How do you maintain precise risk trigger descriptions when you aggregate risk profiles from low organizational levels to higher level summary risks? It becomes difficult to know which trigger event is monitored to determine when a risk response should be executed.
Question asked by
AFERM Experts Say...
A risk trigger is an event or series of events that activate the execution of a particular action, usually associated with mitigation strategy or execution of contingency plans. Risk thresholds define the boundaries of fluctuation for those triggers.
This is a difficult challenge. It is almost impossible without first defining an actual risk event scenario, because risk triggers exist to respond to risk events within a threshold of an actual scenario. It is especially difficult where risk action is defined at a very detailed level across large portfolios of disaggregated risks. This is where we rely on the expertise of our Risk Management professionals to prioritize risk actions, and by doing so, prioritize risk triggers and thresholds.
For example, not all risks are created equal, and although we have defined impact and severity probabilities (if quantitative), not all risks contribute similarly to the overall risk of a risk pool. Overall, risks assessed at “high” matter more. Then, if the Risk Management professional can either 1) provide anecdotally the risk triggers that control risk actions for “a majority” of the risk or 2) leverage risk management software to determine which risk triggers are specifically associated with risk actions in that scenario. This provides an opportunity to then aggregate the profiles from the bottom up, and give meaningful risk trigger information.
Without specific scenarios to discuss, a Risk Management professional could have the challenging task of either discussing an endless list of “if/then” scenarios or providing an inert dictionary of all the risk triggers in the portfolio. Risk management software can be very helpful in the case of the latter.