Have you ever asked 10 people the same question and received 10 different answers?
It may seem funny in hindsight or on your favorite sitcom, but I can attest personally that it can be incredibly frustrating.
In a previous article outlining the elements of a clearly articulated risk statement, I discussed how not having a clear understanding of a risk makes it difficult to know what the proper response should be.
Besides providing a basic structure for this statement, that article briefly mentioned two other methods, one of which I want to dive into more today.
CASE is an alternative tool developed for helping companies better articulate and clarify risks and opportunities.
Broken out, CASE is the acronym for:
- Consequence – likely impact(s) from a risk; typically operational or strategic
- Asset – impacted company assets due to the risk; can be tangible or intangible assets
- Source – the root causes and other factors that could lead to the risk occurring
- Event – types of incidents being considered
Australian-based risk and security consultant Julian Talbot, creator of the CASE approach, explains that the main problem with risk assessments isn’t due to shortcomings of one method over another, but rather more fundamental issues around how a risk is articulated in the first place.
Julian has a diverse background working across 5 continents as a risk and security advisor, logistics manager, and even a CEO.
His main motivation for developing CASE was the confusion that stems from one-word descriptions that are not useful. It can be very difficult, if not impossible, to analyze and rate risks if we only have the event and asset.
I could relay stories of my own on how inadequate risk descriptions lead to confusion, but Julian’s story about facilitating a risk workshop for a $100 million IT security project illustrates this quite well. In spite of there being a “mature” risk register, the company was having trouble agreeing on the risks. He explains:
“When I got there and had my first look at the risk register, my heart sank. It was immediately obvious not only why they were having trouble agreeing on the risk ratings, but also that they would never attain any agreement. The ‘register’ was an Excel spreadsheet with 300 line items on it. Most of them were one word or a few words long.”
After grouping similar risks together and using the CASE approach to develop more specific and actionable risk statements, the company was finally able to move forward with its IT security project.
The main point Julian makes in his article about CASE is that one-word descriptions don’t really tell anyone much of anything. Saying “terrorism” or “climate change” or “inflation” or “solvency” is way too vague and meaningless. Everyone is going to have their own perception of what these mean and how they impact the company.
Therefore, a method like CASE is needed so everyone in the organization can reach an agreement on the severity and priority of risks.
When illustrating CASE, Talbot uses the example of “compromise of sensitive information” in his article, which of course is something that could cover a lot of ground. An issue or risk I run into a lot with my target industry of Florida property insurance companies is financial solvency. Below are two example risk statements using this approach. The first one was developed by Julian while the other one might apply to companies I work with (although I hope it doesn’t materialize!):
- Failure to protect information (Asset) in transit from theft (Event) by opportunistic criminal elements (Source) resulting in adverse impacts on reputation (Consequence).
- Inability to scale people resources (Asset) in response to a catastrophic event (Event) due to lack of contracts with third-party providers (Source) results in delays in adjusting and resolving policyholders’ claims (Consequence).
The CASE approach isn’t only for risks in the negative sense, but opportunities as well. Again, the first example comes directly from Julian:
- The business case analysis shows a potential NPV of $1.2 million (Consequence – positive in this case) financial benefit (Asset) if we tender (Event) the facilities management contract in the open market (Source) this year.
- The company could experience a 5% increase in net income (Consequence) on its income statement (Asset) if we tighten our underwriting criteria for certain products (Event), so we do not insure properties with multiple major losses (Source).
As one who is always looking for how to improve risk management processes, Julian builds on CASE with the SERCL approach, which is short for…
- Source – root causes and other factors.
- Event – types of incidents that could occur.
- Resource(s) – specific assets, tangible or intangible, that could be impacted.
- Consequence(s) – possible effects on operations or objectives.
- Likelihood – probability of the event occurring.
There are two notable differences between these two approaches: 1) SERCL includes the likelihood of the event occurring, and 2) it changes “assets” to the broader term “resources,” which is helpful considering that an increasing portion of a company’s value is being driven by intangible assets like reputation.
The SERCL approach also reflects the layout of ISO 31000’s basic framework (see image below), so it can easily overlay with any current processes if you use that standard. Julian explains, though, that in many circumstances it may be best to consider resources first, thus changing the acronym to RSECL.
CASE, SERCL, and other approaches are just options for identifying and classifying risks and opportunities.
As stated earlier and in many other posts, including my most recent, any processes must absolutely fit the company’s needs and culture. If CASE, SERCL, or Julian’s forthcoming REVSCO approach don’t seem like they would be a good fit, then certainly don’t feel pressured to try and make them work.
However, with some creativity, strong executive support, and a growth mindset, you can harness methods like CASE and SERCL to help your company create a strategic advantage through robust risk and opportunity management.
What methods for identifying and classifying risks and opportunities have you found helpful at your company?
As always, we’re interested in learning what customized processes others use to better inform decision-making around risk and strategy. Leave a comment below or join the conversation on LinkedIn.
If you prefer to remain private, you can email me directly at firstname.lastname@example.org.
The importance of proper identification and classification of risk cannot be overstated. If your company is experiencing confusion as to what a particular risk means and the best way to move forward, please don’t hesitate to email me directly or schedule a meeting today to discuss your specific situation.