How many risks should be managed, and how often should you do so?
An experienced practitioner made an interesting comment in a discussion group to which I belong. He said that “a focus on too many risks has diluted risk management’s effectiveness”.
I am quite concerned about the belief held by so many that you only need to monitor 10-20 risks, and then only once a quarter or perhaps at most monthly. Just as my colleague is concerned with managing more risks than you can handle or than add value, I am concerned with managing too few!
I think you need to monitor the risks that:
- might have a significant effect on your ability to achieve your strategies and objectives, and
- affect your ability to make decisions and how you run the business.
Those risks need to be managed “at the speed of business” (see related blog).
What does this mean? I suggest that companies assess certain attributes of each risk (in addition to likelihood and impact) to determine how often they should monitor it. These attributes include:
- Volatility: how often risk levels change to a significant degree
- Velocity: the speed at which risk levels change
- Clockspeed: the speed with which a risk is identified, and the time available to respond (Keith Smith). For example, the speed at which an earthquake is noticed and the time until the tsunami hits.
- The speed of the business: if decisions are made rapidly and action has to be taken quickly, decision-makers will benefit from more timely, current, reliable, and useful risk information
- The ability to respond quickly: the longer it takes to respond, the more notice you need
Once these attributes are known, management can determine how often they want and need risk information to enable better decisions and management of the business. It then becomes a matter of designing ways to obtain that information.