Things That Ruin a Submariner’s Day
This photo shows USS SAN FRANCISCO pulling into her new home port after four years of repairs following a collision with an uncharted seamount in the South Pacific. One sailor was killed and 24 others injured when SAN FRANCISCO slammed into the seamount at flank speed. The damage to the submarine was horrendous, yet within a few seconds, SAN FRANCISCO had blown to the surface and was recovering.
Submarine operations are inherently risky: they occur at great depths, at high speeds, with a nuclear reactor and high-pressure systems, and often in hostile territory. Yet, despite the dangers, submarine operations are for the most part conducted safely and securely. Very good risk management is an inherent part of these operations, and it is built into all processes and procedures, from design to the most seemingly trivial activities, like cooking.
Risk management enables us to achieve objectives that would otherwise be impossible, such as operating a nuclear submarine in hostile environments in support of national security objectives. Action Item: List your business objectives that would be unattainable without effective risk management.
Key Issues
1. Why does business strategy depend on effective risk management?
2. How does effective risk management and compliance improve governance?
3. What are the strategic considerations in designing Governance, Risk and Compliance (GRC) programs?
Innovation, Disruption: What Is It That You Really Want to Do?
This picture of the S-1 HOLLAND entering dry dock followed by a Russian battleship illustrates disruptive change. Did anyone at the time envision that the submarine would be the replacement for the battleship? Managing the risks of undersea operations made it possible.
The mantra for Enterprise Risk Management (ERM) is that it enables business objectives: it is an element of performance management, enabling the achievement of strategic objectives. But besides doing better than your peer competitors at similar objectives, what if you could do things differently from them? What if you could change the game and make their investments obsolete? Such strategies are called disruptive: they mean that you are not just innovating upon accepted processes, but innovating objectives. Doing this requires you to be better than them at managing the risks of change. Business change governance is a new term that Gartner is introducing, but it’s certainly not a new concept.
Action Item: Make being better at enterprise risk management a strategic initiative, to enable business change.
Risk Management 101: # Surfacings = # Dives
All submariners know that the first key performance indicator (KPI) is that the number of surfacings must equal the number of dives. In their book, IT Risk: Turning Business Threats Into Competitive Advantage, Gartner’s Richard Hunter and MIT’s George Westerman set out a hierarchy of risk categories: availability, access, accuracy and agility. In other words, to enable business change, or agility, first you must establish the foundations for the other three categories, starting with availability: if systems are not available, none of the other risks really arise.
Enabling business change is the penultimate goal of risk management. It is typically not where risk management starts; in fact, it can’t be. For submarines to change the practice of warfare they first had to become reliable military platforms. The first submarine to sink a warship was the Confederate submarine HUNLEY, which sank USS HOUSATONIC in Charleston Harbor in 1864. After the engagement, HUNLEY sank with all hands and was not found until 1995. And before its first successful mission, HUNLEY was lost twice with all hands during sea trials. Availability, in other words, had not been established, and it would be another 50 years before the submarine’s ability to change the practice of warfare was proved.
The lesson to learn from HUNLEY is that availability is the first consideration. Once availability is established, then it is possible to establish more direct linkages of risks to business objectives. We can also see that if a KPI becomes a key risk indicator (KRI), that is, if surfacings don’t equal dives, then the other KPIs are unachievable.
Action Item: Determine your most critical performance metric, and the risks to that metric.
Obviously, just managing availability risks is not enough to contribute to business advantage. We need to look at the business objectives, and determine the risks to those objectives. So, let’s step back to the days of the Cold War and imagine we have gotten hold of this smuggled photo. We ask ourselves, “where’s the propeller?” Obviously this is some new type of jet propulsion. So, as an objective, we must understand as much as we can about this new submarine, which is an addition to the Black Sea Fleet. Knowing the objective, we must understand the risks and take measures to mitigate them. And the risks are many: just to get into the Black Sea, we have to pass through the narrow and dangerous Bosporus, which means we will be seen on the surface. We must approach the Crimean peninsula and evade Russian and Ukrainian warships, not to mention the radar installations that can detect us whenever we raise the periscope above the water’s surface. So, now we are starting to link risks to the business objective. We are also starting to link the controls that mitigate those risks, most of which are already part of our operational processes, to the business objective.
