We don’t want to know what can go wrong
When I’m looking at a risk management implementation from an audit point of view, I often worry about two fundamentally opposite problems. On the one hand, I note that quite often the risk identification exercise is not conducted in a way that ensures completeness. Often-heard excuses are: “we don’t have the time” or “getting all the risks captured is not really relevant, now is it?” However, incomplete risk identification can lead to fundamental errors of judgment on priorities, because not all the risks that may affect that judgment are known or understood.
When we know what can go wrong, we assume it will go wrong
A second, almost opposite, risk is the attempt to manage too many of the identified risks. First, as stated in a number of prior posts, risks should ideally be managed by those responsible for the processes in which they can occur, the process owners. However, process owners may become overwhelmed by the perceived exposure to the multitude of risks identified.
Let’s be very clear. Ignoring risks because we refuse to spend time identifying and understanding them does not optimize the work of the process owner simply because he perceives fewer risks. No, it creates an illusion that all will be fine if only the identified risks are managed.
However, I have seen instances where the process owner or the risk manager tried to manage too many risks. Risk management then takes priority over actually achieving the objectives. In those situations, the tool has become more important than the purpose it was meant to serve, i.e. allowing the process owners to better achieve their objectives.
Key tools to optimize risk exposure
There are three important tools that can be used to mitigate these problems. Two of these are real tools to be used by the process owners, while one is a decision process conducted by management. Let’s explore them a bit more in detail.
Risk trigger lists
Risk trigger lists are lists of potential risks that can occur in specific activities, processes, divisions or organisations. I’ve even seen instances where a risk trigger list had been developed for a sector. A process owner can review the risk trigger list on a regular basis to ascertain he has a complete view of what is likely to go wrong in his area of responsibility. The risk trigger list aids the process owner in improving the degree of completeness in risk identification.
Root cause analysis
A root cause analysis allows a process owner or a group of process owners to assess how different identified risks (by means of the risk trigger lists) can impact one another. While the analysis of the interdependency between risks is interesting in its own right, the purpose of the exercise is to identify the minimal number of risks that need to be managed to optimize risk exposure. If information about costs of risk management measures is included, this tool can be used to assess the expected total cost of mitigating the risks to the optimal exposure level.
Risk management trade-off decision taking
As process owners go around identifying and understanding risks (by means of the risk trigger lists) and developing plans to reduce their exposure to optimal levels, management will be confronted with a multitude of calls for means. The demand for means will likely significantly exceed the available people, expertise and budgets. Management cannot cover all of these needs. Management will need to make choices and assume responsibility for those choices. It is the responsibility of each process owner to indicate the means he needs to optimally achieve his assigned objectives. If he needs more means to optimize his exposure, and management cannot give him access to those means, he needs to be able to demonstrate that he has acted with due diligence.
In conclusion
By combining these three elements, an organization will know which risks it is exposed to and how best to deal with those risks in order to optimize its exposure, and it will have made choices based on the available means. This is due diligence on the part of both managers and process owners.