There are many ways to prioritize risk — but how do you know which method is right for your team? In this article, we’ll outline everything you need to know about risk prioritization, including definitions, different methods and strategies, and next steps for you and your compliance team.
What is risk prioritization?
Risk prioritization is the process compliance professionals use to analyze risks and decide the order in which they are mitigated: it defines which risks matter most to the business and need to be remediated first.
Why does risk prioritization matter?
Resources available to risk managers are limited, and risk prioritization allows organizations to break down risk into manageable pieces sorted by certain criteria the business decides to follow. There are many different methods you can use to sort risks into different buckets, which we will outline below.
Before you get started, it is important to use a cohesive plan to identify, assess, and prioritize risk. Otherwise, there may be breakdowns in communication across the organization, resulting in duplicative work due to silos across departments. And, most importantly, a structured approach can help prevent serious risks from going undetected and unmitigated.
What are the factors of risk prioritization?
Risk prioritization is an involved process, as it takes input from many levels of stakeholders to accomplish successfully. From the board to management and other organizational units, prioritization can happen at multiple levels.
Ideally, prioritization is set based on the board’s documented risk tolerance. This high-level direction then sets the tone for priorities at lower levels. It’s a process — not a project — and companies may have external requirements about how often they need to review each level of risk. It is not a ‘one-and-done’ process, but an ever-evolving one.
Prioritization is affected by multiple factors, including risk attitude, risk sensitivity, resource availability, cost, risk severity, and risk manageability, all defined below.
Risk attitude is the stance an organization or individual takes toward uncertainty. It is commonly classified as risk-averse, risk-seeking, or risk-neutral, and it shapes how stringent the remediation process will be: risk attitude (together with risk appetite) tells the organization which risks it should prioritize given its disposition toward risk.
Risk sensitivity is a quantitative technique for measuring how much a change in one risk input (a likelihood or impact estimate, for example) changes the overall risk posture, and therefore the mitigation strategy. Sensitivity results are usually presented as tornado charts.
Resource availability depends on the amount of resources available to the team for mitigating risk. This includes personnel, time, cost, and other resources needed to accomplish remediation.
Cost is a factor that places the monetary value of a risk into consideration for prioritization. Based on the cost of a certain risk, you may choose to prioritize a more costly risk over a risk with less monetary value at stake. In some instances, companies may transfer a risk to insurance when cost is not prohibitive.
Risk severity is the level to which a risk can cause damage to the organization. Using severity, you can create a risk matrix to help identify which risks are the most severe and which would cause negligible damage to the company.
Risk manageability is the degree to which the company could contain an occurrence of the risk and absorb its overall impact. A more manageable risk would have negligible business impact if it occurred, whereas a less manageable risk could disrupt business operations.
What are risk priority numbers?
Risk priority numbers are used in quantitative approaches to risk prioritization: each risk is reduced to a single score computed from its component factors (threat, vulnerability, impact or asset value) so that risks can be ranked against one another, ultimately in terms of financial impact. Rather than relying on expert judgment alone, as qualitative analysis does, quantitative analysis works from measured or estimated numerical inputs.
Take into account the following variables, according to ThorTeaches:
- Threat: a potentially harmful incident
- Vulnerability: a weakness that allows the threat to do harm
- Impact: how much harm results if the threat succeeds
To calculate a basic risk score, multiply Threat by Vulnerability:
Risk = Threat x Vulnerability
To get a more complete picture, add Impact as a third factor:
Risk = Threat x Vulnerability x Impact
To calculate Total Risk, use the asset's value as the third factor:
Total Risk = Threat x Vulnerability x Asset Value
Lastly, to calculate Residual Risk, subtract the risk reduction provided by your countermeasures and remediation activities from your Total Risk:
Residual Risk = Total Risk – Countermeasures
A caveat: these are ranking formulas, not measurements. Threat and Vulnerability are usually rated on ordinal scales (for example 1 to 5), so the product is only meaningful for comparing risks rated on the same scales, and the Countermeasures term must be expressed in the same units as Total Risk for the subtraction to mean anything.
What are the different levels of risk?
Risks affect different levels of the organization and are generally best addressed at the level where they arise: there are board-level risks, management risks, risks to specific organizational units, and risks specific to projects. Whatever the level, risks typically fall into four buckets by severity, outlined below:
1. Tolerable risk
Tolerable risk is a risk level that can be sustained with little to no interruption to business operations. The probability of a tolerable risk is low enough to not cause concern.
2. Low risk
Low risk is a risk with relatively low impact: the adverse effects on the business are minor, and the likelihood of occurrence is likewise low. These risks are therefore of low concern.
3. High risk
High risk is a risk with a high likelihood of occurrence whose impact could harm the business' operations and objectives.
4. Intolerable risk
Intolerable risk is a risk that has a high likelihood of occurrence and an impact that could critically affect the business. It could affect costs, schedule, and performance of the business, causing significant harm.
Strategies for risk prioritization
By severity
One of the most popular ways to prioritize risks, organizing them by severity, goes hand in hand with risk matrices. A risk matrix scores each risk as probability x impact: the higher the probability and the higher the impact, the higher the priority of the risk response.
Risk matrices are read with likelihood on the Y axis and impact on the X axis. Risks in the upper right have both high impact and high likelihood, and remediating them is of utmost importance. Risks in the lower left have negligible impact on the business and are very unlikely. The matrix ranks risks relative to one another on the scales you chose, so document those scales and apply them consistently across assessors.
Maintaining a risk matrix is made easier when risks are documented in a risk register, like in Hyperproof.
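As an added illustration, not Hyperproof's code and not code from the original article, the following Python scores a small constructed risk register on a 1 to 5 likelihood-by-impact matrix, applies the residual-risk subtraction from the formulas above, maps scores onto the four levels (tolerable, low, high, intolerable), and orders the register for remediation. The scales, the band thresholds, the countermeasures field and the sample risks are all assumptions chosen for the example.

```python
"""Score and rank a small risk register with a likelihood x impact matrix.

Added example, not Hyperproof's code. The 1-5 scales, the band thresholds,
the "countermeasures" field and the sample risks are assumptions.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = rare / negligible ... 5 = almost certain / critical

# Bands over the score (likelihood x impact, 1..25) mapped onto the four
# levels described in the article. Thresholds are an assumption.
BANDS = (
    (15, "intolerable"),
    (9, "high"),
    (4, "low"),
    (1, "tolerable"),
)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int           # probability, plotted on the Y axis
    impact: int               # impact, plotted on the X axis
    owner: str
    countermeasures: int = 0  # score points removed by existing controls (assumption)


def inherent_score(risk: Risk) -> int:
    """Probability x impact, the value a risk matrix cell represents."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.name}: likelihood and impact must be in 1..5")
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> int:
    """Total risk minus countermeasures, floored at zero: a control cannot
    produce negative risk."""
    return max(inherent_score(risk) - risk.countermeasures, 0)


def level(score: int) -> str:
    """Map a score onto tolerable / low / high / intolerable."""
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    return "tolerable"  # score of 0 after countermeasures


def prioritize(register):
    """Order for remediation: highest residual score first; ties broken by
    impact, because one severe event outweighs many minor ones."""
    return sorted(register, key=lambda r: (residual_score(r), r.impact), reverse=True)


def render_matrix(register) -> str:
    """Text rendering of the matrix: likelihood rows (5 at the top), impact
    columns (5 at the right), each cell listing the risks that land in it."""
    cells = {(lk, im): [] for lk in SCALE for im in SCALE}
    for r in register:
        cells[(r.likelihood, r.impact)].append(r.name[:12])
    lines = []
    for lk in reversed(SCALE):
        row = ["/".join(cells[(lk, im)]).ljust(14) for im in SCALE]
        lines.append(f"L{lk} | " + " | ".join(row))
    lines.append("     " + "   ".join(f"I{im}".ljust(14) for im in SCALE))
    return "\n".join(lines)


# Constructed sample register; none of these entries describe a real system.
REGISTER = [
    Risk("Unpatched VPN appliance", 4, 5, "IT Ops"),
    Risk("Phishing credential theft", 5, 3, "Security", countermeasures=6),
    Risk("Vendor SaaS outage", 2, 3, "Procurement"),
    Risk("Data centre flood", 1, 5, "Facilities"),
    Risk("Lost encrypted laptop", 3, 2, "IT Ops", countermeasures=3),
]

if __name__ == "__main__":
    print(render_matrix(REGISTER))
    for r in prioritize(REGISTER):
        print(f"{level(residual_score(r)):12} inherent={inherent_score(r):2} "
              f"residual={residual_score(r):2}  {r.name} ({r.owner})")
```

The phishing entry shows why the register should carry both scores: its inherent score (15) lands in the intolerable band, but the controls already in place bring its residual score down to 9, so it is ranked below the unpatched VPN appliance rather than alongside it.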
By cost
Not every organization has the budget to remediate all of its risks, so one strategy is to organize risks by cost, meaning the potential financial impact of each risk. The most expensive risks are prioritized first because of their potential impact on the business.
Another way to organize by cost is by remediation cost, putting the cheapest risks to fix first because of budgetary constraints. This is not recommended: the cheapest risks to remediate are rarely the highest risks, and if even one intolerable risk occurs, the business impact will be larger than a dozen tolerable or low risks occurring. We recommend that teams prioritizing by cost do so based on the risks with the largest estimated financial impact.
By regulatory or legal penalty
Organizing your risks by regulatory and legal penalty is another strategy. Some businesses may choose to pay a fine rather than remediate a risk, and this strategy lets them prioritize based on the size of the potential fine. Bear in mind that the fine is rarely the whole cost: regulators can also order remediation or restrict operations, so treat the penalty figure as a floor on exposure rather than the full amount.
By attitude
When it comes to attitude, you have to consider a few more variables: your risk appetite, risk tolerance, and risk threshold. Risk appetite is how much uncertainty the business can accept and continue operating. Risk tolerance is how much risk impact the business is willing to sustain. The risk threshold is the level of uncertainty or impact that serves as the cutoff point: above the threshold a risk will not be accepted, below it a risk will be. Together these variables give you a way to prioritize risks based on attitude.
By sensitivity
Sensitivity revolves around which risks have the most potential impact on operations. By understanding the uncertainty in each risk, you can compare risks by uncertainty and prioritize them. According to Project Risk Manager, "sensitivity [is] a function of change in risk outcome with respect to change in risk input." Put simply, the sensitivity of a risk is how much the outcome changes for a given change in the input.
Typically, a tornado chart is used to help prioritize. Each input or risk is drawn as a horizontal bar whose width is the swing it produces in the outcome; the widest bar goes at the top and the bars narrow toward the bottom, creating the "tornado" shape the chart is named after.
By resource availability
When unavoidable, risks can be prioritized by resource availability. This should be a fallback, used only when the specialist skills needed to remediate are tied up by other work, such as an assessment. It's important to keep monitoring the affected risks until you have sufficient resources to mitigate them: if their severity or manageability changes, the team's response may need to adapt.
By manageability
On a manageability chart, risks at the lower left are less manageable, with higher impact and more imminent timing. They are therefore more severe and need to be mitigated sooner. Risks in the upper right are more manageable, with less impact and a longer timeline for mitigation.
Managing risk prioritization: how to prioritize risks
1. Identify the risks
To address risks, you must first identify them. Identification happens at multiple levels of the organization — from board and management levels all the way down to project levels. Once you’ve identified all of the risks, it’s important to document them in your risk register so you can then analyze them.
2. Use a risk register to analyze the risks
Each risk documented in your risk register should contain a broad description of the risk, the likelihood of its occurrence, its potential financial impact, how it ranks in priority, the remediation response, and who owns the risk.
Once you’ve documented all of your risks, you can then work on analyzing them by measuring the probability of the risk occurring and assessing the overall impact. These assessments will help you determine which strategy is best for your organization, so you can tackle remediation in an order that makes the most sense for your team.
3. Measure the probability of risks occurring
The most important part of this step is understanding how likely a particular risk is to occur, so you can plan accordingly. There are both qualitative and quantitative approaches to measuring probability, but quantitative approaches can be a challenge. Insisting on quantitative measurements can also become an excuse for why you can't measure the risk right now, which isn't what your stakeholders want to hear.
The quantitative approach
Quantitative approaches use statistical techniques to put numbers on risk. Factor Analysis of Information Risk (FAIR) is the most commonly mentioned quantitative risk assessment methodology. FAIR decomposes risk into loss event frequency and loss magnitude and uses probabilistic and statistical methods, typically simulation over estimated ranges, to produce monetary values for potential loss. Some companies find this helpful because it provides objective, data-driven measurements of risk.
Companies choose quantitative methods when they have access to enough reliable data and when the executive team demands financial details to make decisions. It’s primarily used in fields like finance and insurance where data is abundant.
Quantitative risk management has several drawbacks. It requires significant data, and the quality of the output depends largely on the quality of the inputs. FAIR-style methods also struggle with intangible impacts such as reputational damage. Finally, implementing quantitative models is time-consuming and requires expertise in statistical modeling.
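To make the quantitative approach concrete, and to show the sensitivity ranking behind the tornado chart described under "By sensitivity" above, here is an added Python example. It is not Hyperproof's code and not the FAIR standard itself: it keeps only FAIR's top-level split of risk into loss event frequency (LEF, events per year) and loss magnitude (LM, cost per event), samples both from triangular (minimum, most likely, maximum) ranges, and simulates many years to get a distribution of annual loss. The ranges are constructed sample inputs, not data from any organization, and the percentile and tornado helpers are this example's own.

```python
"""FAIR-style quantitative estimate for one risk, plus a tornado-chart ranking.

Added example, not Hyperproof's code and not the FAIR standard: it keeps only
the split of risk into loss event frequency (LEF) and loss magnitude (LM).
The ranges below are constructed sample inputs.
"""
import math
import random
from statistics import fmean

# (minimum, most likely, maximum) estimates for one constructed risk
LEF_RANGE = (0.5, 1.5, 4.0)            # loss events per year
LM_RANGE = (10_000, 50_000, 200_000)   # loss per event, currency units


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of events in a year given an expected rate."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def _triangular(rng: random.Random, estimate) -> float:
    low, mode, high = estimate
    return rng.triangular(low, high, mode)  # stdlib argument order is (low, high, mode)


def simulate_annual_loss(lef=LEF_RANGE, lm=LM_RANGE, years=10_000, seed=1):
    """Return one simulated total loss per year, as a sorted list.

    Each year: draw an event rate from the LEF range, draw how many events
    actually happen at that rate, then draw a magnitude per event and sum.
    """
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    losses = []
    for _ in range(years):
        rate = _triangular(rng, lef)
        events = _poisson(rng, rate)
        losses.append(sum(_triangular(rng, lm) for _ in range(events)))
    return sorted(losses)


def percentile(sorted_values, p: float) -> float:
    """Nearest-rank percentile of an already sorted list."""
    return sorted_values[int(p * (len(sorted_values) - 1))]


def summarize(losses) -> dict:
    """The figures a risk register entry would carry for this risk."""
    return {
        "mean": fmean(losses),
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "max": losses[-1],
    }


def tornado(lef=LEF_RANGE, lm=LM_RANGE):
    """Sensitivity: swing each input from its minimum to its maximum with the
    other input held at its most likely value, and rank inputs by the swing in
    expected annual loss (LEF x LM). Widest bar first, as on a tornado chart."""
    bars = []
    for name, (low, _mode, high), other_mode in (("LEF", lef, lm[1]), ("LM", lm, lef[1])):
        at_low, at_high = low * other_mode, high * other_mode
        bars.append((name, at_low, at_high, at_high - at_low))
    return sorted(bars, key=lambda bar: bar[3], reverse=True)


if __name__ == "__main__":
    summary = summarize(simulate_annual_loss())
    for key, value in summary.items():
        print(f"{key:>5}: {value:>12,.0f}")
    for name, at_low, at_high, swing in tornado():
        print(f"{name}: {at_low:>10,.0f} .. {at_high:>10,.0f}  swing {swing:>10,.0f}")
```

Two things the paragraph alone does not show: the 10th percentile of annual loss comes out as zero, because in a sizeable share of simulated years no loss event happens at all, which is why a single "expected loss" figure misleads without the percentiles around it; and the tornado ranking puts the loss magnitude estimate above the frequency estimate, so that is the input whose range is worth the most effort to narrow.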
The qualitative approach
By comparison, qualitative risk management is more subjective but also in widespread use. It uses descriptive categories (such as high, medium, low) instead of numerical values to assess the likelihood and impact of risks. It’s often based on expert opinion, experience, and judgment rather than numerical data.
Companies tend to choose this approach when they lack the necessary data for a quantitative approach, don’t have the time or experience required to implement a quantitative model, or when the risk involves factors that are hard to quantify. It’s faster and simpler to implement, and can capture a wider range of risks including those relating to culture, reputation, and stakeholder relationships.
The two drawbacks of qualitative risk management are a perceived lack of precision and potential for bias. Since it’s largely based on subjective judgment, it can be influenced by personal bias, and different people might rate the same risk differently.
4. Assess the impact
If a risk did occur, what would the impact be? That’s what we assess for during this crucial step. Understanding the impact a risk has on your organization can make a major difference to the order you remediate your risks. High impact risks should often be tackled first, but there may be resource constraints that prevent this from happening. That’s why selecting a strategy is so important — you can prioritize based on the unique needs of your organization.
5. Select a strategy
Choosing a risk prioritization strategy that works for you is vital to the success of your remediation efforts. Look at the capabilities of your team — how resource strapped are you, for example — as well as your budgetary constraints. Take into consideration the number of risks you have and their severity. Know what your risk threshold is, which risks can be accepted, and which cannot. Once you’re familiar with your risks, choose a strategy and get stakeholder buy-in so everyone is on the same page.
6. Prioritize your risks
Once you’ve selected your strategy, it’s time to actually prioritize risks. Depending on your strategy, you may be using charts to help with the risk prioritization process. These visual aids are helpful because they let you view all of your risks in one place, which helps you and your compliance team recognize which risks are vital to the business’ operations and which can be deferred.
7. Determine and execute the risk response
At this point in the process, create an action plan for how to mitigate risk. Now that you’ve gone through the prioritization process, you and your team should be able to identify which risks are mission critical and where to start the remediation process.
8. Identify and respond to changes over time
Risks change over time. Whether it’s in occurrence or impact, your response may be different depending on the changes. Therefore, monitoring your risks over time is an important part of the risk management process. Remediation will also affect your risks. Some may become more tolerable due to the actions your team takes, and others may become more intolerable to the business. These changes are always happening, and they’re one of the reasons risk management is a complex aspect of the business.
Software can help you prioritize risk
From robust risk registers to automatically updated risk matrices, the right risk management software can help significantly reduce the amount of time spent prioritizing risks. Plus, it can help you track changes in risk over time — whether that’s remediation efforts or changes in processes. With a platform like Hyperproof, you can optimize your risk management program so you can spend more time focusing on strategic thinking and less on the manual tasks that make risk prioritization so time-consuming.