SELECTING TOP RISK EXPOSURES – HOW MANY IS IDEAL?

In the GRC space, one of the hallmarks of a well-governed organization is that it embraces strategic risk management thinking and timely decision making, planning, resourcing, execution, reporting, monitoring, issue follow-up, resolution and feedback in driving business operations and performance excellence.

Demonstrating strategic risk management practices requires a focus on the “top key” risk exposures and on ranking and prioritizing actions and resources. This is because risk exposures cannot all be of the same level: some will be higher or lower than others.

The key question is:
What is the ideal number for the top key risks that an organization can focus on to align its risk governance, management and assurance functions to the company’s strategic goals and objectives?

I get the above question very often in most risk governance, management and assurance conversations.

My perceptions
(1) The ideal number of top key risks an organization should focus on is best determined by its business leaders, governance and executive management inclusive, because they know their business inside out, better than any outsider. They understand what matters most and the criteria for the priority ranking. To arrive at the number, the business leaders should combine inputs from multiple credible sources with their own knowledge and experience before passing judgement. This involves embedding the output of data analytics and reviews of relevant internally generated data and documents, the output of robust research from external resources, and the pulse of selected key stakeholder groups within and outside the company. These include key customers, suppliers, external auditors, regulators, and credible research organizations such as the World Economic Forum (WEF) Global Survey, the Association of Certified Fraud Examiners (ACFE) Pulse of the Nation, and Risk Landscape Surveys from the global big auditing and consulting firms like PricewaterhouseCoopers (PwC). The company can also consider hiring credible independent consulting firms to complement its own staff in conducting the risk assessment and setting the parameters for the risk appetite and key risk prioritization.

(2) To keep it simple and ensure that the criteria for determining the number are applied uniformly across all levels (from corporate group level down to divisional and departmental levels), the Pareto 80/20 principle can provide a rule of thumb.
Applying the 80/20 Pareto Principle, the ideal number of top key risk exposures that the risk governors, managers and assurance functions may focus on to achieve 80% of the company’s strategic goals and objectives should not be more than 20% of the company’s total risk exposures, or risk universe, as contained in the company’s risk registers. However, risk events, tolerance levels and priorities differ across industries and organizations, so a one-size-fits-all cut-off point of 80/20 may not apply to every organization. To avoid overlooking potentially impactful risks that could cause compounded problems in the medium or long term, organizations should use the 80/20 Pareto Principle only as a benchmark and starting point, which may be altered to suit the organization’s unique circumstances.
 

The biggest challenge

One of the biggest challenges in determining the ideal number of top risk exposures is that, most times, the risks some organizations carry in their risk registers may be inappropriate risks. Some may be mere activities, or the lack or absence of controls, which have been identified and described as risks. When the risk exposures to the company are not properly identified, the risk classification, ranking, prioritization, governance, management and assurance efforts become mere waste and cost centers.

To read more of my other blog posts, click https://sallyogwookeyumahi.com/
