1.5 Enterprise Risk Management is Complex
Enterprise risk management isn’t simple. It involves several many-to-many relationships between threats, risks, objectives and controls. Enterprise risk management involves people from throughout the enterprise – from the top-level decision makers to the subject matter experts who best know the changing environment of threats and technologies. But complexity can be managed. We will present a framework that makes enterprise risk management as simple as possible – but it is not simple[1]. We will make it as simple to understand as possible – but you may need to rethink some of your current understandings of risk. The framework can be used to model and manage risk starting with few details and taking less than half an hour, then evolving to encompass all of the relevant risk details of the enterprise in an ongoing process.
To do this, we will need to agree on unambiguous definitions that are meaningful both to risks we face and to risks we take. For example, while it is acceptable not to distinguish between threats and risks in casual conversations about risk, it is essential that we distinguish between threats, which are uncertain events that do not entail losses, and risks, which are uncertain events that entail losses to one or more objectives. Only then can we progress from merely talking about risk to actually managing risk. We will begin with a discussion of alternative definitions of risk.
[1] A quote attributed to Albert Einstein: “Everything should be made as simple as possible, but not simpler.”