Traditional risk management is not trouble-free. This is mainly because it relies on the periodic review of a list of risks, known as a Risk Register or, in COSO's terms, the organisation's Risk Profile. The trouble is that the risk specialist is then bound to consider one risk at a time.
In practice, more than one risk will have an impact on the organisation's objectives. If you think about it, it is extremely difficult to identify a business objective with only a single source of risk associated with it.
This raises two central questions:
- How do we consider the aggregate effect of multiple risks?
- How do we know whether the level of a certain risk is acceptable to our business objective?
One might argue that the level of each individual source of risk may be within what we define as "acceptable" according to our organisation's risk appetite and risk tolerance criteria.
However, the level of risk to an objective can be unacceptable once all the sources of risk are considered together.
Business sense dictates that when there are multiple sources of risk, we are less willing to take the risk, even if each individual source is acceptable on its own.
So, what are the elements of common sense to employ under such circumstances?
- Accept that a single objective, project, or business plan has multiple sources of risk.
- Understand the level of each and whether it is acceptable, but enquire into "why".
- Establish whether there is a common point of failure.
- Analyse carefully whether, given all the information about what might happen, it makes business sense to take that risk.
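The following is an added worked example, not part of the ECA post, that puts numbers to the argument above: each source of risk sits inside the tolerance on its own, yet the aggregate likelihood and expected loss for the objective exceed it, and a common point of failure makes the picture worse still. The risk sources, their likelihoods and impacts, the tolerance thresholds and the independence assumption are all constructed for illustration; they are not figures from the post or from any real Risk Register.

```python
"""Added illustration: per-source acceptability does not imply aggregate acceptability.

All figures below are constructed for the example (assumption), not real data.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class RiskSource:
    name: str
    likelihood: float  # probability of materialising within the planning period
    impact: float      # loss if it materialises, in arbitrary currency units


# Tolerance criteria for ONE business objective (constructed thresholds).
LIKELIHOOD_TOLERANCE = 0.10   # max acceptable probability of the objective being hit
EXPECTED_LOSS_TOLERANCE = 100.0  # max acceptable expected loss (likelihood x impact)

# Constructed Risk Register entries for that objective; each one looks fine alone.
SOURCES = [
    RiskSource("key supplier insolvency", 0.05, 800.0),
    RiskSource("regulatory change", 0.08, 500.0),
    RiskSource("loss of key staff", 0.06, 600.0),
    RiskSource("IT outage", 0.09, 400.0),
]


def individually_acceptable(source: RiskSource) -> bool:
    """The one-risk-at-a-time view: check a single register entry against tolerance."""
    return (source.likelihood <= LIKELIHOOD_TOLERANCE
            and source.likelihood * source.impact <= EXPECTED_LOSS_TOLERANCE)


def probability_any(sources: list[RiskSource]) -> float:
    """P(at least one source materialises), assuming the sources are independent.

    1 - P(none materialise) = 1 - product of (1 - p_i).
    """
    return 1.0 - prod(1.0 - s.likelihood for s in sources)


def expected_loss(sources: list[RiskSource]) -> float:
    """Expected loss to the objective across all sources (linear, no independence needed)."""
    return sum(s.likelihood * s.impact for s in sources)


def aggregate_acceptable(sources: list[RiskSource]) -> bool:
    """The objective-level view: apply the same tolerance to the combined risk."""
    return (probability_any(sources) <= LIKELIHOOD_TOLERANCE
            and expected_loss(sources) <= EXPECTED_LOSS_TOLERANCE)


def common_cause_expected_loss(sources: list[RiskSource], trigger_probability: float) -> float:
    """Common point of failure: one shared trigger fires every source at once.

    Independence no longer holds; the loss in that scenario is the sum of all impacts,
    weighted by the trigger probability. Assumption: the trigger causes all sources.
    """
    return trigger_probability * sum(s.impact for s in sources)


if __name__ == "__main__":
    for s in SOURCES:
        print(f"{s.name:28s} acceptable alone: {individually_acceptable(s)}")
    print(f"P(any source materialises): {probability_any(SOURCES):.3f} "
          f"(tolerance {LIKELIHOOD_TOLERANCE})")
    print(f"Aggregate expected loss:    {expected_loss(SOURCES):.1f} "
          f"(tolerance {EXPECTED_LOSS_TOLERANCE})")
    print(f"Aggregate acceptable:       {aggregate_acceptable(SOURCES)}")
    # Constructed scenario: all four depend on one data centre with a 5% failure chance.
    print(f"Common-cause expected loss: {common_cause_expected_loss(SOURCES, 0.05):.1f}")
```

Every entry passes the per-risk check, yet the chance that the objective is hit by at least one of them is roughly 25%, and the expected loss is 152 against a tolerance of 100. If the four sources also share a single trigger, a 5% chance of that trigger alone already produces an expected loss above tolerance, which is why the checklist asks about common points of failure rather than stopping at the register.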
The ECA welcomes your thoughts, views and contributions.