When it comes to Enterprise Risk Management, there is a lot of jargon floating around, mostly because it is a young, rapidly growing discipline. Not all of that jargon is industry-wide; organizations will sometimes use different terms for the same concept.

One example is the phrase risk-informed activities. We haven’t used this exact phrase in the past, but it certainly lines up with our central tenets; risk should be assessed across the enterprise and be a part of everyone’s job description. Employees on the so-called “front lines” are exposed to business risks every day, so it stands to reason that their day-to-day activities should be informed by risk.

In order to make risk-informed decisions, organizations must first use a risk-based solution to identify, assess, and evaluate organizational risks. These risks are often apparent to personnel on the front lines, so it’s a matter of aggregating data through a risk taxonomy and linking risks to goals and processes. The more comprehensive the taxonomy, the smaller the chances that critical risks will run undetected.

The United States Nuclear Regulatory Commission (NRC), for example, undertakes risk-informed activities; this means that before certain activities, like transporting and storing spent fuel, relevant parties are informed of the probability and consequences of potential risks. The answer to the question, “What can go wrong?” determines whether and to what degree an activity needs to be altered before execution.

LogicManager provides those same capabilities, permitting business owners to start with “What can go wrong?” Users can then associate those concerns with a common risk library, and prioritize them with standardized criteria for impact, likelihood, and control effectiveness.

Many approaches that qualify as “risk-informed” share a common characteristic: they emphasize identifying the multiple organizational impacts (across different departments) that one risk may have. Since most risks affect multiple departments, calculating impact naturally factors in different touchpoints across the organization. LogicManager, for example, allows users to classify data by root cause, department, control, or performance goal. The value of such a system lies in its ability to reveal commonalities (which a linear spreadsheet analysis might miss) and to automatically route notifications to those responsible or affected.

One last element common to many “risk-informed” approaches is a focus on the cost of mitigation activities. All mitigation activities require money and time, and a risk manager needs to weigh that cost against the risk being mitigated. This is called a risk/reward tradeoff. As illustrated below (adapted from a Pacific Northwest National Laboratory document by Steve Unwin), controls must demonstrate a positive risk/reward tradeoff (the “green” area of our chart).

(Figure: risk-informed activities and cost)

No matter how effective a control is, as its operating cost rises the net benefit shrinks and eventually turns negative. In the long run, the best way to determine whether a control sits closer to point A or point B is through monitoring activities such as risk-prioritized testing, metrics, and incident reporting.
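The scoring described above (impact and likelihood per risk, control effectiveness, cross-department impacts rolled up by root cause, and the cost of each control weighed against the risk it removes) can be made concrete in a few lines. The following is an added example written for this page, not LogicManager's code or the PNNL model; the register entries, departments, dollar figures, the 0..1 effectiveness scale and the assumption that independent controls compound multiplicatively are all constructed for illustration.

```python
"""Added example (not LogicManager's code): a minimal risk register that scores
risks by likelihood x impact across departments, applies control effectiveness,
aggregates by root cause and checks each control set's risk/reward tradeoff.
All scales, names and numbers below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from math import prod


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of expected loss the control removes, 0..1 (assumed scale)
    annual_cost: float    # money and time to operate it, in currency units per year


@dataclass
class Risk:
    name: str
    root_cause: str
    likelihood: float                 # expected occurrences per year
    impacts: dict[str, float]         # department -> loss per occurrence (one risk, many touchpoints)
    controls: list[Control] = field(default_factory=list)


def inherent_loss(risk: Risk) -> float:
    """Expected annual loss before controls: likelihood times total cross-department impact."""
    return risk.likelihood * sum(risk.impacts.values())


def residual_loss(risk: Risk) -> float:
    """Expected annual loss after controls; independent controls are assumed to compound."""
    return inherent_loss(risk) * prod(1.0 - c.effectiveness for c in risk.controls)


def control_cost(risk: Risk) -> float:
    """Total annual operating cost of the controls applied to this risk."""
    return sum(c.annual_cost for c in risk.controls)


def net_benefit(risk: Risk) -> float:
    """Risk reduction bought minus what the controls cost. Positive = the chart's 'green' area."""
    return (inherent_loss(risk) - residual_loss(risk)) - control_cost(risk)


def aggregate_by_root_cause(risks: list[Risk]) -> dict[str, float]:
    """Sum inherent loss per root cause: one weakness can sit behind several register entries."""
    totals: dict[str, float] = defaultdict(float)
    for r in risks:
        totals[r.root_cause] += inherent_loss(r)
    return dict(totals)


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank by residual loss, highest first: where testing and monitoring effort should go."""
    return sorted(risks, key=residual_loss, reverse=True)


# Constructed register (hypothetical names and figures).
REGISTER = [
    Risk("Phishing leads to credential theft", "weak identity controls", likelihood=2.0,
         impacts={"IT": 20_000, "Finance": 50_000, "Legal": 10_000},
         controls=[Control("MFA on all accounts", 0.8, 30_000)]),
    Risk("Sole supplier outage", "single supplier", likelihood=0.5,
         impacts={"Operations": 40_000},
         controls=[Control("Retain a secondary supplier", 0.5, 25_000)]),
    Risk("Password reuse on admin accounts", "weak identity controls", likelihood=1.0,
         impacts={"IT": 15_000}),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        if not r.controls:
            verdict = "no controls yet"
        else:
            verdict = "green" if net_benefit(r) > 0 else "cost exceeds risk removed"
        print(f"{r.name}: inherent {inherent_loss(r):,.0f}, residual {residual_loss(r):,.0f}, "
              f"net benefit of controls {net_benefit(r):,.0f} ({verdict})")
    print("inherent loss by root cause:", aggregate_by_root_cause(REGISTER))
```

Run as a script, the second entry is the instructive one: its control halves a 20,000-per-year expected loss but costs 25,000 to run, so the tradeoff is negative even though the control works. The root-cause rollup also shows "weak identity controls" carrying far more expected loss than either of its two register entries suggests on its own, which is the kind of commonality a row-by-row spreadsheet hides.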

As more industries, geographies, and disciplines adopt risk-based standards for solving common business challenges, we continue to be impressed by ERM’s return on investment.


To learn more about how a risk-based, software-as-a-service solution is used in practice, read our three-page customer case study.


Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.
