Norman Marks on Governance, Risk Management, and Audit

Do we understand what a Risk Event is?


People talk about a risk event as if it is obvious what it is and what it means.

COSO ERM talks about the possible effect of an event on objectives, and in common parlance we are talking about something happening that has an effect on the organization.  (COSO thinks of risk as the possibility of that event occurring; ISO talks about risk as the effect of what might happen on objectives.)

Most often, people are thinking of a negative effect, something harmful that is the consequence of the event.

Examples of so-called risk events include:

One of the things that concern me is that these events may have multiple effects or consequences, not just one.

Some of those effects might be positive.

For example, a new regulation might mean that sales are disrupted and additional costs incurred to bring a product into compliance. There is an increase in cash flow risk, revenue risk, customer satisfaction risk, and compliance risk. But, if the organization is sufficiently prepared and agile, it may be able to release a compliant product earlier than its competitors and gain market share. In fact, some competitors may not be able to adjust at all.

The loss of a key employee may be a risk to a project or other key activity, but it is also an opportunity to hire somebody with greater or different skills, making other things possible. It may even be an opportunity to reorganize for agility or efficiency.

The loss of a data center due to fire or flood may have multiple and diverse effects, but is also an opportunity to build a better one, financed by the insurance proceeds.

There are times when it may be to a company’s advantage to get new regulations passed, simply because they are better prepared to respond than their competitors! It also helps the company’s reputation to be seen as sensitive to the demands of the community – for example by adding safety features.

All of this needs to be considered: the likelihood of an event, the range of potential consequences and the likelihood of each, how the organization can be prepared, and how advantage may be taken.

The other thing that gives me cause for concern is that events are not the only source of risk.

Decisions have an effect as well. The action taken following a decision, for example the decision to read this article, can have an effect as well.

But let’s come back to events.

Years ago, when I was a VP in IT, I was responsible for data center disaster recovery and corporate contingency planning.

I learned that rather than building a plan for every event that could cause the data center to be out of commission, it was better to build a plan that addressed how to deal with the effect of those events.

In other words, we had a plan for the loss of a data center, rather than separate ones for loss due to fire, flood, and so on.

Similarly, many things can happen that might affect the achievement of an objective.

Shouldn’t we have plans that address how we respond to the effect rather than to every event?

If we are monitoring the likelihood of achieving an objective rather than simply the levels of individual risks, won’t that help the organization run the business to success?

Just thinking.

What do you think?