You know, strategic and operational risk management as concepts are all very well, but something is missing … and I’ve been meaning to put my finger on it. Reading through David Allen’s excellent “Making it all work”, I understood there were two levels missing.
I have adapted some of his concepts to function in an extended risk management context. Here goes:
First horizon – Activity Based Risk Management
First, we need to be aware that we practice very concrete risk management on a natural level every waking moment of the day (and probably the non-waking moments of our lives as well. This risk management occurs in our day-to-day activities, and involves very practical aspects such as “Did I make sure I put a lid on that saucer?” or “Did I make sure that person gave me all the required documents to process?” It’s mostly intuitive, but it comes to the foreground as a risk often when responsibility transfers go wrong, or when people trained for a task without understanding the purpose of the task need to deal with exceptions.
Applying risk management in this context would be below the traditional operational risk management level, which I’ll discuss below, and can be referred to as Activity Based Risk Management. If we make sure we do not overburden the process of risk management at this level, using ABRM can be very beneficial to optimizing the results of individual activities.
Second Horizon – Project and Process Risk Management (or Operational Risk Management)
This traditional risk management delves into issues which can be found in either processes (ongoing activities) or projects (one shot activities) … and is quite often blended with some aspects of Activity Based Risk Management. High level process flows are designed and analyzed for risks. In essence, this second horizon presents the link between the actual execution, the concrete next action, which is assessed for risk at the level of the first horizon, and the strategic level. This type of analysis is familiar for most traditional consultants. An example would be all potential risks threatening the correct registration of vehicles, or the risks related to the disposal of a license tag.
Third horizon – Strategic Risk Management
All processes and projects should be related to a set of strategic objectives to be reached. We execute processes and projects (each containing multiple activities) to make sure these strategic objectives are reached. Strategic risk management then focuses on risks which can interfere with achieving these objectives. Again, this horizon can be found in most ERM and integrated risk management texts.
However, it does not end there each strategic intent integrates and rolls up into an overarching vision.
Fourth horizon – Vision related risk management
At this high altitude level we aim to gain perspective on risks threatening the realization of our ultimate goal for the organization and even beyond the organization.
How does this translate to public sector?
Below you will find a table which gives you an overview of the four horizons, the responsibles at each level, what we aim to achieve with risk management at this level and what a suggested frequency interval for dynamic risk management would be.
| Horizon | Responsible | Aim of risk management | Frequency interval | How formal? |
| Fourth | Minister and President of the FGS | Identify and manage risks related to the established political agenda | Yearly to ad-hoc | Very formal |
| Third | President of the FGS and management team (N and N-1) | Identify and manage risks related to the management plans | Every six months to yearly | Formal |
| Second | Members of the management team and operational leads (N-1 and N-2) | Identify and manage risks related to the processes and projects | Bi-weekly to every six months | Reasonably formal |
| First | Operational collaborators | Identify and manage risks related to the daily activities | Daily to bi-weekly | Informal |
I will extend some more on this, since there is more to this, as it is the first time we can integrate top to bottom without starting from the assumption that all risks roll up to the higher or highest level or roll down from there to the lowest. Each horizon has its own risks and challenges.
Let’s hear for it in the comments.
