In order to build a successful enterprise risk management practice, one must effectively navigate organizational politics, manage long-term projects, and gain widespread organizational support. However, the true art and science of risk management lies in the methods chosen to measure risk. Because you can’t manage what you can’t measure, risk management collapses without high-quality measurement.
Despite the proven success of risk measurement efforts in organizations all over the world, skepticism persists – even among the world’s largest companies and top consulting firms – as to whether formal risk management programs are worth the time and resources they require. This skepticism usually relates to common misconceptions about the risk management process: It’s all subjective, it’s overly complicated, and it’s a lot of effort to confirm what is already common knowledge.
To gain much-needed support from your colleagues, you must make it understood that risk measurement is not just based on subjective estimates, but can be supported by facts and data without being overly complicated. It’s also necessary to explain that even in successful, knowledgeable organizations, good risk management processes will always uncover useful information and perspectives beyond what is already known.
In order to design an effective risk management process, it is important to stay flexible and make sure your plans are compatible with business goals. An enterprise risk assessment methodology must reflect the specific resources, requirements and maturity level of different parts of the organization, while still meshing together at a high level, so each risk domain can be compared across the business. In fact, the biggest challenge in risk analysis is often building a measurement model that is practical enough to enable broad organizational participation, while still providing enough sophisticated information to support better executive-level decision making.
The type of information and the level of detail at which you measure risks will depend greatly on available resources and the information needs of your key stakeholders. Factors that may be considered when analyzing risk and formulating your own enterprise risk assessment template include the following:
- Risk impact - A risk’s impact is the effect it will have on the asset, process, objective or other target listed in the risk identification phase. A risk may be defined as having a single impact, such as financial loss, or a number of impacts, which may include operational, regulatory or strategic.
- Risk likelihood - You may use probability to measure likelihood, giving a score of 1 to an event that is certain to occur and a 0 to an event that will likely never occur. Risk likelihood may also be measured as the number of times the risk event is expected to occur within a certain period, or simply judged using a scale of high, medium or low.
- Control effectiveness - Many organizations look at both the magnitude of the risk itself (inherent risk) and the magnitude accounting for controls that may alter its impact and/or likelihood (residual risk). More sophisticated control measurements may also examine design and operational effectiveness as well as the percentage of risk reduced by each control.
- Risk preparedness - You may use preparedness as a control measurement, focusing specifically on reactive controls to lessen the impact of the risk. “Risk vulnerability,” often seen as the opposite of preparedness, is also a way to measure how susceptible an organization is to a risk event or condition.
- Risk urgency - Although not a traditional risk measurement, some organizations expand their likelihood measurements with a measurement of urgency. Urgency metrics consider how much time is likely to pass before a risk event in order to help prioritize treatment efforts. You may also consider the time over which a risk’s impact occurs.
- Cost/effort to treat - Measuring the costs and efforts required to treat a risk can also help prioritize treatment efforts. For example, if two risks have similar scores for each of the other measurements, the one with the lower cost to treat can be prioritized first in the response plan.
When choosing which factors to incorporate into your risk analysis, be sure to provide enough information to confidently decide whether to accept, avoid, mitigate, transfer, share or increase each risk. Keep in mind that the way risks are measured and visualized will vary greatly depending on the needs and expectations of those who will be consuming the information. For example, the criteria for risk scoring and visualization may range from basic qualitative analyses to a detailed financial breakdown. Conversations with executives or other business managers are necessary in order to discover your organization’s risk scoring needs. Ask stakeholders to describe the most important objectives and success metrics of their business unit or function, discuss the risks that will affect their abilities to achieve these objectives, then finally decide what risk information should be provided (along with more common factors like cost, performance, etc.) to improve the decision-making process.
If you think risk management is too complicated for your organization, rethink your assumptions. For simple domains of risk, it may be possible to collapse the risk identification and analysis stages into a single 30-minute conversation. However, in domains involving large-scale investments and risky opportunities, more sophisticated measurement is necessary. This variance is why it’s so important to understand the needs of key stakeholders and the types of decisions you hope to support across the business.
About the author:
Chris McClean is a senior analyst at Forrester Research, where he serves security and risk professionals. He will be speaking at Forrester’s upcoming Security & Risk Forum, Nov. 9-10, in Miami.