Risk Profile Development – Analyze the Risks
Last month we described how to identify the risks organizations face, and how to create a framework for analyzing, measuring and managing them. In this next article of the series, we will explore how to analyze the organizational risks that have been identified.
The Enterprise Risk Management (ERM) analysis process generally begins with qualitative research approaches that give the organization a better understanding of the threats being faced. Examples of ERM organizational qualitative questions may be:
• How do we face the competitive pressures of a certain product with our existing infrastructure?
• How do we improve our competitiveness by removing all unnecessary costs?
• How do we protect our reputation and client data from cyber threats?
The ERM analysis process supports the organization’s mission by building resiliency into its core strengths, and ultimately allows the organization to withstand adversity and uncertainty over the long run. As the organization and its leaders review and question the threats to “who we are and what we do”, more detail and greater understanding are normally required to create a set of criteria for further risk analysis. A quantitative framework and detailed financial analysis then naturally follow the qualitative phase. By completing both phases, the organization arrives at a response and approach that fits the threat.
In many organizations, there is a single person or a small group who are trained and experienced in the qualitative and quantitative risk analysis process. The main objective of risk analysts and managers is to gather all of the information they need to fully comprehend the risk priorities. Additionally, they should seek to understand what investments are required to produce the current and future value of the organization. The best role for risk analysts and managers is to listen carefully to the business leaders and “risk takers”, question them thoroughly about all agreed qualitative and quantitative elements, and document the findings completely for further review and revision.
So, when should you start the risk analysis process? The risk analysis process may start at any time, and be carried out in many different forms. For example, if the organization needs to analyze an immediate threat to its continuity and reputation, like the cyber risks recently encountered by Anthem Health or Target Corporation, then the analysis should begin immediately, reviewing every potential gap in the information technology environment and closing it. Otherwise, the analysis may take a more orderly course, such as reviewing potential risks at the start of a project, on an ongoing basis, or as a study of the risks that remain after treatments have been executed.
Once you start the risk analysis process, you will quickly conclude that you cannot address everything that has been identified. This is a natural condition in all organizations as they face an uncertain world with significant risks and limited risk analysis resources. The best approach is to measure the most significant risks by calculating the magnitude and likelihood of each event (or series of events), and then determine how those events are currently controlled or strategically managed. Repeating this practice continuously helps prioritize and quantify the risks, and directs resources toward eliminating or limiting their impact.
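To make the prioritization step concrete, here is a small quantitative risk register as an added example (it is not code from the original article). It scores each identified risk as likelihood multiplied by magnitude, discounts that by how effective the current controls are, ranks the residual exposure, and then goes one step beyond the text by choosing which treatments to fund from a limited budget. The risk names, probabilities, loss figures, control percentages, treatment costs and the budget are all constructed for illustration, and the model assumes a funded treatment removes that risk's residual loss entirely.

```python
# Added example (not from the original article): a quantitative risk register.
# Every figure below is constructed for illustration; the treatment model
# assumes, for simplicity, that a funded treatment removes the residual loss.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float             # estimated annual probability of the event (0..1)
    magnitude: float              # estimated loss per occurrence, in currency units
    control_effectiveness: float  # share of expected loss current controls remove (0..1)
    treatment_cost: float         # assumed cost of the proposed additional treatment


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("Customer data breach", 0.10, 4_000_000, 0.50, 300_000),
    Risk("Ransomware outage", 0.20, 1_500_000, 0.25, 150_000),
    Risk("Key supplier failure", 0.05, 2_000_000, 0.00, 400_000),
    Risk("Phishing-led fraud", 0.40, 200_000, 0.60, 40_000),
]


def inherent_loss(r: Risk) -> float:
    """Expected annual loss before controls: likelihood x magnitude."""
    return r.likelihood * r.magnitude


def residual_loss(r: Risk) -> float:
    """Expected annual loss that the current controls leave unaddressed."""
    return inherent_loss(r) * (1.0 - r.control_effectiveness)


def total_residual(risks: list[Risk]) -> float:
    """Aggregate residual exposure for a series of events."""
    return sum(residual_loss(r) for r in risks)


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank risks by residual exposure, largest first."""
    return sorted(risks, key=residual_loss, reverse=True)


def allocate(risks: list[Risk], budget: float) -> list[str]:
    """Greedy treatment selection: fund the risks that reduce the most
    residual loss per unit of treatment cost until the budget runs out.
    Returns the names of the risks whose treatments were funded, in order."""
    by_efficiency = sorted(
        (r for r in risks if r.treatment_cost > 0),
        key=lambda r: residual_loss(r) / r.treatment_cost,
        reverse=True,
    )
    funded, remaining = [], budget
    for r in by_efficiency:
        if r.treatment_cost <= remaining:
            funded.append(r.name)
            remaining -= r.treatment_cost
    return funded


if __name__ == "__main__":
    print(f"{'Risk':<24}{'Inherent':>12}{'Residual':>12}")
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:<24}{inherent_loss(r):>12,.0f}{residual_loss(r):>12,.0f}")
    print(f"Total residual exposure: {total_residual(SAMPLE_RISKS):,.0f}")
    print("Treatments funded within 400,000:", allocate(SAMPLE_RISKS, 400_000))
```

Note that the two rankings disagree: the data breach carries the second-largest residual loss, yet under a 400,000 budget the greedy allocation funds the ransomware and phishing treatments instead, because they remove more expected loss per unit of cost. That gap between "biggest risk" and "best use of the next unit of resource" is exactly what the analyst needs to surface for the business leaders before the evaluation and treatment phase.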
Finally, by utilizing predictive analytical tools and professional services that measure risk costs for each existing or future Risk Profile, the organization can ultimately save 20-40% of the costs associated with each existing or new threat. The next subject in our series will address the Risk Evaluation and Treatment phase, so stay tuned for how to evaluate and treat Risk Profiles once you have analyzed and measured the key components.