Editorial
Knowing your risks is just the start.
Acting, making informed decisions and taking the desired amount of the right risks, is the point of the spear.
Once you have identified a risk, what are you going to do about it? It’s a lot more than simply saying you are either going to accept, avoid, pursue, reduce or share a risk — the options shared in COSO Enterprise Risk Management (ERM) 2017 report (pdf).
You have options and each carries with it its own set of risks — things that might happen.
The Domino Effect in Risk
COSO ERM 2017 talks about strategy selection, which is a very important decision, and how you need to assess each option. The selection process includes understanding what might happen under each option (risks and opportunities in their language), weighing all the pros and cons, and then choosing the one that makes the most business sense.
It’s not just which option is most likely to bring the risk to desired levels (lower or higher) at the least cost. The decision-maker needs to understand how each option might affect other risks, perhaps to other objectives.
For example, if additional resources need to be dedicated to addressing risk A, that might weaken the organization’s ability to address risks B, C and D. Requiring sales personnel to undergo a three-day training class on compliance could delay completion of deals, diminish (more than desired) their attitude towards risk-taking, and lower their morale because they believe bonuses will be reduced.
Learning Opportunities
Webinar
Jun
13
The Future of Contact Centers with AI at the Helm
Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX
Webinar
Jun
13
Learn How to Deliver Dynamic Video Experiences at Scale
Learn how to convert existing assets into video experiences in near real-time.
Webinar
Jun
20
3 Steps to Unlock Your Customer Data and Drive Revenue
Discover how Twilio Segment’s #1 Customer Data Platform helps implement data-driven strategies.
Webinar
Jun
21
Retail Reinvented: A Masterclass in Creating Digital Experiences That Click
Hear how online retailers architect their digital experience infrastructure for peak traffic and demand
Webinar
Jun
21
The Feedback Loop: Accelerating Personalization for Exemplary Customer Experiences
Are you ready to harness the power of feedback in your personalization strategy?
Webinar
Jun
22
How to Succeed in Today's Engagement Economy
Doing true personalization at scale with marketing automation
Webinar
Jun
13
The Future of Contact Centers with AI at the Helm
Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX
Webinar
Jun
13
Learn How to Deliver Dynamic Video Experiences at Scale
Learn how to convert existing assets into video experiences in near real-time.
A Process to Understand All the Risks
I am pleased that COSO talks about the issue (although their discussion is limited) but disappointed that they failed to realize that every decision requires the same level of thought.
Many ERM programs stop when they have identified a risk, determined its level, assigned an owner, and said what will be done about it.
But they usually don’t provide a disciplined process for evaluating the options and identifying the new or modified risks that result from the decision on how to address the original risk — and, essentially, factoring that into the selection process.
COSO is silent on this. The ISO 31000: 2009 global risk management standard says, “Risk treatment can also introduce secondary risks that need to be assessed, treated, monitored and reviewed.” But it does not explain how the assessment of those secondary risks should affect the risk treatment selection process. The current draft of the ISO update doesn’t include any additional guidance either.
That’s my experience and understanding. Is it yours as well?
Learn how you can join our contributor community.
