Risk management is about more than just processes. It’s about creating a culture in which decisions can be confidently made based on insights gathered by data, both to make the most of potential opportunities and to mitigate internal or external threats. The more encompassing and accurate the data, the easier it is to make beneficial, low-risk decisions.
The thing is, risk is so pervasive and widespread in today’s digital landscape that ranking, organizing and categorizing those risks can be more difficult than identifying them in the first place. That’s where qualitative risk management comes into play, and it’s an essential addition to any company’s risk management toolkit.
One of our reasons for depending on data and quantitative analysis so much when it comes to risk is that we’re fallible and extremely prone to misjudgment. Even the most astute business mind develops bad habits when it comes to looking at probability and risk in a holistic, objective manner. So we lean on quantitative analysis to remove bias when identifying risks, but what happens when those risks need to be prioritized? How do we assess the likelihood of a risk occurring and the impact it might have on a given project?
With so many risks in play, many of them with the potential to have a knock-on effect and create other risks and vulnerabilities within your business, how can you and your team intuit the right course of action?
While it might be easier to get started with qualitative risk analysis as it partly relies on intuition and experience, it’s about more than simply creating likelihood assessments based on past events and environmental factors. It’s about how you establish the process of interpreting, categorizing, sharing and even discussing risk.
For instance, departments must establish clear and agreed-upon terminology when talking about risk and agree on formalities and processes when relaying risk-based information. Frequent engagement by leadership will also prove advantageous, ensuring that risk stays a core part of the company’s culture and that the channels of communication between departments remain open.
It’s also worth bearing in mind that what one department sees as low risk another department may see as high risk, so aggregate reporting will need to take this into account when developing a hierarchy of risks to the organization as a whole. Transparency is another area that businesses will have to work hard on if they are to foster an open and valuable culture around risk reporting without compromising on confidentiality or security.
All of these things and more must be considered if a business is to leverage qualitative risk analysis to its advantage and use it as part of its overall risk management solution.
Matthew Davies is a Senior Director of Product Management at SureCloud and works with Information Security, Risk and Compliance professionals to help them establish consistent and repeatable Governance, Risk and Compliance processes and tooling.
Matthew has been working in GRC technology and IT Risk assurance for the last seven years. In that time, he worked at PwC and Deloitte before joining SureCloud, working with RSA Archer, ServiceNow GRC, Auris GRC, IBM OpenPages and Bwise. Matthew supported organizations with building their GRC framework to automate and optimize their manual GRC processes.