I'm following an interesting thread on one of the risk management lists.
One of the posters suggested that there simply are too many risks to worry about them all.
Pick two or three and ignore the rest.
Admittedly this list's audience is comprised mainly of external and internal auditors and their concerns generally are limited while ERM practitioners (should) have an enterprise (ergo the "E" in ERM), all-risk approach.
Still, the idea that a risk management practitioner would suggest ignoring risks because there were "too many" boggles the mind.
In my world, we look at all risks.
We look at ways to avoid or mitigate risks - some we "transfer" or "absorb," but most we try to avoid or mitigate.
Once we identify all the risks - and the ways to deal with them - then they are prioritized as we think they should be based on what we know about the organization's current and - if we're privy to it - future operation.
Since the ERM practitioner is always a "consultant," even when in a captive, staff, in-house, "permanent" employee role, we give management our findings and recommendations.
Management, not the practitioner, reviews the recommendations and determines which recommendations to implement, in what order, on what schedule, and then sets up the budgets to implement the decisions.
Some practitioners suggest first working on the "low hanging fruit," risks that offer an easy, inexpensive fix. I dislike that approach, but if the risk management budget is sufficient for only that type of risk . . . well, it's better than nothing and may help instill a risk management mentality in the organization's staff.
To my Winnie-the-Pooh mentality, ignoring the presence of risks - versus giving them a low priority - is not risk management, it is risk ignorance.
This is akin to the practitioner who suggested that organizations simply allow a risk to run its course and then pick up the pieces (http://tinyurl.com/3jh9ddr). This is neither risk management nor business continuity; at best it is disaster recovery.
If practitioners in the U.S. were licensed, as are doctors, lawyers, and numerous other professionals, they might be liable for ignoring risks. Unfortunately, or for many, fortunately, an organization would be hard pressed to prevail in court claiming the practitioner failed to consider all risks; in other words, there's no penalty for ignoring threats.
I consider it my mandate to diligently seek out risks from all points, and to relate those risks to management.