3.3 ERM – Interplay Between Risk Analysis and Decision Analysis
The linkage between the two aspects of ERM is indirect; decisions or choices of alternatives made in a ‘risks-we-take’ process can, and often do, result in uncertain losses (risks) and uncertain gains (opportunities) that the organization might realize afterwards. The decision of which choice/alternative is best is a tradeoff among benefits, costs, uncertain benefits (opportunities) and uncertain costs (risks). Some of the risks are short term in the sense that they will materialize or not shortly after the decision is made. Other risks, however, will persist as risks the organization will face in the future – for example as risks to obsolescence or loss of competitive advantage. These risks become risks the organization will ‘face’! It might be helpful to think of ‘risks-we-take’ as voluntary, and “risks-we-face” as involuntary.
A risk/opportunity analysis can and should be useful as part of decision analysis – risks-we-take – by identifying and analyzing the potential risks events and opportunity events for some or all of the alternatives being considered.[1]
Consider the following excerpt from OMB Circular No. A-123: Management’s Responsibility for Enterprise Risk Management and Internal Control[2]
“Enterprise Risk Management is: “a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organization’s mission, goals, and objectives.”An explicit understanding of the differences and interplay between (1) decision analysis (with its focus on selecting alternatives to achieve objectives) and (2) risk/opportunity analysis (with its focus on identifying, evaluating and controlling uncertain events that may result in losses or gains to objectives)is helpful in understanding the above statement of management’s responsibility.
Standards such as ISO31000, PMI, and COSO have recently incorporated ‘upside’ risks in their frameworks. However, we believe this is confusing and prefer to refer to uncertain gains as opportunities rather than upside risks and speak of risk analysis, opportunity analysis, or mixed risk/opportunity analysis.
[1] However, a less detailed analysis of the relative risks of alternatives being considered during decision analysis can be performed without considering risk events by evaluating the relative importance of the objectives impacted by the risk events, such as project cost, schedule and scope and the relative risks or opportunities of the alternatives with respect to these objectives.
[2] Association for Federal Enterprise Risk Managers, November 7, 2016 https://www.aferm.org/wp-content/uploads/2016/11/ERM_2016_Mader_OMB_Circular.pdf