We hear time and time again about the importance of a “common language of risk” as an essential element of risk management. It is certainly true that people need to be able to express their thoughts and concerns about risk and to communicate them clearly.
My experience with risk management is that what is really missing is grammar and syntax. Grammar is what gives language meaning. We have the language. We don’t have the grammar.
Here is an example of what I mean. The example below contains 4 distinct pieces of data about risk. Yet time and time again, all of this data is gathered and lumped into a risk library as if it were all the same. All of this information is about risk, but not all of it describes what the risk is.

My argument is that the risk event that needs to be managed in the example above is the “trip and fall”. We need to understand the root causes of trips and falls (and there are many more than broken shoelaces), and we need to understand the direct and indirect consequences of trips and falls. This is the grammar of risk management: the study of cause/effect relationships. Risk language without structure does not create information or knowledge.
Root Cause/Control
Control models such as COSO or COBIT (or many others) do a good job of classifying what controls should exist. Controls are the inverse of root causes: each control exists to prevent, detect or correct a specific cause. The COSO Internal Control – Integrated Framework came about through an analysis of the causal factors behind the bank failures of the late 1980s.
Risk Event
The best risk event taxonomy I have seen is the Standard & Poor’s sample risk types contained in their 2007 paper proposing the evaluation of ERM practices as part of the credit rating process.
Consequences
Risk taxonomies help us classify risk events into logical groups so that we can manage them better. By classifying risks as Strategic, Operational, Reporting or Compliance, COSO ERM is recognizing areas of consequence (or business objectives) of enterprise risks.
If we don’t structure our risk information, we will never understand cause/effect relationships. If we don’t understand cause/effect relationships, risk management will not link to business performance. And if risk management does not improve performance or reduce avoidable losses, it has no value.
Risk management really isn’t that complicated. It just requires thoughtful approaches, sound tools and consistency.
All comments are appreciated.
Enjoyed the article Bruce. Your diagram and breakdown of the data pieces of risk are useful. We provide decision/governance modelling services that ultimately help manage organizational risk. Understanding better the “data in the risk library” helps me see the places we can position ourselves more effectively, because for us as a company, the challenge is not how does it work, but where does it fit.
Look forward to reading more of your articles.
MCS
Excellent, Mr McCuaig. This explanation perfectly completes the idea set out in your white paper “Fundamentals of GRC: Mastering Risk Assessment”.
Thank you
Thanks Nancy. We are working to develop as many practical ideas as we can. I hope you find it useful in working with your clients.
What a perfect summary describing ERM! I think that we are generally so intimidated by all of the potential attributes associated with various levels of business risk that we lose sight of the foundational risk principles. I believe this clarity can help us align and position our products to help our clients manage risk around these principles.
I think this is brilliant. You are spot on, so many risk registers are jumbles of things from root cause to downstream effects. Thank you very much for this article.