Recently I visited a shopping mall that I hadn’t been to in a while. The ‘feature’ below caught my eye and caused me to scratch my head: multiple water fountains and statues, surrounded by an imposing fence, and a stern warning that you are under surveillance. Not exactly inviting:
What’s going on here?
I don’t know for sure what happened, but here is a plausible sequence of events:
- A decision was made to improve the visual appeal of the entryway to the shopping mall in order to attract more customers
- Of the options considered to improve the visual appeal, they chose the fountain
- The fountains were installed; rejoice in their glory!
- Someone raised concerns about the safety of the water, or possibly there was an incident
- Management decided they needed to address the risk of injury or drowning, and installed the fence and its imposing signs
It appears that someone pursued their objective without considering the risks that would be introduced by the alternative they chose. At Protecht, we call this ‘delivered risk’: the risks that are introduced, or the existing risks that change, after a project or decision is executed.
The fountains look appealing to me. However, in this case, safety risks changed to the extent that additional controls (and extra investment that probably wasn’t accounted for) needed to be installed. But in doing so, the objective of an appealing entryway was no longer achieved.
When delivered risk matters
Delivered risks need to be considered at the time a decision is made, which also means they need to be identified and understood before that decision is made. If they aren’t considered upfront, how can the decision be informed? How can the ROI of a business case be considered complete or accurate if it doesn’t include the potential investment required in additional controls?
In this example, perhaps statues and a small garden, instead of fountains, would have been a better option. A more common example in a corporate setting might be the introduction of new products or services in which personal data of customers is collected.
This might require some additional investment in ongoing cyber security controls to manage new systems. If delivery of those products requires third parties, what risks do those third parties introduce? What investment in ongoing controls and assurance do you need to be comfortable that those risks are effectively managed?
In less mature project frameworks, delivered risks – the ones that the organization will continue to face long after the project is complete – are often ignored upfront, or even during execution. The business may scramble towards the end of the project to address them, or worse, remain exposed.
Closing thoughts
Some questions to consider when making strategic decisions and implementing projects:
- Do risk assessment processes for projects or strategic decisions include how operational risk profiles will change after the decision is made or project is executed?
- If yes, do those processes occur before a decision is made, or after?
- Who is going to be responsible for risks that are likely to be delivered? Are those stakeholders involved in the risk assessment processes?
- Is investment in controls considered in upfront decisions, particularly when comparing multiple alternatives for investment?
We hope your strategic decisions and projects realise their intended benefits – without their ROI being eroded by unexpected future investment.
Do you want to ensure your risk assessment and controls process is fully engaged with your business in order to deliver real return on investment? Watch our recorded Risk & Control Self-Assessments: How to unlock enterprise value webinar to find out more.