It is important to anticipate risks and to build controls into operational processes. It is much too expensive and challenging to build new controls for each new objective.
Action Item: Include the steps that you take to manage risks in the operational processes that are critical to achieving your business objectives.
Risk Management Priorities and Business Priorities Are the Same
The broom lashed to the bridge as the submarine returns to its home port means the crew has fully achieved the mission objectives, a tradition that began in the Pacific War. The crew faced the risks associated with their mission and returned safely. There are a few lessons to learn in relation to this. First, there are metrics, such as availability, that are applicable to all business objectives. If surfacings do not equal dives, that is, if the platform is unavailable, then none of the business objectives are achievable. But as we escalate up the Hunter-Westerman hierarchy of risks to accuracy and agility, we see that the risks become tied more closely to the specific mission objective. Ideally, we would anticipate all the objectives and associated risks when designing our platform, and we would build all the necessary controls into that platform. But in practice this is not the case; we can be sure that there will be unanticipated objectives and unanticipated risks.

This takes us to our next key issue: Does this submarine example translate to the civilian world? It certainly does. In a 2010 survey of CFOs (http://www.cfo.com/article.cfm/14502409) by a group of academics, CFOs listed their top four risk priorities as preventing a large loss; meeting shareholder expectations; increasing cash flow; and increasing firm value. Notice that the first priority is similar to our core submarine priority: if losses exceed revenue, the boat doesn’t float. But the other four risk categories are business objectives as much as they are risk categories.
Action Item: Sort through your most significant risks, and categorize them in terms of the “four A’s.” Then, to ensure alignment and that there are no gaps, start with your most important business objectives as risk categories and identify the risks to them.
Key Issues
1. Why does business strategy depend on effective risk management?
2. How does effective risk management and compliance improve governance?
3. What are the strategic considerations in designing GRC programs?
Commander’s Intent
“No captain can do very wrong if he places his ship alongside that of the enemy.” – Admiral Horatio, Lord Nelson
The goal of managing risks effectively is to improve governance. And good governance means that our governance supports our business objectives: governance sets the goal. But no matter how much we may want to take the human out of governance, it is just not possible. We can mechanize and digitize controls and the monitoring of risks, we can automatically collect intelligence and use it to drive some automatic changes in direction, but the setting of objectives and how those objectives will be achieved is a human function. As a recent U.S. president said, “I’m the decider.” But governance is not just the setting of decision rights; it also refers to the setting of objectives, the inputs and allocation of assets for the achievement of objectives, and the disposition of those assets and the characteristics of the environment once those objectives are achieved.

Military leaders convey their understanding of how governance relates to objectives through intent statements. No matter how the environment changes in the course of battle, subordinates understand the end goal and can adjust their actions to achieve it. Admiral Nelson would share his intent over dinner with his captains well ahead of the battle. They understood not just the desired end state but his thinking in how it could be achieved. He also anticipated risks: knowing, for instance, that his unorthodox tactics for the Battle of Trafalgar could lead to a melee, he painted his ships in a yellow and black checker to distinguish them clearly from the enemy. But his most essential risk management technique was to ensure a shared understanding with his captains, so that unanticipated risks would not lead to defeat.
Action Item: Share not just your business objectives, but your desired end state, including the disposition of your assets and the business environment upon achieving your objectives.
While governance sets the goal, risk management determines what is good enough to ensure that objectives are achieved. If pursuit of our goal takes us through hazardous waters, we must understand our risk tolerances. In this example, the captain has taken into account the shallow waters and the intended movement along the track to establish a moving box of water in which the officer of the deck must keep the submarine; going outside the box could result in an unacceptable level of uncertainty. Yet the box itself is designed in a way that permits the officer of the deck to achieve interim objectives, such as receiving essential naval messages at periscope depth, without undue restrictions. Essentially the captain has set a policy that is guided by risk tolerance.
