Intentional Control Design: Pillar 2 of the CRF for Cybersecurity and ERM
Minimizing Risk Through Design
by JAMES BONE
Cognitive governance is the first of five pillars making up the cognitive risk framework; the second is intentional control design. James Bone discusses chief considerations around intentional design.
The five pillars of a cognitive risk framework are designed to provide a three-dimensional view of enterprise risks. In the last installment, cognitive governance (CogGov) was introduced as the first pillar. Its five disciplines reimagine risk governance as a path toward enhanced assurance through a more rigorous view of the dual roles of risk assessment and risk management.
Cognitive governance is the driver of the other four pillars through a continuous process of exploration of risk behavior and uncertainty. Think of CogGov as a formalized Kaizen approach to improving risk governance:
- CogGov is structured to clarify the roles of risk governance and recognize that new processes are needed to reconcile inherently different perceptions of risk.
- The new insights that emerge from this approach inform the other four pillars in ways that are dynamic, simple and based around the human element.
- CogGov is responsible for developing templates for sustainable solutions to complexity in operations, people and technology risks using a multidisciplinary lens on blind spots that lead to errors in judgment.
The next four pillars are additional levers of risk governance.
The worst kept secret in many organizations is the lack of forward-looking investment in back office operations. Legacy infrastructure, manual risk processes, layers of confusing policies and procedures and changing demands from management make operations less nimble and resilient over time, requiring a series of “break-fix” maintenance actions simply to maintain the status quo.
Unfortunately, organizations become accustomed to workarounds, building them into operational preparedness as opposed to evaluating the net impact to long-term performance. Intentional control design (ICD) is a cognitive risk governance lever to build nimble and resilient operational excellence into risk management.
A Fundamental Approach to Reduce Risk
Intentional design (ID) is not a branch of design research, which originated out of a need for new methodologies to solve increasingly complex problems in organizational design. Intentional design is a more fundamental approach that involves reducing risks by relieving cognitive load, streamlining processes and enhancing situational awareness in business performance.
Emerging research in design highlights the opportunity, as summarized by Bruce Archer: “the most fundamental challenge to conventional ideas on design has been the growing advocacy of systematic methods of problem-solving, borrowed from computer techniques and management theory, for the assessment of design problems and the development of design solutions.”[i]
Archer’s challenge is no less daunting today. As organizations seek to integrate competing mandates that streamline security, enhance human decision-making and reduce operational complexity, good design becomes critical. The good news is, advanced technology is evolving to achieve breakthroughs in smart design to empower employees with situational awareness, risk management tools and straight-through processing workflows.
Intentional design, like any creative process, requires a clear vision of strategic objectives, which will be different for all organizations. Why position strategic objectives as key outcomes? Because when organizations fail to direct the right level of energy to achieving strategic objectives, outcomes become less certain over time.
The purpose of this paper is to provide a multidimensional approach to risk management and move away from one-dimensional solutions driven purely either by data analytics or qualitative evaluations of risk. Combining the two views of risk assessment is not sufficient. Risk professionals must become designers of risk solutions that facilitate risk awareness in each layer of the organization. Designing situational awareness into business operations reduces risk through insights into data with tools that anticipate and respond to emerging and present threats.
I offer an example of resiliency not as a standard, but to present a model for thinking about defining outcomes. Resiliency is one of many attributes used in considering intentional design.
Resiliency is developed through a consistent focus on the following elements:
- Clear goals and objectives that optimize performance
- Investment in people
- Nimble operations
- Financial agility
- Smart IT/cybersecurity
- Appropriate and balanced risk-taking/management
- Risk management tools
- Stable and robust relationships (customers/stakeholders)
- Strategic analysis
- Ethical behavior
The design of elements in an intentional design model should be formed through a rigorous process of collaboration within the organization. Each element is a design project and will require scope development. In the process of developing a scope strategy, the following questions should be considered:
- What are the synergies among all elements?
- What are the bottlenecks to building synergy among elements?
- What conflicts exist among or between the elements?
- Which element(s) impact resiliency — positively or negatively?
- What are the considerations around a full or partial implementation of each element?
- Which element depends on support from one or more other elements?
Pay attention to and leverage each intersection between the key elements.
Intentional design represents a range of solutions designed to manage risks writ large and small. Intentional design begins with a clear set of strategic objectives, leverages empirical risk-based data, then clarifies optimal outcomes. Simplicity in design is the guiding principle in intentional design.
I earlier referred to cognitive load and situational awareness as outcomes of intentional design. Very few will be familiar with the term cognitive load, but if I mentioned the impact of stress on performance, you would understand the concept that developed out of a study of problem-solving (Sweller, J., June 1988).
Stress is created by situations requiring task completion under tight or shortened timelines in which the consequences are significant, resulting in either peak performance or failure. Stress factors increase the risk of failure when normal operating procedures must be discarded and improvisation is required. However, lessons can be learned — from design solutions to situational stress — to improve performance when the real thing occurs. In other words, performance is a product of good design.
More current research is needed on the impact of job performance and the design of the work environment. Studies have, however, found correlations between job performance and satisfaction and poor design of work processes. Most of these studies have focused on workplace ergonomics, health impacts and insurance costs, yet missed opportunities to evaluate how good workplace design contributes to better efficiency and work performance overall.
The synergy between the five principles of cognitive governance and intentional design becomes even more powerful when taking work design into account. A simple example may help clarify the point. For the first time in history, the medical industry is transforming to a digital environment. Medical data is revolutionizing how doctors diagnose patient care and monitor patients remotely. Patients are also benefiting by being empowered with medical devices, reducing visits to the doctor for routine checkups.
As data continues to be democratized across industries, workers will be empowered to manage risks in real time with access to a range of data to support better decision-making about risks and performance. Collectively, these processes improve situational awareness of risks and responses to risks much more proactively. The synergies must, however, be designed specifically to address risks that matter by creating tools to respond in kind.
The same types of models can and should be deployed to provide stakeholders — from front-line managers to the board of directors — with the same level of situational awareness to address threats in organizational fields of operation.