Have you ever asked 10 people the same question and received 10 different answers?
It may seem funny in hindsight or on your favorite sitcom, but I can attest personally that it can be incredibly frustrating.
In a previous article outlining the elements of a clearly articulated risk statement, I discussed how not having a clear understanding of a risk makes it difficult to know what the proper response should be.
Besides providing a basic structure for this statement in my article, there were two other methods briefly mentioned, one of which I want to dive into more today.
CASE is an alternative tool developed for helping companies better articulate and clarify risks and opportunities.
Broken out, CASE is the acronym for:
- Consequence – likely impact(s) from a risk; typically operational or strategic
- Asset – impacted company assets due to the risk; can be tangible or intangible assets
- Source – the root causes and other factors that could lead to the risk occurring
- Event – types of incidents being considered
Australian-based risk and security consultant Julian Talbot, creator of the CASE approach, explains that the main problem with risk assessments isn’t due to shortcomings of one method over another, but rather more fundamental issues around how a risk is articulated in the first place.
Julian has a diverse background working across 5 continents as a risk and security advisor, logistics manager, and even a CEO.
His main motivation for developing CASE was because of the confusion that stems from one-word descriptions that are not useful. It can be very difficult, if not impossible, to analyze and rate risks if we only have the event and asset.
I could relay stories of my own on how inadequate risk descriptions lead to confusion, but Julian’s story about facilitating a risk workshop for a $100 million IT security project illustrates this quite well. In spite of there being a “mature” risk register, the company was having trouble agreeing on the risks. He explains:
When I got there and had my first look at the risk register, my heart sank. It was immediately obvious not only why they were having trouble agreeing on the risk ratings, but also that they would never attain any agreement. The ‘register’ was an Excel spreadsheet with 300 line items on it. Most of them were one word or a few words long.”
After grouping similar risks together and using the CASE approach to develop more specific and actionable risk statements, the company was finally able to more forward with its IT security project.
The main point Julian makes in his article about CASE is that one word descriptions don’t really tell anyone much of anything. Saying “terrorism” or “climate change” or “inflation” or “solvency” is way too vague and meaningless. Everyone is going to have their perception of what these mean and how it impacts the company.
Therefore, a method like CASE is needed so everyone in the organization can reach an agreement on the severity and priority of risks.
When illustrating CASE, Talbot uses the example of “compromise of sensitive information” in his article, which of course is something that could cover a lot of ground. An issue or risk I run into a lot with my target industry of Florida property insurance companies is financial solvency. Below are two example risk statements using this approach. The first one was developed by Julian while the other one might apply to companies I work with (although I hope it doesn’t materialize!):
- Failure to protect information (Asset) in transit from theft (Event) by opportunistic criminal elements (Source) resulting in adverse impacts on reputation (Consequence).
- Inability to scale people resources (Asset) in response to a catastrophic event (Event) due to lack of contracts with third-party providers (Source) results in delays in adjusting and resolving policyholders’ claims (Consequence).
The CASE approach isn’t only for risks in the negative sense, but opportunities as well. Again, the first example comes directly from Julian:
- The business case analysis shows a potential NPV of $1.2 million (Consequence – positive in this case) financial benefit (Asset) if we tender (Event) the facilities management contract in the open market (Source) this year.
- The company could experience a 5% increase in net income (Consequence) on its income statement (Asset) if we tighten our underwriting criteria for certain products (Event), so we do not insure properties with multiple major losses. (Source)
As one who is always looking for how to improve risk management processes, Julian builds on CASE with the SERCL approach, which is short for…
- Source – root causes and other factors.
- Event – types of incidents that could occur.
- Resource(s) – specific assets, tangible or intangible, that could be impacted.
- Consequence(s) – possible effects on operations or objectives
- Likelihood – probability of the event occurring.
Two notable differences between these two approaches: 1) SERCL includes the likelihood of the event occurring and 2) changes “assets” to the more broader term “resources,” which is helpful considering that an increasing portion of a company’s value is being driven by intangible assets like reputation.
The SERCL approach also reflects the layout of ISO 31000’s basic framework (see image below), so it also can easily overlay with any current processes if you use that standard. Julian explains though that it many circumstances, it may be best to consider resources first, thus changing the acronym to RSECL.
CASE, SERCL, and other approaches are just options for identifying and classifying risks and opportunities.
As stated earlier and in many other posts, including my most recent, any processes must absolutely fit the company’s needs and culture. If CASE, SERCL, or Julian’s forthcoming REVSCO approach don’t seem like they would be a good fit, then certainly don’t feel pressured to try and make them work.
However, with some creativity, strong executive support, and a growth mindset, you can harness methods like CASE and SERCL to help your company create a strategic advantage through robust risk and opportunity management.
What methods for identifying and classifying risks and opportunities have you found helpful at your company?
As always, we’re interested in learning what customized processes others use to better inform decision-making around risk and strategy. Leave a comment below or join the conversation on LinkedIn.
If you prefer to remain private, you can email me directly at firstname.lastname@example.org.
The importance of proper identification and classification of risk cannot be overstated. If your company is experiencing confusion as to what a particular risk means and the best way to move forward, please don’t hesitate to email me directly or schedule a meeting today to discuss your specific situation.
Sign Up For Our Newsletter
Sign Up For Our Newsletter
Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
Most Recent Posts
Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…Read More
As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…Read More
Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…Read More
Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…Read More
On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…Read More
Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…Read More
Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…Read More
One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…Read More
It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…Read More
If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…Read More