Risk Libraries: The Foundation for Your GRC Efforts

Published: March 11 2009, 06:55 AM
by Christopher Fox

When we cross the street, we look both ways, and if we see a car nearby, we stop: we have evaluated the risk of being hit by a car and have decided not to step off the curb. If we see a car in the distance, we evaluate its speed and determine the likelihood that the car will hit us if we move quickly across the street.

If we are in downtown Manhattan, we probably determine whether it is safe to cross against the 'Don't Walk' sign, keeping in mind the potholes, other New Yorkers determined to get somewhere quickly, and tourists moving at a sedate pace. We look for bicycle messengers going the wrong way down the street and yellow cabs ignoring all the rules to get to a fare.




What this illustrates is that we, as humans, perform risk identification and assessment every day, often instantaneously. When analyzing enterprise risks, however, we obviously need a much more rigorous and analytical model. Risk libraries play a role in helping organizations identify and manage enterprise risk, and accept prudent risk in order to grow their business. A risk library helps us identify risks we may not have considered in depth, for example customer service and customer loyalty. Identifying risks can also help in determining strategies to meet business objectives. Once we identify an area of risk, we can use our experience to better describe, categorize and measure that risk.

When we consider the impact of risk on business strategies, we can adopt an approach similar to that of pedestrians crossing the street. We begin by reviewing a library of standard risks to determine which risks to consider when executing the business strategy; we then refine our objectives and risks, add new ones, and create a tailored risk library to address our business strategy. We can then implement a management plan to mitigate these risks and execute the strategy.

Let me use a hypothetical example to describe this process. An organization has decided that, because of the recession, its primary business strategy objective will be to retain loyal customers. Initially, management believed that this would only involve focusing attention on customer service: being nicer to all customers was the key to loyalty. As a first step, they began reviewing the risks in the generic risk library. Of the 200+ risks in the library, they determined that "business strategy/alignment," "customer/market," and "internal processes" would have the most impact on their customer loyalty strategy.

The team was able to use the detailed information that comes along with each risk in the library to help them come to agreement on which of those risks would have the most impact on their specific objective. I have included a sampling of that information here to give you a sense of the level of insight a generic risk library can offer:

Business Strategy - Alignment

The risk of inefficient use of resources because:

  • An organization's business plans, supporting systems and the implementation of these plans are not aligned with the strategic direction
  • Inadequate prioritization of the organization's products and services does not maximize business performance
  • An organization does not monitor performance against the business strategy

Customer/Market

  • The risk that customers who may be impacted by the execution of the business strategy are not identified, their needs not documented, their interest and influence not assessed and analyzed, and their expectations not managed.
  • The risk of loss because customer expectations are not met, through an inability to effectively manage, maintain or improve critical customer relationships.
  • The risk that the company's product or service is unable to consistently meet or exceed customer expectations.
  • The risk that consumers may not differentiate an organization's product from its competitors'.

Internal Processes

  • The risk of loss or inefficiency because unrealistic, subjective or unclear performance measures may cause employees to act in a manner that is inconsistent with the organization's business objectives.
  • The risk that an ineffective promotions strategy will not lead to an increase in sales relative to promotion costs.
  • The risk associated with poor quality of product or service.
  • The risk that the underlying design of an automated information system and its individual components does not support the achievement of an organization's business objectives.

In our hypothetical example, the initial analysis of risk indicated that being nicer to all customers was not the only key to loyalty. Instead, customer loyalty is the result of a large number of factors, each of which might need its own risk management strategy to ensure that the desired result, increased customer loyalty, is achieved. So a strategy for improved customer loyalty might also include:

  • Getting a better understanding of what a 'loyal customer' is, including defining the behavior a customer might exhibit to qualify as "loyal"
  • Identifying the needs of loyal customers. This could have an impact on internal processes that address potential needs, such as distribution of goods to customers within a promised time
  • Developing promotional programs that would target and reward loyal customers
  • Aligning the organization's processes, systems, service and product lines to a customer-oriented strategy
  • Communicating the strategy
  • Providing additional training to employees, and employee incentives that would reward alignment with the strategy
  • Determining the performance indicators needed to measure progress
  • Determining the information that could be provided by existing information systems, and whether IT systems needed to be enhanced.

The next step would be the development of a work plan of action items to implement the first stage of the strategy. As the strategy is refined, additional objectives supporting the customer loyalty objective would be determined and the risks associated with those objectives identified.

This simple example illustrates the importance of a comprehensive (and extensible) risk library for the effective identification of the key enterprise risks that might impact your business goals and strategy.

*Image used under Creative Commons, courtesy of Craig Cloutier.

By: Christopher Fox
Chris is a Senior Principal Product Manager in CA's GRC group. His primary responsibilities include developing thought leadership in GRC and then passing this knowledge through to our development teams to assist in product development and also to our customers. Prior to joining CA, Chris has had many...