Risky Business – Developing an Approach to Managing Technical Systemic Risks

Ian Gibson (Atkins)

Keywords
Systemic Risk; Technical Risk; Enterprise Risk Management; Viable System Model; Cynefin; Opportunity Management
Abstract

Systemic Risk Management is a discipline familiar to the financial world, having been born out of the systemic failures which resulted in the 2008 financial crisis. Since November 2019, a small team has been working within the UK Ministry of Defence (MOD) to develop a pragmatic interpretation of Systemic Risk Management which can be applied to technical risks. The approach is complementary to both traditional programme/project risk management (which tends towards bottom-up escalation) and contemporary Enterprise Risk Management (ERM), which tends to look top-down for risks to objectives. Systemic Risk Management provides a means to identify and manage cross-cutting and transverse risks which could be impacting multiple areas of the organisation, and risks within one area of the business that could have a disproportionate effect elsewhere. Currently these could slip through unnoticed and potentially recur across the enterprise. The team took inspiration from a variety of sources, including ERM, the Viable System Model and Cynefin, before settling on an indicator-based approach that could be readily understood by risk management practitioners without needing to bombard them with seemingly abstract theoretical constructs. The result has been the production of guidance material for identifying and managing Technical Systemic Risks, which has been tested through significant stakeholder engagement and is being piloted within the UK MOD. Whilst this approach has been developed for use within UK MOD to manage Technical Systemic Risks, it can extend to Systemic Risks in general, and has utility for any large organisation grappling with complex interdependencies between disparate technical and organisational activities.


The following conclusions have been drawn from the transformation initiative described in this presentation:

• Traditional risk management practice tends to overlook Systemic Risks, often due to lack of vision beyond project and programme focus or organisational and functional boundaries.

• Technical Systemic Risk management allows risks that may be common to, or impacting upon, several areas of the business to be identified and managed. This will allow common and consistent risk mitigation to be applied in a “best for the business” way.

• Technical Systemic Risk management is complementary to existing P3M and ERM approaches, providing an almost orthogonal view on the same problem-spaces and solution-spaces.

• Technical Systemic Risk management is equally applicable to business-as-usual activities as it is to projects and programmes. LFE reviews are a rich source of potential Systemic Risks.

• The approach outlined above is accessible and useful; risk practitioners should find it easy to adopt, and it can be readily adapted for non-technical Systemic Risks.

• This approach should be readily applicable in any enterprise which is grappling with the issues outlined in this paper.



This presentation is based upon material previously presented at the INCOSE UK Annual Systems Engineering Conference 2021, but will be updated where appropriate to reflect the current situation.