Action Item: Ensure that risk tolerance guides policy, and not the other way round.

Any chief petty officer in the Navy will tell you that you get what you inspect, not what you expect. Governance sets objectives, risk management establishes tolerances, and compliance sets controls to manage risks within tolerances. Therefore, good governance depends on effective controls. Effectiveness is measured through testing. Submarine crews face almost daily testing through self-assessment in drills, inspections of operations and documentation, and observations of performance. External independent testing is carried out as well, through many different types of tactical and operational readiness examination. In preparation for external examination, the captain may decide to go for the highest standard possible: the Battle “E.” This is an optional goal, but one that, if achieved, establishes a level of readiness that will ensure above-average performance scores in all independent tests and examinations. The lesson to learn here is that aiming for the minimum means that sometimes you may hit it. By contrast, if we aim for higher goals, such as an International Standards Organization (ISO) certification, this will prepare us for all kinds of contingency, making good performance on periodic audits and assessments less intrusive, and sustainable performance against objectives more assured.
Action Item: Use organizational certifications as a means to maintain an ongoing self-assessment and compliance regime that improves operations and preparedness for audits.
Key Issues
1. Why does business strategy depend on effective risk management?
2. How does effective risk management and compliance improve governance?
3. What are the strategic considerations in designing ERM programs?
Strategic Principles
A submarine can conduct coordinated operations with both aircraft and surface ships. Despite the differences among military platforms, they all follow a common set of principles of war, a fact that makes integrated forces possible.
A common set of governance, risk management and compliance (GRC) principles can enable an integrated approach to GRC activities. This is especially important when trying to establish an ERM program in support of overall strategic business objectives. Consider the following GRC strategic principles: accountability, consistency, effectiveness, alignment and simplicity.
Action Item: Use Gartner’s “Toolkit: Statement of Governance, Risk and Compliance Principles” (G00173340) to establish the guiding principles for your GRC activities in support of overall corporate governance and enterprise risk management.
Accountability Starts With the Tone at the Top
“Responsibility is a unique concept: it can only reside and inhere in a single individual. You may share it with others, but your portion is not diminished. You may delegate it, but it is still with you. Even if you do not recognize it or admit its presence, you cannot escape it. If responsibility is rightfully yours, no evasion, or ignorance or passing the blame can shift the burden to someone else.
Unless you can point your finger at the man who is responsible when something goes wrong, then you have never had anyone really responsible.” – ADM H.G. Rickover
Accountability is at the core of GRC. While almost everyone wants credit for their role in achieving objectives, almost no one wants to be held accountable for the risks associated with those objectives, and particularly for any incidents associated with those risks. The tone at the top will determine how well the principle of accountability can be instilled in any organization. In the nuclear submarine program, tone at the top was set very clearly by Admiral Rickover. Rickover stories are the stuff of legend: he personally selected every officer in his program, and there was nothing more important to him than ensuring accountability.
Note: Often the terms accountability and responsibility can be used interchangeably. Equally, though, it is often helpful to distinguish between who actually owns a risk (accountability) and who helps to manage that risk (responsibility). Building a RACI (Responsible, Accountable, Consulted, Informed) chart can be a useful exercise not just for establishing who is accountable for a risk and who is responsible for providing risk management services (controls), but also for communicating the need for change in how risks are considered in operational processes in support of objectives.
Action Item: Identify the critical processes that support a business objective. Build a RACI chart for risks associated with those processes, and fill in the “A” column first.
Submarine qualifications require a mix of operational knowledge and risk management. A submariner must not only understand systems, but also understand the controls in those systems, and what to do when those controls fail. All submariners must qualify for their dolphins, a grueling process that takes a year or more. But submarines are similar in design and in their implementation of processes, so full requalification is not necessary when a submariner goes to another boat. This is also the case when the mission changes, as, for example, when switching from patrol to attack. Certainly, to operate the systems, the submariner must learn the new boat’s systems, but that should merely entail learning about the differences from systems familiar from the previous boat; the use of common principles means there is enough consistency in design, procedures and controls.
