As risk professionals we often talk about Key risks and Key controls; while the expressions are quite commonplace, I’ve been in situations where the concept of a Key risk is not used appropriately. This is my attempt to shed some light.
I’d like to spend a moment on the word ‘Key’ in this context. The ‘Key’ in Key risk is short for ‘Keystone’. Wikipedia: “A keystone (also known as capstone) is the wedge-shaped stone at the apex of a masonry arch or typically round-shaped one at the apex of a vault or arch. It is the final piece placed during construction and locks all the stones into position, allowing the arch or vault to bear weight.” Without the keystone, the arch could not stand.
[Image: Keystone]
On similar lines, a Key business process is an activity without which the business could not operate or, in some cases, even exist. For example, if you are an e-commerce business, your site’s uptime is critical; anything that could negatively impact the site’s uptime would be a Key Risk.
I’ve found it helpful to bring this concept up in discussions with leadership teams; it helps focus on what is really important and prioritize control activities to mitigate key risks. As risk practitioners we know that risk cannot be eliminated, and we need to ensure opportunities for value creation are not missed by trying to eliminate all risk.
Continuing with the earlier example of an e-commerce business, a couple of IT risks could be articulated as:
- Risk: Downtime or Unavailability: Risk that the website is not available to customers
- Risk: Information Loss: Risk that customer/payment information is lost or stolen
[Image: Key Risk Identification]
And the risk assessment would look like this.
[Image: Risk Assessment]
I hope this helps bring clarity when you are identifying key risks and controls.
I’d appreciate your thoughts and feedback.
Insightful, did not know that!