This article builds on the concept of discrete risk management processes within an enterprise, which was supported by some examples. It identifies two perspectives on the risk in any given area of activity, or risk theme—risk ‘to’ and risk ‘from’. This is apparently an original observation, so the argument is entirely enclosed in a blue box, and is an excellent subject for comments and queries.
This observation about ‘to’ and ‘from’ perspectives is a stepping stone to the Clear Lines on Audit and Risk recommendation for building up an enterprise view of risk from discrete and independent risk management processes within the enterprise.
There is risk ‘to’ any given activity within an enterprise, and there is risk to the enterprise ‘from’ that same activity. The same applies to theme-based risk.
If we take an area of enterprise activity as the subject for risk management, there are two valid classes of risk.
In the case of a risk theme within an enterprise, there are also two classes of risk.
The risks in the ‘to’ class and in the ‘from’ class can be very different, or at least look very different. Most often, a risk to the area of activity can look serious from the point of view of the activity itself, yet the same scenario looks fairly minor as an enterprise risk coming from the activity. The same applies to defined risk themes.
At times the opposite can be true, when local managers or specialists do not appreciate the wider impacts their activities or themes might have. A common example is the risk of a total network outage resulting from a small ICT project working to a delivery deadline. ICT projects on a deadline are motivated to take risks to save time, not necessarily thinking of the dire business consequences of an unforeseen disruption to the network. Enterprise-level managers of risk need to be vigilant for that kind of case, and if necessary to educate and motivate ‘local’ managers about their broader responsibilities. In the case of an ICT project, the important change is in the priorities of the project board, the management authority that controls the forces that control the project team.
The ‘to’ and ‘from’ classes of risk are built into the layered model of enterprise risk management to be presented in a later topic.