This post discusses risk to objectives in terms of risk management.
I have written extensively about the disconnect between risk practitioners and executives when it comes to risk management.
I have urged practitioners to:
- Use the language of the business instead of risk techno-babble;
- Try to stop using the R word entirely! Try to talk instead about what might happen, is that OK, and what are we going to do about it?; and
- Focus on enabling intelligent and informed decision-making rather than a periodic list of risks (enterprise list management)
Now I have a new suggestion.
If you have to use the R word, add two more.
Instead of talking about risk, talk about risk to objectives.
Review of a list of risks to objectives and consider how much risk to objectives you are willing to take.
If you have to talk about risk appetite, talk instead about the appetite for risk to objectives.
Those simple two words make you focus, not on risk for its own sake, but how enterprise objectives might be affected.
Which objectives are “at risk”? Be specific if you want to drive the necessary actions.
Are you more or less likely to achieve them? Is that OK?
It’s not about managing risk – it’s about achieving objectives.
What do you think?
Would this improve the discussion?
It’s a simple thought but I think it can make a huge difference.
Do you agree?
- Useful ethics training for internal auditors - February 21, 2024
- Internal audit wastes so much time on policies, documentation, and more! - January 17, 2024
- The risk to an organization of technology debt or deficit - December 11, 2023