Consistency is a challenge for any organization: can you come up with a common set of principles that work across multiple business units with multiple business objectives? Many organizations have found that they can. Doing so reduces the cost of compliance and improves agility, as a common set of controls supports governance whatever the objective.
Action Item: Identify redundancies and overlaps in policies and controls, and start to rationalize them.
Policies
While a common set of core values can certainly help to establish consistency in controls, consistency also depends on policies that reflect risk tolerance (rather than risk tolerance being set by policy). Policies that are rigid and inflexible when risks are relatively low can impede the ability to meet business objectives. One submarine Admiral once said that “policy is guidance to be followed in the absence of any other intelligence, including human.” He meant that policy should be guided by risks, and therefore knowing and accepting the risks is an important element of good governance.
Action Item: Ensure policies are consistent with the risks associated with the objectives. This is especially important as both the business environment and the objectives change.
Monitoring and Control
Although policies are established to meet objectives, there must be controls to ensure that policy objectives are met, and these controls must be monitored to ensure they are effective. The parameters being monitored in the propulsion spaces are actually KPIs associated with the operation of a nuclear submarine’s engineering systems. If the parameters stay within set risk tolerances, the operators are assured that many hundreds of controls are working. This integration of performance monitoring, risk monitoring and control monitoring is possible because of the alignment of design, policies and objectives.
Action Item: To reduce the invasiveness of risk management and compliance to daily operations, link risks to business objectives, and controls to risks and mandates.
Many risks are associated with internal processes, but changes to the business environment can also have an impact on objectives. Perhaps you remember sonarman Jonesy from the film “The Hunt for Red October.” He was skillful at scanning the environment and the enemy, and analyzing the impact on the mission. Similarly, businesses must scan the business environment, public sentiment, legal and regulatory developments, and their competitors. If the analysis concludes that objectives must change or that there must be changes in how they are pursued, then an assessment of risks and control effectiveness should also be made.
Action Item: Set up a “weather bureau” to monitor the legal and regulatory environment in the context of competition and the business climate. Ensure that controls remain effective as the environment changes.
Associated with monitoring and control is a lot of operational reporting. But if the objective of risk management and compliance is actually better governance in support of objectives, then there also need to be reports that capture opportunities for performance improvement. This photo shows the cover page of the first war patrol report of USS TANG, which was skippered by Dick O’Kane. O’Kane was known for his aggressiveness and risk-taking, and he has been criticized for the loss of TANG on its third patrol.
The boat was sunk, however, due to a torpedo failure: a torpedo fired from TANG circled back and hit it. Furthermore, in his patrol report, as well as detailing TANG’s operations, O’Kane includes recommendations that could improve future operations for the submarine fleet. See the patrol report at http://issuu.com/hnsa/docs/ss-306 tang?mode- a p.
My Gartner colleague Paul Proctor has focused on this requirement to relate risks and performance in his presentations and research on reporting to the board (see “Eight Practical Tips to Link Risk and Security to Corporate Performance,” G00173779). It is also an underlying theme of The Real Business of IT by Richard Hunter and George Westerman.
Action Item: When reporting on risk and compliance, make recommendations and describe actions taken to improve the ability to meet business objectives.
GRC architecture principles establish the guidance for the development of GRC architecture. These principles envision a GRC strategy that moves from a variety of disconnected compliance and risk management activities to a future state by:
- Aligning with business goals and risks.
- Meeting multiple requirements with a common set of controls and IT support.
- Establishing a common reporting infrastructure for a single version of the truth.
- Being as noninvasive as possible, using automation of controls, where possible, instead of manual testing and surveying.
- Ensuring roles, responsibilities and accountability are clear.
Action Item: Use these reference principles as a starting point to develop a set of GRC architecture principles that relate governance, risk management and compliance for your enterprise.