Introduction
Risk management is crucial for organizational resilience and success in the ever-evolving business landscape. It involves continuously identifying, analyzing, evaluating, treating, and monitoring risk in an organization’s operations and strategy. As risk issues are identified, risk managers must make difficult decisions on which issues to prioritize and what to do about them.
This article introduces an approach that uses a powerful decision-making framework called Cynefin to characterize issues in a way that can improve decision-making, ultimately saving time and resources.
ISO 31000 Risk Management Guidelines
The proposed approach is based on the ISO 31000 guidelines released in 2009 by the International Standards Organization (ISO) to help organizations of any industry, size, or location manage risks to achieve objectives and improve decision-making.
Risk Management Process
The graphic shows that the ISO 31000 guidelines detail a Risk Management Process that includes Defining Scope, Context and Criteria, Risk Assessment, Risk Treatment, Monitoring and Review, and Communication and Consultation.
Defining Scope, Context, and Criteria is essential to the effective governance of risk within an organization and to ensuring alignment with its mission, goals, and values.
Risk Assessment includes three activities designed to improve decision-making about the need to treat a risk.
- Risk Identification: Identifying risks that could impact an organization’s ability to achieve its objectives by causing harm or loss.
- Risk Analysis: Determining the probability and impact of a risk on the organization.
- Risk Evaluation: Comparing the results of analysis against the pre-established criteria to decide if treatment is required and with what priority.
Risk Treatment: Selecting and implementing a suitable treatment for addressing the risk that may include avoiding, accepting, transferring or mitigating the risk.
Monitor and Review: Continuously monitor and review the risk management process and its outcomes to ensure their relevance and effectiveness.
Communication and Consultation: Engaging internal and external stakeholders to ensure the communication of risk information and the consideration of their views.
The Risk Triage Process
It is common for risk managers to simultaneously deal with multiple identified risk issues arising from audits, security reviews, etc. In this situation, it can be valuable to have a documented process to triage those issues so they can be quickly prioritized against a predefined set of criteria. While the ISO 31000 guidelines do not explicitly call out a Risk Triage process, it is an element of the Risk Evaluation activity. It should be noted that Risk Triage is not a substitute for Risk Analysis and that it may be necessary to recharacterize and reprioritize issues over time.
Using the Cynefin Framework to Characterize Risk
Dave Snowden developed the Cynefin Framework in 1999 to help identify the appropriate decision-making approach in different environments. The framework can be applied to understand the nature of risks and the environment in which they occur. Specifically, the risk issues organizations face can be divided into five distinct domains: Clear, Complicated, Complex, Chaotic, and Disorder.
Understanding and leveraging these domains as part of the triage process can significantly enhance an organization's ability to characterize issues more effectively, saving resources and leading to better prioritization.
Clear Domain: Risks are straightforward and easily identifiable in this domain. Solutions are well-known, and best practices can be applied. For example, compliance with regulatory requirements falls into this category. The focus here is on standard operating procedures and ensuring that these procedures are diligently followed.
Complicated Domain: Risks in this domain require expert analysis and expertise to identify and mitigate because the relationship between cause and effect may not be immediately obvious. Organizations should rely on subject matter experts to diagnose issues and implement solutions.
For instance, technological upgrades and cybersecurity measures often fall into this category.
Complex Domain: The complex domain is characterized by risks with no clear cause-and-effect relationship. These risks emerge from dynamic interactions within the system. Organizations should adopt an experimental approach, testing different hypotheses and learning from outcomes to inform future decisions and directions.
For example, the risk of losing market share may depend on market trends and complex customer behaviors, and additional information is needed before appropriate decisions can be made.
Chaotic Domain: In the chaotic domain, the lack of a clear relationship between cause and effect makes traditional analysis futile. The risks are nevertheless apparent and demand that order be restored immediately. The priority is acting swiftly to stabilize the situation, then identifying patterns and restoring order.
Examples include natural disasters or sudden market crashes.
Disorder Domain: This domain represents situations where it is unclear which of the other four domains applies. In such cases, the primary goal is to break down the problem and categorize it into the appropriate domain so that the relevant strategies can be applied.
Applying Cynefin: A Three-Step Process
Applying the Cynefin framework to characterize identified risks during triage can improve decision-making, save time, and ensure appropriate actions are taken.
It can be integrated with the existing risk management processes and involves three steps:
- Step 1: Determine the Domain
- Step 2: Select the Course of Action
- Step 3: Monitor and Adjust
Step 1: Determine the Domain
After identifying a risk, assign it to one of the five Cynefin domains by asking specific questions that help clarify the nature of the risk and its context. Here are some example questions that can help guide you:
Clear Domain
- Are the cause-and-effect relationships well understood and predictable?
- Can a best practice or a known solution be applied?
- Can the problem be easily categorized and addressed using standard procedures?
Complicated Domain
- Is expert knowledge or analysis required to understand the problem?
- Are there multiple potential solutions that need to be evaluated?
- Can the cause-and-effect relationships be understood with thorough analysis?
Complex Domain
- Are the cause-and-effect relationships unclear or emerging over time?
- Does the situation involve numerous interacting variables and unknowns?
- Is experimentation and probing necessary to understand and address the problem?
Chaotic Domain
- Is the situation volatile and rapidly changing?
- Are immediate actions required to prevent further damage or restore order?
- Is it difficult or impossible to determine cause-and-effect relationships at this moment?
Disorder Domain
- Is it unclear which domain the situation fits into?
- Is there confusion or disagreement about how to approach the problem?
- Do you need to gather more information to classify the situation correctly?
By answering these questions, you can better understand the nature of the risk and its context to identify the appropriate Cynefin domain. This then informs the most suitable approach for managing the situation effectively.
Step 2: Select the Course of Action
After identifying the Cynefin Domain, the next step is selecting the appropriate course of action. Here are some suggested actions and examples for each domain.
Clear Domain
Actions: Sense - Categorize - Respond
- Assess the facts of the situation and categorize them.
- Apply best practices.
- Follow standard operating procedures.
- Ensure compliance and consistent execution.
Example: In a manufacturing plant, ensuring all safety protocols are followed to prevent accidents. This involves routine checks and adherence to established guidelines.
Complicated Domain
Actions: Sense - Analyze - Respond
- Conduct thorough analysis and diagnostics.
- Bring in subject matter experts to provide insights.
- Evaluate multiple potential solutions to find the best one.
Example: Implementing a new IT system requires experts to analyze requirements, evaluate different software options, and select the most suitable one.
Complex Domain
Actions: Probe - Sense - Respond
- Engage in experimentation and safe-to-fail probes.
- Encourage diversity of perspectives and brainstorming.
- Adapt and iterate based on feedback and emerging patterns.
Example: Developing a new marketing strategy for a product launch. The team might try various approaches, analyze customer responses, and adjust the plan accordingly.
Chaotic Domain
Actions: Act - Sense - Respond
- Take immediate, decisive action to establish order.
- Communicate clearly and frequently to manage the situation.
- After stabilization, identify patterns and make sense of the chaos.
Example: Responding to a cybersecurity breach. Immediate actions include isolating affected systems, communicating the breach to stakeholders, and starting recovery procedures.
Disorder Domain
Actions: Categorize
- Break down the problem to understand its nature.
- Gather more information and perspectives.
- Categorize parts of the problem into Clear, Complicated, Complex, or Chaotic domains and address them accordingly.
Example: A company facing a sudden drop in market share might initially be in disorder. They need to analyze the situation, gather data, and determine whether the issue is due to predictable factors (Clear), requires expert analysis (Complicated), involves unpredictable market trends (Complex), or is due to a crisis (Chaotic).
Step 3: Monitor and Adjust
The goal is to move a risk toward the Clear domain whenever possible. It may be necessary to do this in steps: if the risk is in the Chaotic domain, the goal would be to move it to Complex, then Complicated, then Clear. Because situations change and a risk can genuinely be mischaracterized, organizations need to keep monitoring triaged risks to determine whether they should be recharacterized.
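To make the three steps concrete, here is an added Python illustration; it is not code from the article, from Snowden's framework, or from the ISO 31000 guidelines. It encodes the Step 1 questions, the Step 2 action patterns, and the Step 3 path toward Clear. The scoring rule (the domain with the most "yes" answers wins; a tie or no "yes" at all becomes Disorder), the treatment of assessor disagreement as Disorder, and the sample answer sets are assumptions made for this example.

```python
"""Cynefin-based risk triage helper (added illustration, not from the article)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Step 3 path: a risk is moved Chaotic -> Complex -> Complicated -> Clear.
PATH_TO_CLEAR = ["Chaotic", "Complex", "Complicated", "Clear"]

# Step 1 questions, three per domain, in the article's order (Disorder is inferred, not asked).
QUESTIONS: Dict[str, List[str]] = {
    "Clear": ["Cause and effect well understood and predictable?",
              "Best practice or known solution applicable?",
              "Addressable with standard procedures?"],
    "Complicated": ["Expert knowledge or analysis required?",
                    "Multiple potential solutions to evaluate?",
                    "Cause and effect understandable with thorough analysis?"],
    "Complex": ["Cause and effect unclear or emerging over time?",
                "Numerous interacting variables and unknowns?",
                "Experimentation and probing necessary?"],
    "Chaotic": ["Situation volatile and rapidly changing?",
                "Immediate action required to prevent damage or restore order?",
                "Cause and effect impossible to determine right now?"],
}

# Step 2 action patterns per domain.
ACTIONS: Dict[str, str] = {
    "Clear": "Sense - Categorize - Respond",
    "Complicated": "Sense - Analyze - Respond",
    "Complex": "Probe - Sense - Respond",
    "Chaotic": "Act - Sense - Respond",
    "Disorder": "Categorize",
}

Answers = Dict[str, List[bool]]  # domain -> one yes/no per question, same order as QUESTIONS


@dataclass(frozen=True)
class TriageResult:
    domain: str
    action: str
    next_target: Optional[str]  # Step 3 target; None when already Clear or still in Disorder
    scores: Dict[str, int]      # summed "yes" counts across all assessors


def score_domains(answers: Answers) -> Dict[str, int]:
    """Count 'yes' answers per domain; reject answer sets that do not match the question list."""
    scores = {}
    for domain, questions in QUESTIONS.items():
        given = answers.get(domain, [])
        if len(given) != len(questions):
            raise ValueError(f"{domain}: expected {len(questions)} answers, got {len(given)}")
        scores[domain] = sum(1 for a in given if a)
    return scores


def classify_one(answers: Answers) -> str:
    """Single assessor: the domain with the most 'yes' answers, or Disorder if none stands out."""
    scores = score_domains(answers)
    ranked = sorted(scores.values(), reverse=True)
    best, runner_up = ranked[0], ranked[1]
    if best == 0 or best == runner_up:
        return "Disorder"  # nothing fits, or two domains fit equally: break the problem down first
    return max(scores, key=scores.get)


def next_target(domain: str) -> Optional[str]:
    """Step 3: the next domain on the path toward Clear (None for Clear or Disorder)."""
    if domain not in PATH_TO_CLEAR or domain == "Clear":
        return None
    return PATH_TO_CLEAR[PATH_TO_CLEAR.index(domain) + 1]


def triage(assessments: List[Answers]) -> TriageResult:
    """Triage from one or more assessors. Disagreement between assessors is treated as
    Disorder (the article's 'confusion or disagreement' question) rather than forced
    into one domain; this is an assumption of the example."""
    if not assessments:
        raise ValueError("at least one set of answers is required")
    domains = {classify_one(a) for a in assessments}
    domain = domains.pop() if len(domains) == 1 else "Disorder"
    merged = {d: 0 for d in QUESTIONS}
    for a in assessments:
        for d, s in score_domains(a).items():
            merged[d] += s
    return TriageResult(domain, ACTIONS[domain], next_target(domain), merged)


# Constructed sample: the article's breach example, answered by one assessor.
BREACH: Answers = {"Clear": [False, False, False], "Complicated": [False, True, False],
                   "Complex": [False, True, False], "Chaotic": [True, True, True]}
# Constructed sample: an IT system implementation, two assessors who disagree.
IT_SYSTEM_A: Answers = {"Clear": [False, True, False], "Complicated": [True, True, True],
                        "Complex": [False, False, False], "Chaotic": [False, False, False]}
IT_SYSTEM_B: Answers = {"Clear": [True, True, True], "Complicated": [True, False, False],
                        "Complex": [False, False, False], "Chaotic": [False, False, False]}

if __name__ == "__main__":
    for label, sets in [("breach", [BREACH]), ("IT system", [IT_SYSTEM_A, IT_SYSTEM_B])]:
        r = triage(sets)
        print(f"{label}: {r.domain} -> {r.action}; next target: {r.next_target}; scores {r.scores}")
```

The breach sample lands in Chaotic with the Act - Sense - Respond pattern and Complex as its next target; the two disagreeing IT-system assessments come back as Disorder with the Categorize action, which matches Step 1's last question and sends the issue back for decomposition rather than committing to a course of action on a contested classification.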
Watch the recording of the HIPAA Security 3.0 educational session "Deciding When to Perform a Quantitative Risk Analysis - When Is the Juice Worth the Squeeze?" to see how Cynefin improves the risk triage process.
Conclusion
Applying the Cynefin Framework in a triage process can enable organizations to tailor their risk management strategies more appropriately to the nature of the risks they face. This approach ensures that responses fit the context or character of the risk, improving the organization's ability to manage under uncertainty. Embracing the Cynefin Framework gives leaders the understanding to navigate their risk portfolio confidently, fostering a proactive and adaptive risk management culture.
References
ISO. (2018). ISO 31000:2018[E] Risk Management - Guidelines. ISO.
ISO. (2021). ISO 31000:2018 - Risk Management - A Practical Guide.
Deciding When to Perform a Quantitative Risk Analysis - When Is the Juice Worth the Squeeze?