive risk management. More parties providing insight or support to the analysis and action of managing risk reduces the likelihood that the response is slow, siloed, subjective, or sub-optimal.

Workflow notification is a critical tool in managing risk. If the tree falls in the woods without anyone around, they still need to know that it happened – and they need to be alerted about their role in picking it up, the status of the job, and when it has to be completed.

Tool selection matters greatly in the achievement of the organizational cultural vision of resiliency, and the execution of the resiliency methodology. As the available tools and technologies evolve, they still should satisfy the needs set forth in the tool types above. But even as technologies proliferate and fatigue starts to set in, embrace the challenge of picking out which tools meet your organizational needs… until they don’t. Learn how to stop worrying and love the tool… but don’t let your allegiance to it block the achievement of meaningful, lasting resiliency by keeping it in the toolbox too long. This article brings to a close the RAADblog series on the Three Pillars of Resiliency, which focused on the tools and approaches that help organizations become resilient. Another hurdle still exists – whether your organization is properly aligned to become resilient. Coming shortly is a new RAADblog series focused on the necessary hierarchy engagement required to spark and sustain the organizational “Resiliency Revolution”.

