Resources – whether they are time, financial, human, or natural – are limited. You only have so many hours in the day or only so much money, which is why all of us prioritize our activities for the day or how much money to spend.
The same process we subtly do each day is definitely applicable to any enterprise risk management activity at your organization.
While many resources out there will combine the assessment phase with enterprise risk analysis, I prefer to keep these ideas separate. Risk assessment looks at risk one-by-one, measuring such things as likelihood, impact, and velocity, whereas enterprise risk analysis gets into the bigger picture that determines the right risks to focus on.
The reality is that you can only focus on a limited number of things at a time due to a couple of reasons:
- Resource constraints (i.e. time, money, people). The fact is that no organization is going to commit a significant portion of its revenue to managing risks. Choices have to be made on which risks present the biggest threats or opportunities.
- Trying to focus on every identified risk will lead to stagnation. Resources will be spread thin to the point that the organization will not realize any value from its risk management activities, and realizing noticeable progress will be almost impossible.
Before getting into more details regarding enterprise risk analysis, I want to explain why I think analyzing and prioritizing during the assessment can be problematic.
Combining Assessment with Analysis: Common Problems
The first reason is the temptation to get things over with quickly. …
You’ve certainly been in meetings that you were eager to get over with. The risk assessment can be a lengthy discussion to start with, so there is a strong temptation to rush through the analysis so participants can move on to other things or leave for the day.
Next, taking a step back to analyze all of the risks from your assessment will provide an opportunity to uncover additional information or interdependencies among risks and further consider the organization’s objectives, etc. For example, after analysis and additional conversation, executives may decide to abandon a certain objective if it’s determined the risks are too great.
Keeping the assessment and analysis separate helps ensure your organization is putting its limited resources to their best use.
In order to ensure you are using your resources in the most effective manner, enterprise risk analysis uses a variety of tools to determine the appropriate response to a risk…
Tools for Successful Enterprise Risk Analysis
In the assessment phase, factors such as likelihood, impact, velocity and other dimensions were assigned to a particular risk. In the analysis phase, this information is evaluated using various tools so decisions can be made on where the organization should focus its efforts.
One tool organizations use to compare risks is risk appetite and risk tolerance. This alone is a hot topic among risk professionals since many have struggled to develop risk appetite and tolerances that are useful for decision making.
As I explain here, risk appetite is a high-level statement of how much risk, and in what areas, leadership is willing to take. Risk tolerance drills down deeper to establish boundaries around the risk appetite that are acceptable to the organization’s leadership.
A quick note on risk tolerance: it can be expressed in different ways, including financial, reputation, customers, and so on. It is vital that risk tolerance be flexible and adaptable.
Getting back to the actual analysis, risks are compared to the applicable risk tolerance to determine the appropriate response, keeping in mind that comparing a risk to the tolerance only tells you where it falls in terms of severity.
Although risks that fall below the tolerance levels can be “accepted,” further analysis is needed to determine if resources are being used effectively.
Even if your organization is new to ERM, it has been managing and accepting risks all along. However, after assessing a risk and analyzing it against the tolerance, you may find that it is being over-managed and that efforts can be scaled back. This will free up resources to use for risks found to be above the tolerance.
To illustrate, I ran into this with a client in the public transit industry. After evaluating risks against the tolerance, we learned that its operations department overseeing service providers was going far beyond what was needed. While it was positive that risks associated with the third-party service providers were being managed so well, further analysis allowed the agency to scale back its efforts in this area and shift its focus to more urgent needs.
For risks above the tolerance, other tools need to be brought in to determine the appropriate response.
Before getting into difficult or complex risks, can you find any risks that are above the tolerance but in the end are easy fixes? These quick wins are another way executives can realize value in having a formal ERM process. Changes to an organizational process or product offering are a couple of examples.
It’s inevitable that at least some risks are going to be complex enough or so far above the tolerance level that more analysis will be needed to prioritize and respond appropriately.
Earlier, I mentioned that enterprise risk analysis uses a variety of tools. Risk appetite and tolerance was one tool, but for more complex or urgent risks, other tools are needed to prioritize and respond appropriately, including:
Root cause analysis
As I explain here, the simplest description of root cause analysis is literally asking “why?” until you reach the root cause of an issue. This resource from Protiviti uses the term “risk sourcing” (p. 69) and describes these root causes as the ultimate source of uncertainty.
Root cause analysis is especially helpful when examining risks that are out of your organization’s control. While you may be unable to do anything about this risk, you may be able to dig into its root causes, address those, and take steps to reduce the likelihood of the main risk occurring.
In their eBook Enterprise Risk Management: Frameworks, Elements, and Integration, Drs. Paul Walker and William Shenkir offer the example of a grain company identifying weather as a risk.
Now we all know, sadly at times, that the weather is out of our control. However, instead of just abandoning or accepting this risk, the company determined that grain volume for shipping was the real risk to be concerned with, not the weather. Factors within the company’s control that could affect grain volume include product waste and product loss during shipping and handling. By examining the root causes of reduced grain volume besides the weather, the company was able to take steps to reduce this risk.
Risk velocity
Although you probably determined the velocity for a particular risk in the assessment phase, it is still a useful tool in the analysis phase for identifying which risks you should focus on first. Put simply, risk velocity is how soon a risk will affect the organization.
In his book World Class Risk Management, Norman Marks gives the example of different weather events for a refining company with facilities throughout the U.S. One facility is in an earthquake zone, another is susceptible to tornadoes, and another is in an area at risk for hurricanes. Earthquakes occur with virtually no warning, but there is usually some warning with a tornado. For hurricanes, there are usually several days to prepare. Marks explains that “…if you have more time to respond to a potential event, then you may be more able to accept the possibility of that event.”
I can personally attest to this mindset, since my family prefers to live in Florida, where we frequently have the threat of a hurricane. My thought is I prefer having several days to prepare instead of an unexpected earthquake or ice storm that comes out of nowhere. But what you are willing to accept also depends on what you are used to. Me, I am used to hurricanes since I grew up in Florida.
In my experience and from other resources I’ve read, many risks will have the same likelihood and impact. In cases like this, the velocity of the risk needs to be considered before determining which risks require your immediate attention. A particular risk may have a devastating impact on the enterprise, but if it isn’t going to occur for many years, then it can be addressed after the more urgent, time-sensitive risks are handled.
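As an added example (not from the original post), here is a small Python routine that applies the analysis described above to a constructed risk register: it flags below-tolerance risks that look over-managed, separates quick wins, and orders the rest by severity with velocity as the tiebreaker, deferring risks that are still years away. The 1–5 scales, the severity formula and the thresholds are assumptions.

```python
from dataclasses import dataclass

# Constructed example. Likelihood, impact and velocity use an assumed 1 (low) to
# 5 (high) scale, as assigned in the assessment phase; severity = likelihood * impact.
@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    velocity: int        # 5 = affects the organization almost immediately, 1 = years away
    effort: int          # current management effort, 1-5 (assumed scale)
    quick_win: bool = False

def severity(r: Risk) -> int:
    return r.likelihood * r.impact

def analyze(risks, tolerance: int, over_managed_effort: int = 4):
    """Sort assessed risks into the responses the post describes."""
    # Below tolerance but heavily managed: candidates for scaling back effort.
    scale_back = [r.name for r in risks
                  if severity(r) <= tolerance and r.effort >= over_managed_effort]
    above = [r for r in risks if severity(r) > tolerance]
    quick_wins = [r.name for r in above if r.quick_win]
    # Remaining risks: anything years away (velocity 1) is deferred behind the
    # rest; otherwise most severe first, with velocity breaking ties so the risk
    # that hits soonest is handled first.
    remaining = sorted((r for r in above if not r.quick_win),
                       key=lambda r: (r.velocity > 1, severity(r), r.velocity),
                       reverse=True)
    return {"scale_back": scale_back, "quick_wins": quick_wins,
            "prioritized": [r.name for r in remaining]}

# Constructed sample register
REGISTER = [
    Risk("Third-party service provider performance", 2, 3, 3, effort=5),
    Risk("Outdated onboarding process", 4, 3, 4, effort=1, quick_win=True),
    Risk("Data center in hurricane zone", 3, 5, 2, effort=2),
    Risk("Data center in earthquake zone", 3, 5, 5, effort=2),
    Risk("Key supplier insolvency in 5+ years", 5, 5, 1, effort=2),
]

if __name__ == "__main__":
    for bucket, names in analyze(REGISTER, tolerance=9).items():
        print(bucket, names)
```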
Scenario planning
Often referred to as scenario analysis, scenario planning develops hypothetical risk events that could impact the organization. More specifically, these events could present a risk to achieving long-term strategic objectives or shorter-term project goals.
You have probably seen scenario planning mentioned as part of risk identification, especially during strategic planning when executives are developing possible paths (i.e. favorable, neutral, negative) for a strategic goal. In this instance, risks to achieving the objective are being identified.
In the enterprise risk analysis phase, it should really be considered reverse scenario planning since the risks are already known. In this case, you and the organization are considering possible scenarios that could trigger a risk to occur. If it’s determined the scenario has a strong likelihood of occurring, measures will need to be taken, which can possibly involve a change in the core objective connected to the risk.
Risks to achieving strategic objectives or mission
The last tool for prioritizing risks is to carefully examine which ones represent threats and opportunities to achieving the organization’s strategic goals or mission. I say mission because many organizations do not have formal strategic goals, but they do have a fundamental reason that drives what they do.
The purpose of this kind of risk analysis is to get executives and management out of the day-to-day minutiae and thinking “big picture” about what the organization is trying to achieve. Risks to achieving these objectives or the mission are the most important ones to focus on since they can affect the central purpose of why the organization exists to begin with.
Objective-centric ERM is a term coined by consultant and thought leader Tim Leech to describe this way of thinking. Oftentimes, organizations will simply have a list of risks, with the top ones having nothing to do with the “…company’s top value creation objectives.” Instead, the “top value creation/strategic objectives” and “top potential value erosion objectives” should be the foundation of ERM, Leech explains.
To put my spin on it, this is what makes ERM different from traditional risk management.
This analysis also provides an additional opportunity to consider and discuss the organization’s goals. You, the executives, and the board may determine that an objective needs to be seriously modified or even abandoned. On the flip side, an opportunity for achieving an objective faster or with better results may present itself, which means resources will need to be shifted to ensure the organization realizes these benefits.
As I mention in the introduction, resources are limited, so you have to pick and choose the most important risks to focus on. No organization is going to spend limitless amounts of money, time, and energy on risks.
Besides, casting such a wide net ends up diluting your ERM efforts and causing stagnation, which is never good.
The process of enterprise risk analysis ensures you’re focusing on the right risks at the right time for maximum value to the organization.
What has been your experience with enterprise risk analysis? Do you include it as part of the assessment phase, or make it a separate process?
I’m interested to hear your thoughts on this important part of the ERM process – leave a comment below or join the conversation on LinkedIn.
And if your organization is struggling to analyze risk information and prioritize risk responses, please don’t hesitate to contact me today to discuss your trouble spots.