Risk Identification: Root Cause
Strong Risk Identification Techniques: Starting With Root Cause
LogicManager provides organizations with a pre-built root-cause risk library. This library is entirely flexible, allowing organizations to use the risk identification techniques best suited to their organization. A centralized, accessible risk library simplifies the risk identification process. When multiple business areas identify the same issue, systemic risks as well as upstream and downstream dependencies can easily be identified and mitigated. This method also identifies areas that would benefit from centralized controls, which eliminates the extra work of maintaining separate activity-level controls.
Centralized controls are extremely important from an efficiency standpoint; the more you can accomplish with a set number of controls (rather than designing a larger number of unique controls), the fewer tests and metrics you’ll need to run and collect, respectively.
LogicManager’s complete root-cause library also includes best-practice compliance and performance-balanced scorecard indicators. You can add to your library over time, receiving updates on emerging risks or new standards.
What Is Root Cause?
The most effective risk identification techniques focus on root cause, which tells us why an event occurs. Identifying the root cause of a risk provides information about what triggers a loss and where an organization is vulnerable. Using root source categories provides meaningful feedback: What steps should be taken to most effectively mitigate risk? Identifying risk based on the effect or outcome often leads to ineffective mitigation activities.
Mitigation activities should be aimed at root cause and will differ depending on the source of risk. If illness is causing us to have headaches, seeing a doctor is the appropriate mitigation activity. However, if headaches are caused by a lack of sleep, we should try going to bed earlier.
For example, a risk event may be that you have a headache, and one way to mitigate a headache is to take a painkiller. The painkiller will make the headache go away, but it does not help prevent future headaches. In order to prevent a headache, we need to know why we have one. Armed with the knowledge of the source of a risk, we can proactively manage risk and avoid future risk events.
In this simple example, it’s easy to see why creating controls based on the risk event or outcome (not the root cause) can lead to very ineffective mitigation activities.