In Issue 102 of Security Solutions, (June 2016) an article was published around Risk Management which related to work the Australian Risk Policy Institute (ARPI) is doing in the complementary but separate space of Risk Policy. In response, I would like to take this opportunity to elaborate on the subject and inform readers about the difference and benefits of Risk Policy, not only to the security profession, but generally to leadership as well as other business professions.
APRI was founded in response to a call by the World Economic Forum, to revise and enhance risk management to provide greater benefits in decision-making at higher organisational levels and earlier in decision making process. More often than not, risk management advice is reactive, later than optimal and sometimes does not get to key decision-makers either at all or unfiltered. The Global Financial Crisis was just one example of this type of situation.
ARPI is an independent and not-for-profit organisation aimed at senior professionals, with the specific aim of developing and publishing material around the need for paradigm change in leadership and risk. More specifically, our focus is on the need for strategic action earlier, and at executive/decision-making levels, addressing ‘vulnerabilities’ or potential risks. In the case of Risk Policy, the focus is on the response required to protect against vulnerabilities while often also generating strategic opportunities, rather than in the case of risk management where the focus is often around waiting to identify and manage actual risks.
Risk Policy is thus designed to operate before risk management is involved, and is intended to actually inform and authorise the process of risk management, and head a new ‘risk trilogy’ comprising risk policy, risk management and risk governance.
ARPI enjoys engagement with all sectors of society, including an academic partnership with the Australian National University as well as a range of partnerships and relationships with peak professional bodies and in the public, corporate and community sectors. Word has spread globally and the creation of affiliated Risk Policy Institutes has begun with the European Risk Policy Institute (ERPI) in full stride across Europe. The ERPI will convene the first Global Risk Policy Conference in September 2017.
A call for special purpose Risk Policy Networks resulted in the creation and successful operation of networks at a senior level in the areas of security, cyber security, complex project management, fraud, counterfeiting and anti-money laundering. Leading security identity, Jason Brown, National Security Director of Thales Australia, is the inaugural convenor of the Global Security Risk Policy Network.
ARPI’s Risk Policy Model 2016 is freely accessible at the ARPI website – not to be confused with a further publication titled Strategic Risk Policy (to which the previous article refers) which supplements the Risk Policy Model especially to help risk management practitioners develop a better understanding of Risk Policy.
The essence of Risk Policy, promoting paradigm change by leaders, is as follows (full details are contained in the Risk Policy Model):
• Viewing the environment in ‘whole systems’ comprising (horizontal) networks and no longer living in (vertical) silos – nations, governments and organisations;
• Paradigm change to a network-centric approach rather than the former organisation-centric approach;
• Appreciating that in today’s interconnected world (like never before), information resides in networks;
• Mapping stakeholder networks has become a critical exercise and source of information to identify strategic vulnerabilities (i.e. potential risks) plus consequential opportunities;
• Obtaining the right information at the right time on the right matter from those networks – possibly through formal protocols where required e.g. confidentiality, privacy, etc;
• Protecting against vulnerabilities will result in fewer and lesser risks to manage;
• Recognising and engaging both internal and external networks;
• Changing leadership paradigm so that Risk Policy authorises and informs risk management;
• Articulating a Risk Policy Statement – e.g. defining and measuring risk appetite and tolerance; and
• Ensuring that risk is now a trilogy of operations – risk policy, risk management and risk governance – the three arms being inter-dependent.
Two critical areas where ARPI considers improvement in risk management is needed are:
1. Recognition, identification and different treatment of ‘Systemic’ risks having multiple legal ownerships requiring plural, formal management and not just liaison to achieve results. Failure to so recognise and manage issues can lead to Wicked Problems: that is, Systemic risks are the precursor to Wicked Problems (e.g. the GFC); and
2. Revision of the traditional risk equation because today some consequences are so unthinkable that consequence must dominate the equation, particularly when faced with financial pressure to rely on likelihood. Consequence is the conjunction of vulnerability and threat.
In response to growing interest, ARPI can announce it is developing an educational suite comprising vocational and tertiary courses – from a Certificate in Risk Policy through to a Masters’ Degree in Risk Policy. In addition, ARPI is currently providing Master Classes and strategic consulting arrangements at critical levels across all societal sectors.
ARPI recognises the importance of security to society, hence the strong Risk Policy interest in this field and invites continuing contact and interaction with security professionals.