In our most recent blog we discussed how some organisations are reluctant to invest in Risk Management despite the fact that managing risks using inexpensive and inflexible spreadsheets often prevents effective risk management. When risk is seen as a cost centre, the positive opportunity value in investing in risk management is overlooked.
How can organisations measure risk management value?
Firstly I must say that there is no one right way to measure risk management value, however there are some general guidelines you should consider. Remember, the end objective from this exercise should be to demonstrate the value of your risk management activities and their efficacy in reducing the impact of risk on your organisation. Use the following steps as a guide:
- Carefully consider the KPIs you will measure. What are your risk management and broader organisational objectives? What does good look like in your organisation?
- The KPIs you choose to monitor should be monitored consistently.
- This exercise should be part of a bigger organisational process, ensure you consult with all risk owners and periodically revisit to check progress over time
- Consider both qualitative and quantitative approaches to measuring value. While some risk impacts can be captured numerically using process and rules, others will need capturing using a more subjective, principle-based measurement.
Quantitative measurements could include:
- How many risks have been identified
- Percentage of process areas involved in risk assessments
- Percentage of key risks mitigated
- Percentage of key risks monitored
- Cost of regulatory fines or penalties
- Number of customer complaints
- Use Monte Carlo analysis to plot the impact reduction over a period of time
Qualitative measurements could include:
- Include qualitative assessment results
- Carry out random checks on risks logged in the risk register to check quality - simply being up-to-date doesn’t guarantee that risks are relevant