
Identifying, assessing, and evaluating risk is the easy part

December 27, 2017

I have been giving a lot of thought to this recently.

Knowing your risks is just the start.

Acting on them, by making informed decisions and taking the desired amount of the right risks, is the point of the spear.

Once you have identified a risk, what are you going to do about it?

It’s a lot more than simply saying you are either going to accept, avoid, pursue, reduce, or share a risk (the COSO ERM 2017 options).

You have options and each carries with it its own set of risks – things that might happen.

COSO ERM 2017 talks about strategy selection, which is a very important decision, and how you need to assess each option. The selection process includes understanding what might happen under each option (risks and opportunities in their language), weighing all the pros and cons, and then choosing the one that makes the most business sense.

It’s not just which option is most likely to bring the risk to desired levels (lower or higher) at the least cost.

The decision-maker needs to understand how each option might affect other risks, perhaps to other objectives.

For example, if additional resources need to be dedicated to addressing risk A, that might weaken the organization’s ability to address risks B, C, and D. Requiring sales personnel to undergo a three-day training class on compliance could delay completion of deals, diminish (more than desired) their attitude towards risk-taking, and lower their morale because they believe bonuses will be reduced.

(Image: falling dominoes)

I am pleased that COSO talks about the issue (although their discussion is limited) but disappointed that they failed to realize that every decision requires the same level of thought.

Many ERM programs stop when they have identified a risk, determined its level, assigned an owner, and said what will be done about it.

But they usually don’t provide a disciplined process for evaluating the options and identifying the new or modified risks that result from the decision on how to address the original risk – and, essentially, factoring that into the selection process.

COSO is silent on this. The ISO 31000: 2009 global risk management standard says, “Risk treatment can also introduce secondary risks that need to be assessed, treated, monitored and reviewed.” But it does not explain how the assessment of those secondary risks should affect the risk treatment selection process. The current draft of the ISO update doesn’t include any additional guidance either.

That’s my experience and understanding. Is it yours as well?

  1. Hans Læssøe
    December 28, 2017 at 2:41 AM

    Agreed – Neither COSO nor ISO is very thorough – and they appear to assume that once you have understood the basic approach, you are good to go, and will be thorough yourself.

    The issue becomes more complicated when you, as one would in real life, have not one, but a set of risk tolerances to work within. You may take some mitigating actions to safeguard your financial performance, but by doing that – increase your reputational risk, which then exceeds your risk tolerance.

    It is a balancing game, and sometimes a tricky one. Compromises are needed, as in all “political” decisions.

  2. December 28, 2017 at 11:11 AM

    You are right, Norman. Many internal controls require decisions which have to be analyzed for the risks involved. I gave the credit control example in your October 7 blog, ‘Getting Risk Management right’.

    Another example might be:
    Objective: Deliver food to refugee camps
    Risk: Bandits steal food
    Control: Choose the route least likely to be attacked and have an army escort.

    So more decisions have to be taken: which is the route least likely to be attacked? Is it passable in the rainy season? How reliable is the army escort? These aren’t really secondary risks which can be ‘assessed, treated, monitored and reviewed’. The decisions may have to be made in minutes, and lives may depend on the decision reached. The only real controls over this type of risk are the recruitment of competent staff who are properly trained and motivated and who are provided with information which is relevant, timely and accurate. (My website at http://www.managing-information.org.uk gives some ideas.)
