
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | 2 Minutes Read March 15, 2023

The risk is assessed as high. So what?

While there may be a debate whether risk should be assessed using qualitative or quantitative measures, I believe that is answering the wrong question.

Knowing what the level of risk is, even whether it is an unacceptable level of risk, is insufficient information.

It doesn’t answer the questions of:

  1. Should I take the risk?
  2. How much should I invest to reduce the level of risk given the opportunity cost? (Assuming the best business decision is not to take more!)

These are simple questions to ask, but not so simple to answer.

They are essential questions to answer.

If all you wanted to do was to avoid risk, you would never buy a house, cross the street, drive a car, or get married.

There are reasons for doing all of these in our personal life, and there are reasons for taking risk in our business life.

People talk about risk management enabling decision-making and go on to talk about whether the level of risk is acceptable (using terms like risk appetite, limits, and criteria).

But in real life, whether personal or business, you need to answer both of my questions.

Resources are limited.

Every penny spent to mitigate one source of risk is a penny that cannot be spent mitigating another source of risk.

Every penny spent on mitigating risk comes at the expense of investing in opportunity.

Is it any surprise that surveys of CIOs report that they prefer, overall, to spend their limited budgets on new systems rather than on cybersecurity? They can see both the risk and the reward of each alternative use of scarce funds.

So I end this short post with another question:

Is your risk management activity helping executives and board members know which risks should be taken, and how much should be invested in each of the following?

  • Cybersecurity
  • Regulatory compliance
  • Safety
  • Marketing
  • Product development
  • Employee morale and development
  • Sales
  • Acquisitions
  • And so on

I try to provide something of a roadmap to answering my questions in my various books. I am currently working on one (due out next month) that is intended to help executives and board members figure out how much to invest in cyber.

I welcome your thoughts.

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Article by Norman D. Marks, CPA, CRMA / Business, Finance and Accounting, Information Technology / assessing risk, business risk, internal control, risk management


Copyright © 2009 - 2023 · First Reference Inc. · All Rights Reserved