The risk is assessed as high. So what?

January 12, 2023

While there may be a debate whether risk should be assessed using qualitative or quantitative measures, I believe that is answering the wrong question.

Knowing what the level of risk is, even whether it is an unacceptable level of risk, is insufficient information.

It doesn’t answer the questions of:

  1. Should I take the risk?
  2. How much should I invest to reduce the level of risk given the opportunity cost? (Assuming the best business decision is not to take more!)

These are simple questions to ask, but not so simple to answer.

They are essential questions to answer.

If all you wanted to do was to avoid risk, you would never buy a house, cross the street, drive a car, or get married.

There are reasons for doing all of these in our personal life, and there are reasons for taking risk in our business life.

People talk about risk management enabling decision-making and go on to talk about whether the level of risk is acceptable (using terms like risk appetite, limits, and criteria).

But in real life, whether personal or business, you need to answer both of my questions.

Resources are limited.

Every penny spent to mitigate one source of risk is a penny that cannot be spent mitigating another source of risk.

Every penny spent on mitigating risk comes at the expense of investing in opportunity.

Is it any surprise that surveys of CIOs report that they prefer, overall, to spend their limited budgets on new systems rather than on cybersecurity? They can see both the risk and the reward of each alternative use of scarce funds.

So I end this short post with another question:

Is your risk management activity helping executives and board members know which risks should be taken, and how much should be invested in each of the following?

  • Cybersecurity
  • Regulatory compliance
  • Safety
  • Marketing
  • Product development
  • Employee morale and development
  • Sales
  • Acquisitions
  • And so on

I try to provide something of a roadmap to answering my questions in my various books. I am currently working on one (due out next month) that is intended to help executives and board members figure out how much to invest in cyber.

I welcome your thoughts.


There seems to be some confusion about this post. Let me clarify with an example.

At Tosco, our Marketing division (which operated about 6,000 Circle K convenience stores and Union 76 gas stations) had a monthly meeting of its executive team to review and approve capital spending requests. They ranged from $10,000 to $10,000,000.

Management at lower levels would prepare a request that would be reviewed by a team in Finance to make sure that the numbers were correct. Let’s assume (because I don’t remember) that each had a section on assumptions and risks.

A request could come from any one of the stores (such as spending to improve the facility that would generate revenue or improve compliance), or from any of the corporate functions (such as IT, Marketing, and so on).

Each month, there could be fifty or more requests.

The management team had to decide:

  • How much, in total, could they spend
  • Which, if any, of these requests would generate an acceptable return
  • How they should allocate the available funds among the requests
  • Whether any of the requests should be partially funded or modified
  • Whether they should defer spending, even on ‘profitable’ requests, to save funds for requests they knew were coming, or because there was uncertainty about cash flow, etc.

Coming up with a risk quantification (a number or a range) for each request is only a step in the process. It is not sufficient to evaluate each request by itself. The business decision is complex and requires judgment as well, considering the big picture not just the pieces.

I hope that clarifies my point.

  1. January 12, 2023 at 6:58 AM

    Knowing the level of risk quantitatively (loss curve) exactly answers the questions 1 and 2

    • Norman Marks
      January 12, 2023 at 7:12 AM

      No, Alex, it does not. Knowing the level of risk in buying a new car doesn’t tell me whether I should buy it or spend the money on a boat.

      • January 12, 2023 at 7:16 AM

        I assure you, it does exactly that, it is the core of quant risk analysis

        • Norman Marks
          January 12, 2023 at 7:28 AM

          Sounds like a debate opportunity, because you need to quantify every one of the thousand alternative uses of the penny.

          • January 12, 2023 at 7:50 AM

            Totally sounds like a good debate and of course we do not need to quantify thousands of alternative uses

            • Norman Marks
              January 12, 2023 at 7:53 AM

              If you have a thousand alternative uses of the dollar, you need ways to compare them

              • January 12, 2023 at 7:54 AM

                Only in theoretical debate, in practice there are a dozen or less alternatives, usually much less that are quantified

                • Norman Marks
                  January 12, 2023 at 7:59 AM

                  It’s somewhere in between, far more than a dozen! Just think of the expense budgeting process and the capital authorization process. Even then, there are alternative levels of investment in different projects within an area. It typically has hundreds of opportunities of its own, then there are sales and marketing investments, product development options, and so on.

                  • January 12, 2023 at 8:04 AM

                    Not in the 100+ investment deals and projects I have modelled. In any case, we are deviating from the original point, the whole purpose of quant risk analysis is to answer questions 1 and 2

                    • Norman Marks
                      January 12, 2023 at 8:09 AM

                      That’s the point, Alex. You have modeled the project and not the opportunity cost. You are not answering my questions if you are not considering the opportunity cost.

                    • January 12, 2023 at 9:02 AM

                      That’s not how decision science works, Norman

                • Norman Marks
                  January 12, 2023 at 9:07 AM

                  See the addition to the post. In real life, understanding opportunity cost is essential in decision-making.

  2. djallc
    January 12, 2023 at 8:32 AM

    And – not every risk response requires significant investment. We need to give more attention to the wide range of potential ways to modify risk in making decision #2. I had examples where we spent very little extra time/cost and significantly affected the risk profile of a decision.

  3. Norman Marks
    January 12, 2023 at 9:06 AM

    Please see my addition to the post.

  4. Norman Marks
    January 12, 2023 at 9:11 AM

    Please see my addition to the post.

  5. January 13, 2023 at 10:10 AM

    Norman, you raise an important issue, not usually addressed by internal audit. You are right, it’s a very complex issue which demands good information from those best qualified to give it and a properly briefed board. The other important issue is contingency planning to be prepared for the worst.
    On the subject of decision making this article may be of interest
