Should agencies automatically focus resources on risks with the highest levels of residual risk, or should more energy be placed on those that may exceed established risk tolerances (regardless of residual risk level)?
Question asked by Anonymous
AFERM Experts Say...
As with most questions of discretion and management choice, the appropriate course of action is dependent upon considerations beyond residual risk rating or exceeding the agency’s established risk tolerance boundaries or risk appetite level. ERM informs the resource allocation and internal decision-making processes and should not necessarily trigger the focus of resources in any one direction. There may be a range of other factors that agency leaders must consider when deciding where and how to address key risks. For example, the risk may stem from entirely external factors beyond the control of the agency and may require extensive deliberation and negotiation before an acceptable course of action to influence these factors is set and resources focused to respond. There may be broader political considerations that motivate leaders to elect to apply resources to one risk over another. The decision of where to focus may also be influenced by the resources at hand. It may be the better decision to apply existing resources to one risk over another because the agency has those resources available but needs to attain the resources needed to address another risk. Finally, the actions available to the agency may have already been exhausted, and nothing else can be done to reduce the likelihood or minimize the impact if the event materializes, but the residual risk still exceeds the established risk appetite level. Simply monitoring leading key risk indicators may be the only option.