Read the book The Failure of Risk Management - Douglas W. Hubbard - Page 43
Answering the Right Question
The first and simplest test of a risk management method is determining if it answers the relevant question, “Where and how much do we reduce risk and at what cost?” A method that answers this, explicitly and specifically, passes this test. If a method leaves this question open, it does not pass the test—and many will not pass.
For example, simply providing a list of a firm's top ten risks or classifying risks into high, medium, or low doesn't close the loop. Certainly, this is a necessary and early step of any risk management method. I have sometimes heard that such a method is useful if only it helps to start the conversation. Yes, that may be useful, but if it stops there it still leaves the heavy lifting yet to be done. Consider an architectural firm that provides a list of important features of a new building such as “large boardroom,” “nice open entry way with a fountain,” and then walks away without producing detailed plans much less actually constructing the building. Such a list would be a starting point but it is far short of a usable plan, much less detailed blueprints or a finished building.
Relevant risk management should be based on risk assessment that ultimately follows through to explicit recommendations on decisions. Should an organization spend $2 million to reduce its second largest risk x by half, or spend the same amount to eliminate three risks that aren't in the top five biggest risks? Ideally, risk mitigation can be evaluated as a kind of “return on mitigation” so that different mitigation strategies of different costs can be prioritized explicitly. Merely knowing that some risks are high and others are low is not as useful as knowing that a particular mitigation has a 230 percent return on investment (ROI) and another has only a 5 percent ROI or whether the total risks are within our risk tolerance or not.
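The comparison in the paragraph above can be worked through as follows. This is an added example, not taken from the book: the risk register, the probabilities, the loss amounts and the $25 million tolerance are constructed, and it assumes independent risks, a one-year horizon, and return on mitigation computed as expected-loss reduction divided by cost, minus one.

```python
from itertools import product

# Constructed risk register: name -> (annual probability, loss in dollars if it occurs).
RISKS = {
    "R1": (0.10, 80e6),
    "R2": (0.20, 30e6),
    "R3": (0.30, 5e6),
    "R4": (0.25, 4e6),
    "R5": (0.20, 4e6),
}
# Constructed mitigations: name -> (cost, multiplier applied to each affected probability).
MITIGATIONS = {
    "halve R2": (2e6, {"R2": 0.5}),
    "eliminate R3-R5": (2e6, {"R3": 0.0, "R4": 0.0, "R5": 0.0}),
}

def mitigate(risks, factors):
    """Return a new register with the mitigation's probability multipliers applied."""
    return {n: (p * factors.get(n, 1.0), loss) for n, (p, loss) in risks.items()}

def expected_loss(risks):
    """Sum of probability times loss over the register."""
    return sum(p * loss for p, loss in risks.values())

def return_on_mitigation(risks, cost, factors):
    """(expected-loss reduction / cost) - 1, over the assumed one-year horizon."""
    reduction = expected_loss(risks) - expected_loss(mitigate(risks, factors))
    return reduction / cost - 1

def prob_exceeds(risks, tolerance):
    """Exact P(total annual loss > tolerance), enumerating every occur/not-occur outcome."""
    items, total = list(risks.values()), 0.0
    for outcome in product((0, 1), repeat=len(items)):
        prob, loss = 1.0, 0.0
        for hit, (p, amount) in zip(outcome, items):
            prob *= p if hit else 1 - p
            loss += amount * hit
        if loss > tolerance:
            total += prob
    return total

def report(tolerance=25e6):
    """Rank mitigations by return, with the residual chance of breaching tolerance."""
    rows = [(name, return_on_mitigation(RISKS, cost, f), prob_exceeds(mitigate(RISKS, f), tolerance))
            for name, (cost, f) in MITIGATIONS.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for name, rom, p in report():
        print(f"{name:16} return {rom:5.0%}  P(loss > tolerance) {p:.2f}")
```

With these constructed numbers, eliminating the three smaller risks has the higher return, but only halving R2 lowers the chance of exceeding the tolerance, which is why the two questions in the paragraph are answered separately.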