Explaining What High Risk Means


Boards and management teams are provided with reports from risk management, internal audit, information security, and others that label areas of concern as high risk.

Maybe they are provided heat maps, dashboards, or other visualizations that explain that these are risks where the potential impact and likelihood are high.

I have a problem with that.

Risk is about the effect of uncertainty on the objectives of the organization. It doesn't matter whether you are an advocate of the COSO ERM Framework or the ISO 31000:2009 global risk management standard.

They both talk about risk as something that affects the achievement of objectives.

COSO's 2013 Internal Control Framework gets it right when it talks about assessing deficiencies based on their impact on the achievement of objectives. For example, a "major" deficiency is one where there is a significant risk to the achievement of objectives.

Talking about something as high, medium, or low risk without referring to which business objectives are "at risk" is, I suggest, a poor practice with limited value.

What is better is talking about whether there is a high, medium, or low risk to the achievement of defined and specific objectives.

What is even better is talking about whether the risk to defined and specific objectives is at an unacceptable level.

So, when an executive is told something is high risk, she should ask "risk to what?" and "is the risk acceptable?"

When a professional is assessing something as high, medium, or low risk, he should complete the picture by explaining the business impact in terms of the achievement of specific objectives.

Do you agree?

I welcome your comments.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.
