Risks have to be treated with controls that bring them down to an acceptable level. Monitoring and review then check that those controls are actually working, and that changes in the context, in the risks, or in the risk management process itself are noticed and acted on. Both feed risk reporting, so that the information decision-makers need reaches them clearly and decisions are taken with the risks in view.

Designing and operating real controls that keep risks within the organization's risk appetite and tolerance is the core step of risk management. Monitoring, reviewing and reporting on those risks and controls gives confidence that the organization can meet its objectives, given its context and the risks it faces. Where that confidence cannot be reached, the organization can decide to put more effort into managing the risks or, if that is not practical, adjust its objectives.

The Orange Book (HM Treasury, 2020, page 20) describes risk treatment as choosing the most appropriate option by weighing the benefits of achieving objectives against the costs, effort or disadvantages of implementing those options. It adds that the justification for designing risk treatments and internal controls goes beyond financial considerations and should take account of the organization's obligations, commitments and stakeholder views. This covers the "why" and the "what" rather than the "how". ISO 31000:2018 states that the purpose of risk treatment is "to select and apply options for dealing with risk"; the Orange Book builds on that ISO guidance but gives less detail.
Looking at the COSO ERM (2004), the “risk treatment” step fits into two stages:
- Risk Response: Management picks responses like avoiding, accepting, reducing, or sharing risk, and creates actions to match risks with the organization’s risk tolerance and appetite.
- Control Activities: Policies and procedures are set up and used to make sure the risk responses are carried out properly.
Lastly, the COSO ERM (2017) model talks about “Implementing Risk Responses.”
After understanding our working context and objectives, identifying and analyzing risks to see their impact on those objectives, and evaluating if more action is needed to make the risks acceptable, the next step is to manage, respond to, treat, or control those risks. Organizations use some kind of risk prioritization—like likelihood versus impact, action versus impact, or another method—to decide which risks to tackle first. Keep in mind that while organizations want to remove all major threats and seize all big opportunities, this might not be practical or cost-effective. Also, mistakes in the risk analysis process can lead to overly negative or positive risk ratings, causing us to focus on less important risks. We’ll explore this more in Unit 5 on risk culture. For the risk management process to work well, we need to include a feedback loop, like this:
- We treat a risk by comparing its current rating to the target rating (usually our risk appetite). If the current rating is above the risk appetite, we take action to manage it.
- After treatment, we re-analyze the current risk. If it still exceeds the risk appetite, we treat it again to bring it closer to the target.
- We re-analyze the risk again. We stop adding new actions only when the current rating matches the target rating. If we can’t reach the target rating in a practical or affordable way, we might need to rethink our objectives and restart the whole risk management process.
This feedback loop should be ongoing, because the context, risks, controls and risk appetite are always changing. The feedback step is part of the monitoring and review stage of the full ISO 31000 risk management process; in the simple four-step process, the final arrow represents this feedback loop.

Considering the situation we’re in, the risks we face (whether opportunities or threats), and how well they’re managed (or can be managed), can we still achieve the goals we set earlier?
If the answer is “yes,” the system is balanced, and no changes are needed.
If the answer is “no,” there are two choices: a) Put in more effort and resources to manage the risks better (like adding more controls). Or, if that’s not possible or not wanted, b) Adjust the goals (if we can), because the current ones are either too hard or too easy to achieve for the best balance.
During the Covid-19 pandemic many controls were developed to try to prevent people from contracting the disease and to limit its spread. These controls were mainly of two types:
- Data collection, for example lateral flow test results and hospital admission data.
- Guidance, for example advice on self-isolation and training for vaccination staff.
However, if no use had been made of the data collected, or if no one had followed the guidance given, then neither type of control would have changed the risk of Covid-19 spreading: data and guidance only modify a risk when they are acted on.
4.1 Risk Control
ISO 31000:2018 defines a control as a "measure that maintains and/or modifies risk," with two additional notes:
- Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice, or other conditions and/or actions which maintain and/or modify risk.
- Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
The accompanying flowchart draws the distinction between genuine controls and mere data collection or guidance, which helps organizations judge the real effectiveness of their controls. Risk checks (also called tests, verification or reviews) should confirm that an active control is operating as designed and performing as expected; they show how well the control is working and whether it has modified the risk as intended. Controls, then, are meant to manage and modify risk, either by addressing its causes to change the likelihood of it occurring or by mitigating its consequences to reduce the impact if it does. In practice, however, many of the "controls" assigned to risks are only data-gathering exercises or advisory measures. Data collection and guidance both have a part to play in actively managing a risk, but only when they are acted upon do they alter it. A simple online search turns up numerous cases where individuals, teams or organizations failed to act on the data available to them or to follow the guidance they had been given.

ISO 31000 emphasizes that selecting the most appropriate risk treatment options involves weighing the benefits against the costs so that the approach is balanced: risk management should not come at excessive cost. The standard notes that several options can be employed simultaneously, potentially incorporating one or more of the following:
- Steering clear of the risk by opting not to initiate or persist with the activity causing it.
- Accepting or amplifying the risk to seize a potential opportunity.
- Eliminating the source of the risk.
- Adjusting the probability of occurrence.
- Modifying the potential impact.
- Distributing the risk (e.g., via contracts or insurance).
- Retaining the risk through a deliberate, informed choice.
Certain methods are better suited to threats—such as risk avoidance—while others align more with opportunities, like embracing or heightening the risk. The central idea is that all these approaches should actively alter the risk, whether it represents a threat, an opportunity, or a combination of both.
The 4Ts
Different strategies are applied to threats and opportunities. For threats, response approaches are often grouped into the “4 Ts”:
- Terminate: To eliminate a risk, an organization might need to stop the activity linked to it. Termination is typically a last resort, chosen reluctantly when the remaining risk severity is deemed too high after exploring other cost-effective options (like transfer or treat).
- Transfer: This involves shifting risk exposure to a third party, such as an insurer, thereby allowing an organization to mitigate potential losses associated with various liabilities and uncertainties. However, fully offloading a risk is rare, which is why “risk sharing” is a more accurate term that reflects the collaborative nature of managing risks. Examples include joint ventures, outsourcing arrangements, and innovative risk financing strategies, topics covered in later modules that delve deeper into effective risk management practices.
- Treat: Here, an organization keeps the risk internally and takes steps to adjust its severity, likelihood, or impact. Treating risks is the most widely used response strategy.
- Tolerate: An organization may accept a risk if its perceived severity falls below the risk appetite. Low-severity risks are commonly tolerated, though some high-severity risks might also be accepted—such as when risks are unrecognized or their severity is underestimated. Tolerating high-severity risks leaves an organization particularly exposed, and some argue it’s the unrecognized, quietly tolerated risks that pose the greatest threat to an organization’s survival.
For opportunities, some organizations adopt a “take” strategy, akin to tolerate but more proactive, involving deliberate engagement with a risk to pursue a reward. In certain cases, terminating even the most severe threats isn’t feasible—especially in public services, where obligations persist despite high risks, or when abandoning an activity could trigger reputational damage seen as a greater risk. When termination isn’t an option, organizations may have no choice but to tolerate risks that exceed their risk appetite. The 4 Ts are often mapped to a risk matrix, but this method can be seen as overly simplistic and is best viewed as an initial step before exploring more tailored solutions. It struggles particularly at the boundaries of high and low risk levels, especially near the matrix’s center, where distinctions blur. Moreover, the idea of transferring risks with low likelihood but high impact—such as through insurance—may work for financial risks, but transferring management to a third party doesn’t always shield an organization from the fallout if that party underperforms. Increasingly, the 4 Ts are considered outdated as a framework for crafting risk response strategies.
The 5Es
For opportunities, a framework of 5 Es is used to categorize response strategies. Unlike the likelihood-versus-impact matrix used for threats, these strategies follow a simplified business lifecycle:
- In start-up operations, opportunities are Explored to evaluate whether the risk is worth taking.
- During the growth phase, the operation Expands the opportunity—perhaps by securing investment or boosting sales—keeping the risk level steady while increasing the potential reward.
- The operation might then choose to Exit the opportunity, either by profitably selling it off (“cashing out”)—maintaining the same risk but reaping a substantial reward—or by abandoning it entirely if the investment exceeds the risk appetite.
- In a mature operation, the opportunity is Exploited further, such as through investors or acquisitions, reducing the risk while the reward remains constant.
- For operations in decline, opportunities merely Exist due to a failure to adapt to market changes, resulting in both low risk and low reward, with dwindling sales in a contracting market.
Similar to the 4 Ts for threats, this model offers a fairly basic perspective on handling opportunities, as not all organizations or opportunities follow this sequence or trajectory. You may notice that your organization has distinct procedures for managing risks in project activities versus operational ones, with project processes often emphasizing hazards over opportunities. In contrast, strategic risk management is typically a separate, possibly less formal process, driven by the board of directors. To address this effectively, consider examining whether your organization has specific procedures in place for managing risks at the strategic level.
Preventive, Corrective, Directive and Detective Controls
According to ISO 31000, controls can be implemented to adjust either the probability of a risk occurring or the extent of its impact if it does occur, applicable to both threats and opportunities.
When addressing threats, loss control is a treatment approach divided into three components:
- Loss Prevention: Controls aimed at stopping a risk from happening by tackling its causes.
- Damage Limitation: Controls that minimize the impact of a risk immediately after it occurs, focusing on consequence management.
- Cost Containment: Controls that lessen the long-term effects of a risk, such as through business continuity planning.
A related framework, known as control theory, offers an alternative way to classify responses to threats, organizing them into a hierarchy: preventive, corrective, directive, and detective (abbreviated as “PCDD”). This model suggests when each type of control might be suitable. Though PCDD was featured in the 2004 version of the Orange Book, it’s no longer mandated in the updated version and isn’t widely applied in enterprise risk management. Here’s a brief summary:
- Preventive Controls: Hopkin and Thompson argue these are the most critical, but they may not always be cost-effective, particularly for low-probability risks. For risks beyond our control—like certain external factors—prevention might be unfeasible, leaving only the other three options viable. Thus, a cost-benefit analysis is essential for preventive controls, which work before a risk materializes.
- Corrective Controls: These step in when preventive measures aren’t practical, desirable, or cost-effective, though they can also serve as a backup if preventive controls fail. Their value, adequacy, and effectiveness must be evaluated. Corrective controls are prepared in advance but activate after a risk occurs.
- Directive Controls: A common approach, these involve issuing instructions to individuals or parties on how to act in specific situations. Their reliability hinges on human behavior, making them less dependable. As noted earlier, directive controls alone don’t qualify as true controls. Contracts, for instance, are directive, as they outline expected actions in defined scenarios.
- Detective Controls: These identify when a risk has occurred, such as a fire alarm or an audit revealing a project veering off course six months in.
PCDD aligns with the 4 Ts framework, where it’s categorized as a method to treat risks. However, neither the 4Ts nor PCDD are recommended by standards or industry best practices for direct integration into the risk matrix.
A simplified version of PCDD can be outlined as follows:
- Preventive Control: An internal mechanism designed to avert unwanted incidents, mistakes, or other events that a company identifies as potentially harmful to a process or final outcome.
- Corrective Control: A measure intended to address and fix errors, oversights, or unauthorized actions and breaches after they have been identified.
This simplified model also notes that preventive and directive controls take effect before an event occurs (pre-event manifestation), while corrective and detective controls activate afterward (post-event manifestation). This aligns with ISO 31000, which distinguishes controls that address causes to alter the likelihood of a risk from those that manage consequences to adjust the impact on objectives. The strategies can also be grouped as proactive (pre-event, requiring action to establish controls before a risk materializes) or reactive (post-event, activating after a risk occurs). This proactive-reactive split is reflected in tools such as the risk bow-tie.

Additionally, some control theorists introduce the concept of anticipatory controls. These are forward-thinking, akin to directive controls but with a longer-term, strategic focus. Set in place ahead of potential future scenarios, anticipatory controls aim to equip an organization to adapt effectively and promptly if those scenarios unfold. They’re particularly useful for risks with a distant time horizon (long risk proximity). The key distinction between anticipatory and directive controls lies in their scope: directive controls respond to the organization’s current internal and external context, while anticipatory controls look ahead, preparing the organization for anticipated shifts in those environments.
For example, consider the controls in the case of fraud risk:
Proactive controls could include suitable vetting of candidates' backgrounds at the job interview stage, or a range of penalties that can be invoked against any member of staff found to be defrauding the company, which reduces the incentive to commit fraud.
Reactive controls could include a review of new suppliers set up by staff on the organization's accounting system, to detect any false or "ghost" suppliers to which money could be channelled.
Further examples are confidential whistleblowing arrangements and fraud hotlines; media handling designed to limit the reputational damage that follows a fraud; and bringing in the police to deal with the fraudsters, which removes the cause of the fraud from the business.

Many businesses will find it much easier to estimate the cost of risk management than the benefits that come from managing risks.
The costs are here and now. We can estimate much of them from what we spend on staff who spend time managing risks, on administering the ERM (Enterprise Risk Management) framework, on providing assurance, and on running controls or paying for insurance. So while the total cost of risk management may not be too difficult to calculate, the cost of managing an individual risk is much harder to compute, because it requires allocating those total costs across individual risks. (Think, for example, how you would allocate your own time across all the individual risks the organization faces.) The benefits of risk management are more elusive than the costs because risks are future events: they may never occur (in which case the value of the control is zero). Moreover, it may be impossible to calculate how much any individual control reduced the likelihood or impact of a risk, since you never know what would have happened if the risk had occurred with no controls in place. Nor can you isolate the contribution of one control when a risk is managed by several. Whether or not the risks occur, the assurance people feel that things are under control is very valuable, but it is also extremely hard to quantify. The weighing of the risk cost-benefit scales is therefore most likely an intuitive one, like so much in risk management.
Role of insurance and business continuity
When a threat becomes reality, it carries a cost for the organization, but there’s also a cost tied to addressing or mitigating that risk. Even the process of identifying, analyzing, and assessing the risk (risk assessment) comes with expenses. The lower an organization’s risk appetite, the more risk-averse it becomes, leading to a lower acceptable target risk—and, consequently, higher costs for risk responses. However, this increased cost is balanced by a reduced exposure (or expected loss) from the risk itself. Likewise, when pursuing an opportunity, there’s a cost to investing in or managing it. The higher the target risk, the more expensive the response becomes. For threats, at the inherent risk level—before any controls are applied—the organization’s total risk exposure is extremely high, while the cost of response is zero. As controls are implemented, the expected risk exposure decreases (often rapidly at first, as efforts target the most severe risks), but the cost of these responses rises. Eventually, the cost of additional responses reaches a point where further investment becomes impractical: the added expense of controls no longer justifies the reduction in threat exposure or the potential gain from an opportunity. This reflects the concept of diminishing returns in threat response investments—a persuasive idea due to its logical foundation and the need for judgment in deciding when to stop spending on responses and accept some level of risk exposure. This cost-benefit analysis is key to evaluating control effectiveness. As highlighted earlier, the goal isn’t to manage all risks regardless of cost, nor to control all costs regardless of risk.
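The feedback loop described earlier in this unit (compare the current rating with the target, treat, re-analyse, repeat) and the diminishing-returns argument in the paragraph above are two halves of one procedure, so the following added example works them through together. It is not part of the course text or of any standard: the risk register entry, the four candidate controls, their likelihood and impact factors and their annual costs are constructed values, and the "current rating" is taken to be expected annual loss (likelihood times impact) so that it can be compared directly with a monetary appetite. The stop rule, `min_benefit_cost_ratio`, is the affordability test the text alludes to: when the best remaining control removes less expected loss than it costs, the loop stops and reports that the objective or the appetite needs revisiting rather than adding a control that does not pay for itself.

```python
"""Risk treatment feedback loop with a diminishing-returns stop rule.

Added example: not part of the course text.  The risk register entry,
the control effects and the costs are constructed values for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_factor: float  # multiplies annual likelihood (0.2 means an 80% cut)
    impact_factor: float      # multiplies the loss per occurrence
    annual_cost: float        # running cost, same currency units as impact


@dataclass
class Risk:
    name: str
    likelihood: float  # probability of the event occurring in a year, 0..1
    impact: float      # expected loss per occurrence
    applied: list = field(default_factory=list)

    def exposure(self) -> float:
        """Expected annual loss: the 'current rating' compared with appetite."""
        return self.likelihood * self.impact


# Constructed candidate controls for a phishing-led account-takeover risk.
CONTROLS = [
    Control("Phishing-resistant MFA", 0.2, 1.0, 40_000),
    Control("Phishing awareness training", 0.7, 1.0, 20_000),
    Control("EDR with 24x7 response", 1.0, 0.5, 60_000),
    Control("Cyber insurance (risk sharing)", 1.0, 0.6, 30_000),
]


def sample_risk() -> Risk:
    """Constructed inherent rating: 60% chance per year, 500k loss per event."""
    return Risk("Credential phishing leads to account takeover", 0.6, 500_000)


def reduction(risk: Risk, control: Control) -> float:
    """Expected annual loss removed if `control` were applied to `risk` now."""
    after = (risk.likelihood * control.likelihood_factor) * (risk.impact * control.impact_factor)
    return risk.exposure() - after


def treat(risk: Risk, candidates: list, appetite: float,
          min_benefit_cost_ratio: float = 1.0) -> dict:
    """Apply controls one at a time until exposure is within appetite.

    Each pass re-analyses the risk after the previous treatment, then picks
    the remaining control that removes the most expected loss per unit cost.
    The loop stops early when even the best remaining control does not pay
    for itself (reduction < min_benefit_cost_ratio * cost): that is the
    diminishing-returns point where the residual must be tolerated or the
    objective revisited.
    """
    remaining = list(candidates)
    steps = []  # (control applied, exposure after re-analysis)
    total_cost = 0.0
    outcome = "within_appetite"

    while risk.exposure() > appetite:  # re-analysis happens here on every pass
        best = max(remaining, key=lambda c: reduction(risk, c) / c.annual_cost, default=None)
        if best is None or reduction(risk, best) < min_benefit_cost_ratio * best.annual_cost:
            outcome = "rethink_objective"
            break
        # Treat: the control modifies likelihood and/or impact.
        risk.likelihood *= best.likelihood_factor
        risk.impact *= best.impact_factor
        risk.applied.append(best.name)
        remaining.remove(best)
        total_cost += best.annual_cost
        steps.append((best.name, round(risk.exposure(), 2)))

    return {
        "outcome": outcome,
        "applied": list(risk.applied),
        "residual_exposure": round(risk.exposure(), 2),
        "total_cost": total_cost,
        "steps": steps,
    }


if __name__ == "__main__":
    for appetite in (75_000, 50_000):
        print(appetite, treat(sample_risk(), CONTROLS, appetite))
```

With an appetite of 75,000 the loop applies MFA alone (inherent exposure 300,000 falls to 60,000) and stops. With an appetite of 50,000 the same first step is taken, but the best remaining control (training) would remove 18,000 of expected loss for 20,000 of cost, so the loop reports `rethink_objective` with the residual still above appetite; relaxing the affordability ratio to 0.8 makes that second control acceptable and brings the residual to 42,000. Insurance appears as an impact multiplier rather than as a full transfer, matching the text's point that sharing a risk rarely removes it.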
4.2 Control Effectiveness
This cost-benefit evaluation, set out above, is key to assessing control effectiveness. Control effectiveness should not be judged solely on financial metrics, however. Many organizations take a broader view, with The Open University emphasizing that controls should first be well-designed.
Beyond that, factors like the ease of designing, implementing, and sustaining controls matter—harder-to-manage controls tend to be less effective. A comprehensive checklist for control effectiveness should evaluate the design, implementation, and upkeep of controls, their impact on the probability and consequences of risks (both threats and opportunities), and the associated costs.

Hierarchy of controls
From a health and safety standpoint there is a structured hierarchy of controls, in which personal protective equipment (PPE) is used only as a last resort. The HSE (the UK Health and Safety Executive) identifies elimination (terminating the activity or preventing the hazard) as the most effective strategy, followed by four other control methods ranked in descending order of effectiveness:
- Elimination – completely removing the hazard.
- Substitution – swapping the hazard for something less dangerous.
- Engineering controls – separating individuals from the hazard.
- Administrative controls – modifying how people perform their tasks.
- PPE – equipping workers with protective gear.
The top three controls—elimination, substitution, and engineering—do not depend on human interaction with the hazard, making them more reliable at preventing risks from materializing.

The Swiss cheese model of control effectiveness
Another angle on evaluating control effectiveness in health and safety is the Swiss Cheese Model, developed by James Reason in 1991. Originally devised to analyze accidents, the model can also be used to assess the strength of any set of controls. It has its strengths and limitations, but at its core it treats every control as having flaws (or "holes") and so calls for multiple layers of controls to manage a risk, so that the risk is still caught if one or more layers fail. Take the risk of contracting Covid-19: the model distinguishes controls that lower the chance of infection from controls that limit its impact and spread. Vaccines, for instance, act as both proactive and reactive measures, offering protection before and after exposure. The model also encourages organizations to look for alternative controls. Most organizations maintain standard cybersecurity measures, for example, and some go further by commissioning ethical hackers (penetration testers) to probe for vulnerabilities their existing controls miss; similarly, in securing physical assets, some organizations enlist former thieves to test the robustness of their security systems.
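The Swiss cheese picture can be put in numbers, which makes the case for layering, and its limit, concrete. The following is an added example, not part of the course text or of Reason's model. Each layer is given a "hole" probability (the chance that it fails to stop a given hazard); if the layers fail independently the residual probability is the product of the holes, which is why three mediocre layers can beat one good one. The `common_cause` parameter is a simplifying assumption introduced here: it is the assumed share of events in which the holes line up because the layers share a cause (same vendor, same administrator, same mistaken assumption), and in those events the stack is only as good as its weakest layer. The hole values are constructed.

```python
"""Residual probability that a hazard passes every control layer.

Added example: not part of the course text.  The hole probabilities are
constructed, and the common-cause mixing model is a simplifying assumption.
"""
from math import prod


def residual_probability(hole_probs: list, common_cause: float = 0.0) -> float:
    """Probability that a hazard gets through all layers.

    hole_probs   : per-layer chance of failing to stop the hazard.
    common_cause : assumed fraction of events in which the holes line up
                   (0 = fully independent layers, 1 = one shared weakness).
    """
    if not hole_probs or not all(0.0 <= p <= 1.0 for p in hole_probs):
        raise ValueError("hole probabilities must lie in [0, 1]")
    if not 0.0 <= common_cause <= 1.0:
        raise ValueError("common_cause must lie in [0, 1]")
    independent = prod(hole_probs)  # all layers must fail separately
    aligned = max(hole_probs)       # holes lined up: only the weakest layer counts
    return common_cause * aligned + (1.0 - common_cause) * independent


def layers_needed(hole_prob: float, target: float) -> int:
    """Fewest independent layers with the given hole to get the residual to or below target."""
    if not 0.0 < hole_prob < 1.0 or not 0.0 < target <= 1.0:
        raise ValueError("hole_prob must be in (0, 1) and target in (0, 1]")
    layers, residual = 0, 1.0
    while residual > target:
        residual *= hole_prob
        layers += 1
    return layers


# Constructed phishing defence: mail filtering, user awareness, MFA.
PHISHING_LAYERS = [0.3, 0.5, 0.1]

if __name__ == "__main__":
    print("independent:", residual_probability(PHISHING_LAYERS))
    print("20% common cause:", residual_probability(PHISHING_LAYERS, 0.2))
    print("layers of hole 0.2 to reach 0.1%:", layers_needed(0.2, 0.001))
```

With independent layers the three constructed controls leave a 1.5% residual; if one event in five finds the holes aligned, the residual is 11.2%, more than seven times worse. That is the quantitative reason the text's "alternative controls" matter: a penetration test is valuable not only as another layer but as a layer whose failures are unlikely to share a cause with the product-based ones.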

Verification of real controls
As mentioned earlier, genuine controls are those that actively manage and alter risks. On their own, data collection and guidance don’t qualify as real controls—only when that data informs decisions and the guidance is put into action do they influence risks. Yet, in many organizations, efforts to verify or assess control effectiveness are often limited to reviewing the quantity and nature of collected data, along with existing procedures, manuals, and training programs. These checks are straightforward to perform, but an excessive focus on testing the wrong or incomplete controls has historically contributed to numerous incidents. The tougher task is confirming whether controls are being applied effectively, not just whether they exist. Revisiting the Covid-19 example, deeper questions are needed to evaluate the true impact of a control. For instance, in 2021, the UK provided free lateral flow tests to all. To gauge this control’s effectiveness, one might ask:
- Are enough tests available?
- Is requesting tests a simple process?
- Are tests delivered promptly?
- Are results reported to the UK government?
- Are individuals with positive results contacted by phone?
- Are physical inspections conducted at the locations of those testing positive?
If any of these elements fall short, additional effort is needed to close the gaps so that the control works as intended. It is worth noting that a control might perform perfectly if a risk unfolds as anticipated, but if the risk emerges in an unexpected way the control's effectiveness is uncertain: it might fail entirely, or even make the situation worse. Writers on unintended consequences suggest that all risk responses generate side effects for organizations, much as medications do for patients; a measure designed to reduce exposure to one risk might inadvertently heighten exposure to another, and the severity (or benefit) of these side effects is not always immediately clear. This discussion ties into risk assurance and the role of internal audit, which independently evaluates the efficiency and effectiveness of controls. This is a critical field, and it is important to grasp how internal audit activities contribute to successful risk management.
4.3 Monitoring Risks
ISO 31000 (2018) integrates the concepts of monitoring and reviewing risks, explaining that their goal is to ensure and enhance the quality and efficiency of the design, execution, and results of risk management processes. The standard highlights that monitoring is a continuous activity, while reviews occur at set intervals. Although many authors and organizations use “monitoring” and “reviewing” as if they were the same, we will distinguish between them and examine them individually. Monitoring involves continuously observing the state of risks, controls, causes, effects, and any shifts in these elements, as well as changes in the surrounding context and goals. Reviewing, on the other hand, entails evaluating the success of existing controls and the overall risk management process, typically conducted less frequently. Consistently monitoring risks enables us to adapt to updates in the condition of risks, controls, causes, consequences, context, and objectives. To detect changes in our risks, we might ask:
- What is currently happening in our internal and external environments?
- What changes do we anticipate?
- What recent events offer lessons for us?
Answers to these questions can be gathered from various sources.
Three fundamental approaches to risk monitoring include employing key risk indicators, key control indicators, and tracking the overall risk status.
A) Key Risk Indicator
Risk managers continually strive to validate the resources allocated to risk management by emphasizing how it enhances organizational performance. Typically, they aim to rely on concrete, quantifiable metrics, such as financial outcomes or other measurable results. However, assigning a monetary value to the benefits of risk management can be challenging, especially when it involves assessing the worth of preventing a risk event. Various methods exist to evaluate improvements in business performance, including key performance indicators (KPIs)—like retail sales growth or passenger increases in aviation—which have evolved into key risk indicators (KRIs). Risk reporting is a vital component of the risk management process, and organizations tailor their KRIs to meet their specific requirements within this framework. Beyond customized KRIs, there are also universal risk indicators that can be adapted to suit any organization’s needs.

Staff turnover can serve as an example for multiple types of risks. For instance:
- Threat: We may struggle to hire and retain enough qualified staff in area A. If staff turnover hits a critical threshold in any of the example organizations, it could signal an increased likelihood of this threat materializing.
- Opportunity: We could attract new employees who introduce fresh, innovative coding ideas. However, if staff turnover stalls, it might indicate a reduced chance of seizing this opportunity.
The key point is that the risk control measures in place must prove effective in keeping the risk profile aligned with the board’s expectations, and these controls should be rigorously evaluated for their performance. The perceived benefit lies in ensuring safe, compliant, lawful, and competitive operations that drive organizational success—however that success is measured—while far outweighing the costs of implementing risk management practices.
B) Key control indicators
While key risk indicators (KRIs) track shifts in risk levels, key control indicators (KCIs) assess the performance of controls and how they evolve over time. This connects to earlier discussions about control effectiveness, where controls are established and evaluated to either maintain risks at their current state or play a role in altering their magnitude. Examples of key control indicators might include tracking:
- The number of unauthorized trades.
- The proportion of staff under supervision.
- The frequency of disaster recovery plan testing.
Key control indicators can complement compliance and internal audit assurance processes, offering a potentially quicker alert that risks might be shifting due to controls becoming more—or more often, less—effective.
C) Leading and lagging indicators
KPIs, KRIs, and KCIs are all performance metrics, each serving a slightly distinct role. Some indicators reflect past performance, while others signal what might happen in the future. Leading indicators, which focus on future trends, offer early alerts about potential shifts—examples include metrics like customer engagement or brand reputation. Lagging indicators, by contrast, analyze historical data and measure results, such as financial outcomes like profit and loss, recurring audit findings, or findings concentrated in a specific organizational area. Typically, KRIs lean toward being leading indicators, while KCIs are more lagging in nature. Nonetheless, both types play a valuable role in identifying changes in risk levels.
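The KRI and KCI examples above (staff turnover as a risk indicator; unauthorized trades, supervised staff and disaster recovery testing as control indicators) and the leading/lagging distinction in this paragraph can be expressed as one small monitoring routine. The following is an added example, not part of the course text: the indicator names, the thresholds and the monthly series are constructed for illustration, and the rule that three consecutive adverse moves count as a leading "warning" is an assumption chosen here, not a standard. A threshold breach is the lagging signal (the limit has already been crossed); a run of adverse moves while still inside the limit is the leading one.

```python
"""Key risk and key control indicator checks over constructed monthly data.

Added example: not part of the course text.  The indicators, thresholds and
the series below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str
    kind: str               # "KRI" tracks risk level, "KCI" tracks control performance
    threshold: float        # agreed tolerance for this indicator
    worse_when: str         # "above": higher is worse; "below": lower is worse
    trend_periods: int = 3  # consecutive adverse moves that count as a leading signal


def adverse(ind: Indicator, before: float, after: float) -> bool:
    """True if moving from `before` to `after` is a move in the bad direction."""
    return after > before if ind.worse_when == "above" else after < before


def evaluate(ind: Indicator, series: list) -> dict:
    """Classify one indicator from its observations (oldest first).

    breach  : latest value is past the threshold (lagging: limit already crossed).
    warning : within tolerance, but the last `trend_periods` changes all moved
              the wrong way (leading: the risk or control is shifting).
    ok      : neither.
    """
    if not series:
        raise ValueError(f"{ind.name}: no observations")
    latest = series[-1]
    breached = adverse(ind, ind.threshold, latest)  # latest lies beyond the threshold
    recent = series[-(ind.trend_periods + 1):]
    trending = (len(recent) == ind.trend_periods + 1
                and all(adverse(ind, a, b) for a, b in zip(recent, recent[1:])))
    status = "breach" if breached else ("warning" if trending else "ok")
    return {"name": ind.name, "kind": ind.kind, "latest": latest,
            "threshold": ind.threshold, "status": status}


INDICATORS = [
    Indicator("staff_turnover_pct", "KRI", 15, "above"),    # annualised turnover, area A
    Indicator("unauthorised_trades", "KCI", 0, "above"),    # trades outside mandate
    Indicator("staff_supervised_pct", "KCI", 90, "below"),  # proportion under supervision
    Indicator("dr_tests_per_quarter", "KCI", 1, "below"),   # DR plan exercised quarterly
]

# Constructed observations, oldest first.
SERIES = {
    "staff_turnover_pct": [8, 9, 9, 11, 13, 14],   # under 15, but rising three periods running
    "unauthorised_trades": [0, 0, 1, 0, 0, 2],     # any value above 0 is a breach
    "staff_supervised_pct": [97, 96, 96, 95, 94],  # above 90, and 96 -> 96 breaks the run
    "dr_tests_per_quarter": [1, 1, 0, 0],          # fell below one test per quarter
}


def run_monitor(indicators: list, series: dict) -> dict:
    """Evaluate every indicator; a missing series is reported, not silently skipped."""
    results = {}
    for ind in indicators:
        if ind.name not in series:
            results[ind.name] = "no_data"
            continue
        results[ind.name] = evaluate(ind, series[ind.name])["status"]
    return results


if __name__ == "__main__":
    for name, status in run_monitor(INDICATORS, SERIES).items():
        print(f"{name:22} {status}")
```

On the constructed data, turnover is still inside tolerance but reports `warning` because it has risen for three consecutive periods, unauthorised trades and DR testing report `breach`, and supervision coverage is `ok`. The `worse_when="below"` direction also covers the opportunity case in the text: a turnover indicator for "fresh hires bring new ideas" would be configured so that a stalled (falling) figure is the adverse move.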
D) Different datasets
When tracking risks, it’s ideal to leverage all available datasets to detect shifts in risks, controls, context, objectives, and more. These datasets can be organized into four quadrants based on two axes: internal versus external data and human versus machine-generated information, as outlined in Risk Datasets. Most organizations rely on a limited pool of data, primarily from the top-left quadrant—internal, human-sourced information. Some expand to include external data from the top-right quadrant. However, as technology matures, data mining advances, and information needs evolve, more organizations are tapping into diverse, complex, and voluminous sources like the Internet of Things (IoT) or Big Data.

IBM describes the Internet of Things as the practice of linking any device to the internet and other connected devices, facilitating the collection and exchange of data about device usage and their surrounding environment. This is particularly helpful for organizations gathering internal data, though some also use it for external insights.

Oracle defines Big Data as information characterized by variety, growing volume, and higher velocity—commonly referred to as the 3 Vs. This data is often so extensive that traditional processing methods fall short, yet it holds immense value for organizations equipped and motivated to harness it for risk understanding. Key steps to leverage Big Data include integrating internal information systems, providing technology to store and manage the data, and analyzing it effectively.

E) Risk Status
We’ve explored monitoring changes in risks, controls, context, and objectives, and there’s an additional method to keep attention on risks needing active oversight. This method involves analyzing the lifecycle or status of a risk. The risk status approach outlines the different phases a risk goes through, and by slightly adjusting key status levels, it helps prioritize risks appropriately across their lifecycle:
- Draft: The risk is newly identified and requires evaluation to confirm its validity and relevance to the activity in question.
- Active: The risk is confirmed as real and demands ongoing efforts to reduce it to an acceptable level. Active risks and their controls should be frequently monitored to verify control effectiveness and progress toward the target risk level.
- Ongoing: The risk has been brought to an acceptable level but remains open and subject to potential shifts. These risks are reviewed less often, with KRIs and KCIs developed to detect subtle changes.
- Closed/Managed: The risk is resolved through effective management, allowing lessons to be drawn for handling similar risks in the future.
- Closed/Occurred: The risk has materialized and can now be closed, with lessons learned to improve future management of similar risks.
Additional risk status categories include:
- Rejected: Risks identified as mere issues or problems rather than true risks.
- Escalated: Risks that don’t impact the current activity’s objectives but affect other parts of the organization, requiring reassignment to the relevant team.
- Deleted: Risks that can no longer occur due to shifts in context, scope, or objectives.
- Expired: Risks that are no longer relevant because their time frame has passed.
4.4 Reviewing Risk Management
Reviewing involves evaluating the effectiveness of controls implemented to manage risks and assessing the risk management process itself, typically conducted less frequently than monitoring. Unlike monitoring, a review is a structured, formal evaluation of risks and risk management practices, aimed at prompting changes when deemed necessary.
The purpose of reviewing risks and their controls is to ensure that risks are being managed successfully. Reviews are backward-looking, asking, “How did we perform?” They are generally scheduled based on organizational level or the timeline of the activity involved. Key factors influencing the timing of risk reviews include:
- Is this a planned review?
- Has monitoring revealed any changes?
- Have control enhancements been proposed?
- Have incidents or near misses occurred?
- Have internal or external reports or concerns been raised?
For instance, the UK Corporate Governance Code mandates that Boards review the effectiveness of a company’s risk management and internal control systems at least annually, encompassing all significant controls. Within this system, audits may assess controls across various business areas as part of annual audit planning. Many projects and operational tasks also require formal reviews aligned with project milestones or team updates.
While we’ve previously assessed whether controls are well-designed, risk reviews focus on whether those controls are being applied effectively. The verification of actual controls emphasizes their execution, not merely data collection or guidance provision.
Risk reviews complement data from key control indicators (KCIs) and are often guided by them. Many organizations, particularly in financial services, conduct “self-reviews” of controls and key risks using structured methods like Risk Control Self-Assessment. Others rely on internal risk experts to evaluate risks and controls, while most engage internal audit for an independent assessment of control effectiveness. Some organizations combine all three approaches. The UK Corporate Governance Code reiterates the need for an annual Board review of risk management and internal control systems, including the risk management process itself.
Principle 17 of the COSO:2017 ERM framework emphasizes the need for organizations to continuously improve enterprise risk management, while ISO 31000:2018 Principle (h) stresses ongoing enhancement through learning and experience.
Beyond being a requirement, regularly reviewing the risk management framework and process is a best practice adopted by many organizations, often on a three-year cycle. This timeline allows for the review, identification and agreement on improvements, their implementation, and sufficient time to observe their impact. Longer intervals might fail to keep pace with evolving risk management practices as organizations and professionals refine their approaches.
Such reviews are frequently conducted by external, independent experts, either in place of or alongside internal audit reviews. These assessments are typically benchmarked against:
- Applicable regulations, such as those for health and safety, environmental protection, or financial stability.
- Risk management standards and frameworks like ISO 31000:2018 and COSO:2017.
- Industry or sector-specific best practices, informed by the expert’s expertise and experience.
The review process generally involves a desktop analysis of relevant risk management documents and interviews with key personnel across all organizational levels, using a tailored set of questions to evaluate the framework, process, and implementation. Surveys may also be employed, depending on the review’s scope. Outcomes typically include:
- The purpose of the review.
- Benchmarking standards relevant to the organization.
- Interview and/or survey questions.
- Key findings, including notable discussion points.
- Opportunities or suggestions for improvement.
- Primary recommendations.
Lessons learnt and near misses
Learning from both successes and setbacks is crucial. When we initially design and apply a control, its ability to mitigate a risk is uncertain, and the range of possible residual risk outcomes can be broad and hard to predict. By monitoring and reviewing these controls, we gain insight into their performance, allowing us to refine them for greater effectiveness and more consistent residual risk results. During a control review, we should address two core questions:
- Is the chosen control truly the best option for managing this risk?
- Is it working effectively in practice?
A third question could also be considered:
- Does the control offer good value relative to its cost?
The primary goal of monitoring and reviewing is to foster learning and enhance our risk management efforts. However, just as developing and implementing responses incurs costs, so too does the process of monitoring, reviewing, learning, and improving them. With limited resources, we can’t continuously assess every control. This raises the question: Which controls are most critical to learn from? Key controls—sometimes called “critical” controls in certain industries—are those that address the organization’s most significant risks. If these fail, the consequences could be severe, making it essential to monitor, review, learn from, and improve them more often than less critical controls.
Learning through review shouldn’t be confined to controls alone. Most risk management standards suggest applying lessons across the entire risk management process and framework. Reviewing the full process offers several benefits, such as:
- Ensuring responses are both effective and efficient, addressing any weaknesses or gaps in our control measures.
- Recognizing and mitigating unintended consequences or adverse effects of our actions.
- Enhancing knowledge to improve risk identification and analysis.
- Strengthening the connection between risks and objectives, key dependencies, core processes, and stakeholder needs.
- Anticipating shifts in internal or external contexts.
- Identifying trends and changes in existing risks.
- Preparing for new or emerging risks.
- Highlighting effective risk management practices to share and replicate across the organization.
Our final point on learning focuses on reviewing actual events—risk incidents and near misses—that can occur in any organization. When a threat or opportunity materializes, resulting in a problem or a less favorable outcome than anticipated, the event itself offers valuable lessons. Likewise, when a risk is managed exceptionally well, those insights can serve as best-practice examples to share with less risk-mature parts of the organization. Near misses—situations where a risk nearly becomes reality but doesn’t cause significant harm (positive or negative)—also provide learning opportunities. Examples of negative near misses include:
- A small fire extinguished before causing damage.
- A minor fraud detected before financial loss.
- An airplane forced to make an emergency landing.
- A disaster impacting a competitor that could have easily affected us (e.g., lessons for oil and gas firms from BP’s 2010 Deepwater Horizon incident, or for individuals, organizations, and nations from the COVID-19 pandemic).
Reviewing near misses helps us understand:
- What caused the event.
- Whether it was previously identified as a potential risk.
- Why it didn’t lead to a major impact.
- Whether our assessments of its likelihood and impact were accurate.
In conclusion, risk incidents and near misses offer the richest opportunities for learning and refining our risk management framework. Given the wide array of risks and controls in any organization, there’s always room for continuous learning and improvement.

4.5 Communication and Consultation
ISO Guide 73:2009, the standard on vocabulary for risk management, defines communication and consultation as follows:
“Continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.2.1.1) regarding the management of risk (1.1)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.6.1.1), significance, evaluation, acceptability and treatment of the management of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue.
Consultation is:
a process which impacts on a decision through influence rather than power; and an input to decision making, not joint decision making.”
As highlighted in its definition, communication is fundamental to risk management. Without timely and effective interaction with relevant stakeholders to collect the most accurate and current information on risks and controls, risk management efforts fall short. Risk management is a dynamic, ongoing process that demands active participation and commitment to safeguard, sustain, and generate value for an organization. Central to this process is communication, which facilitates the collection and dissemination of risk-related information across all organizational levels. ISO 31000:2018 emphasizes that communication and consultation must be coordinated to ensure a “factual, timely, relevant, accurate, and clear exchange of information,” while respecting confidentiality, data integrity, and individual privacy rights.

We’ve explored stakeholder mapping, a visual method for identifying and categorizing stakeholders based on their interest in and influence over an organization and its activities. According to ISO Guide 73, consultation is a process that shapes decisions by incorporating stakeholder input. Through stakeholder mapping, organizations pinpoint which parties need close engagement, regular updates, satisfaction, or simple monitoring. This analysis directly informs communication plans, which outline the who, how, why, what, and when of engaging with target audiences.

Every organization should maintain communication plans, adaptable to include risk management considerations. A 2021 Forbes article identifies five key elements of a successful strategic communication plan, including designating who is accountable for communication. Like stakeholder mapping, these plans must address both internal and external audiences. While communication plan formats may vary, they generally align with the core questions of who, how, why, what, and when.
Table: Example Communication Plan

| Type | Audience | Objective / Message | Media / Channel | Frequency | Timing | Owner / Responsibility | Feedback |
|---|---|---|---|---|---|---|---|
| Team meeting | Team members | Review of weekly plan | Face to face | Weekly | Mondays, 10:30 | Team Leader | Review of previous actions |
| Risk Committee | Risk Committee members | Status of principal risks – in preparation for Risk Committee meeting | Report | Monthly | 2 weeks prior to Risk Committee meeting | Chief Risk Officer | Minutes of meeting; discussions with risk managers and relevant risk owners |
Communication plans are often scarce within organizations, typically limited to external plans managed by the communications team or project-specific plans that mandate stakeholder analysis and communication strategies. An effective communication plan should address:
- What is the goal of the communication plan?
- Who is the intended audience, and what message resonates with them?
- What methods will be used to deliver the message?
- When is the best time for the communication—immediately or at a later point?
- Who will take ownership of executing the communication?
All teams, departments, and functions should create communication plans to ensure meaningful engagement with stakeholders or interested parties. These plans must incorporate appropriate communication and consultation regarding risk information. Instead of crafting entirely new plans, risk management should be integrated into existing communication processes.
Reporting feedback loops
We explored feedback loops, highlighting their role in integrating risk management into the regular rhythm of meetings and reporting, which forms a key element of the risk architecture. Feedback loops are vital to effective communication. Often, risk information is passed up through various management levels via risk reports, only to seemingly vanish without a trace. This lack of response undermines engagement in the risk management process, as sharing information with management becomes a one-way street without reciprocal feedback. In the absence of a feedback loop, the individual providing the information is left uncertain about whether it was received, comprehended, or acted upon. An illustration of effective feedback can be found earlier in the Table of Example Communication Plan. ISO 31000:2018 elaborates on communication and consultation, stating that communication aims to raise awareness and comprehension of risks, while consultation focuses on gathering feedback and insights to inform decision-making. Similarly, an employment website’s article, “Creating a Positive Feedback Loop in Your Business (with Examples),” suggests that a positive feedback loop can enhance processes, products, and services within an organization, while also positioning it to make more informed, strategic decisions.
Internal reporting
To evaluate the effectiveness of risk management within an organization, directors need regular, detailed insights into risks, controls, and the structure of the risk management framework. As mentioned previously, some regulations mandate an annual risk review by boards, but it’s typical for board meetings to include a recurring agenda item featuring a report from the head of risk management.

Once risks are identified and their overall impact on the organization is evaluated—considering not just their risk ratings but also how risks and controls interrelate—decisions must be made about investing in measures to alter those risks. This requires the board or senior management to weigh the costs and benefits of establishing a control framework. While some risks undeniably require controls, there’s often flexibility in selecting them, and senior leaders bear the responsibility for these choices. To support this, the risk management function must provide comprehensive risk analysis reports, including control options, their costs, and their impact on processes (interventions). The risk management process enables an assessment of the risks faced, the capacity to manage them within the given context and objectives, and whether those objectives remain achievable. If objectives can’t be met, leaders may need to seek approval or resources to further mitigate risks or adjust goals. Risk reporting should enable these discussions.
To ensure risk reporting is thorough, the risk management function should establish a framework for consistently delivering risk information, developed through dialogue with senior managers and board members to determine their preferred data and presentation style. Many of these leaders bring insights from other organizations about what’s effective and visually appealing. This risk reporting framework should be woven into the organization’s broader risk management communication plan and, as noted earlier, integrated into the existing reporting rhythm and structure—part of the risk architecture within the risk management framework. Risk information is shared not only to aid decision-making—ranging from individual control adjustments to shifts in organizational strategy—but also to empower managers to challenge and decide appropriately. Yet, many organizations simply share risk registers with senior leaders or highlight the “top 10” risks using color-coded risk matrices. This can misdirect focus, either by overwhelming leaders with all risks or by overlooking risks with potentially massive impacts that aren’t flagged as “red” but remain uncontrolled.
Useful risk report content might include:
- Confidence levels in achieving objectives.
- Notable changes in risks, controls, context, or objectives.
- Emerging or significant new risks, themes, or trends.
- Progress on actions to reduce risks to acceptable levels.
- Further actions required to manage risks.
- Updates on control effectiveness.
This data is compiled into a report for senior managers and, ultimately, the board, allowing the risk management function to update leaders on the current risk landscape and seek approval for improvement measures. Beyond these regular updates, an annual comprehensive review of risk management is common, enabling the board to assess and approve its alignment with the organization’s risk strategy, appetite, and tolerances. Some organizations leverage IT platforms to streamline risk reporting, while others incorporate it into dedicated risk management information systems, if available. The risk register typically serves as the primary source for upward reporting, detailing all risks and control assessments. Additional risk insights often come from early warning tools tailored to the organization, such as key risk indicators (KRIs) and key control indicators (KCIs).
External reporting
Regulated entities like banks and insurance firms must provide their regulators with details about their risk management strategies, any violations of regulatory rules, and customer complaint information. Under the UK Companies Act 2006, nearly all companies must include their main risks and uncertainties in their annual reports and accounts, giving stakeholders insight into potential business risks, unless they qualify for an exemption. The Financial Reporting Council (FRC) expands on this in its ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting,’ expecting annual reports to disclose specifics such as:
- The primary risks facing the company
- Directors’ confidence in the company’s ability to continue operating and meet its obligations
- The use of the going concern accounting principle
- An evaluation of the risk management and internal control systems, including their key elements
The FRC emphasizes that such disclosures inform stakeholders about risks and risk management while promoting accountability and oversight by the board and shareholders. They advocate for reports to be clear, concise, tailored to the company, and overall fair, balanced, and comprehensible. Through its Financial Reporting Lab, the FRC also offers guidance on ‘Reporting on risks, uncertainties, opportunities, and scenarios,’ outlining what investors seek, including:
- Governance and processes – how risks are dynamically identified, tracked, and managed by the board and leadership
- Nature of risks – their context, significance, and how they are recognized and categorized
- Management’s approach – concrete responses to risks, their interrelations within the organization, and their impact on viability and resilience
- Scenarios and stress testing – emerging risks and their incorporation into risk management
Even organizations outside the FRC’s scope often adopt similar reporting practices. For instance, the UK Charities Commission mandates that audited charities include a risk management statement in their trustees’ annual report. Aligned with the Orange Book, the UK Government’s ‘Good Practice Guide – Risk Reporting:2021’ outlines risk reporting principles and details four report types: the principal risk report, the deep dive report, the risk radar, and the risk moderation report.
Severn Trent Water plc’s 2021 annual report highlights key risks the company faces. The directors have carefully assessed these risks, though the list is not complete or ranked by importance. The risks include threats to health and safety, unsafe drinking water, poor wastewater treatment, supply chain issues, cyber threats, stricter regulations, pension funding problems, financial liquidity risks, climate change challenges, and environmental impact. Additionally, emerging risks include rising energy costs, geopolitical tensions, supply chain disruptions, and changing customer expectations. The report provides more details and stresses the need for accurate and complete information.
4.6 The decision-making process
We have considered the simple four-step risk management process, noting that the last arrow is the most important one as it ‘closes the loop’ and ensures that we use the process in decision-making. The central question of risk management is “Given the context in which we are working, and the risks (be they opportunities or threats) that are faced, and the extent to which they are managed, is it possible to achieve the objectives previously set?” As such, decisions made on the basis of the risks that affect or can be affected by that decision are an important output from the risk management process.
Effective decision making requires that the decision-making process follows a sequence of six steps:
- Classify the problem – is it new, unique or exceptional, or is it generic
- Define the problem – what is the situation
- Specify the answer to the problem – what are the boundaries
- Decide what is right, rather than what is acceptable, in order to meet the boundaries
- Build the decision into the action to carry it out – what is the action and who needs to know
- Test the validity and effectiveness of the decision – how was the decision implemented, and is it appropriate?
The decision-making process, as set out here, is threat based – dealing with the problem. However, decision-making deals with situations that can have both good and bad outcomes. Risk management can be related to all steps in this process, guiding and informing each one. At the heart of this process is the need to not only decide what to do, but to then implement that decision. As such, there is no reason to use the term risk-based decision making. However, this does perhaps require a higher level of maturity in the risk management process, where the focus on risk is embedded and a natural part of organisational thinking. Where you are trying to improve that maturity level, it may be useful to focus attention on the need to consider risks when making important decisions.
People in the decision-making process
When making decisions, it is important to determine who should be responsible for them. Key decisions are needed when considering whether to allocate more resources to managing a risk, adjust objectives, or accept that certain goals cannot be achieved. These decisions must be escalated to those with the appropriate level of authority, with strategic choices made by executives or the board, while operational decisions occur at other levels. However, decision-making is not just about authority—it is also influenced by perception, experience, knowledge, and biases. A Harvard Business Review (2012) article found that despite having access to large amounts of data, organizations do not always use it effectively. Employees were grouped into three decision-making types: unquestioning empiricists (who rely only on data), visceral decision-makers (who trust instincts alone), and informed skeptics (who balance analysis with judgment). Only 38% of employees and 50% of senior managers fell into the informed skeptic category, indicating that many decisions may not be made effectively. Decision-making styles also vary. These styles can be classified into four categories: directive, analytical, conceptual, and behavioral, based on whether a person focuses on tasks or social aspects and their tolerance for uncertainty. Understanding these styles is important for ensuring that decisions are well-supported with data and that sensitive decisions are handled appropriately. An organization’s risk culture and its willingness to take risks also influence decision-making. Recognizing different styles can help provide individuals with the right support and information to improve decision quality.