The primary purpose of risk management is to handle the possible effects of uncertainty on specified objectives. This handling involves establishing risk treatments, whose effectiveness is measured by the difference in risk levels between treated and untreated risk. The risk that remains after treatment is often referred to as “residual risk.” It is the objective of risk managers to establish risk treatments so that residual risk is below an organization’s risk tolerance.
To accomplish this, an organization first needs to know the level of risk it will, should, or can tolerate. This is defined as the level of risk below which an organization is willing to accept the positive or negative outcomes of not meeting its obligations. In other words, it will tolerate whatever happens for all risk below this level.
The next step in establishing risk treatments is to understand the nature of the compliance risk, which involves evaluating the uncertainty associated with an organization’s capability to meet each obligation.
Risk is always associated with uncertainty, as defined by ISO 31000, where risk is “the effects of uncertainty on objectives.” We can therefore classify risk treatments according to the nature of this uncertainty as follows:
Risk due to epistemic uncertainty: a lack of knowledge or know-how; this risk is reducible.
Risk due to aleatory uncertainty: caused by inherent randomness or natural/common variation; this risk is irreducible.
Reducible risk is treated by buying down uncertainty to improve the probability of meeting each obligation. In some compliance domains this is called preventable risk.
Irreducible risk is treated by applying margin in the form of contingency, management reserve, buffers, insurance and other measures to mitigate the effects of the risk.
In practice, many organizations buy down what they can afford and accept the consequences of the residual risk should it become a reality. Companies tend to treat any residual risk as if it were irreducible and cover it with margins. This raises the question of why not treat all compliance risk as irreducible, which, by the way, many do.
The answer can be found by considering the factors that contribute to an organization’s financial margin. A company’s margin is significantly and negatively impacted by the cost of realized reducible compliance risk. These costs are associated with such things as defects, incidents, breaches, violations, emissions, and other non-conformance. All of these are sources of waste which, for the most part, can and should be reduced or eliminated. This waste hurts not only the bottom line but also a company’s reputation.
Organizations that do not address reducible risk will never have enough margin to pay for the effects of irreducible risk, let alone fund business growth or pay out to shareholders. Put another way, the more a company invests in buying down reducible risk, the more margin it will have to use for the things that really matter.
For the risks that are reducible, it is incumbent on risk managers to effectively buy down this risk to avoid unnecessary and preventable waste (i.e. the effects of uncertainty), to improve margins, and to increase the probability of mission success. For everything else, they should ensure there are sufficient margins to cushion the effects when and if those risks are realized.