I recently listened to a new video by my friend, Alex Sidorenko. In How often [should] the risk assessments be performed, he makes some solid points, including:
- Our environment is volatile and performing risk workshops that take days and result in a risk assessment on an annual basis is not very useful.
- Even risk assessments that are more frequent, from quarterly to monthly or weekly, can also be out of date when risk is changing every day.
- The consideration of risk should be integrated into every business process, and performed at the speed of those processes.
- The consideration of risk should be part of every decision made every day across (my words) the extended enterprise.
- The risk practitioner needs the tools to help decision-makers consider risk at speed, within minutes if possible.
The comment I left on his related LinkedIn post was that risk should be assessed at the combined speed of risk and of the business. Let me explain:
- If your organization operates in a very stable environment, then changes may be few and slow to appear. Therefore, the need for considering and assessing what might happen (a far better term than the 4-letter ‘r’ word, risk) arises less frequently.
- But if either the external or internal environment (context, in ISO language) changes frequently, or if significant decisions are made pretty much daily, then that look forward needs to happen at least as often and as fast as the decisions are being made.
You are running a booth, showcasing your products and services, at a trade show. If the traffic is slow, you can relax to a degree and watch for potential visitors or trade show staff as you drink your coffee. But, if there is a lot of traffic, you have to be on high alert, both for potential customers that you can engage and for trade show staff who might want to curtail your operations because your signage is not in compliance with their rules.
If there is a lot of traffic, you need not only to be watching continuously but you might need to bring in additional resources so you can either seize opportunities or respond to threats.
Unfortunately, Alex’s video doesn’t tell the entire story. (Sorry, Alex).
I encourage everybody to subscribe to and watch his videos because he has an aptitude for challenging traditional practices and making you think. This time, he has good points but there is much more to say on this topic.
- His video only focuses on potential harms. If a decision is to be informed and intelligent, it needs to be based on reliable information on both the opportunities and threats. Decision-makers need to be able to balance the ‘risk and reward’ scenarios under each option.
- There is value in a periodic assessment of all the potential events and situations that may happen and their potential effect on the achievement of objectives. Changes in one source of risk may mean that the total picture has changed. The change has moved the potential threat (or opportunity) past a tipping point such that the overall situation has become unacceptable.
Let me clarify the second point.
In Making Business Sense of Technology Risk (which I recommend for all practitioners, not just those involved with technology-related risk), I have extended my discussions in earlier books to address the point that you can’t afford to assess individual sources of risk separately.
Here’s an excerpt:
Malcolm Gladwell made the term ‘tipping point’ famous with his 2000 book, The Tipping Point: How Little Things Can Make a Big Difference, although the term has been in use for much longer.
The Merriam-Webster dictionary defines it as:
The critical point in a situation, process, or system beyond which a significant and often unstoppable effect or change takes place
It has a significant meaning, although rarely discussed, when it comes to risk management, specifically when there are multiple sources of risk. Adding one more source of risk, even if it is considered low and acceptable, can change a decision,
Imagine the board is considering the acquisition of CZY Inc. The discussion with the CEO and her team is drawing to a close.
They have reviewed the projected benefits of the acquisition, including the likelihood of each.
They have also reviewed all the risks identified by the executive management team, assisted by the CRO.
The lead independent director comments:
“It looks like a close call. There is a good chance that this will be a success and help us achieve our long term strategies. But, there is no certainty.
“What have we not considered?
“I don’t see anything in here about information security. Would the acquisition increase the risk to our intellectual property or our customer information?”
The CEO turns to the CRO, who replies:
“We looked at cyber risk and how well information security is managed by CZY. While I don’t think it’s up to our standards, they are doing an acceptable job. We should be able to upgrade the combined network’s security to our standards within six months.”
The lead independent director is not pleased.
“I can appreciate that CZY’s cyber security risk may be low and generally acceptable; but when you consider our own cyber situation (which we decided earlier needs improvement), this may be ‘one risk too far’.”
The CEO looks around the table at the directors and summarizes what he sees them thinking.
“Before we considered the additional cyber risk from the acquisition, I was inclined to move forward with it. It was a close call. But, even though the additional risk is small, I am starting to think we should wait. Hopefully, we can address the risks and have another look at the acquisition in six months.”
The cyber risk has taken the total level of risk to and over the tipping point.
Now let’s consider an example in a more dynamic environment.
A customer has just called to say that they would like to delay their $500,000 order for your products by three months. The executive in charge of Sales is considering whether to try to hold the customer to their contract or allow the delay. He determines that if he allows the delay, then the results for the quarter will be affected, but that will be made up in the next quarter and the full year’s revenue and profits will remain as forecast. But, if he holds the customer to the contract, that might impact customer retention and the possibility of further large sales next year. An option is to offer a discount to the customer for proceeding on schedule, but he knows that senior management will be unwilling to accept the reduction in profits.
He decides to allow the customer to delay, but gains their agreement that they will open negotiations for a second major purchase next year.
The trouble is that the executive is not seeing the big picture.
The delay in executing the contract will also impact cash flow. The company has a major construction project that consuming a large amount of funds. The $500,000 delay could create a major problem when considered together with other issues, such as an unexpected increase in payments for vital materials.
The Sales executive doesn’t know that cash flow is tight and a major source of risk to the completion of the construction project – and that project is essential to the achievement of the company’s longer-range plan.
If decision-makers like the Sales executive were able to ‘add’ changes in specific sources of risk to the big picture (one that takes each objective and assesses, after considering what might happen, the likelihood of their success), a different decision might have been made. Even if the same decision was made, additional actions would have been taken to address the increased cash flow risk.
What I am saying is that a change in one source of risk can take the aggregate so-called ‘level of risk’ over the tipping point.
A periodic review that provides leadership with a perspective on whether objectives are likely to be achieved has great value.
- It can identify the need for strategic and, often, tactical decisions to address the situation – including changing strategies and plans.
- It enables tactical decisions to be made with a understanding of the big picture and how a change in a single source of risk can affect the aggregate acceptability of the situation.
I welcome your views and comments.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA (see all)
- How effective are your systems of governance, risk, and control/compliance (GRC)? - October 19, 2021
- Delivering value from IT audit - September 22, 2021
- Selecting software for risk management - August 18, 2021