This post discusses risk to objectives in terms of risk management.
I have written extensively about the disconnect between risk practitioners and executives when it comes to risk management.
I have urged practitioners to:
- Use the language of the business instead of risk techno-babble;
- Try to stop using the R word entirely! Try to talk instead about what might happen, is that OK, and what are we going to do about it?; and
- Focus on enabling intelligent and informed decision-making rather than a periodic list of risks (enterprise list management)
Now I have a new suggestion.
If you have to use the R word, add two more.
Instead of talking about risk, talk about risk to objectives.
Review of a list of risks to objectives and consider how much risk to objectives you are willing to take.
If you have to talk about risk appetite, talk instead about the appetite for risk to objectives.
Those simple two words make you focus, not on risk for its own sake, but how enterprise objectives might be affected.
Which objectives are “at risk”? Be specific if you want to drive the necessary actions.
Are you more or less likely to achieve them? Is that OK?
It’s not about managing risk – it’s about achieving objectives.
What do you think?
Would this improve the discussion?
It’s a simple thought but I think it can make a huge difference.
Do you agree?
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
- A twist on risk appetite - September 21, 2022
- Upgrade to effective GRC - August 24, 2022
- Common sense on cybersecurity - July 20, 2022
