IDENTIFYING RISKS AND THE VALUE OF MITIGATION
The process of risk assessment may differ, depending on the nature of the activity or project into which it is integrated.
No matter the activity, however, assessment should begin at the intersection of business activities and risk categories. Business
activities include development, production, facilities/equipment, materials, laboratories, packaging/labeling, and sales/marketing.
Risk categories include legal/regulatory, financial, policy, safety, quality, process, environmental, and business continuity.
Through structured working sessions, workshops and meetings, the project team can define the risks, decompose them into actionable
elements, and quantify them through the use of company data, team knowledge and quantification tools. The team, which may
consist of process leaders as well as risk specialists and, often, external experts, reviews the risks identified, defines
mitigations, and recommends a set of responses that are clear, actionable, and well justified. Such recommendations should:
- Understand growth, risk, and return through a clear linkage of risk action, ROI, and business opportunity
- Include rough project plans and budgets for mitigation alternatives
- Provide integrated responses linked to the enterprise risk efforts and resources.
These value-based recommendations permit the organization to evaluate risk-mitigation actions alongside other investments,
balance them with new investments, and capture additional value.
It is essential that risk-mitigation projects be able to stand up to comparison of value with other types of actions. In the
end, a business manager must be able to review a portfolio of actions, all of which generate or protect value. Revenue-enhancement
projects, for example, generally show a clear ROI starting from a zero balance, with return versus expenditure increasing
over time. Similarly, cost-improvement projects show an ROI starting from a negative cost point, with the investment over
time showing added value to the organization's bottom line.
Risk-mitigation projects often present a nebulous investment picture. Risk managers may characterize mitigations as "must
do" projects for a variety of reasons and, in some cases, that judgment is correct. But the case for most risk-mitigation
actions must stand up to financial scrutiny. Business value includes the evaluation of risks, starting as a negative cost
point appropriate to the type of risk evaluated (e.g., sales impact, litigation risk, material risk).
Being able to evaluate and communicate the value of mitigation actions in clear financial terms can bring to fruition the
aim of the kind of risk management being proposed: better decisions framed in the overall context of the business. Organizations
that shake free of misconceptions about risk management, integrate risk-based decision-making into project and planning activities,
and regularly evaluate mitigation actions against other investments are likely to find that those better decisions have become
a matter of routine.
Greg T. Plante is a principal at Tunnell Consulting, Inc., firstname.lastname@example.org