Where are there more homicides? Detroit or Michigan?
Most people would say Detroit, even though every murder in Detroit also takes place in Michigan. Our initial impressions, even those we have the utmost confidence in, can quickly and easily lead us astray. Avoiding such misconceptions is the value that risk assessments provide ERM programs.
Many risk managers we hear from rightfully criticize risk assessments designed around impact and likelihood as too subjective, high-level, and “fluffy” to provide meaningful analysis. These are accurate criticisms if high-level risk assessments are the first and last step of your ERM process, but true Enterprise Risk Management encompasses a great deal more, such as the monitoring of incidents and key performance metrics, the development of controls and contingency plans, and the integration of governance functions like vendor management and business continuity.
Those who recognize the need for ERM to encompass more than risk assessments are likely to ask: if risk assessments are only a small piece of the puzzle, why is it even necessary to conduct them?
That is where perception vs. reality comes in. Higher-level risk assessments, when conducted with standardized assessment criteria and an evaluation template, are designed to align organizational priorities and point you to the risks and controls that require more detailed analysis and monitoring.
The problem is that an organization’s resources are limited, and conducting deep analysis of all enterprise risk is both resource intensive and ineffective. But as we’ve shown, relying on intuition to determine the most critical business areas and functions is also risky.
Risk assessments provide a method for risk owners to elevate their concerns so that they can be handled appropriately and escalated in accordance with their relative risk. Even the process of relating risks to strategic objectives can unveil hidden dependencies and leading indicators that would have otherwise slipped through the cracks.
Their role in formalizing priorities is why Risk Assessments are one of the most critical first steps in establishing an ERM process.
For the Risk Management programs that have moved beyond risk assessments, we encourage the more holistic, detailed analysis that accompanies all mature ERM programs. Be wary, however, of the trap of bypassing these assessments.
Risk assessments are not a waste of resources; they’re a more effective way of allocating them.