Friday, December 16, 2011

The role of the business case in risk management

Well-conceived and thoroughly researched business cases can play a pivotal role in improving the quality of organizational decision-making. The business case does not however, stand by itself as a risk management tool. It is simply part of a toolbox for analyzing and making decisions about proposed risk treatments.

Whatever risk treatment you’re considering, and whatever means you used to identify it, the business case is designed to determine and enunciate the value of that treatment. In Figure 1, we’ve used the ISO31000:2009 Risk Management Standard process to illustrate the role of the business case. Quite simply, it supports analysis, selection and implementation of risk treatments.
Figure 1: The Role of Business Cases in the context of ISO31000 Risk Management Process
At the risk of stating the obvious, lets go back to basics for a moment. Any proposed risk treatment should relate directly to a specific risk or risks. For example, if risk number one in your risk register is “Failure to deliver organizational outcomes within budget due to inadequate financial reporting” you might end up with a range of risk treatments, each of which will have different merits.  It’s worth pointing out at the moment that ‘risk’ includes both opportunities and threats (benefits and costs). Accordingly, you might also choose to rephrase the above risk in as an opportunity, such as “Increased profitability due to cost reductions resulting from improved financial reporting”.

Irrespective of how you phrase this risk, lets say that in our hypothetical example, you have identified two main treatments to address it. You’ll note from the examples in Table 1, that we’ve included a reference to which risk(s) each treatment addresses.

Table 1: Example of Risk Treatment Plan
In this hypothetical treatment plan (Table 1) each treatment has a reference to the risks it addresses. Risk Treatments number 1 and 2, primarily address risk number 1 but they also contribute to reducing the risks associated with risks 5 and 8. It’s not important what risks 5 and 8 actually are (it’s a hypothetical example remember). Risk number 8 may in fact be addressed primarily by Treatment number 4 and potentially also be improved by Treatments 1 and 11. It’s a complicated scenario but it’s worth remembering when you are defining the benefits of treatment number one, that you should consider it’s impact on risks number 5 and 8. You never know, it could be the indirect benefits of your proposed risk treatment that sways the decision makers in favor of supporting it. Add in ALL the intangible and indirect benefits. They all count.

No comments:

Post a Comment