The point of risk management is to understand and react to the threats and opportunities that might affect your business. The problem is that risk management can often become dislocated from the mainstream business processes. Instead of being integrated into the organization, risk management takes place in a parallel but separate workstream: one that decision-makers dip into occasionally but generally regard as a specialized, technical process.
I’ve seen a similar thing happen with cybersecurity. Despite the fact that almost every business is now wholly dependent on a robust, secure and effective IT infrastructure, cyber security is still often seen as a ‘thing that IT does’. Even though cyber security is effectively supply chain security (plus a lot more), it isn’t thought of that way.
One way to solve this conundrum is to think of a risk assessment like a P&L statement or balance sheet: it’s a data set that supports decision-making. And, taking that one step further, your risk data can only support the decision-makers if it’s linked to your overall objectives.
If you map out how threats or opportunities are linked to your objectives, you can link your assessment directly to what the organization is trying to achieve.
However, in a lot of cases there isn’t going to be a direct link between a threat and an objective. Even where there is, it might not be specific enough to support a meaningful decision. So instead, you need a middle step that identifies the critical factors enabling you to reach your objectives.
Top-level objectives —> Factors for success —> Threat / opportunities
Moving from the strategic (objectives) to the operational (factors for success) to the details (individual threats) will help you link everything together.
Then, reverse the process: map each threat or opportunity to the success factors it affects before looking at how the resulting risk might affect the objective.
Threat / opportunities —> Factors for success —> Top-level objectives
This makes it easier to link the risk data to your objectives and to make better, more informed decisions.
Here’s the whole thing sketched out:
However, you have to keep in mind that the category of a threat will not always match the category of the success factor or objective it affects.
For example, your top-level objective is to deliver the highest quality of widgets in your industry. To do that, you need to recruit and retain the top talent, which you class as a People item.
However, you face a Reputational risk because of the behavior of the previous CEO, which makes attracting good people difficult.
So a Reputational threat causes a risk that affects your People success factor. This in turn affects your Quality objective.
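As an added illustration (not from the original post), here is that two-step map held as data, with both the threat-led walk (threat to factor to objective) and the effects-led view (objective to factor to threats) computed from the same edges. The identifiers, descriptions and categories are constructed for the example; the Reputational threat crossing into a People factor under a Quality objective mirrors the case above. Two checks a practitioner would want are included: threats that reach no objective at all (either noise in the register or a gap in the map), and paths where the threat's category differs from the factor's and objective's, which is exactly where a category-sorted register hides the link.

```python
from collections import defaultdict

# Constructed sample register, not taken from the post. Each item is id -> (description, category).
OBJECTIVES = {
    "OBJ-1": ("Deliver the highest-quality widgets in our industry", "Quality"),
}
FACTORS = {
    "CSF-1": ("Recruit and retain top design talent", "People"),
    "CSF-2": ("Keep the production line running to specification", "Operations"),
}
THREATS = {
    "THR-1": ("Reputational damage from the former CEO's conduct", "Reputational"),
    "THR-2": ("Ransomware on the plant control network", "Cyber"),
    "THR-3": ("Loss of the single supplier of a key component", "Supply chain"),
    "THR-4": ("Phishing against the finance team", "Cyber"),  # deliberately left unlinked
}

# Edges of the two-step map: threat -> success factor -> objective (hypothetical links).
THREAT_TO_FACTOR = {"THR-1": ["CSF-1"], "THR-2": ["CSF-2"], "THR-3": ["CSF-2"], "THR-4": []}
FACTOR_TO_OBJECTIVE = {"CSF-1": ["OBJ-1"], "CSF-2": ["OBJ-1"]}


def paths_from_threat(threat_id):
    """Threat-led walk: threat -> factor -> objective. Returns a list of (factor_id, objective_id)."""
    return [
        (f, o)
        for f in THREAT_TO_FACTOR.get(threat_id, [])
        for o in FACTOR_TO_OBJECTIVE.get(f, [])
    ]


def effects_view():
    """Effects-led view: objective -> factor -> sorted list of threats that reach it."""
    view = defaultdict(lambda: defaultdict(list))
    for t in THREATS:
        for f, o in paths_from_threat(t):
            view[o][f].append(t)
    return {o: {f: sorted(ts) for f, ts in fs.items()} for o, fs in view.items()}


def unlinked_threats():
    """Threats with no path to any objective: noise in the register, or a gap in the map."""
    return sorted(t for t in THREATS if not paths_from_threat(t))


def category_crossings():
    """Paths where the threat's category matches neither the factor's nor the objective's."""
    out = []
    for t, (_, tcat) in THREATS.items():
        for f, o in paths_from_threat(t):
            fcat, ocat = FACTORS[f][1], OBJECTIVES[o][1]
            if tcat not in (fcat, ocat):
                out.append((t, tcat, f, fcat, o, ocat))
    return out


def report():
    """Print the register the way a decision-maker reads it: by objective, not by threat type."""
    for o, factors in effects_view().items():
        print(f"{o}: {OBJECTIVES[o][0]}")
        for f, ts in factors.items():
            print(f"  via {f} ({FACTORS[f][1]}): {', '.join(ts)}")
    print("unlinked threats:", unlinked_threats())
    for t, tcat, f, fcat, o, ocat in category_crossings():
        print(f"  category crossing: {t} ({tcat}) -> {f} ({fcat}) -> {o} ({ocat})")


if __name__ == "__main__":
    report()
```

Sorting the register by objective rather than by threat category is what makes the output effects-led; the unlinked list is the first thing to review, because a threat that cannot be tied to any success factor either does not matter to the business or reveals a factor nobody wrote down.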
So get your stakeholders and decision-makers to start thinking about risk data as another data source to help with decision-making. At the same time, ensure that what you produce is clear and tied to objectives: be effects-led, not threat-led.
This apparent simplicity doesn’t mean there isn’t a lot going on behind the scenes. The simplification requires a lot of work, but that’s not unusual: just think about how many hours go into producing a one-page P&L statement for a big organization. You will be more effective if you present your results as clean, clear, usable data that directly link to what your organization is trying to do.