In our latest posts on Enterprise Risk management (ERM), we addressed the three phases of Risk Assessment: Risk Identification and Risk Analysis and Risk Evaluation. In this post, we turn our attention to Risk Treatment.
The Range of Risk Treatments
In the post regarding Risk Evaluation, we introduced the range of risk treatments and included examples of each. Before we revisit that roster of treatments and examples we should underscore an important principle.
It’s important to think in terms of Risk and Opportunity Treatment. A hallmark of ERM is the balancing of risk and reward.
One of the differences between traditional risk management and Enterprise Risk Management (ERM) is that traditional risk management tends to single-mindedly pursue the eradication of risk. ERM, on the other hand, embraces the concept that prudent risk-taking is a legitimate path to reward. For example, taking on the risk of introducing a new product may be the wise bet to augment revenue and profit.
With that in mind, let’s flesh out the previous introduction of the range of treatments. For any given risk, an organization may choose from the following treatments.
Accept the risk
A company may choose to accept the risk. To be accepted, a risk would have to pass two tests. The risk would have to be both a type and an amount of risk that is deemed acceptable.
Some types of risk are almost universally deemed unacceptable such as the risk of death or serious injury. Other types of risk may be acceptable in one industry or company but not in another. For example, a software company may accept a certain amount of reputation risk to revamp a product while a social services firm may determine that any amount of reputation risk is unacceptable.
As for an amount of risk that may be acceptable, that is a matter of balancing the potential loss with the gain or savings. Consider the decision of whether or not to buy a maintenance plan for a set of new laptops. The organization may be planning to replace the laptops long before they are expected to break down. The savings from not buying the maintenance plan may justify accepting the risk. In this example, the risk of having to replace a portion of the laptops early is an acceptable amount of risk as well as an acceptable type of risk.
Reduce the risk
What if the amount of risk is not acceptable? The organization may then consider ways to reduce the risk. Consider a manufacturer that is purchasing the majority of its raw materials from just one provider. The manufacturer has to be concerned about that provider increasing prices, withholding product, curtailing production or going out of business. Arranging to spread out purchases over a number of providers will reduce the concentration risk.
Transfer the risk
An organization may also transfer the risk. The most common method of transferring risk is by purchasing insurance. In return for the premiums that it is willing to pay, an organization is able to transfer the risk of a variety of events to an insurance carrier: slips and falls, errors and omissions in its services, employee theft, flooding of the premises, etc.
An organization can also transfer risk by “contracting risk away.” A good example is outsourcing. The firm taking on the outsourced services typically takes on the risk of providing those services. This is not a matter of foisting risk onto an unsuspecting victim. Rather, this is a matter of transferring risk to a firm that is specifically organized to focus on and manage the type of risk. An example of such a transfer of risk by contracting is that of an appliance dealer that employs a separate firm to install the appliances. The risk of installation errors passes to the installer whose core business is efficient, satisfactory installation. Meanwhile, the appliance dealer is able to concentrate on its core business, selling the products. In this arrangement, each firm retains and focuses on the risks it is best enabled to manage.
Avoid the risk
An organization may also choose to avoid the risk by not engaging in the proposed activity. Take as an example a proposed rollout of a new product where a majority of the projected scenarios show the product to be unprofitable. It may be prudent to forgo the opportunity and avoid that large risk of loss. Note, however, that this is “letting go with confidence.” When the rigor of well-executed ERM process leads you to avoid a risk, you are assured that you did not leave an opportunity on the table. Rather, reworking the old adage concerning a wolf in sheep’s clothing, you sensibly rejected a probable loss in opportunity clothing.
Inherent Risk, Residual Risk, and the Risk Register
In our previous post regarding Risk Analysis, we illustrated the difference between inherent risk and residual risk and that difference was, indeed, due to Risk Treatment. In that post, we used as an example the risk of losing a shipment of inventory as it was sent from a warehouse to a retail site and we considered the mitigation of insuring the shipment. We imagined a shipping route that posed a moderate likelihood of losing the shipment but a major potential impact due to the high value of the shipment. The moderate likelihood and the high impact indicated a significant risk. That significant risk was the inherent risk of sending that amount of inventory, the impact, over a route with that particular probability of mishap, the likelihood. The inherent risk is the likelihood and impact as measured before consideration of any Risk Treatment. Then we considered the effect of the insurance coverage, the Risk Treatment. The insurance coverage had no influence on the likelihood of loss; however, it did greatly reduce the impact. Instead of having the entire value of the shipment at risk, the company now only had the amount of the deductible at risk. The resulting moderate likelihood of the risk combined with the much lower impact of the risk leaves the company with a much smaller amount of risk, the residual risk.
The difference between the inherent risk and the residual risk is a measure of the value of the Risk Treatment. This “bang-for-the-buck” measurement allows the organization to prioritize treatments in favor of the most effective ones - - another hallmark of ERM.
That prioritization of treatments is actually the second stage of prioritization in ERM. It comes as no surprise that the first stage is the prioritization of risks so as to treat the biggest risks first.
Treating the biggest risks first and employing the most effective treatments first are common sense ideas but they are only enabled by the discipline of rendering inherent and residual risk scores. The inherent risk scores reveal what the biggest risks to the organization are. The residual risks scores enable the organization to survey what treatments yield the biggest “bang-for-the-buck.” This method of prioritization is one of the values of ERM.
The Risk Register is the ERM tool that captures and reports these two important risk scores. In the chart below, we excerpted selected columns from a sample Risk Register to illustrate how several of our examples of Risk Treatments might be reflected this tool.
The Roles in Risk Treatment
In a previous post, we examined the roles of ERM. So, how do those roles fit specifically into Risk Treatment?
- The Risk Management Committee (RMC), the chief decision-making body for the ERM program, prioritizes the risks, selects the treatments and allocates the resources (budget and people) needed for the treatments. The RMC also assigns Risk Owners.
- The members of the Workgroup, drawn from the business units and operational support functions of the organization, render the inherent and residual risk scores for each risk.
- The Risk Management Program Office trains and guides the RMC and the Workgroup in applying a common and consistent methodology to render the inherent and residual risk scores and properly characterize risks and treatments.
- The Risk Owners manage, monitor and document the effectiveness of the Risk Treatments.
- Internal Audit tests the Risk Treatments as part of its annual audit. Specifically, Internal Audit will test for compliance with the adopted risk treatments and the effectiveness and efficiency of the risk treatments.
- Effective Risk Treatment is really Risk and Opportunity Treatment that balances prudent risk-taking with reward.
- Effective Risk Management selects appropriately from the strategies of accepting appropriate types and amounts of risk, reducing risk, transferring risk through insurance or contracts, and avoiding risk by not engaging in excessively risky activities.
- When the rigor of ERM is applied, avoiding a risk is “letting go with confidence.”
- The difference between the inherent risk and the residual risk is the “bang-for-the-buck” a measurement of the value of the Risk Treatment.
- Inherent risk scores allow for prioritizing and treating the biggest risks first. Residual risk scores allow for prioritizing and employing the most effective treatments first.
- The Risk Register is the tool that collects the risks, the treatments, the inherent risk scores and the residual risk scores in one place for comparison and prioritization.
- The thumbnail of the roles of Risk Treatment:
- the RMC selects the treatments and allocates the resources,
- the Workgroup renders the inherent and residual risk scores,
- the Risk Management Program Office ensures a common and consistent methodology,
- the Risk Owners manage, monitor and document the effectiveness of the Risk Treatments and
- Internal Audit tests the Risk Treatments.
Contact us for assistance with any aspect of your ERM program.