One of my LinkedIn followers asked the question:
I’m fully on board with a quantitative approach and RM2 principles. However, our parent company insists on RM1, especially using Likelihood (1-5 score) and Consequence (1-5 score) criteria to assess risk on the 5×5 Risk matrix. They request quarterly status reports on “Red” level risks, and there’s no way to avoid this. As a compromise, I’m willing to do matrix-based assessments to satisfy the parent company’s requirements but focus most of my attention on ensuring risk-informed decisions. The problem is the clash between the 5×5 matrix and quantitative assessment results. While I know which one to trust, other people in my organization may be confused by 2 different assessments of the same risk. Do you know any way to translate quantitative assessment results to Likelihood & Consequence scores so that at least the risk matrix has a basis for a solid quantitative assessment? Or is there another alternative to mitigate this confusion/clash between 2 methods?
I thought this was a great question and a common challenge that has multiple simple solutions. If you face the same dilemma in your organisation, hopefully this article will help.
Understand the end game
First you have to understand how the risk information received from your company is being used by the parent risk management team. A simple rule of thumb: if it is not used for any serious decision and has no implications for planning, budgeting or performance management, then you wouldn’t care as much. If it is indeed used for something meaningful, then you will be more motivated to do the right thing.
Check your assumptions
RM1, qualitative risk scales and risk matrices are all examples of astrology, horoscopes, at best. The assumption that “there’s no way to avoid this” is simply false. Take the time to build a business case to move away from qualitative risk scores, use research, arguments and better alternatives I mentioned in the article here. In my last 3 roles at holding company level, I cannot even begin to imagine a situation where somebody from a subsidiary would bring a better approach to managing risks and I would reject it. Risk managers who insist on RM1 despite good examples of RM2 should be fired and you would do a great service to shareholders by getting such parent company risk managers fired. Getting rid of RM1 is the ultimate objective and something I personally did in the last 3 companies.
Keep RM1 and RM2 separate
If all else fails and you are not ready to resign from such a company, then create 2 parallel worlds: risk management 1 for the parent company and risk management 2 for the management. Become the owner of RM1 and don’t waste too much of management’s time on updating RM1 documents for the parent company. Do the RM1 reporting yourself with management validation from time to time, or use it as a channel to escalate issues that management wants escalated.
Or combine RM1 and RM2, no one will care either way
Or start with a qualitative risk register first and, as you progress with RM2 implementation into various important decisions, you will discover that you now possess risk exposure calculations that can be used to improve the original RM1 scores. Slowly replace the original RM1 scores with new scores derived from RM2 implementations. This is not the objective of RM2 and really just a side benefit. Going back to the question from my follower, I see a misunderstanding of the RM1 and RM2 distinction. The objective of RM2 is not to have a detailed quantitative risk register; in fact, in RM2 you will probably never have a quant risk register, nor do you need one. In RM2 you analyse risks for whatever important decision is at hand, and sometimes it overlaps with some of the risks in the register. So it would be a shame not to reuse it.
How would you resolve such a dilemma?