We are used to identifying a risk, analyzing the potential consequences and their likelihood, and then establishing a ‘risk level’. We evaluate whether the level of risk is acceptable or not, based on risk appetite, risk criteria, or the like.
But is that sufficient?
Let’s imagine we are planning a trip from our home in Paris to Lyon. The plan is to take a taxi to the train station and then a fast train to Lyon. An uncle will meet the train and bring us to his home, where we will spend a few days.
You and your spouse assess the risks.
There’s a possibility that either of you or the kids will get sick. You assess that risk as low but will monitor it as the date gets closer.
Strikes in Paris are always a possibility and you are vulnerable to either a taxi or train strike. In addition, if the Metro workers go on strike finding a taxi will be hard. Again, you accept the risk but agree to monitor it.
Other risks include the possibility that your uncle or members of his family will be sick, or that either you or your spouse will be called into work to handle an emergency.
Overall, though, the risks are each assessed as low but need to be watched.
The week before the trip, two of your children start to show the symptoms of a bad cold. You are at home looking after them and have to make a decision. Will there be time to treat them so that it’s ok to travel rather than stay home? You decide that more likely than not they will recover in time and the risk is acceptable.
But meantime, your spouse is hearing from a manager that there’s a decent chance (maybe 30%) that a potential major deal will close in a couple of days. If that happens, you will need to cancel the vacation. Your spouse decides that the risk is acceptable.
That evening, you get together and share your assessments of the individual risks.
While each may be acceptable individually, the combination troubles you. You decide to check the weather and see that there’s a 30% chance of rain in Lyon for each of the days you will be there.
Overall, you decide it is better to cancel. The overall situation is not to your liking. You are not going to take the risk.
The same thing can happen with a business situation.
If your company is considering opening an office in Japan, you might identify a number of risks such as:
- Inability to hire Japanese-speaking employees with the experience and contacts necessary to make the new office a success
- The ‘stickiness’ of Japanese companies when it comes to being open to buying products from you rather than their traditional Japanese vendors
- The ability to deliver products to the Japanese market, given the long supply chain from your factories in Europe
- The level of competition from your competitors, including the possibility of their lowering prices to keep you out
- Your unfamiliarity with Japanese customs and regulations, leading to potential compliance risk
- The increase in cyber risk from extending the network into Japan, especially as you expect the staff there to need Japanese language cloud-based systems
- The additional cost of providing materials in the Japanese language
- The ability to find warehouses with the necessary conditions to support sales in Japan
Each of these might be assessed separately, perhaps by different teams.
While each may seem to be individually acceptable, it is possible that the aggregate effect is such that there’s an unacceptable level of risk of failure.
Why is this important?
A risk register or heat map that focuses on individual risks does not easily support business decisions like this.
Your thoughts? How do you address this?
Norman D. Marks, CPA, CRMA
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA (see all)
- Delivering value from IT audit - September 22, 2021
- Selecting software for risk management - August 18, 2021
- Talking sense about the audit committee - July 21, 2021
