Risk Treatment Options and Resourcing Needs
A risk value depicts the risk level which is the size of the risk in comparison to the company’s risk mindset, appetite and risk impact severity categorization should the risk occur. Managing known risks takes many iterative stages but the most complex stage is risk assessment which requires the values for the key risk decision elements to be computed and the implications of the results well interpreted and communicated to the relevant stakeholders or risk information users. Most beginners in the GRC space find this risk assessment stage challenging because of the rigor and complexity involved in estimating the likelihood of the risk occurring, the severity of impact should the risk occur and the effectiveness of the established controls in mitigating the risk probability and impact severity.
The business leaders rely on the accurate values of the key risk decision elements to pass objective judgements and decisions on the best choice of actions and resourcing needs to navigating risks in achieving the company’s strategic pillars.
The information about the risk events, computed risk levels (sizes) and implications on the organizations help the business leaders to make great decisions and choices of actions on the following areas:
• Risk treatment options – which risks to accept, tolerate, share or control. Risks are controlled to reduce the probability of the risk occurring and severity of impact. Risks are accepted or tolerated when the company leaders are not worried about the current size of the risk or the harm the risk event may cause but will only worry if the risk size or harm gets bigger. The inherent risk size and tolerance limit help to determines the choice of the best risk treatment options.
• Level of efforts – man hours, competencies and staffing capacities that will be required to implement the preferred risk treatment option.
• Resourcing levels – what funding levels and sources, tools, methodologies and digital technologies that are needed to implement the preferred risk treatment option.
• Scope of transformational operational changes and focus areas – business areas that require improvement changes, replacement or introduction of new ones. Leveraging the Mckinsey 7S factors that help organizations to navigate risk exposures are, the business operational areas that may need procreational changes include the following seven (7) business areas:
• Strategy – Corporate level and departmental level strategies including products and services
• Structure – Hierarchical reporting lines, delegation of authorities and competency frameworks.
• Systems – organizational processes, policies and procedures both at entity, departmental and business unit levels .
• Skills – Corporate level and staff competencies required
• Staffing – Staffing capacity levels and mix.
• Style – Robust engagement and communication with the stakeholders
•Shared Value – Core Values that drive corporate culture and that the two are tightly integrated, felt and seen to be walking the talk.
The effectiveness and efficiency of the reviews of the above 7S and timely implementation of the recommendations will ensure that the identified known risk are well managed and the company continues to progress.