Risk / Threat vs. Risk Issue


Up front props:
1. In the “risk universe” square, I used the “evolving change categorizations” from a Joshua Corman blog post found here.
2. I heard the term “risk ecosystem” from Microsoft’s Mark Curphey in a video related to a risk repository web app they recently released called “Risk Tracker” (either here or here). I found the term to be valuable in the context of this blog post.
3. The approach to the image above was not solely mine; I just embellished and sanitized an idea from someone here at my employer.
Some terminology declarations:

I am using the word risk in a variety of capacities in this post.

In some cases, it is being used in the context of a threat (storm heading in my direction).

In other cases it is being used in the context of a derived value: the probable magnitude and frequency of loss, expressed in dollars.

I am using the term “risk issue” or “risk finding” to mean a documented risk that requires a decision from management to either assume or mitigate.

Finally, in the database symbol titled “Risk Rep.” – that is short for “risk repository”.

I have recently been in a few conversations about when a “risk” (or threat) becomes a “risk issue”. Most of these conversations have been with information security risk management executives, which implies “philosophying”, evangelizing, white boarding, and of course excessive use of non-risk management analogies to reflect risk management concepts. In the end, these conversations turned out to be valuable because they forced the group to really understand when a risk (threat) becomes a risk issue in our environment. In other words, what are the various lenses through which we analyze threats or risk to determine that we need to document a risk finding?

I will let you noodle the image and underlying concept on your own. However, below are a few parting points I would like to make.

1. There is a difference between grandstanding on risks (threats) that pose no threat to your company versus managing risk issues within your own risk ecosystem. Think “solar storm heading directly to Mars” versus “a storm cell that is 10 miles away with 65 mile per hour winds headed directly towards us”.

2. If a risk (threat) is important enough to grandstand on AND to begin mitigating, then it is no longer a risk, but a risk issue, and should be managed as such.

3. Emerging risks, or threats, somewhat fall in between the two above. You may want to let management know about some potential exposure, but there is nothing that needs to be addressed today.

Feel free to share any thoughts you have!


  1. shrdlu says:

    Very true. You might say that “risk” = “possibility” while “risk issue” = “probability worth paying attention to” 🙂

    This is especially important when the elevation from “risk” to “risk issue” is being caused by something your organization (or its staff) is doing.

  3. Saso says:

    Sounds much like the reasoning we used at my current employer to get everyone on the same page w.r.t. issues and risks; things to worry about and address and things that we can’t influence one way or another: things to live with and monitor.

    Ended up with the following definitions to make it easier for everyone to see where we’re coming from:

    risks: assessed (guesstimated) PLM and LEF. Not necessarily eventuating in the next 6 – 12 months even if their LEF hints at this;

    issues: risks that are bound to come and bite you in the behind in the coming 6 – 12 months unless something is done about them right now. Stuff raised by auditors usually falls in this category. You ignore them at your own peril. (The quality of issues they raise is up for discussion, but ignoring them is usually not the smartest thing to do.)

  4. M. Wallace says:

    I’d like to noodle the diagram. But I’m over 40. The text on the diagram is below the “greeking” level.

  5. Chris Hayes says:

    Thanks for the comments everyone!

    @M. Wallace – You should now be able to click on the image and it should open a new browser window and be easier to view. Thanks for catching that!