Untangling Concepts in Risk and GRC
Too often, risk professionals get hung up on definitions. In general, this isn't helpful. At the same time it is important to use words consistently and in ways that reduce the risk (!) that your business operators misunderstand what you are saying -- and in ways that allow you and your peers to focus on what matters -- effective decision-making.
To be sure, words have power. Hopefully, by reading to the end of this short article you will learn what is even more powerful than words.
First, some context.
The OCEG membership includes people who have been educated differently in accounting, law and business schools and who hold a range of jobs that use the same terms to have different meanings or different terms to mean the same thing.
This includes board members, operating executives, risk managers, internal auditors, compliance managers, ethics program managers, IT security managers, IT auditors and more.
Because of the different way they use key terms, they often must first untangle their vocabulary to effectively work together.
This article will address how the OCEG/GRC community takes on two items: 1) Risk and Reward; and 2) Opportunity and Threat.
1. Risk and Reward.
This phrase is almost as old at the word "risk" itself.
Most senior executives in the c-suite and boardroom are comfortable with this pairing of risk and reward. They also immediately know the essence of what each word means and how they work together.
Most successful executives, almost by definition, have succeeded because they grasp how to address risk and reward (though they might address risk and reward in an implicit or undocumented manner).
Technically, both risk and reward refer to a quantity -- a measure of something.
Risk is a measure of the effect of uncertainty on objectives that focuses the mind on the negative effects. Gross risk is a measure of the downside effect without considering reward. Net risk is a measure of the downside effect factoring in reward.
Reward is a measure of the effect of uncertainty on objectives that focuses the mind on positive effects. Gross reward is a measure of upside effect without considering risk. Net reward is a measure of the positive effect factoring in risk.
In this way, Net Risk = Net Reward.
NOTE: I'm omitting the notion of inherent and residual for this piece but anyone skilled in risk management will know how to slide these concepts into this lesson.
Of course, these measures of Risk and Reward are often represented as distributions and not single values.
In fact, analyzing Risk and Reward can result in multiple distributions where the effects are measured using ordinal, interval or ratio scales. I've even seen some results that use nominal or categorical scales which is fine so long as you don't try to do math on these non-numeric scales. (NOTE: When using these multiple distributions, don't get hung up on trying to convert everything to some "grand unified model." Just use them "as is" to inform your decisions).
When people say "X is worth the risk" they mean that they believe net reward is a positive value (or net risk is a negative value). When people say "X is not worth the risk" they mean that they believe net risk is a positive value (or net reward is a negative value).
So you can see that these measures necessarily contain the other. In other words, a measure of risk includes reward. A measure of reward includes risk.
An analogy comes from my friend who is an architect. She tells me that much of her design is about managing how light interacts with a room -- she is a light manager. Now, by managing light, she necessarily manages brightness and darkness. And, depending on the kind of room, she might refer to how "bright the room is" or how "dark the room is" and how the rooms makes people feel. She regularly specifies both lighting and shading structures to make the room brighter/darker.
A really dark room is a really not bright room. A really bright room is a really not dark room. But she never says "really not dark" instead of bright.
She uses both words in context as appropriate.
You get the idea.
NOTE: The technical measure of emitting brightness typically uses lux or lumens. The technical measure of darkness typically uses absorption coefficient. If you are talking about the darkness of a sky you might use a Bortle scale. However, an object can be measured in either unit. It all depends on what your mind is focused on.
As a final note on vocab, even though technical risk and reward are best used as quantities, people colloquially use both words to refer to the underlying events and circumstances or other subjects associated with the quantity.
More info here: http://www.grcglossary.org/terms/risk
2. Threat (Hazard) and Opportunity.
These refer to events, circumstances or entities that, on balance, present the possibility of either a negative or positive effect on objectives respectively. So a wet floor is a threat ... it isn't a risk. In safety management, some people use "Hazard" to mean an event/circumstance/entity in a benign state (like a river flowing near your factory) and "Threat" to mean a event/circumstance/entity in a harmful state (the river has overflowed and might reach the factory).
I suppose I should include a note about the word Vulnerability here. Vulnerability is an assessment of how protected you are against a Threat. When people say that "we are vulnerable" they mean that there is a low level of protection against a threat with high risk.
I rarely run into a successful executive who gets confused when using these words and definitions. Rather, it is WE who get confused because we feel that "words have power" and that if we don't agree on definitions that we will "talk past each other."
However, that isn't my experience at all.
In fact, I've seen several risk professionals get demoted from the c-suite because they feel compelled to correct the executive team's use of language.
"No, no, no," they say, "You mean X is a Threat ... not a Risk." One risk professional felt that it was important to inform the c-suite that "you can't gain reward without risk" and that "there is both upside and downside to action X,Y,Z."
Ooof! Do ya think they might already know that?
What is most powerful is the use of plain language and focusing on decisions instead of frameworks and vocabulary.
Using plain language often cuts through the BS and allows management (and us as risk professionals) to actually think about the objectives, strategies and tactics that grow value and make progress in the marketplace. It allows you to focus on powerful techniques to analyze the situation regardless of what words you use for upside/downside, etc.
Hopefully that clarifies how the GRC world looks at this stuff.
I know that it is a bit different than ISO/COSO/COBIT world ... but I believe it is compatible in spirit.
And, by using the language that the OCEG / GRC community uses, you maximize compatibility with the plain language that business operators without losing technical meaning and usefulness.
Most importantly, you won't come across as a pedantic scold.