GRC Tuesdays: Is it a Risk, a Cause or a Consequence?
Recently a midsize company, which had just embarked on a risk management journey and had started creating a risk register, shared their main concerns with me. After a couple of months running the program, they had already listed more than 500 risk events and they felt overwhelmed by what looked like a tidal wave.
After a rapid analysis it was clear that their risk register was not just recording risks, but also individual consequences, causes, and even previous incidents.
In my experience, this is very common in organizations that decide to implement a risk management process. It’s like the chicken and egg dilemma applied to the GRC area: what do you list first? In order to avoid such a situation, I often recommend a simple technique – start with a root cause analysis and make your way to an assessment of the potential negative effects. This way you will not only list the risks, but will also be able to document their associated causes and consequences.
To do this, why not try to use a “what-if” type of approach by answering the three questions below:
Three questions for a complete risk scenario
1. What could happen if a driver occurs? This will give you the potential negative situation you face, otherwise known as the risk.
   e.g. if you lose your key project manager, then you face the issue of a project delay
2. If the risk manifests, what would the consequence be?
   e.g. if there is a project delay, you face penalties of 10.000 EUR per day
3. Should this consequence occur, what objective would be endangered?
   e.g. if you lose 10.000 EUR per day, you would not be able to reach your targeted profitability
Based on the answers to these questions, the risks can be identified and entered in the risk register and their associated drivers, consequences, and endangered objectives documented.
Take into account the materiality level
There is still the possibility that you might record all potential negative events, even the ones that are not a real threat to you. The result could be that you are drowning in too much information. Here’s where I believe a risk management policy and framework can bring the appropriate response.
Many companies decide to record only the risks that have a certain materiality – also called level of significance – or that endanger at least one of their corporate objectives. I would strongly suggest writing the materiality level into a risk management policy distributed to all stakeholders. Setting this materiality level could be part of the board’s discussion on risk appetite, as these would be two important thresholds to help management take appropriate actions. Then, simply by comparing the materiality level with the consequences documented earlier for each risk, you can determine whether the risk deserves to be recorded or not.
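To make the two ideas above concrete (the driver → risk → consequence → objective chain from the three questions, and the materiality filter from this section), here is a small added example in Python. It is not code from the original post; it assumes a constructed materiality threshold of 5.000 EUR, a numeric estimate of each consequence in EUR, and a handful of constructed candidate scenarios alongside the project-delay example used in the post.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class RiskScenario:
    """One complete scenario built by answering the three what-if questions."""
    driver: str                          # question 1: what could occur (the cause)
    risk: str                            # question 1: the resulting negative situation
    consequence: str                     # question 2: what happens if the risk manifests
    consequence_eur: float               # constructed: estimated impact in EUR
    endangered_objective: Optional[str]  # question 3: None if no corporate objective at stake

def is_material(scenario: RiskScenario, materiality_eur: float) -> bool:
    """Apply the policy rule: record a risk if its consequence reaches the
    materiality level OR it endangers at least one corporate objective."""
    return (scenario.consequence_eur >= materiality_eur
            or scenario.endangered_objective is not None)

def build_register(scenarios: List[RiskScenario], materiality_eur: float) -> List[dict]:
    """Return register entries keyed by the risk, with driver, consequence and
    objective documented as attributes rather than as separate register lines."""
    register = []
    for s in scenarios:
        if not is_material(s, materiality_eur):
            continue  # below materiality and no objective at stake: not recorded
        register.append({
            "risk": s.risk,
            "driver": s.driver,
            "consequence": s.consequence,
            "consequence_eur": s.consequence_eur,
            "endangered_objective": s.endangered_objective,
        })
    return register

# Constructed candidate scenarios (the first one mirrors the post's example).
CANDIDATES = [
    RiskScenario("loss of the key project manager", "project delay",
                 "contractual penalties per day of delay", 10_000.0,
                 "targeted profitability"),
    RiskScenario("office printer outage", "delayed internal status reports",
                 "staff time lost reprinting", 300.0, None),
    RiskScenario("supplier fails a customer-mandated audit", "loss of certification",
                 "small re-audit fee, but key account contract at risk", 2_000.0,
                 "retention of key account"),
]

MATERIALITY_EUR = 5_000.0  # constructed threshold; in practice set in the risk policy

if __name__ == "__main__":
    for entry in build_register(CANDIDATES, MATERIALITY_EUR):
        print(entry)
```

Run as a script, only the project delay (above the threshold) and the certification loss (below the threshold but endangering an objective) are recorded; the printer outage is dropped, and each recorded line carries its driver and consequence as attributes instead of inflating the register with separate entries for them.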
Have you ever encountered a situation such as described above? If yes, how did you resolve it?
I look forward to reading your thoughts and comments either on this blog or on Twitter (@TFrenehard)!