The risk is assessed as high. So what?
While there may be a debate whether risk should be assessed using qualitative or quantitative measures, I believe that is answering the wrong question.
Knowing what the level of risk is, even whether it is an unacceptable level of risk, is insufficient information.
It doesn’t answer the questions of:
- Should I take the risk?
- How much should I invest to reduce the level of risk given the opportunity cost? (Assuming the best business decision is not to take more!)
These are simple questions to ask, but not so simple to answer.
They are essential questions to answer.
If all you wanted to do was to avoid risk, you would never buy a house, cross the street, drive a car, or get married.
There are reasons for doing all of these in our personal life, and there are reasons for taking risk in our business life.
People talk about risk management enabling decision-making and go on to talk about whether the level of risk is acceptable (using terms like risk appetite, limits, and criteria).
But in real life, whether personal or business, you need to answer both of my questions.
Resources are limited.
Every penny spent to mitigate one source of risk is a penny that cannot be spent mitigating another source of risk.
Every penny spent on mitigating risk comes at the expense of investing in opportunity.
Is it any surprise that surveys of CIOs report that they prefer, overall, to spend their limited budgets on new systems rather than on cybersecurity? They can see both the risk and the reward of each alternative use of scarce funds.
So I end this short post with another question:
Is your risk management activity helping executives and board members know which risks should be taken, and how much should be invested in each of the following?
- Cybersecurity
- Regulatory compliance
- Safety
- Marketing
- Product development
- Employee morale and development
- Sales
- Acquisitions
- And so on
I try to provide something of a roadmap to answering my questions in my various books. I am currently working on one (due out next month) that is intended to help executives and board members figure out how much to invest in cyber.
I welcome your thoughts.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
There seems to be some confusion about this post. Let me clarify with an example.
At Tosco, our Marketing division (which operated about 6,000 Circle K convenience stores and and Union 76 gas stations) had a monthly meeting of its executive team to review and approve capital spending requests. They ranged from $10,000 to $10,000,000.
Management at lower levels would prepare a request that would be reviewed by a team in Finance to make sure that the numbers were correct. Let’s assume (because I don’t remember) that each had a section on assumptions and risks.
A request could come from any one of the stores (such as spending to improve the facility that would generate revenue or improve compliance), or from any of the corporate functions (such as IT, Marketing, and so on).
Each month, there could be fifty of more requests.
The management team had to decide:
- How much, in total, could they spend
- Which, if any, of these requests would generate an acceptable return
- How they should allocate the available funds among the requests
- Whether any of the requests should be partially funded or modified
- Whether they should defer spending, even on ‘profitable’ requests, to save funds for requests they knew were coming, or because there was uncertainty about cash flow, etc.
Coming up with a risk quantification (a number or a range) for each request is only a step in the process. It is not sufficient to evaluate each request by itself. The business decision is complex and requires judgment as well, considering the big picture not just the pieces.
I hope that clarifies my point.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Knowing the level of risk quantitatively (loss curve) exactly answers the questions 1 and 2
No, Alex, it does not. Knowing the level of risk in buying a new car doesn’t tell me whether I should buy it or spend the money on a boat.
I assure you, it does exactly that, it is the core of quant risk analysis
Sounds like a debate opportunity, because you need to quantify every one of the thousand alternative uses of the penny.
Totally sounds like a good debate and of course we do not need to quantify thousands alternative uses
If you have a thousand alternative uses of the dollar, you need ways to compare them
Only in theoretical debate, in practice there dozen or less alternatives, usually much less that are quantified
It’s somewhere in between, far more than a dozen! Just think of the expense budgeting process and the capital authorization process. Even then, there are alternative levels of investment in different projects within an area. It typically has hundreds of opportunities of its own, then there sales and marketing investments, product development options, and so on.
Not in the 100+ investment deals and projects I have modelled. In any case, we are deviating from the original point, the whole purpose of quant risk analysis is to answer questions 1 and 2
That’s the point, Alex. You have modeled the project and not the opportunity cost. You are not answering my questions if you are not considering the opportunity cost.
That’s not how decision science works Norman
See the addition to the post. In real life, understanding opportunity cost is essential in decision-making.
And – not every risk response requires significant investment. We need to give more attention to the wide range of potential ways to modify risk in making decision #2. I had examples where we spent very little extra time/cost and significantly affected the risk profile of a decision.
Please see my addition to the post.
Please see my addition to the post.
Norman, you raise an important issue, not usually addressed by internal audit. You are right, it’s a very complex issue which demands good information from those best qualified to give it and a properly briefed board. The other important issue is contingency planning to be prepared for the worst.
On the subject of decision making this article may be of interest
https://www.icaew.com/technical/corporate-governance/new-boardroom-agenda/helping-the-board-make-better-decisions