One of the most important aspects of being a strong Risk Leader is helping ensure those you are guiding are assessing the right risk. Here is a simple example:
You are conducting a short risk assessment with a team tasked with relocating to a new head office. During the risk assessment, physical risks to the new building are identified. It is not uncommon for these all to be listed, controls assessed and risks rated. For a modern building, each one is likely to be a fairly rare occurrence on its own, so your risk assessment may look something like:
Consider these issues in a different way by asking a different question. The higher, and in fact more strategic, question is: how resilient is this building in terms of providing a place of work for our staff? When considering this question, the risk can be described as "Unable to access building for more than fourteen days", and all of the risks that were rated above (plus a whole lot more around civil riot, power outages and the like) become sources of the higher-level risk. When we rate the more strategic risk, the risk rating is higher and demands a response. In this simple example, the response is obviously a business continuity plan as a contingency in case any of these unlikely or rare "sources" of risk eventuate. The risk assessment would now look something like this:
Although this is a relatively simple example, the principle is the same no matter the subject of the risk assessment. The time when this is most important for you as a Risk Leader is when conducting strategic risk assessments. Your role is to ensure the risk assessment is sufficiently high level that the big questions are being answered. Be sure you can answer questions like:
- Do we understand our business environment?
- Do we have the right strategy?
- Do we have the right people to execute the strategy?