Effective Risk Prioritization Is Key to Effective Risk Mitigation
Steven Minsky | March 15, 2016
A big mistake in risk management, especially when it comes to companies with newer programs, is underestimating the importance of standardized risk prioritization. Diving into identification and assessments without a sufficient framework inhibits prioritization. This can result in ineffective risk mitigation and duplicate work across departments, or even serious risks flying under the radar.
The possibility of “missing” a serious risk is a disturbing one, but it’s impossible to be completely certain about everything that touches your business. This is why the risk identification process is so important.
Understanding Risk vs. Uncertainty
This is why thinking about risk versus uncertainty is important. They are closely related, but are not one and the same; “uncertainty” has a broader scope. It is the lack of knowledge about a particular event’s outcome, and exists for every individual and every organization.
Part of a risk manager’s job is to create a risk assessment plan to determine which ones are likely enough and could have a serious enough impact to warrant mitigation. When an uncertainty reaches a particular threshold of likelihood and impact, the company recognizes it as a risk that needs to be mitigated.
Enterprise risk management is the best way of quantifying and preparing for an uncertain future, or in other words, Managing Tomorrow’s Surprises Today®. Rather than being too conservative with risk identification and assessments (a dangerous practice) to avoid wasting resources, it is best to instead improve the processes’ efficiency and effectiveness.
A risk taxonomy framework, which you can read more about in another blog post, will standardize each department’s approach to risk prioritization. Using the same criteria and scale enables information to be collected, aggregated and compared enterprise-wide in a manner that is accessible and understandable to previously uninvolved personnel. A standard scale and common root-cause library will also reveal high-level risks that do affect multiple business areas, making prioritization systematic.
Utilizing a Risk Prioritization Matrix For Standardized Assessments
When assessing identified risks, we recommend a scale that provides as much detail as possible. Consider the following risk assessment matrix (adapted from a Wikipedia page):
Even with criteria assigned to each “tier,” some ambiguity remains. A risk with a score of “Likely x Minor,” for example, may warrant less mitigation effort than a risk with a score of “Unlikely x Serious.” The reverse might also be true, but neither reality is reflected by the matrix.
For greater insight into your risk register, consider the next risk prioritization matrix, which is the most frequent scale used by LogicManager customers:
Breaking each impact and likelihood “bucket” into two options makes it possible to think about risk in a more dynamic manner, and enables users to select the high or the low of each category. This makes risk prioritization easier and more specific, which in turn allows for more targeted resource allocation.
The key is implementing a level of granularity that makes sense for your business and that assists with prioritization.
Frequently Asked Questions
What is Risk Prioritization?
Risk prioritization is the process of determining which risk you should act upon first. This should be based on the likelihood of a risk and the impact that it would make.
How To Prioritize Risks?
Risk prioritization can be achieved by evaluating the risks against your business to determine which are more likely to occur and which will have a higher impact. A risk prioritization matrix can be used for evaluation.