Rethinking Risk Response in the Digital Enterprise

R.V. Raghu
Author: RV Raghu, Past Board Director, ISACA, and director of Versatilist Consulting India Pvt. Ltd
Date Published: 7 July 2021

What does the term risk response, or risk treatment, as it is sometimes colloquially known, suggest (especially the word “treatment”)? If you are like me, treatment probably signifies risk is something that is bad, like a disease, and hence needs to be treated, or worse is like industrial effluent that needs treatment before being released into nature. So, what does this treatment look like, or for that matter, what do these risk response options look like? Well, if you have some experience with risk or have access to a search engine, you will know that risk treatment involves any of the following actions (without intending any specific order):

Risk Response in the Digital Era

In fact, a quick perusal of the ISO 31000 standard tells us that risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options can include the following:

Sl No

ISO 31000 description

Risk treatment connection

a)        

Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk

Risk avoidance

b)        

Taking or increasing the risk in order to pursue an opportunity;

This is something I will discuss a little later

c)        

Removing the risk source;

a)  changing the likelihood;

b)  changing the consequences;

Risk mitigation

d)        

Sharing the risk with another party or parties (including contracts and risk financing)

Risk transfer

e)        

Retaining the risk by informed decision

Risk acceptance

Depending on the organizational context, the type of risk and a whole host of factors, you have the luxury of choosing one of these options, and hopefully, it’ll lead to a happily ever after. Now it may look like I am stating the obvious but hear me out. I think these response options, i.e., risk avoidance, mitigation, transfer, and acceptance, were probably right in previous eras. For the enterprise of today, the one teetering on the edge of digital transformation or embarking on a digital transformation, these risk response options will not do. I think a fifth option is to be considered, which could be something like risk leverage or risk exploitation – something that signifies taking advantage of the risk or, as the ISO 31000 standard puts it, taking or increasing the risk in order to pursue an opportunity.

Now semantics notwithstanding, the idea is that enterprises today do not have the luxury of working with the four risk response options since traditionally and definitionally the four risk response options can be limiting in what is possible, especially in the digital era. Redefining the four existing risk response options to also include a fifth can be game-changing. That said, I think if we broaden how we define risk, it makes things easier. Risk is traditionally defined as the effect of uncertainty on the achievement of objectives. Based on definitions from ico’s Risk Management Policy and Appetite Statement, I propose a possibly better definition: A risk is an expression of uncertainty to achieving objectives and can be a threat or an opportunity.

Borrowing on the second definition, I propose a slightly revised version (which may not be entirely new but might be useful for our consideration) that could read “risk is the potential effect of uncertainty on the achievement of strategic objectives and could be a threat or opportunity.” There are two key words in the revised definition a) opportunity and b) strategic. While the second word may not seem so new considering it is also sometimes used in the traditional definition, the first word, “opportunity,” is important because it highlights the possibility of an upside or an advantage from risk. The usefulness of what looks like a semantic change becomes obvious when we apply a digital lens.

Enterprises in the throes of a digital transformation are facing risks, risks that they should and must adopt, and even leverage or exploit, especially when digital transformation is more often than not tied to strategic objectives, including business model changes and the need to fend off competition. In this context, being risk-averse and even applying the four usual risk response options will not do. Take the scenario of a brick-and-mortar enterprise faced with the choice of making a strategic pivot and establishing an online presence, or even leapfrogging into an app environment. Whichever way you look at it, what the enterprise is staring at ticks two boxes:

  1. These initiatives are strategic; and
  2. There are several risks that need to be considered.

So, how will this pan out when we apply the traditional risk response options? Let’s take the easy way out here and adopt an elimination approach. At a high level, the enterprise may not be able to avoid the risk because this means not carrying out the underlying activity from which the risk originates, and this is practically not possible and will probably lead to extinction. Similarly, the option of transferring risk does not make sense since this will be like giving away the keys to the kingdom to someone else. This leaves us two options: Either accept or mitigate. While on the face of it, acceptanceseems plausible, but it may be too wild a ride for the enterprise. Even if we consider that this is a strategic objective, the enterprise has considerable reserves of risk appetite.

This brings us to the final (traditional) option of risk mitigation. The Merriam-Webster dictionary defines mitigation as the act of mitigating something or the state of being mitigated: the process or result of making something less severe, dangerous, painful, harsh, or damaging. Adding concepts from the ISO 31000 standard to the above means that the enterprise is expected to:

  1. remove the risk source.
  2. change the likelihood.
  3. change the consequences.

I am aware that it might look like I am cherry-picking the intent of the words to suit my ends. But the reason is that often enterprises end up interpreting risk mitigation very narrowly and bear the catastrophic brunt of this, which leads me to the proposed fifth option (drum roll please!):

By including a fifth option into the risk response lexicon, it becomes easier for risk practitioners, business lines, and the board itself to better understand risk while also accepting that risk need not be a threat alone and might include an opportunity as well. An opportunity that needs to be studied well, analyzed deeply, and evaluated thoroughly before committing resources to its pursuit, but something that must be done because the very continued existence and survival of the enterprise may depend on this. So, going back to the brick-and-mortar enterprise looking to pivot into the online or the app space, things look different now (hopefully). There is no need to only look at the risks negatively. Semantically, at least there is an option to now see the upside, opportunity, or the positive in the actions, and I think that will make a world of difference. I also think this makes establishing and connecting aspects relating to risk appetite and digital transformation easier because the enterprise will be better able to understand and articulate what successful performance looks like and how to best pursue the opportunity that arises from a risk.

Now, before you nudge me gently and point out that the fifth option already exists, as suggested by the ISO 31000 standard, I assure you, I am aware of that. I only want to make sure that we as professionals keep this fifth option in mind and spread the message.

Let me know what you think. Drop me a note on Twitter @iyeraghu.