Enterprise Risk Assessment – Gathering the Information to Drive Decision-Making


A recent article by Carol Williams of Strategic Decision Solutions carried this title and had some wisdom to share.

For example, she said:

Enterprise risk assessment can be defined as:

“the practice of gathering information to understand risk to the organization achieving its objectives and affect how uncertainty is taken into account.”

As I explained in my last post, risk is not created by a lack of knowledge (which is how ISO defines “uncertainty”). It’s created by events and situations that may happen as you seek to achieve those objectives.

But Carol is 100% correct when she talks about the need to understand “how what might happen” (rather than “uncertainty”) might affect the likelihood of achieving enterprise objectives.

As she says:

ERM’s primary goal needs to be about helping the company achieve its objectives and not simply avoid failure. As former LEGO strategic risk manager Hans Læssøe states in his book Decide to Succeed:

“Business leaders and executives focus on performance, not on risks – and hence, they do not care whether you have 5 or 25 risks, each with some impact. They do, and should, care about performance.”

Therefore, every identified risk must be linked with a strategic or business objective as doing so shifts ERM from a rear-view to forward facing…


