Is your to-do list so long that you wish there were two or three of you?
I know I do, but I also know how that would scare the daylights out of my family and my consulting team.
The fact is there are only 24 hours in a day, and as both risk professionals and collectively as a company, we can’t spend that entire 24 hours focusing on a list of random actions (or risks) with varying levels of impact and likelihood.
Choices must be made on how we prioritize our activities. We all do this on a personal level without even realizing it. What’s a better use of my time – vacuuming the living room or attending my son’s baseball game? (Baseball game wins hands-down every time.) We base these decisions, at least in part, on where our efforts will yield the most benefit. While a clean floor is highly desirable, is it worth missing the chance to see my son get a big hit to center field or throw the perfect pitch?
There are literally dozens, if not hundreds, of things tugging at us for attention…the same is true with risks.
Therefore, we need a way to sift through all the noise to understand how to focus our efforts to get the most bang for the buck in relation to finite amounts of time, financial, human, and other resources.
This analysis and prioritization step is another stop along the ERM journey. While many resources will combine this with enterprise risk assessment, I don’t advise doing so, reasons for which I will talk about below.
Below are 8 questions aimed at helping you not only understand what risk analysis and prioritization is, but also the best way to approach it for ensuring maximum benefit to the organization.
#1 What is risk analysis and how is it different from risk assessment?
As we imply in the introduction, the best and most basic way to define risk analysis and prioritization is that it’s:
“The process of identifying the most critical risks to the company so the risks can be communicated and addressed by the appropriate level of management to take action.”
Imagine your company’s risks are related to buying a bushel of apples at the grocery store. Now, you’re in no way prepared to buy the whole bushel and use it before all the apples go bad, so you’re going to pick out the best ones suitable for your needs.
Risk analysis is similar in that you have your bushel of risks (linked to objectives of course!) from the identification phase.
Some combine, or rather, confuse this with risk assessment, but these are not the same. As we explore in more detail in that article, assessment is about gathering information to understand the current state of the risk. Using the risk assessment information in hand, you and the decision-makers can then determine the best steps forward for the company.
#2 Why does my company need to prioritize risks in the first place?
The fact is there is only so much time in the day, no matter how much we may want a few more hours. And a company, no matter the size, has a finite amount of resources at its disposal. Choices about which risks to focus on must be made amid competing priorities.
Overall, without any formal prioritization, business functions can waste valuable time on risks of little consequence at the expense of other ones that could put the entire company in jeopardy.
When you have risks linked to objectives, whether mission-critical objectives or strategic objectives, you are really focusing on which objectives are the highest priority for the company, then which objective has the most risk.
Prioritization is also necessary for executives because they only have so much capacity in their schedule. Anything we as risk professionals can do to relieve this burden will not just be helpful from a professional courtesy perspective, it will also improve ERM’s reputation as a valuable partner in ensuring the company’s success.
A third reason for prioritizing risks is that attempting to manage every risk identified in the previous phase(s) will just lead to stagnation. Similar to the law of diminishing returns, the more you spread resources across a broad group of risks, the less effective these efforts will be over time.
#3 What is the end goal of this analysis and prioritization?
The end goal of risk analysis and prioritization is to determine a most-to-least critical ranking of risks so as to enable management to make informed decisions about allocating resources (people, time, and money).
This prioritization breaks risks down into three different buckets, which include:
- Which risks do we need to focus on? – the number of risks in this bucket should be the lowest out of all three since these will be the ones relevant business units will have to take time, money, and people to address. These risks likely exceed the company’s tolerance and could put objectives or even the entire company in jeopardy.
- Which risks do we need to monitor? – the number of risks in this bucket should be more than the focus bucket above, but not too much because you and business units can only monitor so much without a very large team or a lot of automated workflows for data management. Also, a process and metrics will need to be established, some of which we discuss in this previous article.
- Which risks can we accept? – this bucket should constitute your largest number of risks for a couple of reasons. One, these will be risks your company is taking in pursuit of goals. Remember, ERM shouldn’t only be about risk mitigation or avoidance. Companies in any era, but especially today, have to be willing to take risks to be successful. Secondly, there are likely risks that have been mitigated to an acceptable level through everyday business activities.
These three buckets exist within each objective, not as one company-wide list.
Establishing the risk priority within an objective should rest on two elements: one is the likelihood of occurrence and potential impact, and two, the extent to which the risk exceeds the target risk.
#4 Is this simply prioritizing the company’s list of top risks?
No.
The general consensus in the past was that all of the risks identified and assessed were put on a list, then sorted based on risk score – a company’s very own top risk list if you will. From there, ERM would work with executives and business units to determine which of the “top risks” would get attention (a/k/a money, people, and/or time).
Put simply, the risk(s) would come first, but the objectives were never really discussed.
The approach I’m suggesting here puts the objective first, then the risks into the three buckets mentioned earlier. What we’re doing is linking a risk to an objective right out of the gate, which is the essence of what we mean by ‘objective-centric’ ERM.
While “first generation ERM” was a vast improvement over the siloed approach typical of traditional risk management, this objective-centric approach provides a way for ensuring the company is focusing on the risks that will have the greatest impact to objectives that are critical to it achieving its mission.
But it doesn’t stop there…
#5 How are objectives prioritized to arrive at the company’s most critical risks?
At this point, we have our objectives, and within those objectives, we have our risks. These risks are placed into one of three buckets within their respective objective.
However, as should have been made clear in the previous question, an objective-centric approach to ERM is going to focus on the risks that will either help or hinder the company’s highest priority (mission-critical or strategic) objectives.
Again, even when we place our risks with their respective objectives, we can’t focus on them all. We must prioritize which objectives are the most important.
As discussed in the article on establishing context for risk identification, and consultant Tim Leech argues extensively, objectives can be segmented into value creating and value preserving. Right off the bat – if the particular objective does not fall into either one of those categories, then it can automatically be stricken as a top objective.
This is where tough choices on the part of leadership will need to be made. If there are 5 objectives for example, executives may need to actually force rank their importance.
One way to perhaps do this is to ask: “If you could only do 2 out of 5 objectives, what would they be?” Pictured below is a flow chart or cheat sheet if you will on prioritizing objectives.
This is where the filtering of risks really begins.
That’s because if you say a particular objective is #5 in a list of five objectives, then risks in the other objectives are going to be a higher priority, even if the risk score is lower for the other objectives.
Think of this part as something similar to college basketball’s March Madness. Objectives represent buckets or teams that are competing against one another. Which objective bucket is going to make it to the Final Four and go on to be “declared” the champion, or in this case, the most important?
#6 Is there anything that needs to be done before separating risks into their respective bucket within an objective?
Before risks within an objective can be prioritized, there needs to be a clear understanding of the level of risk the company is willing to accept and how much it can sustain.
I’ve discussed these in-depth elsewhere, including one on the fundamentals of risk appetite, steps for handling risks that exceed the company’s appetite, and even an interview with one of the titans of ERM.
But as a refresher, risk appetite, tolerance, and capacity can be defined as the following.
What I want to discuss here are two ways a company can go about determining its risk appetite, tolerance, and capacity.
The first is to use performance metrics where you have the actual target you want (appetite), then other thresholds indicating where the company should start getting nervous (tolerance), and another indicating the company’s no man’s land (capacity). If a metric begins to approach a threshold, the risk owner should then go and analyze trends, understand root causes of these trends, and develop response plans in the event the metric continues its current trajectory. Below is a visual example of this in action:
The other method involves taking risk assessment criteria for likelihood and impact and asking: for Objective A, what are we comfortable accepting the risk up to? This can consist of you saying, “for this objective, we’re comfortable with accepting X amount of impact on the financial side, or X amount for operational, or another number from a legal perspective.”
Regardless of which method you use to arrive at the company’s level of appetite, tolerance, and capacity, you are now ready to prioritize the risks into the buckets mentioned in question #3.
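To make the mechanics of questions #3, #5 and #6 concrete, here is a small worked example in Python. It is an added illustration, not code from the article or from any ERM tool: it force-ranks objectives, places each risk into the focus / monitor / accept bucket by comparing its likelihood × impact score with the objective’s appetite and tolerance, orders risks by objective rank first (so a lower-scoring risk under the top objective outranks a higher-scoring one under a lesser objective, as question #5 describes), and reads a performance metric against the appetite / tolerance / capacity thresholds from the first method in question #6. The 1–5 scales, the threshold values, the objective names and the “higher metric value is worse” convention are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) to 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) to 5 (severe); assumed scale

    @property
    def score(self) -> int:
        # Likelihood x impact: the first of the two elements used within an objective.
        return self.likelihood * self.impact


@dataclass
class Objective:
    name: str
    rank: int        # 1 = most critical; force-ranked by executives, not by ERM
    appetite: int    # target risk score the business is content to carry
    tolerance: int   # score above which the business starts to get nervous
    risks: List[Risk] = field(default_factory=list)


BUCKET_ORDER: Dict[str, int] = {"focus": 0, "monitor": 1, "accept": 2}


def bucket(risk: Risk, objective: Objective) -> str:
    """Place one risk into focus / monitor / accept against its objective's thresholds."""
    if risk.score > objective.tolerance:
        return "focus"      # exceeds tolerance: needs time, money and people
    if risk.score > objective.appetite:
        return "monitor"    # above target but within tolerance: watch with metrics
    return "accept"         # at or below target: taken knowingly in pursuit of the goal


def prioritize(objectives: List[Objective]) -> List[Tuple[str, str, str, int, int]]:
    """Return (objective, risk, bucket, score, excess over target) rows, most to least critical.

    Objective rank is the first sort key; within an objective, the bucket comes
    next, then how far the score exceeds the target (the second element), then raw score.
    """
    rank_of = {o.name: o.rank for o in objectives}
    rows = []
    for obj in objectives:
        for risk in obj.risks:
            rows.append((obj.name, risk.name, bucket(risk, obj), risk.score, risk.score - obj.appetite))
    rows.sort(key=lambda r: (rank_of[r[0]], BUCKET_ORDER[r[2]], -r[4], -r[3]))
    return rows


def metric_status(value: float, appetite: float, tolerance: float, capacity: float) -> str:
    """Read a performance metric (higher = worse, an assumption) against the three thresholds."""
    if value <= appetite:
        return "on target"
    if value <= tolerance:
        return "approaching tolerance"   # risk owner: analyse the trend and its root causes
    if value <= capacity:
        return "tolerance exceeded"      # a response plan should already be in motion
    return "beyond capacity"


# Constructed sample portfolio (not from the article): two force-ranked objectives.
SAMPLE_OBJECTIVES = [
    Objective("Launch product line", rank=1, appetite=6, tolerance=12, risks=[
        Risk("Key supplier failure", likelihood=4, impact=5),
        Risk("Engineering staff turnover", likelihood=3, impact=3),
        Risk("Minor tooling outage", likelihood=2, impact=2),
    ]),
    Objective("Enter new region", rank=2, appetite=6, tolerance=12, risks=[
        Risk("Adverse regulatory change", likelihood=5, impact=5),
    ]),
]


if __name__ == "__main__":
    for objective, risk, b, score, excess in prioritize(SAMPLE_OBJECTIVES):
        print(f"{objective:22} {b:8} {risk:30} score={score:2} over_target={excess:+d}")
    print(metric_status(value=8, appetite=5, tolerance=10, capacity=15))
```

Note that the sample’s highest-scoring risk (score 25 under the second-ranked objective) lands last in the ordered list, because the objective ranking is applied before the risk score; changing the executives’ force rank reorders the whole list without touching any risk assessment.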
#7 Whose responsibility is it to prioritize objectives and risks within them?
It’s a common misconception that ERM is in charge of actually prioritizing and managing risks.
What ERM does is gather information, analyze it, and then piece it all together to provide executive leaders and business units with a holistic view of risks within the company’s objectives.
Executives and business leaders are the individuals responsible for prioritizing which objectives are most important. They are also responsible for setting the risk appetite, tolerance, and capacity. ERM can make recommendations, but the business must make the decisions on the levels to determine acceptability.
It’s up to someone assigned earlier on, the risk owner, to actually monitor and take action as needed. ERM is there to support the business, but absent a couple of exceptions, it is not ERM’s responsibility to actually manage risks. This is not to imply that one person, the risk owner, has to shoulder this responsibility all on their own.
A previous article on assigning a risk owner discusses this in greater detail.
#8 Why not simply merge risk analysis with risk assessment?
While a lot of resources suggest combining risk assessment and risk analysis, and many companies do just that for the sake of time, this combined approach is rife with all kinds of drawbacks.
This could really take up an entire article on its own (idea!), but the reason why these processes should remain separate really boils down to exhaustion.
When we do something for a while, like our everyday jobs, it becomes easier over time. Our brains essentially become used to a certain task and therefore aren’t terribly taxed by it.
However, when bringing people together for risk assessment or analysis, you’re asking them to think in ways they’re not used to thinking, which eventually creates exhaustion. By their nature, ERM processes are very mentally taxing because they largely employ what Daniel Kahneman refers to as System 2 thinking in his book Thinking, Fast and Slow, which explains…
“System 2 allocates attention to the effortful mental activities that demand it, including complex computations. The operations of System 2 are often associated with the subjective experience of agency, choice, and concentration.”
If participants are exhausted, they will likely not put in the effort needed to get the best results possible, and the quality of insights that are ultimately produced will suffer. System 2 thinking exhaustion can lead to poor decision-making, impulsive behavior, and other negative outcomes.
As you can probably tell, analyzing risks to determine where your company should focus its efforts is a pretty tall order, but it is necessary for ensuring future efforts have the maximum possible benefit.
And like we said earlier, the best way to do this is to consider risks in the context of the company’s top drivers for value creation and preservation. Any other way carries a greater chance of wasted resources that ultimately yields nothing.
Does your company assign risks to objectives before prioritizing them based on impact only, or do you prioritize a list simply based on risk score?
To share your thoughts on this topic, we invite you to join the conversation on LinkedIn.
If your company is struggling to make sense of risk analysis in an effective and efficient way, please reach out to discuss your current status and steps you can consider for helping you get unstuck.
Featured image courtesy of Craig Pattenaude via Unsplash.com