We use cookies and other similar technologies (Cookies) to enhance your experience and to provide you with relevant content and ads. By using our website, you are agreeing to the use of Cookies. You can change your settings at any time. Cookie Policy.

Manage Tomorrow's Surprises Today

Steven Minsky

Effective Risk Prioritization is Key to Effective Risk Mitigation

Vote 0 Votes
A big mistake in risk management, especially when it comes to companies with newer programs, is underestimating the importance of standardized risk prioritization. Diving into identification and assessments without a sufficient framework inhibits prioritization. This can result in ineffective risk mitigation activities and duplicate work across departments, or even serious risks flying under the radar. The possibility of "missing" a serious risk is a disturbing one, but it's impossible to be completely certain about everything that touches your business.

Understanding Risk vs. Uncertainty

This is why thinking about risk versus uncertainty is important. They are closely related, but are not one and the same; "uncertainty" has a broader scope. It is the lack of knowledge about a particular event's outcome, and exists for every individual and every organization. Part of a risk manager's job is to evaluate those uncertainties and determine which ones are likely enough and could have a serious enough impact to warrant mitigation. When an uncertainty reaches a particular threshold of likelihood and impact, the company recognizes it as a risk that needs to be mitigated.

Enterprise risk management is the best way of quantifying and preparing for an uncertain future, or in other words, Managing Tomorrow's Surprises Today®. Rather than being too conservative with risk identification and assessments (a dangerous practice) to avoid wasting resources, it is best to instead improve the processes' efficiency and effectiveness.

A taxonomy framework, which you can read more about in another blog post, will standardize each department's approach to risk prioritization. Using the same criteria and scale enables information to be collected, aggregated and compared enterprise-wide in a manner that is accessible and understandable to previously uninvolved personnel. A standard scale and common root-cause library will also reveal high-level risks that do affect multiple business areas, making prioritization systematic.

How Standardized Assessments Support Risk Prioritization

When assessing identified risks, we recommend a scale that provides as much detail as possible. Consider the following risk matrix (adapted from a Wikipedia page):

5 Point Risk Matrix.png

Even with criteria assigned to each "tier," some ambiguity remains. A risk with a score of "Likely x Minor," for example, may warrant less mitigation effort than a risk with a score of "Unlikely x Serious." The reverse might also be true, but neither reality is reflected by the matrix.

For greater insight into your risk register, consider the next matrix, which is the most frequent scale used by LogicManager customers:

10 Point Risk Matrix.png

Breaking each impact and likelihood "bucket" into two options makes it possible to think about risk in a more dynamic manner, and enables users to select the high or the low of each category. This makes risk prioritization easier and more specific, which in turn allows for more targeted resource allocation.

The key is implementing a level of granularity that makes sense for your business and that assists with prioritization.

For a more detailed look at how to improve your organization's risk prioritization strategy, download our free eBook: 5 Steps for Better Risk Assessments.

Leave a comment

In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc. the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.

Recently Commented On

Monthly Archives