
Manage Tomorrow's Surprises Today

Steven Minsky

Why are Risk-Informed Activities Crucial for Organizations?


[Image: Performing risk-informed activities]

When it comes to Enterprise Risk Management, there is a lot of jargon floating around, mostly because it's a unique, rapidly growing industry. Not all of that jargon is necessarily industry-wide; organizations will sometimes use different terms for the same concept.

One example is the phrase risk-informed activities. We haven't used this exact phrase in the past, but it certainly lines up with our central tenets; risk should be assessed across the enterprise and be a part of everyone's job description. Employees on the so-called "front lines" are exposed to business risks every day, so it stands to reason that their day-to-day activities should be informed by risk.

In order to make risk-informed decisions, organizations must first use a risk-based solution to identify, assess, and evaluate organizational risks. These risks are often apparent to personnel on the front lines, so it's a matter of aggregating data through a risk taxonomy and linking risks to goals and processes. The more comprehensive the taxonomy, the smaller the chances that critical risks will run undetected.

The United States Nuclear Regulatory Commission (NRC), for example, undertakes risk-informed activities; this means that before certain activities, like transporting and storing spent fuel, relevant parties are informed of the probability and consequences of potential risks. The answer to the question, "What can go wrong?" determines whether and to what degree an activity needs to be altered before execution.

LogicManager provides those same capabilities, permitting business owners to start with "What can go wrong?" Users can then associate those concerns with a common risk library, and prioritize them with standardized criteria for impact, likelihood, and control effectiveness.

Many approaches that qualify as "risk-informed" share a common characteristic; they emphasize the importance of identifying multiple organizational impacts (across different departments) that one risk may have. Since most risks affect multiple departments, calculating impact naturally factors in different touchpoints across the organization. LogicManager, for example, allows users to classify data by root cause, department, control, or performance goal. The value in a system is its ability to reveal commonalities - which might have gone undetected by linear spreadsheet analysis - and automatically pass notifications through to those responsible or affected.

One last element common to many "risk-informed" approaches is a focus on the cost of mitigation activities. All mitigation activities require money and time, and a risk manager needs to weigh that cost against the risk being mitigated. This is called a risk/reward trade-off. As illustrated below (and adapted from this document by Steve Unwin and Pacific Northwest National Laboratory), controls must demonstrate a positive risk/reward trade-off (the "green" area of our chart).

[Chart: risk-informed activities and cost]

No matter how effective a control is, as operating costs increase, the positive effect is negated. In the long run, the best way to determine whether a control is closer to point A or point B is through monitoring activities such as risk-prioritized testing, metrics, and incident reporting.

As more industries, geographies, and disciplines adopt risk-based standards for solving common business challenges, we continue to be impressed by ERM's return on investment.

To learn more about how a risk-based, software-as-a-service solution is used in practice, read our three-page customer case study.



In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
