I commend Marco Nutini for his recent LinkedIn post, Risk and decision: egg or chicken?
He asks:
In your opinion, which of the two alternatives best represents the Enterprise Risk Management process?
1) From an Objective >> Identify a Risk >> Analyze and prioritize >> Decide how to treat it; or
2) From the need to make a Decision >> Analyze the existing Options, weighing Risks and Gains >> Select an Option >> Monitor the risks taken to review the decision.
Marco suggests:
If you answered 1, you are being consistent with the main standards (ISO 31000 and COSO) on Risk Management and you are concerned about structuring of the system.
If you answered 2, you are thinking strategically and considering risk management (in lower case) as something natural that does not need to be very structured.
If you answered that 1 and 2 are important and simultaneous, your opinion agrees with mine, that is, people might drive you to a shrink.
ISO 31000 and COSO present the Risk Management process as a linear sequence, with no feedback loops, whose mission is to mitigate risk, one-on-one. Lenders, regulators and customers are demanding Risk Management in capitals, in compliance with these standards, as a basic matter of improving trust on companies.
While his questions are challenging, I prefer option 3:
3a) When setting…
