Historically, companies have tended to list risks as separate, independent events. Risks are usually given a score for likelihood, another for potential financial loss, and those scores are combined to give a composite ‘severity score’. The risks that have the highest severity score are the ones that the senior management are presented with and invited to focus on.
There are many deficiencies to this approach – deficiencies that are revealed when one switches to a quantitative evaluation, and when one recognizes that the causes and impacts of risks are inter-connected.
Switching to a quantitative approach makes it possible to aggregate – so one now asks questions like ‘what is the total financial exposure’ we have, instead of just ‘which is the largest risk’.
Recognizing the causes and impacts of risk, and that impacts extend beyond the purely financial to other measures of value like environmental or health and safety, opens up a far richer understanding which can change the role of risk management from one of compliance and process to one that includes real strategic decision-making tools to help protect and grow a business and improve its corporate citizenship in line with emerging ESG rules.