The broadly defined field of risk management is still quite fragmented, even considering the otherwise noteworthy advances brought about by the growing embrace of enterprise risk management (ERM) frameworks, notably COSO and ISO 31000. The value of ERM frameworks notwithstanding, the current practice of risk management is primarily concerned with the identification and estimation of, and response to, known risks that lend themselves to statistical estimation; separately, business continuity management, disaster risk reduction, change management and agility also address different aspects of the totality of threats confronting business organizations, but in a largely uncoordinated, stand-alone fashion. Our research leads us to conclude that business organizations can transform their historically cost-of-risk-focused practices into a source of competitive advantage by thoughtfully combining the distinct disciplines of enterprise risk management, organizational resilience and change management into a singular Total Exposure Management framework.
Threat Exposure Management as a Source of Competitive Advantage
Historically, business organizations approached the management of risk as an expense-minimization function, aiming to secure the greatest amount of risk protection for the lowest possible cost. In fact, even state-of-the-art enterprise risk management (ERM) practices are still primarily focused on the risk economics of known risks that lend themselves to statistical estimation, thus effectively overlooking rare (those that do not exhibit mathematically-estimable properties) and emerging threats. It could be argued that the root causes of the Great Recession, the financial crisis that began with the 2007 US housing market collapse and eventually spread worldwide, could be traced to a succession of discernible developments: starting with the gradual deregulation of US commercial banks, followed by the rise and rapid growth of highly speculative and complex financial derivatives, the emergence of credit default swaps – a de facto insurance, though not subject to insurance-like regulation and mandated reserving discipline – and lastly, the wide-scale embrace of an esoteric mathematical formulation – the Gaussian copula function – as the basis of risk estimation. Those developments, coupled with the outright failure of public and private oversight mechanisms, ultimately resulted in the greatest risk management failure of the modern era. The Threat Exposure Management (TEM) framework developed through our research is aimed at correcting the over-reliance on known, estimable risks, while at the same time extending the definition of enterprise-wide risk management to also include the now stand-alone disciplines of Business Continuity Planning, Emergency Management, Organizational Resilience (formerly known as Disaster Risk Reduction), and Change Management.
Using growth of organizational assets as the overall target, the TEM framework conceptualizes the role of Risk Management as a 'shield', the goal of which is to deflect organizational threats (primarily via risk transfer, but also through risk reduction and mitigation). It further depicts Organizational Resilience (comprised of Business Continuity Planning, Disaster Risk Reduction, and Emergency Management) as a 'buffer', the goal of which is to absorb the impact of threats that cannot be deflected; lastly, it conceptualizes Change Management as a potential source of growth of organizational assets. The overall total exposure management process rests on three key foundations: knowledge, agility, and communication. Our recently released book, Total Exposure Management: Risk, Resilience, Change, offers an in-depth overview of the proposed framework.
Our latest research suggests that the pursuit of true enterprise-wide organizational danger abatement (not to be confused with the narrowly focused conventional risk management practices) can become a source of competitive advantage, for two distinct reasons. First, it leads to securing the greatest degree of coverage at the lowest possible cost, which typically results in economically-superior protection. The second, and in many regards more important, reason is the more thorough treatment of unknown threats, particularly an explicit inclusion of self-imposed organizational change. More specifically, that means focusing all organizational threat abatement efforts on protecting organizational assets via deployment of a three-pronged strategy: 1. management of known risks by means of deflecting their impact (through economically-sound risk reduction, mitigation or transfer choices), 2. reduction of organizational vulnerability to unknown threats through the development and maintenance of shock-absorbing buffers, and 3. institution of effective change management practices to support ongoing organizational reengineering focused on growing organizational assets.
The Predicates of Organizational Survival
Although as an abstract idea 'risk management' encompasses the threat of any adverse event, in practice it is often reduced to only those events that exhibit mathematically-estimable odds of occurrence. Any organization that is truly interested in managing its exposure to the totality of internal and external threats needs to take a more expansive view of risk, in order to be better prepared to respond to adverse events it might have anticipated, as well as those it might not have anticipated. The research summarized here offers a very broad conceptualization of threat-oriented predicates of organizational survival, meant to encourage a broader risk management mindset.
Organizational Change as a Source of Risk
Change in general, and planned organizational change in particular, has been the focus of a considerable amount of theoretical and applied research, as evidenced by numerous change management frameworks and the emergence of an applied business discipline of change management. While change management frameworks and practices are overtly aimed at reaching the stated goals of organizational self-transformations, the process and outcome threats that tend to accompany those initiatives have yet to be explicitly included in organizational enterprise risk management (ERM) planning and efforts. It is the purpose of this article to compel an explicit treatment of risks emanating from planned organizational change by contributing a process and a supporting operationalization geared toward systematic identification of individual threats, objective estimation of change initiative failure probability, and the delineation of clear risk response alternatives.