Use this framework to evaluate the potential severity - and likelihood - of risks to your business.
“We used to view risk through two primary lenses: impact and likelihood,” notes Jonathan Copulsky, principal at Deloitte Consulting and author of Brand Resilience: Managing Risk and Recovery in a High-Speed World.
“Now we’ve added a new dimension - velocity. In today’s highly connected environment, reputational damage can spread at lightning speed. In a matter of minutes, companies could have to deal with 5,000 new complaints... from highly connected consumers. That’s a major change from only a few years ago - and one that holds serious new implications for managing risk.”
To help tackle these potential perils, consultant Jacob Morgan has designed a risk-evaluation framework. Morgan, author of the recently released book The Collaborative Organization, is cofounder and principal of Chess Media Group, whose clients include Sprint, Siemens, and the U.S. State Department. His framework offers flexible parameters for assessing risks depending on the nature of your business.
For example, in the Severity category for Risk 2 - negative customer feedback - some companies might grade negative feedback as a 9 or 10, because even one complaint (especially if it goes viral) has the potential to sink the ship. Other companies, such as large retailers, receive negative feedback all the time; for them, a few complaints might not be particularly severe. To calculate whether negative feedback warrants a high or low grade for your organization, Morgan recommends asking two questions: What is the potential harm of this? and How important is it that this not happen?
The magic of Morgan’s framework occurs once you multiply the severity number by the numbers you come up with in the Probability of Occurrence and Probability of Early Detection categories. You’ll then have a single number, which will allow you to quantify - and therefore prioritize - which risks are, well, the riskiest. The framework also insists that you designate a Recommended Action to address the risk, and earmark which teams and departments own Responsibility for taking action.
What it does not address, however, is the identification of the risks themselves. That is a matter of “involving both business unit leaders and IT personnel in the risk discussion,” says Morgan. Talk early, talk often. “They should naturally be able to come up with some perceived risks and negatives.”
Article provided by thebuildnetwork.com ©TheBuildNetwork
