February 10, 2017
Risk in the Digital Age
By Hassan "Hash" Qureshi
I saw Sean Murphy’s post about “What is digital?” and it made me realize that it probably makes sense to talk about “risk” in the digital age. Recently, a client asked me to help assess their internal risk journey, where they had completed a multi-year journey and had fully implemented ISO 31000. Similarly, I have had clients describe their journey with risk management platforms and describe their challenges.
Digital goes beyond technology and is about how we organize products and services to create a new and valuable client experience with new behaviours, capabilities and risks.
Before we go on, and if we have worked together, some of you might be thinking – whoa – is Hash talking about me? Don’t worry, this article isn’t about you, but it is about how, after a full implementation of ISO 31000, many organizations still can’t answer the following basic questions:
1. How are the risks that we have identified linked to each other? (What is the sequence, trigger and downstream impact of risks being realised?)
2. How do I map these risks to the services I provide and the activities we do to deliver those services, and how do I manage the risk versus performance?
3. How can I manage these risks across the enterprise, in my programs and my projects?
4. How do I track these in a way that allows me to design and implement a risk management system that can evolve with the business, adapt to the changing regulatory environment and be as agile as my organization needs to run?
5. Is there a way to use what I know about my risks rather than always needing a fully complete picture before I get value from my risk management system?
6. How can I have a base of risk information so that each of the “three lines of defence” is enabled to develop its independent and objective views while also having these views be coherent, consistent and cohesive?
7. How can I demonstrate what revenues, assets and profit centres are at risk and what relative risks are there?
What is needed is a new framework that evolves over time, adapts without having to rebuild the underlying data structures (it is not tied to a specific schema and is therefore “schema-less”), and “enables” rather than “constrains” the business.
I would love to hear from anyone that is struggling with these same challenges.
Hassan (Hash) Qureshi is a Partner, Enterprise Risk Services and Technology Solutions at MNP. Hash has 25 years of experience in strategic planning, risk management, information security, and enterprise architecture. He has extensive experience as an operational IT professional, security lead, enterprise architect and network engineer. Hash is a Professional Engineer, a Certified Management Accountant and holds professional designations in corporate governance, program risk, information systems audit, risk management and IT governance. To continue the conversation, drop Hash a line at firstname.lastname@example.org