It’s good to see all the conversations around risk management today. More and more people are realizing that having a list of risks and reviewing it occassionally is not really the purpose. What risk management is about is trying to help the organization achieve objectives, and risk management is one part of that.
In effect, risk management is simply a component of performance management. That doesn’t mean a list of risks might not be useful, but at a minimum the list should identify which of the objectives each risk is aligned to.
And a major weakness I’ve seen over and over is a lack of aggregating risks. That is, there might be several risks that could have the same impact. While the probability of each of them occurring might be let’s day 10%, if you have four risks that can have the same impact the probability one of them occurring is 40%. And while the probability of all of them occuring may only be .01%, the total exposure is the sum of the individual exposures.
And think about this … we say we have a 10% chance of the risk occurring and the impact would be $1,000,000, so our exposure is $100,000. Well not really, because if it actually occurs, the impact will be $1,000,000.
We have a long way to go towards developing better risk management mechanisms.