ERM Objective:
Allocate resources to the correct risks based upon strategic priorities.
The Trap:
After completing your risk assessment you will have a prioritized risk register, typically using Impact and Likelihood criteria. Many firms then focus on the Top 10, 5, or even 3 risks on the list. The issue is that your Top 10 risks are typically not the most important risks to address. The third key question has not been answered, which is, “Which risks should we manage differently than we do today?”. Not answering this third question potential causes you to apply more resources to the incorrect risks.
The Solution:
Determine Risk Tolerances:
After your risk assessment, set a target level for each risk (a tolerance). This determines where the risk needs to be on the Impact and likelihood scales. You can now give the risk owner a clearer idea of what the risk looks like when successfully managed (within tolerance). You will also clarify if you are reducing the likelihood, impact, or both (and why?).
In my experience, 40-60% of risks in the Top 10 list do not require additional mitigations.
