The Intersection of Human Factors, Accidents, Security and Business
Spafford Global Consulting - A Technology Business Consultancy Focusing on Human Factors, Accidents and Security
People are the key to success!


Risk Management Isn’t a Silver Bullet

By: George Spafford

November 20, 2006

Risk Management is meant to provide a systematic means to identify threats, assess their probability and impacts, and then track their mitigation and levels of residual risk in such a manner that management decisions can be made. Unfortunately, a number of groups have attempted to implement a formal risk management process only to find that it does not work – at least not for them. As a result, they have declared that risk management is flawed and not worth pursuing. This is alarming, as the truth is just the opposite – they need risk management, but they must also understand that supporting measures must be in place for it to be effective.

Risk Management is vital to organizations. As entities confront an increasing number of risks, they must have a means to rank them and identify what needs attention, the current level of residual risk, and so on. To be efficient, it must be at the entity level because, in the end, there is only business risk. Information Technologies represent threat vectors, but IT is not the business overall, and hence doing isolated “IT Risk Management” will have limited success. What we are really talking about is the need for Enterprise Risk Management (ERM), but we will generically refer to it as “Risk Management” for now.

Organizations need to optimize risks across functional areas rather than overemphasizing local optimization, which can result in an unbalanced system. For example, IT can unplug all the servers from the networks, turn the power off, lock the doors and post guards. In this absurd scenario the servers are secure, but the business overall is placed at risk. For this reason, risks are managed based on business decisions that have inputs from informed stakeholders.

With that said, there are reasons why groups are having problems with Risk Management. Let’s take a moment and review some considerations at a high level.

Process Design

Risk Management is a process that needs to be properly designed and implemented for the organization in question. As such, there are a number of points for consideration:

  • What is the objective of the process? If you don’t know what is desired, then the process design is flawed, if not impossible, from the start.
  • Who are the stakeholders and what are their requirements?
  • In order to achieve the process’ objective, what inputs from other areas are needed?
  • Similarly, what outputs are needed?
  • How will we calculate risks in a manner meaningful to the stakeholders?
  • Given the inputs and outputs, what activities are needed?
  • What are the roles and responsibilities associated with the process?
  • There are many best practice reference sources that can be used for comparison. How the process is designed and implemented depends on the needs of the organization.

Requires Organizational Change

Implementing any process necessitates organizational change. The Risk Management process is no different. Stakeholders need to be identified, management support given, proper funding allocated, effective training provided, and so on. The “soft” people skills are very much needed to roll out a new process and ensure it is adopted and achieves its intended objectives.

Effective Communication

Risk management must be teamed with effective communications upwards to senior management, across functional areas and downwards to the rank and file. If the risk data just disappears into a seeming black hole and is never dealt with, then the value proposition of risk management will fall apart. If risks can’t be identified, scored, reviewed and acted upon, with those actions being communicated, then there’s very little value.

Incidentally, one of the benefits accrued by organizations that implement Risk Management is improved communication and understanding, both vertically and horizontally within the organization. Risks that had formerly been identified and addressed in a silo are communicated across groups, and mitigation options and their status can be discussed as well.

Risk Model

The method used to assess risks must be carefully thought out based on the objective of the process. Will it be the probability of the risk multiplied by the impact to the organization? Will it use a weighted average across several impact areas?

There are many ways to calculate risk scores but it is very important that the model be understandable and that stakeholders agree not just on the model but also on the numeric values used as inputs to generate the risk score. For example, one equals low probability and five means the risk is extremely likely to occur.

Without a fundamental understanding of, and agreement on, how risk scores are generated, the risk management process will break down. We need risk management to help us understand priorities, and if the values aren’t supported, then the scores are moot.
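As an added illustration of the two scoring options raised above (not code from the article or from Spafford Global Consulting), the following Python scores a constructed three-risk register under both a probability-times-worst-impact model and a probability-times-weighted-impact model, enforces the agreed 1-5 scale, and ranks inherent and residual scores. The risk names, weights and numeric values are hypothetical.

```python
from dataclasses import dataclass

# Agreed scale, as the article suggests: 1 = low, 5 = extremely likely / severe.
SCALE_MIN, SCALE_MAX = 1, 5

@dataclass
class Risk:
    name: str
    probability: int       # agreed 1..5 likelihood
    impacts: dict          # impact area -> agreed 1..5 severity
    control_effect: float  # agreed fraction (0..1) by which current mitigation reduces the score

def _check_scale(value, label):
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label}={value} is outside the agreed {SCALE_MIN}-{SCALE_MAX} scale")

def score_max_impact(risk, weights=None):
    """Model A: probability multiplied by the single worst impact (weights ignored)."""
    _check_scale(risk.probability, "probability")
    for area, value in risk.impacts.items():
        _check_scale(value, area)
    return risk.probability * max(risk.impacts.values())

def score_weighted_impact(risk, weights):
    """Model B: probability multiplied by a weighted average across impact areas."""
    _check_scale(risk.probability, "probability")
    missing = set(weights) - set(risk.impacts)
    if missing:
        raise ValueError(f"{risk.name}: no impact agreed for {sorted(missing)}")
    for area in weights:
        _check_scale(risk.impacts[area], area)
    avg = sum(risk.impacts[a] * w for a, w in weights.items()) / sum(weights.values())
    return risk.probability * avg

def rank(risks, model, weights=None):
    """Return (name, inherent, residual) tuples, highest inherent score first."""
    rows = []
    for r in risks:
        inherent = model(r, weights)
        rows.append((r.name, inherent, inherent * (1 - r.control_effect)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed register of three risks (hypothetical values, not from the article).
REGISTER = [
    Risk("Unpatched internet-facing server", 4, {"financial": 4, "operational": 4, "reputational": 3}, 0.5),
    Risk("Key supplier insolvency", 2, {"financial": 5, "operational": 4, "reputational": 2}, 0.25),
    Risk("Lost laptop, disk unencrypted", 5, {"financial": 1, "operational": 1, "reputational": 5}, 0.8),
]
WEIGHTS = {"financial": 0.5, "operational": 0.3, "reputational": 0.2}
```

Calling rank(REGISTER, score_max_impact) puts the laptop risk first (25), while rank(REGISTER, score_weighted_impact, WEIGHTS) puts the server first (15.2), which is exactly the kind of model choice stakeholders must agree on before the scores mean anything.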

Common Sense

Some argue that risk management is no substitute for common sense. Actually, the two must work together. Risk management is a formalized method that relies on sound judgment to identify, then score, review and decide mitigating actions on how to address risks. Risk management enables organizations to identify what to do first, second, and so on, and to answer the question “How much mitigating activity is good enough?” That answer is driven by what level of residual risk is deemed acceptable by management.

In conclusion, risk management isn’t a silver bullet that groups enact and then magically everything is solved. The implementation of risk management takes a lot of work to foster understanding, commitment and ultimately organizational change. The benefits of risk management include a shared understanding of risks and priorities and, best of all, a reasonable expectation that functional area objectives and organizational goals will be attained.





Copyright (C) Spafford Global Consulting, 2004-2008. All Rights Reserved.