GRC Tuesdays: Finding the Risks Worth Having

White water rafting on the Owyhee River --- Image by © Ocean/Corbis

The risk literature is full of promises that adopting risk management practices will prevent risk. There are, in fact, areas where risks are destructive and have little value-adding potential and should be avoided or minimized. There are other areas where deliberate risk taking is necessary even in the face of high inherent risk. How do we tell them apart?

Some Risks Are Worth Having

Risks are worth having if they’re undertaken consciously in the anticipation of gain. I’d estimate that no more than 20% (and probably far fewer) of the activities undertaken by any business are intended to create value. So the willing acceptance of high risk levels should be restricted to these areas.

The balance of an entity’s business activities might support the core value-adding activities, while not adding any value themselves. Still other activities support regulatory compliance.

Here’s an example. An aircraft manufacturer decides to invest heavily in a new technology and develop a completely new class of airplane, one that is lighter, faster, more spacious, and more fuel efficient. The business processes created to design and build the new aircraft are undertaken to add economic value and drive share prices higher. But the risks are enormous. It’s never been done before, but the upside is huge.

High levels of risk undertaken in the course of developing and manufacturing the new aircraft are worth taking if the return on investment (ROI) is favorable.

Some Risks Are Not Worth Having

Supporting the core value-adding processes in any business are countless other essential, but non-value-adding activities, such as procure to pay, building management, IT management, and many more.

If any of these activities fail, the consequences can be catastrophic. But even if they’re well managed, they’ll add little value. The risk is entirely downside. There is no upside.

Managing these risks well gets the company to zero, but not beyond. The goal is to manage the risk to an acceptable level at the lowest possible cost. Governance, risk, and compliance (GRC) won’t add value if it doesn’t start where the value lies.

Why the Difference Is Important

Understanding this difference is important because a huge proportion of GRC resources are consumed identifying, assessing, and managing risks that don’t add value. Risks that exist in non-value-adding activities by definition have no potential to add value. For example, there is no upside in accepting any significant cyber risk in a non-core activity. There is no upside in maintaining an accounts-payable system that allows duplicate payments or an unreliable inventory system.

Figure 1 below illustrates the problem. Strategic losses account for 86% of significant losses in market value. Auditors spend 6% of their time examining strategic risk.

Figure 1


Finding the Risks Worth Having

Figure 2 below is a variation of a diagram that has appeared and been explained in my blogs over the last several years, most recently in last year’s Three Lines of Defense blog. It’s explained even further in our free SAP GRC Strategy Selector App available from iTunes. (This app is being updated and is still in an experimental state. It was designed specifically to help drive the right GRC resource to the right risks. I’d be happy to explain it further in person if you’re interested.)

The graph below requires an assessment of two things: the level of a risk, and management’s willingness to accept a risk event resulting from that risk. Risks worth having are in the top right-hand quadrant.

Risks in the red zone depicted here should have upside value and should be managed with sophisticated risk management techniques and tools. Any risk in this quadrant that does not have upside value is an invitation to catastrophe. Any risk with upside value or opportunity that isn’t managed to achieve that value is an opportunity lost.

Figure 2


An Invitation

This is a little heavier content than I normally put in a blog. But we’re at the point where we really need some input and validation of our thinking.

Let me know what you think. Better yet, register for our SAP GRC Insider Conference in March and hear all about this approach and how it relates to the Three Lines of Defense. I look forward to getting your feedback there.
