I have been giving a lot of thought to this recently.
Knowing your risks is just the start.
Acting on them, making informed decisions and taking the desired amount of the right risks, is the point of the spear.
Once you have identified a risk, what are you going to do about it?
It’s a lot more than simply saying you are either going to accept, avoid, pursue, reduce, or share a risk (the COSO ERM 2017 options).
You have options and each carries with it its own set of risks – things that might happen.
COSO ERM 2017 talks about strategy selection, which is a very important decision, and how you need to assess each option. The selection process includes understanding what might happen under each option (risks and opportunities in their language), weighing all the pros and cons, and then choosing the one that makes the most business sense.
It’s not just which option is most likely to bring the risk to desired levels (lower or higher) at the least cost.
The decision-maker needs to understand how each option might affect other risks, perhaps to other objectives.
For example, if additional resources need to be dedicated to addressing risk A, that might weaken the organization’s ability to address risks B, C, and D. Requiring sales personnel to undergo a three-day training class on compliance could delay completion of deals, dampen their appetite for risk-taking more than desired, and lower their morale because they believe bonuses will be reduced.
I am pleased that COSO talks about the issue (although their discussion is limited) but disappointed that they failed to realize that every decision requires the same level of thought.
Many ERM programs stop when they have identified a risk, determined its level, assigned an owner, and said what will be done about it.
But they usually don’t provide a disciplined process for evaluating the options, identifying the new or modified risks that result from the decision on how to address the original risk, and factoring those secondary risks into the selection itself.
COSO is silent on this. The ISO 31000:2009 global risk management standard says, “Risk treatment can also introduce secondary risks that need to be assessed, treated, monitored and reviewed.” But it does not explain how the assessment of those secondary risks should affect the risk treatment selection process. The current draft of the ISO update doesn’t include any additional guidance either.
That’s my experience and understanding. Is it yours as well?