Key message: You cannot eliminate all risk!
In a previous article I talked about setting your risk appetite by understanding and separating the wants from the actual needs. Risk prioritisation is linked to risk appetite. Many readers, I am sure, have undertaken risk assessments. In my work in this field, as a risk consultant, I have found that the final step of the risk assessment process, risk prioritisation, is often neglected. If you follow the ISO 31000 approach, then once you have completed the risk analysis and determined the level of risk, the final step in the risk assessment is risk evaluation.
Many practitioners move directly on to looking for and evaluating risk controls as part of the risk treatment process without pausing to undertake the risk evaluation step. I can only assume this works well for a risk assessment with very few risk events. In my world, a risk assessment with only a handful of risks seldom occurs.
I would contend that for any risk assessment, regardless of the number of risk events identified, the risk evaluation step is critical, and I say so for a number of reasons. Firstly, you cannot eliminate all risk, so there is a need to determine what level of risk is acceptable and what is not, at least initially. This point was driven home to me when I completed a risk assessment that identified several hundred risk events. It was not going to be possible to mitigate, or put treatment plans in place for, all of these risks. Secondly, the cost of treating all of these events would naturally have been prohibitive.
There was a need to apply the organisation's risk appetite to determine in the first place what level of risk was acceptable, and what was not! The events deemed acceptable reflected the known fact that not all risk could be mitigated; should one of those risk events occur, the organisation would have accepted the predicted impact. The events that were not acceptable (outside of our risk appetite) were then noted. The number of risk events remaining still numbered about 80.
The third reason is that the risk evaluation step assisted the organisation in prioritising those unacceptable risk events so that it could focus its effort on the most critical of them. The organisation understood that if a significant list of unacceptable risk events was in evidence, it would probably be cost prohibitive to mitigate them all. Hence I believe I have presented three compelling reasons for prioritising risks.
Note: the term risk in this article refers only to the downside.