One thing I realized since I moved to Australia is that black swans are pretty widespread here. Not the unforeseen—or silent—type of risks, that is. No, the bird itself. It just made me think about the European belief that held true until the 17th century that all swans were white because no contradictory observation had invalidated this hypothesis.
In recent exchanges I’ve had with executives, a lot of the focus has been on so-called “black swans.” And understandably so, since these are the threats that can take a company the way of the dinosaurs if they aren’t adequately mitigated.
But what about all the other “swans?” White, green, yellow? Are they getting the attention they deserve by the executives?
Going back to a previous blog from my colleague Bruce McCuaig, Finding the Risks Worth Having, I would argue that only the risks in the categories labeled as human behavior and control focus are really getting sufficient oversight. Risks in the loss management and risk focus categories are often either deemed appropriately managed and thus not deserving more attention, or the common belief is that some sort of monitoring would suffice.
Due to this attitude, risks in these categories often fall through the cracks because there’s a perception that they’re no longer real threats to the organization.
What can be done to ensure that they aren’t forgotten?
This is where I believe lies one of the key advantages of the Three Lines of Defense approach. It’s risk-agnostic! It reconciles views from all three lines (operational, risk and compliance, and audit) regardless of the risks’ criticality, status, or category.
As a result, all “swans” are included in this approach, and their residual aggregated exposure can be reviewed. To me, this precision is important. Taken in isolation, some of these risks might not be life-threatening to a company. But together, they might amount to a significant exposure that could very well be above the organizational risk appetite and even above its ability to operate.
A coordinated response will therefore be needed, and a three lines of defense approach will help ensure that this is the case and that different departments work jointly to provide an effective response. Hence, we can break down typical departmental silos that we continue to encounter in many organizations.
A risk is a risk is a risk
Don’t get me wrong: it’s absolutely not the intent of my discussion to say that black swans shouldn’t get attention. But with resource constraints that all companies inevitably face, a sound balance is always necessary, in my view. I personally believe that three lines of defense, in addition to helping companies ensure sustainable compliance and correct reporting of the risk context, also supports such balance by enabling prioritization with regard to the company’s objectives and the real assessment level. As such, it sheds light on all swans irrespective of their color.
What about you? How does your company deal with white and black swans? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard.