Boards and management teams are provided with reports from risk management, internal audit, information security, and others that label areas of concern as high risk.
Maybe they are provided heat maps, dashboards, or other visualizations that explain that these are risks where the potential impact and likelihood are high.
I have a problem with that.
Risk is about the effect of uncertainty on the objectives of the organization. It doesn't matter whether you are an advocate of the COSO ERM Framework or the ISO 31000:2009 global risk management standard.
They both talk about risk as something that affects the achievement of objectives.
COSO's 2013 Internal Control Framework gets it right when it talks about assessing deficiencies based on their impact on the achievement of objectives. For example, a "major" deficiency is one where there is a significant risk to the achievement of objectives.
Talking about something as high, medium, or low risk without referring to which business objectives are "at risk" is, I suggest, a poor practice with limited value.
What is better is talking about whether there is a high, medium, or low risk to the achievement of defined and specific objectives.
What is even better is talking about whether the risk to defined and specific objectives is at an unacceptable level.
So, when an executive is told something is high risk, she should ask "risk to what?" and "is the risk acceptable?"
When a professional is assessing something as high, medium, or low risk, he should complete the picture by explaining the business impact in terms of the achievement of specific objectives.
Do you agree?
I welcome your comments.