When asking a question, isn’t it awkward when all you get is a blank stare in return?
It certainly felt awkward at points when asking different business units specific risk questions in my early career as an ERM practitioner. Whenever I would use risk terminology with an executive or manager, all I would frequently get back is a confused look.
As risk professionals, there are probably several areas where we could relate, which it is so important to speak in a language the business can understand.
One such term/concept my colleagues found especially baffling was the concept of inherent risk. I briefly mentioned this term in a recent article on the low-hanging fruit of identifying opportunities but felt it warranted further explanation.
One of the first steps in the risk assessment process is understanding where a risk currently stands.
Inherent risk refers to the number of existing risks in the absence of any controls or actions that are implemented to address or reduce their impact, i.e. the raw risks.
As a theory or concept, this definition makes sense to risk professionals like you and me, but in real-world practice…
Inherent risk is just too confusing for business units to understand, much less provide anything useful for a risk assessment.
Basically, what inherent risk is asking is what would a specific potential event look like if there were no mitigations or controls in place whatsoever. Dr. Carl Gibson of the Australian Risk Policy Institute explains why this is problematic when he says:
If we cannot accept that risk (as a concept that we are most familiar with) is a social construct (i.e. risk is created in the mind to explain certain aspects of uncertainty and possible futures), then how can risk be inherent? It is just risk.
Most business areas can’t really imagine a situation where no mitigations or controls are in place as it would mean having to consider a situation where the person(s) role did not exist.
Consider this first-hand example from asking my (former) company’s IT department about inherent risk.
The IT Security personnel were bewildered when asked to consider a risk of being hacked without a firewall, penetration testing, and other common security measures. He had to assume that standard practices for a company using a computer network didn’t exist, which was impossible since no one in their right mind would open their network to the world like that.
Another example is talent – most companies promote a positive culture and focus on having competitive pay/benefits. If we try to apply the “inherent risk” lens to this, it can be construed that the company promotes a toxic culture and pays their workers next to nothing.
Besides confusion, what sometimes happens in this situation is the business will just grab a number out of thin air. This approach is not only useless, but potentially dangerous, or as Dr. Gibson puts it:
If all controls are removed then any modelling of risk will tend to the highest possible consequence with an almost certain probability. How does this add value to any risk assessment?
I completely agree with Dr. Gibson’s statement and have been thinking it for years!
However, this isn’t the only issue with using the inherent and residual risk assessment approach. (Residual risk is what is left over after any mitigations or controls.)
Typically, companies try to insert calculations to demonstrate the effectiveness of mitigations and controls on a specific risk. However, what kind of effectiveness calculation can be uniform across the organization regardless of the risk?
As Dr. Gibson hints at above, how can you obtain a realistic figure for residual risk when it is so challenging for the business to understand the concept of inherent risk in the first place?
Understanding a risk’s current status is a vital prep step of any risk assessment; it’s all in how you ask the question(s).
After speaking with my company’s IT department and getting that awkward feeling that comes with someone’s blank stare at you, it became clear that a different approach was needed.
Instead of trying to make a square peg fit into a round hole by asking the business area to rate inherent risk, questions were modified to ask “where are we today?”.
In the end, that’s what we as risk professionals need to know to do our jobs effectively, namely:
- Where are we today?
- Does this align with where we want to be?
- If not, what do we need to do to get it there and is that worth the effort?
This approach gets into some really complicated subjects like risk appetite, but when presented in a way the business can relate to, a robust conversation that yields valuable insights is the result.
The business can speak fluently about what they are experiencing, what they are already doing, and whether anything needs to change to get the risk to where they and company leaders want it to be. If the risk is in a good place, then the conversation can then shift to risk monitoring.
As you can see, the concept of inherent risk is a prime example of why following best practices can do more harm than good in many cases. Trying to get a business area to visualize and explain a risk without any controls whatsoever can lead to confusion and information that is not only useless, but potentially harmful.
Scrapping the idea of inherent risk and instead just approaching the business with basic questions about where things currently stand and where they need to go will produce much better insights for helping ERM fulfill its role.
Have you ever tried discussing inherent risk with business units at your company? What methods have you tried to better understand the current state of a risk?
To share your thoughts and insights on this topic, please feel free to leave a comment below or join the conversation on LinkedIn.
And lastly, if you’re struggling to determine the best way to understand the current state of risk(s) in your company so you can conduct a proper assessment and analysis, please don’t hesitate to reach out to me today to begin discussing your current status and where things need to be.
Featured image courtesy of Cotton Bro Studio via Pexels.com