SAP - TINET - Tarragona Internet

example, a risk of a supplier going bankrupt could cause associated risks
within the sales and marketing organizations. A response process also allows
the line of business owners to effectively manage their risks. Risk response
helps business owners identify and implement the appropriate technology or
processes to manage the impact of a loss event to their line of business. Now,
there are some risks you can’t do anything about if you didn’t anticipate them,
such as an earthquake, hurricane, or a big change in the economy: These you
just have to accept. But in many cases, you can select a response that allows
you to better manage the impact of these risks. In fact, when submitting risks
to managers, employees may also provide what they view as some possible
responses and even quantify how those responses could help.

The type of quantitative analysis mentioned in the identification and analysis
step can be used to compare the return on investment of various responses,
which may be used in combination or separately. Based on the return on
investment, you may decide to choose one response over another.

Every response is recorded in the enterprise risk management framework,
whether it actually prevents the risk or not. The next time someone is faced
with a similar question, she can look at the experience of others to
discover whether hiring more people, one possible approach to a project in
trouble, actually helped. (Hiring people doesn’t always help; for example,
consider the classic question: If one woman can have a baby in 9 months,
can 9 women have a baby in one month?) If your organization is using
spreadsheets, this information might be on someone’s laptop rather than in your
enterprise risk management framework, where it can be informative to others
who are managing similar risks.

Part of managing risks is looking at what best practices suggest. If you don’t
have much experience yet, consultants can be helpful in providing input. But
with enterprise risk management, whether you get outside help or not, you
begin to harness everyone’s experience in a systematic way, building your
own database of best practices.

Any risk response has a status. It’s all well and good to say that you will hire
three more people to help with a project, but if you don’t have three people
to hire, the status has to reflect this fact. Depending on how hard it is to find
qualified help, the response might not be as effective as you had hoped. The
status of the risk has to be updated periodically so that the risk can be
properly monitored, which is the next phase to consider.

Risk monitoring

After you’ve decided what kinds of risks you want to consider, quantified them
in terms of likelihood and potential loss, and considered your responses, the
next step is to monitor them, analyzing the information you have from a
number of perspectives.

56 Part I: Governance, Risk, and Compliance Demystified
