A big mistake in risk management, especially when it comes to companies with newer programs, is underestimating the importance of standardized risk prioritization. Diving into identification and assessments without a sufficient framework inhibits prioritization. This can result in ineffective risk mitigation activities and duplicate work across departments, or even serious risks flying under the radar. The possibility of “missing” a serious risk is a disturbing one, but it’s impossible to be completely certain about everything that touches your business.
Understanding Risk vs. Uncertainty
This is why thinking about risk versus uncertainty is important. They are closely related, but are not one and the same; “uncertainty” has a broader scope. It is the lack of knowledge about a particular event’s outcome, and exists for every individual and every organization. Part of a risk manager’s job is to evaluate those uncertainties and determine which ones are likely enough and could have a serious enough impact to warrant mitigation. When an uncertainty reaches a particular threshold of likelihood and impact, the company recognizes it as a risk that needs to be mitigated.
Enterprise risk management is the best way of quantifying and preparing for an uncertain future, or in other words, Managing Tomorrow’s Surprises Today®. Rather than being too conservative with risk identification and assessments (a dangerous practice) to avoid wasting resources, it is best to instead improve the processes’ efficiency and effectiveness.
A taxonomy framework, which you can read more about in another blog post, will standardize each department’s approach to risk prioritization. Using the same criteria and scale enables information to be collected, aggregated and compared enterprise-wide in a manner that is accessible and understandable to previously uninvolved personnel. A standard scale and common root-cause library will also reveal high-level risks that do affect multiple business areas, making prioritization systematic.
How Standardized Assessments Support Risk Prioritization
When assessing identified risks, we recommend a scale that provides as much detail as possible. Consider the following risk matrix (adapted from a Wikipedia page):
Even with criteria assigned to each “tier,” some ambiguity remains. A risk with a score of “Likely x Minor,” for example, may warrant less mitigation effort than a risk with a score of “Unlikely x Serious.” The reverse might also be true, but neither reality is reflected by the matrix.
For greater insight into your risk register, consider the next matrix, which is the most frequent scale used by LogicManager customers:
Breaking each impact and likelihood “bucket” into two options makes it possible to think about risk in a more dynamic manner, and enables users to select the high or the low of each category. This makes risk prioritization easier and more specific, which in turn allows for more targeted resource allocation.
The key is implementing a level of granularity that makes sense for your business and that assists with prioritization.