Most of us are familiar with the concept of limited resources: we are all well aware that resources are not unlimited. We must ensure we derive the greatest value from the limited resources we have available to us.
In financial terms, Net Present Value (NPV) is a long-standing analysis technique that calculates the current value of a future stream of payments from a company, a project, or an investment. By applying a discount rate, NPV enables us to identify the project or investment that offers the greatest value. This in turn enables us to prioritise the projects / investments to be undertaken or pursued – assuming we do not have the resources available to undertake everything that offers us a positive NPV.
So how does the NPV concept apply to risk management? The easy answer to this question is that we don’t have unlimited resources to reduce every risk across the organisation, so we must prioritise the application of our resources to ensure we optimise our cost versus benefit, measured as reduction in risk.
When we analyse risks we determine the need for risk treatment, which involves influencing the potential for the risk to arise, or the outcome if it does. For threat risks this is about the development and / or enhancement of preventive controls, which reduce probability (likelihood), and mitigating controls, which reduce impact (consequence). Importantly, as we should all now completely understand, risk isn’t just about protection of value, it’s also about the creation of value. So, for opportunity risks, modifying the risk is about enhancing the probability and maximising the benefits.
The actions and responsibilities to modify risks are captured in a risk treatment plan, and for material risks these should form a focus for risk management governance.
But it’s important that we don’t lose sight of the relevance of limited resources when we are developing risk treatment plans. Many directors and executives fail to grasp the very simple concept that some risks may be acceptable at their current levels. These risks may already fall within risk appetite or be at a level where the cost of further risk reduction is not practicable – ALARP (as low as reasonably practicable). Even fewer understand that some risks may be overcontrolled when considering the approved risk appetite.
It is therefore an important part of the risk management process to consider where the application of resources will maximise the return on investment. A target risk rating considers the introduction of additional controls, or the enhancement of existing controls, measured as a reduction in risk from its current level. Considering the cost of the proposed controls / enhancements enables an organisation to determine the “return” achieved on investment.
There is really only one question to be asked here: does your annual budget process specifically consider the cost of risk reduction? If it does not, then you are missing an important element of the risk management process.
Or perhaps you’ve achieved the desired risk profile across your material risks and see no upside in additional control improvements. If that’s what you have achieved, well done.
ABM Risk Partnership are experts in the development and implementation of effective risk management frameworks and functions. We believe that from risk comes opportunity. If you haven’t achieved the desired risk profile across your organisation and want to enhance your organisational risk management capability and maturity, we can help.