
Risk treatments serve to drive decisions critical to the management of an organization's risk portfolio in alignment with long-term strategic objectives. As risk levels surpass or trend towards breaching pre-approved risk appetite thresholds, or as shock events move risk levels outside of the guardrails, risk treatments enable risk officers to invest in methods to bring their risk back to a tolerable level.
Ultimately, risk owners have five options to treat a risk: avoid, accept, increase, transfer and mitigate. Each of these methodologies serves unique purposes in allowing risk owners to manage risk effectively.
Risk avoidance refers to the strategy of eliminating exposure to the source of risk by modifying the plan or approach.
Risk acceptance involves acknowledging that a particular risk exists but deciding not to take any action to prevent or mitigate it. Risk acceptance is typically for a specified duration.
Risk increase may seem counterintuitive, but this strategy can be effective in situations where the organization is willing to take on a higher risk for greater potential rewards.
Risk transfer involves shifting the responsibility for a risk to a third party.
Risk mitigation focuses on investments in controls or capabilities that reduce the likelihood or impact of a risk.
Figure 1 displays how risk treatments serve as the connection point between risk appetite, budget, and organizational strategy.
Figure 1: Enterprise Risk Management Framework

A defined risk treatment approach ensures the organization is shielded from potential threats while remaining capable of leveraging other risks as opportunities, sustaining long-term growth and advancing its overall mission. Here we outline six steps in creating a risk treatment strategy.
1. Understand the Source of the Risk
A risk is deemed treatable if it can be controlled through targeted actions. Untreatable risks are those that are required to achieve the strategy or are external to an organization’s influence. Considering whether a risk’s source is internal and can be controlled, or external and may be outside an organization’s control, is an important stage in decision-making. This step facilitates appropriate actions by risk owners.
The simplicity of this step gets leaders moving in the right direction and spurs a personal investment in the decision. Additionally, this step ensures that proper risk assessment and identification are complete, verifies that the risk owners comprehend the source and type of risk, and ensures that risk appetite levels have been established.
2. Identifying the Treatment Options
In this step, risk owners and risk managers should brainstorm the appropriate risk response. Should the organization mitigate, accept, transfer, avoid, or increase its risk? Risk owners and risk managers can leverage their experience to develop scenarios for each potential response to enhance their decision-making process. All options need to be considered in an unbiased and unconstrained environment so that every option is brought out.
3. Evaluating Each Treatment Option
Risk officers need to understand and quantify each of these treatment plans. This step ensures that each potential risk treatment receives an objective review, independent of the other proposed treatment methods. Treatment plans are typically about either enhancing existing controls or creating new capabilities.
By transforming the brainstormed treatment plans into numbers, variables, and equations, risk officers can employ economic models and data analysis to assign each treatment plan an associated cost, an estimated effect on the residual risk, and an estimated timeline. The treatments need to be analyzed and evaluated by themselves to ensure an unbiased and untapped analysis. Their comparisons and trade-offs will come in a later step.
4. Considering Constraints and Opportunity Costs
Objective functions, constraining functions, and definitions are applied in this step. In terms of objectives, risk owners need to define their strategic objectives, demands, and proposed appetite levels to achieve the objectives. In terms of constraint, risk owners need to define their timeline, resources, and budget. Integrating these multi-objective and multi-constraint functions with the pre-defined costs associated with Step 3 creates an optimization problem. Computer programming and complex optimization techniques then produce a trade-off visualization for risk owners to analyze.
5. Selecting the Treatment and Creating an Action Plan
To maintain their autonomy, risk owners now need to make a data-driven decision. Their decision should come in the form of an action plan. An action plan includes a problem statement, a risk owner, the owner’s appetite for this risk, the treatment for the risk, and the timeline.
6. Implementing and Monitoring
This step ensures the risk manager can track the progress of the treatment, hold individuals accountable, and ensure the organization is on track to complete the treatment on time. The deadlines provided in the action statement ensure that the organization is focused and time-constrained.
Understanding that this framework acts more as a continuous cycle, both across time and across risk owners, is critical to the survivability and applicability of the framework. As treatment approaches are implemented, environments change, or more information is gathered, risk owners need the autonomy to readdress and re-treat risks. Furthermore, plans of action, records of events, and timelines provide examples for risk owners, both today and tomorrow, to draw inspiration from, criticize, study, and apply to their own risks.
Parting Thoughts
Risk treatment is a critical portion of an organization’s risk management framework as it allows risk owners and risk officers to put their hands on their risks. Molding their risks around their current environments, risk officers can utilize risk treatment decisions to move risk levels into comfortable and tolerable levels.
Through adopting a risk treatment approach, organizations can make informed decisions on managing risk levels in order to achieve organizational objectives, maintain security, and stay within budget constraints. A treatment framework ensures all treatment options are identified, each option is equally evaluated, and risk officers can visualize each option’s cost, effectiveness, and residual risk. Ultimately, this framework ensures that risk owners have guidance towards the most efficient and effective risk treatment solutions.
Brenda Boultwood is the Distinguished Visiting Professor, Admiral Crowe Chair, in the Economics Department at the United States Naval Academy. The views expressed in this article are her own and should not be attributed to the United States Naval Academy, the U.S. Navy or the U.S. Department of Defense.
She is the former Director of the Office of Risk Management at the International Monetary Fund. She has previously served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP, and is also the former senior vice president and chief risk officer at Constellation Energy. She held a variety of business, risk management, and compliance roles at JPMorgan Chase and Bank One.
Quinn Ellis is a rising first-class midshipman at the United States Naval Academy from Germantown, Tennessee. He is a Quantitative Economics major and a member of 23rd Company.