Column: Risk Management
Apples to Oranges
I was recently sandwiched in a middle seat on a long haul flight. Impossible not to strike up a conversation with both seat mates. On my left was the head of human resources, responsible for the health and safety of 10,000 employees.
On my right was the CFO of that same company, charged with all things finance but also responsible for IT. Inevitably they asked me what I did – all things risk management – and, as usual, they wanted to talk about the risks they face.
From the left, I heard HR concerns about the next virus or disease that could make employees sick. From the right, I heard fears of hacking.
To provoke, I asked: “Which risk is bigger? More important? If you had only $500,000 for a solution, which risk would you choose to mitigate?”
Life safety is always the priority, the left proclaimed. But a nasty breach could paralyze the company, leaving us potentially bankrupt, the right argued. Frustrated, they proclaimed: “You cannot compare them. It is like comparing an apple to an orange.”
It is not the first time I heard that statement. In the risk management proficiency reviews, it is a common concern. How does one compare two different risks and assess priority?
Answer? Set the context for the risk assessment before starting the evaluation. This is an essential step. Set context by answering questions like these:
Which corporate performance objectives could the risk event compromise? Are all objectives equally important to achieve? If not, which are the most important? What timeframe bounds the risk assessment? Will the risk events happen within the next quarter, year or over five or 10 years?
Does the organization have a common scale that tells it what counts as a high impact, that is, a serious compromise of one or more objectives?
For example, if an objective for safety performance is “to ensure less than five lost time employee injuries annually,” or if an IT security objective states that “less than three IT systems penetrations shall be allowed annually,” what is considered to be a high compromise of those objectives? Twenty or 100 lost time injuries, or system penetrations?
Conversely, what is considered a low compromise of those objectives? What score will we give a risk event that compromises an objective severely, and what score for one that compromises it only slightly? Will the scores reflect that a single risk event can compromise several objectives at once? What do we do with a risk scenario that impacts none of our corporate objectives?
By answering these questions, you build a “risk ruler” system.
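The scoring scheme these questions produce can be written down as a small program. What follows is an added illustration, not code from the column or its author: it assumes two objectives whose targets echo the column's examples (fewer than five lost-time injuries, fewer than three system penetrations), and the "high compromise" thresholds, objective weights, assessment horizon and projected impacts of each event are constructed assumptions chosen only to show the mechanics. Each projected impact is mapped onto one common 0..5 scale per objective, weighted by that objective's agreed importance, and summed, so an "apple" (a pandemic) and an "orange" (a breach) end up on the same ruler.

```python
"""Toy 'risk ruler': score dissimilar risk events on one common scale.

Added illustration for the column's method. The objectives, thresholds,
weights, horizon and events below are assumptions constructed for this
example, not figures from the column.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Objective:
    """A performance objective phrased as 'fewer than target per year'."""
    name: str
    target: float           # level at which the objective is still met
    high_compromise: float  # level the organization agreed to call a high compromise (assumed)
    weight: float           # relative importance agreed before the assessment (assumed)


@dataclass
class RiskEvent:
    name: str
    expected_within_years: float                 # when the event is expected to occur
    impacts: dict = field(default_factory=dict)  # objective name -> projected annual level


def compromise_score(obj: Objective, projected: float) -> float:
    """Map a projected annual level onto the common 0..5 scale.

    0 = objective still met; 1 = objective just missed;
    5 = at or beyond the agreed high-compromise level (capped there).
    """
    if projected < obj.target:
        return 0.0
    span = obj.high_compromise - obj.target
    fraction = (projected - obj.target) / span
    return 1.0 + 4.0 * min(fraction, 1.0)


def score_event(event: RiskEvent, objectives: dict) -> float:
    """Weighted sum over every objective the event compromises.

    An event that touches no tracked objective scores 0: it is not a
    risk to the objectives this ruler was built for.
    """
    total = 0.0
    for obj_name, projected in event.impacts.items():
        obj = objectives[obj_name]
        total += obj.weight * compromise_score(obj, projected)
    return total


def rank_events(events, objectives, horizon_years):
    """Rank events inside the assessment timeframe, highest score first.

    Events expected only beyond the horizon are excluded, because the
    timeframe was fixed as part of the context before scoring began.
    """
    in_scope = [e for e in events if e.expected_within_years <= horizon_years]
    scored = [(e.name, round(score_event(e, objectives), 3)) for e in in_scope]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed objectives: targets echo the column; thresholds and weights are assumed.
OBJECTIVES = {
    "safety": Objective("fewer than 5 lost-time injuries annually",
                        target=5, high_compromise=25, weight=2.0),
    "it_security": Objective("fewer than 3 system penetrations annually",
                             target=3, high_compromise=11, weight=1.5),
}

# Constructed events: projected impacts are illustrative guesses, not data.
EVENTS = [
    RiskEvent("pandemic", expected_within_years=1, impacts={"safety": 15}),
    RiskEvent("breach", expected_within_years=1, impacts={"it_security": 7}),
    RiskEvent("office_move", expected_within_years=1, impacts={}),  # touches no objective
    RiskEvent("datacentre_flood", expected_within_years=8,
              impacts={"it_security": 11}),  # outside a five-year horizon
]

if __name__ == "__main__":
    for name, score in rank_events(EVENTS, OBJECTIVES, horizon_years=5):
        print(f"{name:18s} {score:5.2f}")
```

With these assumed numbers the pandemic sits halfway between "just missed" and "high compromise" on the safety ruler and the breach sits halfway on the IT ruler, so the ranking is decided entirely by the weights the organization agreed to beforehand; change the weights or the high-compromise thresholds and the order can flip, which is exactly why they must be negotiated before, not during, the assessment.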
Risk rulers ensure that you have pre-negotiated tools and context around your pending risk assessment. They set the ground rules for what the risk assessment will tell you and how the risk events will be prioritized.
Most importantly, risk rulers allow you to establish common criteria that link performance objectives to risk events. If an “apple” can cause more damage to objectives than an “orange,” keep an eye on that apple.