When it comes to Enterprise Risk Management, there is a lot of jargon floating around, mostly because it’s a unique, rapidly growing industry. Not all of that jargon is necessarily industry-wide; organizations will sometimes use different terms for the same concept.
One example is the phrase risk-informed activities. We haven’t used this exact phrase in the past, but it certainly lines up with our central tenets; risk should be assessed across the enterprise and be a part of everyone’s job description. Employees on the so-called “front lines” are exposed to business risks every day, so it stands to reason that their day-to-day activities should be informed by risk.
In order to make risk-informed decisions, organizations must first use a risk-based solution to identify, assess, and evaluate organizational risks. These risks are often apparent to personnel on the front lines, so it’s a matter of aggregating data through a risk taxonomy and linking risks to goals and processes. The more comprehensive the taxonomy, the smaller the chances that critical risks will run undetected.
The United States Nuclear Regulatory Commission (NRC), for example, undertakes risk-informed activities; this means that before certain activities, like transporting and storing spent fuel, relevant parties are informed of the probability and consequences of potential risks. The answer to the question, “What can go wrong?” determines whether and to what degree an activity needs to be altered before execution.
LogicManager provides those same capabilities, permitting business owners to start with “What can go wrong?” Users can then associate those concerns with a common risk library, and prioritize them with standardized criteria for impact, likelihood, and control effectiveness.
Many approaches that qualify as “risk-informed” share a common characteristic; they emphasize the importance of identifying multiple organizational impacts (across different departments) that one risk may have. Since most risks affect multiple departments, calculating impact naturally factors in different touchpoints across the organization. LogicManager, for example, allows users to classify data by root cause, department, control, or performance goal. The value in a system is its ability to reveal commonalities – which might have gone undetected by linear spreadsheet analysis – and automatically pass notifications through to those responsible or affected.
One last element common to many “risk-informed” approaches is a focus on the cost of risk mitigation activities. All mitigation activities require money and time, and a risk manager needs to weigh that cost against the risk being mitigated. This is called a risk/reward tradeoff. As illustrated below (and adapted from this document by Steve Unwin and Pacific Northwest National Laboratory), controls must demonstrate a positive risk reward tradeoff (the “green” area of our chart).
No matter how effective a control is, as operating costs increase, the positive effect is negated. In the long run, the best way to determine whether a control is closer to point A or point B is through risk monitoring activities such as testing, metrics, and incident reporting.
As more industries, geographies, and disciplines adopt risk-based standards for solving common business challenges, we continue to be impressed by ERM’s return on investment..