Page 101 - IRMSA Risk Report 2020
P. 101

As  long  as  decision-makers  believe  they  are  dealing  with  complicated  systems  they  will  assume  that  they  can
            control outcomes,  find permanent  solutions  to  problems,  and  call  on  experts  to  provide  them  with “answers”.  In
            reality,  our organisational contexts are never purely complicated or complex. We will always have to deal with both of
            these  contexts.    The  problem  is  that  for  the  last  few  decades,  we  have  assumed  that  we  are  only  dealing  with
            complicated systems and problems.  For  this  reason,  the  mindsets,  approaches  and  tools  we  have  been  using  are
            typically  suited  to  complicated environments.  While we could get away with this in the past, in today’s VUCA world,
            that is no longer the case. To increase the resilience of our organisations, we have to build a repertoire of new skills and
            approaches to help us manage risk in complexity.

            Risk management is defined as “the effect of uncertainty on objectives”. Risk management in the context of governance,
            risk, and compliance (GRC) tends to focus on “solving  the problem” of  uncertainty by using techniques applicable to
            a complicated realm, i.e. we assume that causes of uncertainty can be identified, and controls implemented to mitigate?
            these. If we assume that we can identify the causes of uncertainty and establish controls to address them, complexity
            presents us with an interesting challenge. If we cannot isolate individual causes (some of which may be undiscoverable),
            what can we control?  If we can’t implement controls, how then do we manage risk?




            W H AT     A R E   T H E  S K I L L S  W E   N E E D T O     C U LT   I V AT E   I N
            O R D E R    T O   M A N A G E     R I S K   I N  C O M P L E X I T Y ?


            A  “problem-solving  mindset”  traps  us  in  linear  thinking,  which  is  appropriate  to  complicated  context  but
            not complex  ones.  If  we  apply  linear  thinking  and  ordered  approaches  such  as  root  cause  analysis;  traditional
            scenario  planning  and  typical  management  best  practices  to  complex  problems  we  invariably  end  up
            making  things worse. In complex  contexts  we  need  to  adopt  a  sense-making  approach,  where  we  explore
            patterns  and  how things  are  connected.  Here,  we  need  to  engage  with  the  system  to  gain  an  understanding
            of  how  things  are connected,  we run safe-to-fail experiments and learn and adapt as we go.
            One framework that enables us to distinguish between ordered or complicated aspects (where we can find root causes; do
            problem  solving,  involve  experts;  apply  best  practice;  keep  risk  registers  etc)  and  complex  aspects  where  we  are
            dealing with emergent patterns with no clear linear causality is Dave Snowden’s Cynefin framework.





                             I F   C  O  M  P  L E X  I T Y    I S   N  O  T   J U  S T   A    S T A  T E
                              O F   “ G R E AT E R     C O M P L I C   AT E D N E S S ”,
                             R I S K  M A N A G E M E N T       R E Q U I R E S    M O R E

                                T H A N   “ B E   T   T E R  R I S K  R E G I S T E R S ”.
























                                                                                                               1  0  0
   96   97   98   99   100   101   102   103   104   105   106