GRC Tuesdays: When Is It OK to Have High Risks in Your Heat Map?
We all know those “red risks,” right? Those red risks that, high probability or not, systematically carry a significant negative impact if they manifest themselves and that scare everybody. Well, I was recently asked the question whether it was ever all right to accept them as they are or whether all attempts should be made to lower them—at any cost.
Being by nature quite risk averse myself, as you can imagine my first reaction was to say that they should be mitigated with a sound response strategy. And then I gave it some more thought…
As a matter of fact, I now think that in some cases you may have to accept that some events are high risk and that you can’t really lower them. And this is what I want to discuss in today’s blog.
What Are “Red” Risks?
First, let’s agree on what these “red risks” are. They are the events that, if they happen, will durably impact your business and may even jeopardize its sustainability in the short run.
They can be of two sorts:
- High Probability and High Impacts
  - You really shouldn’t have many of these, if any at all. Having them would indicate that your business is extremely risky and that impactful incidents can occur at any time. If that’s the case, sustainability is de facto endangered.
  - For these, I don’t think that it’s ever all right to accept them. Attempts should be made to lower the probability of occurrence or the impact.
- Low Probability but Catastrophic Impact
  - Now these are the ones I want to talk about. In many industries there can be a “disruptive event” that could cause them. Natural disasters of course come to mind, but with recent events, political and terrorist risks are also a reality that needs to be included in the context.
  - Here you can’t lower the probability, so you can only work on the impact. But even there, in some cases, it will be more economical to accept the risk than to try and mitigate it.
When Is It Appropriate to Simply Record and Monitor High Impact Risks?
As for any other risk, you have to ask yourself two questions. If it happens, what could be its impact on our objective? And what would this objective bring the company if we successfully achieve it?
In essence, what I am trying to convey is that there are two sides to the coin (here the objective). There is a positive aspect—usually referred to as the opportunity, and a negative one—the risk.
If your opportunity outruns your risk, then it’s worth taking it. Otherwise, it most definitely doesn’t make sense.
Now, once you have determined that taking the risk is justified from a business standpoint, you have to assess whether it’s possible to lower its negative impact. Indeed, the original question that I was asked was whether all attempts should be made to lower them at any cost.
You really have to do a return on investment (ROI) type of analysis on your response strategy. If the cost of the responses is higher than the potential impact of the risk itself, does it really make sense to mitigate it? If not, since we already agreed that you can’t lower the probability, you only have one choice—monitor occurrences and prepare for the worst-case scenario.
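The decision sequence described above (is the opportunity worth the risk, which red category does the risk fall into, and does the cost of the response exceed the impact it removes) can be written down as a small risk-register evaluator. The following is an added example, not code from the original post or from any GRC product; the heat-map thresholds, the risk register entries and the comparison of opportunity against impact are all constructed assumptions for illustration, and the ROI check compares the response cost against the impact the response actually avoids (gross impact minus residual impact) rather than the gross impact alone.

```python
from dataclasses import dataclass

# Thresholds that define the "red" area of the heat map. Constructed values
# for this example; a real programme calibrates them to its own rating scale.
HIGH_PROBABILITY = 0.5      # likelihood at or above this counts as "high"
HIGH_IMPACT = 1_000_000     # loss at or above this counts as "high"/catastrophic


@dataclass
class Risk:
    name: str
    probability: float        # likelihood of occurrence over the period, 0..1
    impact: float             # loss if the event occurs, same unit as the costs
    opportunity: float        # value the objective brings if achieved (assumed measure)
    response_cost: float      # cost of the mitigation / response strategy
    residual_impact: float    # impact that remains after the response is applied


def heat_map_zone(risk: Risk) -> str:
    """Place a risk on the heat map using the post's two red categories."""
    if risk.impact >= HIGH_IMPACT:
        if risk.probability >= HIGH_PROBABILITY:
            return "red-high-probability"
        return "red-catastrophic"
    if risk.probability >= HIGH_PROBABILITY:
        return "amber"   # frequent but not severe; outside the post's scope
    return "green"


def decide_response(risk: Risk) -> str:
    """Apply the post's decision sequence and return the chosen response."""
    # 1. Is the risk worth taking at all? The opportunity must outrun the risk
    #    (assumption: compare opportunity value against potential impact).
    if risk.opportunity <= risk.impact:
        return "avoid: opportunity does not outrun the risk"
    zone = heat_map_zone(risk)
    # 2. High probability + high impact is never acceptable as-is.
    if zone == "red-high-probability":
        return "mitigate: reduce probability or impact"
    # 3. Low probability + catastrophic impact: ROI check on the response.
    if zone == "red-catastrophic":
        avoided_impact = risk.impact - risk.residual_impact
        if risk.response_cost > avoided_impact:
            return "accept: record, monitor KRIs, prepare continuity plan"
        return "mitigate: response cost is below the impact it removes"
    # 4. Everything else just stays on the register and is watched.
    return "monitor"


# Constructed sample register; none of these figures come from the post.
SAMPLE_REGISTER = [
    Risk("Typhoon hits coastal plant", 0.05, 5_000_000, 20_000_000, 8_000_000, 500_000),
    Risk("Flood at data centre", 0.05, 3_000_000, 12_000_000, 1_000_000, 200_000),
    Risk("Key supplier fails to deliver", 0.6, 2_000_000, 10_000_000, 300_000, 200_000),
    Risk("Speculative market entry", 0.3, 4_000_000, 3_000_000, 500_000, 1_000_000),
    Risk("Minor warehouse pilferage", 0.7, 50_000, 500_000, 10_000, 5_000),
]


def build_decision_table(register: list[Risk]) -> dict[str, tuple[str, str]]:
    """Map each risk name to its heat-map zone and the chosen response."""
    return {r.name: (heat_map_zone(r), decide_response(r)) for r in register}


if __name__ == "__main__":
    for name, (zone, action) in build_decision_table(SAMPLE_REGISTER).items():
        print(f"{name:32} {zone:22} {action}")
```

Running it shows the typhoon landing in the "accept, monitor and plan" bucket because the response would cost more than the impact it removes, while the flood, with a cheaper response, is worth mitigating even though both sit in the same red cell of the heat map.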
Preparing for the Worst Case Scenario
Here, of course, I refer to business continuity plans. If there is a chance that the risk will manifest and impact you, prepare for this disruption and design your contingency plan. You will have to work in a degraded mode for some time.
Don’t Wait for It, Look for It!
Like a storm when you are on a boat, it’s always better to see it coming, even if there is nothing you can do about it. Key risk indicators, which I have already mentioned a few times in these blogs, are your best friends here.
For example, is your catastrophic risk a typhoon-type natural event? Survey and monitor weather information so that you are alerted in time and can trigger your continuity plan, i.e., evacuate your employees, shut down production at the affected site, and so on.
As you’ve already gathered, I do think that there can be “red risks” that you have to accept, simply because they may come from an external source and there is nothing you can do about them. Nevertheless, whatever the case, not only do you have to know about them (and report them), but you also have to plan for the worst-case scenario so as to be prepared in case it occurs. This includes continuously monitoring the threat so as not to be caught by surprise.
How about you? Do you agree that there can be acceptable “red risks”?
I look forward to reading your thoughts and comments either on this blog or on Twitter (@TFrenehard)!