One of the preliminary things you want to do when establishing an Integrated Risk Management approach is establish your guidelines for how you identify, evaluate, and communicate risk. This establishes your common definition of risk measurement across your enterprise allowing for stakeholders make relevant comparisons across various business units across the enterprise. This will allow your various risk minded to teams to discuss risk and risk mitigation in a meaningful way, so your risk ranking terminology has the same definition if you are in IT, Finance, HR, Legal, etc.
First things first, you need to define the risk philosophy of the enterprise. This includes defining what risk the organization will accept and tolerate in pursuit of organizational objectives, one example might be that you organization is willing to trust proprietary data to a business partner outsourcer in order to cut operating expenses.
Once you have a handle on your risk philosophy, you need to start thinking about risk appetite which is the translation of risk philosophy to guiding principles for your organization. This part can be tricky as people (risk managers) operating at the front lines of risk mitigation can interpret these principles differently, but the goal here is establish concrete examples that can be easily quantified or qualitatively measured and used as a benchmark which to measure other risks against. Using our same example above for business processing outsourcing with the goal of cost reduction your appetite might look something like - willing to invest $150 million into business process outsourcing to achieve long term cost savings, must have full return on investment in 5 years, and any workforce reduction media/news must not damage brand reputation.
Once your risk appetite has been defined the enterprise should figure out risk tolerances. Your risk tolerance is your risk limit--the maximum amount of risk you are willing to take on. This is the threshold which decision makers use to determine if they will or will not accept the risk. An example here might look your company not taking a risk on compliance -- for a hospital onboarding a new system that might jeopardize HIPAA compliance is not tolerable.
Next part is defining your risk assessment criteria, and this will go a long away toward establishing the terminology you use on a day to day basis. Using your risk appetites and risk tolerances, you need a terminology of how these translate to impact and vulnerabilities. Here establishing and defining what "low", "medium", "high" mean for your business will help risk managers across the enterprise help to assess risk in their respective areas. This is easier said than done especially if you have a large group of people trying to define the risk classification scheme. Which ever risk classification model you decide on it should fit for your business.
Check back next week, we'll be talking about strategy and risk identification.
