Return on Investment (ROI) is an Essential Element in Risk Management

Key Takeaways

  • The Role of ROI in Risk Management: ROI is a crucial factor in determining the effectiveness of risk treatments and making informed decisions about risk mitigation investments.
  • Risk Competes for Resources: Risks must compete for limited capital and operating expenses, which means understanding the ROI is essential to prioritizing risk treatments.
  • Evaluating Risk Treatment Options: The ROI of risk treatments should be assessed to determine if it meets organizational thresholds, if it can be improved, and how it compares to other investment opportunities.
  • Collaboration with Finance: Risk management decisions should not be made in isolation; they must be done collaboratively with the finance team to ensure strategic alignment and resource optimization.
Deep Dive

In this article, Norman Marks explores the critical intersection of Return on Investment (ROI) and risk management. The evolving landscape of risk management requires organizations to make informed decisions about how they treat and mitigate risk, ensuring that each investment aligns with strategic goals. In this piece, we’ll dive deeper into the concept of ROI as it relates to risk management and explore why every risk treatment should be evaluated not just for its effectiveness but also for the return on that investment.

The Critical Link Between ROI and Risk Management Decisions

When I think about risk management and the business, I usually have the perspective of a business leader. Maybe that’s because by the time I was leading a risk management function, I was already a vice president and working with the executive management team. I was focused on helping them succeed; I was not one of the people using the tools and techniques of the specialist risk practitioner to quantify and report risk levels.

Which brings me to a situation and question that I believe illustrates an essential point in managing risk. As an executive, I am given a report that shows that some sources of risk are at undesirable levels. (I will let you decide whether that means they exceed risk appetite, risk tolerances, risk criteria, risk limits, or are simply too high in our judgment.)

So what? What should we do about it?

Let’s say that we understand how these sources of risk might affect our business, the likelihood of achieving our goals and objectives, our personal and enterprise success. Of course, that is not usually the case with risk reports, but let’s assume the level of risk has been translated effectively into actionable business language.

I still ask, “So what? What should we do about it?”

You might say that we need to apply a risk treatment. (That sounds like applying an ointment in mild cases or a tourniquet in severe ones. But then, I have a strange sense of humor.) We need to consider our options. Which risk treatment will work best? Which is the preferred treatment that will bring the level of risk down (or up in some cases) to an acceptable level?

The treatment could be simple and inexpensive. But often, it requires an investment of capital, operating expenses, or both. Money doesn’t grow on trees. It is not freely available. Capital that is allocated to mitigating a source of risk has to come from a limited pool of available funds.

That means that risks have to compete for capital (and the same applies to operating expenses) with other business needs: other sources of risk and opportunity. How does a source of risk compete?

The “level” of risk is not the only factor. Others will include:

  • By how much will the risk be reduced? (Or the opportunity increased?) Will the treatment result in it being returned to desired levels?
  • How certain is that risk improvement? (A point most miss.)
  • What is the ROI on the investment?
  • Is that ROI at the desired level? (Most organizations require the ROI on an investment to exceed a threshold.)
  • Can the treatment be modified to improve the ROI?
  • Is that ROI better than those for other investment opportunities?
  • Can we afford not to treat the risk, even if the ROI is poor?

The point is that managing and treating risk cannot be effective if performed in a vacuum. Risk should not be managed in a silo, nor should risk treatments be considered out of context of managing the entire organization.

The analysis and selection of risk treatment options needs to be done collaboratively with Finance.

I welcome your thoughts.
