Stefan Hunziker recently wrote an excellent piece on LinkedIn. He wrote:
As clear as mud: Do risk managers or decision-makers manage risk?
I congratulated him for his post, but I want to go into his question in more detail here.
Let’s consider the ISO 31000:2018 diagram of a risk management process.
Within the context of the organization, its environment, and what it is trying to achieve, the process outlined in the diagram includes these activities, which I will consider in turn:
- Identify the risks to objectives
- Analyze to understand them and their level
- Evaluate whether they are acceptable or not
- Treat them where necessary
- Record and report the risks in a way that is integrated with both strategy-setting and execution, enabling informed and effective decision-making
- Communicate throughout the process
- Monitor and adapt as risks or business conditions change
That’s actually a lot of work. But let’s start at the beginning.
Does the organization and its leadership rely on the risk officer to identify all risks of significance to enterprise objectives?
If they do, they are in deep trouble!
There are only so many risk officers in any organization, a very small percentage of the total number of employees. Yet, risks are everywhere. They are created or modified (i.e., increased, reduced, or otherwise…
