No ERM process that is effective at helping a company understand threats and opportunities to achieving objectives is going to just create a list of risks. While that may be sufficient for a regulator, it means absolutely nothing for helping executives run the organization better.
After identification, companies then take the vital step of assessing risks to understand which ones they should prioritize. After all, how will you know the company is focusing on the right risks and opportunities?
Broadly speaking, there are two methods for assessing risks – qualitative and quantitative.
Qualitative assessment uses descriptive elements to rank a particular risk, usually in the form of a 1-5 scale or high, medium, or low, while quantitative uses hard numbers such as a dollar impact or some other metric.
Qualitative methods are by far the most commonly used, but as many risk management thought leaders contend, it is fraught with bias and only provides a static view of risk and is therefore not useful for decision-making. Quantitative methods are considered to be more objective and provide a better understanding of how risks impact the organization, but they do require some level of data analysis and modeling capabilities that many organizations simply do not have.
However, this is not the primary reason why many organizations shun quantitative risk assessment methods.
It’s a common perception that only select industries, like numbers-based financial services and manufacturing companies, are equipped to take advantage of quantitative risk assessment.
Banks have a treasure trove of metrics to pull data from such as loan default rate, interest income, reserve ratios, and more. Second to that, manufacturing has a variety of metrics they use for understanding performance and efficiency, including throughput, capacity utilization, reportable health and safely incidents, and much more.
While financial firms have the most experience with quantitative assessment, the truth is every organization, regardless of industry or sector, is going to have data they can use…
Unless you are strictly paper-based (I sincerely hope you are not in this day and age), every organization in every sector and industry will have numbers. This can include numbers around financial performance (fundraising in the case of a non-profit), employee retention and turnover, and customer service metrics (such as calls per week or what is known as a Net Promoter Score).
If used and communicated properly, these numbers can tell a more robust, actionable story about risks than any qualitative 1-5 or low-medium-high ranking.
Let me elaborate…
In a typical, qualitative risk assessment, executives and business unit leaders are asked to rank the impact and likelihood of a risk. With these static scores in hand, a heat map can be developed, which according to COSO, is simply “…a graphical representation of likelihood and impact of one or more risks.”
The problem with heat maps and other similar graphical representations is that they assume risks exist in one spot on a graph. This can be misleading and even dangerous to an extent since impacts can change based on the likelihood of an event.
The ultimate goal of quantifying risks is to understand likelihood of success…
In his latest book Decide to Succeed: Why and How to Apply Effective Decision Risk Management, Hans Læssøe explains:
The purpose of risk managing a decision is to enhance the outcome, and hence your focus is not to be focused on the uncertainty, risk or opportunity itself – but on the performance parameter of your decision/project.
As I explore in this post and repeat often, risk professionals must communicate in a language decision-makers can appreciate and understand. Therefore, the measurement of risks must be done in a way that matters to executives. When used correctly and in the right context, data can support this process.
Here’s how it should roughly work…
Your organization has a goal (e.g., increase revenue) and different objectives for reaching this goal (e.g., develop new products, repurpose existing products to new market).
You as the risk professional, in coordination with relevant stakeholders, can develop scenarios around these objectives. As I explain in a previous post on essential questions for effective scenario planning, the high-level purpose is to ensure goals and objectives are the right ones.
Risks can then be identified around these scenarios. Any relevant data can be used to develop models or Monte Carlo simulations that can then determine the likelihood of a particular objective being met.
Here’s one example from Hans’ book that provides some concrete numbers on the likelihood of meeting specific targets of a project:
From this chart, we can see that there is a 57% chance a project will be finished within the desired time frame and an 82% chance the project will come within acceptable budget targets. Executives can take this information to determine if the project should move forward as-is, be modified, or abandoned.
But how can I get data?
In order for models and simulations to work though, you must have data, which gets us back to the heart of today’s topic.
Like I said earlier, every organization is going to have data. However, even without direct numbers like revenue or customer satisfaction, it is possible to assign numerical values to a variety of intangibles, including reputation. Other examples of intangibles besides reputation include management effectiveness, research productivity, political uncertainty – the list is endless.
The book (…and accompanying workbook) How to Measure Anything: Finding the Value of “Intangibles” in Business by Douglas Hubbard provides tools and methods organizations can use to put numbers to a variety of metrics.
As his book explains though, the purpose of measuring and analyzing for decision-making isn’t to produce a perfect result, but to reduce uncertainty so executives can make the best decision possible.
While it would be wise to not rush into modeling, quantitative methods are increasingly becoming more essential, especially as the world continues moving toward more and more automation and society has less tolerance for problems or missteps.
How does your organization overcome the data challenge to assess risks for executive decision-making?
To share your thoughts on this interesting topic, feel free to leave a comment below or join the conversation on LinkedIn.
And if your organization is struggling to understand how it can use number-based, quantitative assessment methods to make better informed decisions, please reach out to me to schedule a call.
Sign Up For Our Newsletter
Sign Up For Our Newsletter
Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
Most Recent Posts
Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…Read More
As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…Read More
Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…Read More
Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…Read More
On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…Read More
Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…Read More
Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…Read More
One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…Read More
It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…Read More
If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…Read More