
Speaking in Risk Management Tongues

Abstract

A critical step in building an effective risk management culture is understanding the organizational context and speaking a shared language. Driving the right response to risk events requires a common understanding of the potential consequences of outcomes and the criticality of timely response. Without a shared understanding of what is being communicated, risk response efforts may not be appropriate, timely or effective for preventing losses.

Paulo Coelho, a renowned Brazilian novelist and author of The Alchemist, once said that “culture makes people understand each other better. And if they understand each other better in their soul, it is easier to overcome the economic and political barriers”[i]. To understand each other, people must communicate in a shared language. Similarly, building an effective risk management culture requires the adoption of a shared risk language and an understanding of responsibilities for risks and risk events at every organizational level.

Risk is defined as the “effect of uncertainty on objectives”[ii]; in other words, it is the possibility that an incident will occur and adversely affect the achievement of objectives. Variance from an objective can be positive or negative, but this article focuses on the negative deviation that we all prefer to prevent or avoid.

Driving the right response often depends on communicating risk phenomena in the right language. Saying “A risk exists in Branch X” requires a different response from “An issue exists in Branch X” or “An incident is underway in Branch X”. Apart from the everyday connotations of the keywords, material differences exist between these situations and the responses they should trigger.
Having identified and assessed risks in a process, project, product, or system, attention must be paid to relevant events, be they negative outcomes we would prefer to avoid, or changes to the operating environment or risk profile that increase susceptibility to unfavourable outcomes. The table below shows the differences between risk, issue, and incident.

[Table showing the differences between risk, issue, and incident]

For example, the likelihood of a fire outbreak in a branch is a risk; a manager discovering that the fire alarm in the branch has stopped functioning is an issue; a fire outbreak in a branch is an incident! Now try this: the risk of a data privacy breach via a service provider is ….? No Non-Disclosure Agreement in place for vendors is…..? Confidential data leaked on Facebook is……..?

Issues and incidents are interrelated – an unresolved issue can lead to an incident and an incident can lead to an issue that must be resolved to prevent future incidents. Take the example of the risk of power outage and theft of a branch’s power generator. An incident has occurred here – generator theft. The incident has also created an issue – the branch no longer has a generator, which was one of the mitigants to the risk of power outage. Incident response therefore also requires root cause analysis to unearth underlying and resulting issues that indicate potential future vulnerabilities, changes to initial risk profiles or even new risks.

Conscious path mapping is important to ensure that risks, issues, and incidents receive the appropriate treatment. Risks need to be proactively identified and managed. Issues need to be discovered and resolved as soon as possible, to prevent loss events. Incidents need to be responded to with the required sense of urgency to prevent, or at least minimize, losses. Issue resolution should be driven by the criticality of exposure and magnitude of potential impact while incident response should focus on timely intervention to prevent or limit an imminent loss, or to ensure a quick recovery therefrom. Incident responses should be defined in advance as much as possible while most issue resolutions would require idiosyncratic responses. Without a separation of the response and resolution paths for incidents and issues, organizational resources may be overstretched leaving significant and more imminent losses without the attention required to address or curtail them.

“To speak a language is to take on a world, a culture”; do you even speak a uniform operational risk language in your organization? How does your organization respond to risks, issues, and incidents?
ENDNOTES

[i] Paulo Coelho in conversation with UN’s New Centre. Available online at http://paulocoelhoblog.com/2015/03/13/intercultural-dialogue/

[ii] ISO 31000: 2018 Definition of Risk.

Featured image by ijeab / Freepik

Yemi Adesanya (FCA, CISA)

I am a Chartered Accountant and Certified Information Systems Auditor with over 18 years managerial experience covering financial accounting, regulatory reporting, management accounting and control, business process engineering, ERP implementations, Enterprise Risk Management and Internal Controls. I currently work as a risk & control manager in Nigeria’s financial services industry.
