I will start today’s post with an assertion.
Some will find it controversial.
It flies in the face of traditional practices.
Here it is:
Measure risk in a way that enables informed and intelligent decisions.
Assessing the level of risk in monetary terms[1] more often than not, IMHO, does not provide the useful, actionable[2] information that decision-makers need.
Leaders of the organization are trying to achieve objectives (as recognized by both ISO and COSO).
Decision-makers have objectives as well.
They need to know how what might happen (i.e., risks and opportunities) would affect the likelihood of achieving those objectives.
I am usually talking about the enterprise objectives set by management and approved by the board. But very often there are more micro-level objectives (hopefully the result of cascading enterprise objectives down to business units and functions) that decision-makers are trying to achieve.
For example, we might be talking about:
- The procurement manager’s objective of obtaining quality materials at a reasonable price, delivered when they are needed.
- The hiring manager who is trying to recruit the talent needed by management.
- A project manager working to complete a system implementation on time, within budget, and delivering the required functionality.
- The sales…