Robert Torok

Risk Management — Setting Priorities by Likelihood and Impact

How companies can prepare their governance, risk and compliance profiles to better manage the next set of unexpected events.

March 28, 2011
by Robert Torok, CA

Most organizations prioritize risk based on some combination of likelihood and impact, with those perceived as high in both dimensions being given the highest priority. Of course, that assumes organizations can define the basis on which impact will be measured and what the various gradations from low to high even mean. The next challenge lies in assigning the correct priority to those risks seen as high in one dimension but low in the other. The typical result in such cases is some ‘middling’ placement on a typical risk map, such as the one shown in Figure 1.

Reader Note: Don’t miss Robert Torok’s presentation at the upcoming AICPA National CFO Conference, May 19-20 in Boston.

But an equal consideration when prioritizing risk should be the degree of independence of a given risk. At one extreme is the stand-alone risk, which can be assessed, and actions taken, essentially in isolation. But these circumstances are rare indeed. At the other extreme are risks that correlate closely with others, spawning a web-like network of actions and reactions. At a minimum, organizations must seek to identify those plausible combinations of events that could cause serious adverse consequences and then identify actions that might prevent or mitigate more than one risk.

Unfortunately, most traditional risk management approaches overlook one key factor: management’s ability, or lack thereof, to influence or control either the impact or the likelihood of a given risk. Consider, at one end of the spectrum, a natural disaster. Management has no ability to influence the likelihood of such an event, and therefore all of its efforts must be focused on impact mitigation, an area in which management likely has substantial influence. Conversely, fraud may be viewed through the opposite lens. Management has substantial influence over the likelihood of fraud, largely through internal controls, but relatively less influence over the impact.

The benefit of considering management’s influence over each dimension of the matrix is that it can deliver “quick wins”: the mitigation of risks that can be managed with relative ease, while avoiding the waste of resources on those risks that cannot be prevented or mitigated ahead of time. This approach is also a foundational step in measuring the value of the “next dollar” of risk-mitigation action, i.e. the cost-benefit tradeoff of each additional prevention or mitigation action.

There are a number of risk domains in which a chief financial officer or corporate controller can provide leadership and expertise, as shown in Figure 2. The most obvious, of course, is ensuring that the organization is fully compliant with external accounting and reporting regulations and standards, which we show below as one key element of having a license to do business. Building on that foundation, controllers and CFOs must also ensure appropriate adherence to internal accounting and financial control policies and procedures. CPA Insider™ readers should also recognize that other senior executives will hold similar foundational compliance responsibilities over risks such as quality control, export regulations, health and safety regulations and more.

But these internal policies and procedures should not be as hard and fast as external laws and regulations, where noncompliance is simply not an option. Internal policies and procedures should be subject to managerial and employee judgment (the very characteristic for which most employees are hired) based on specific business circumstances, rather than forcing blind adherence, which often leads to compliance with the letter of the policy but not the spirit.

The middle two levels of the pyramid represent, respectively, the application of ethical standards and principles by financial executives, particularly with regard to external disclosure of financial results and other information, and the exercise of judgment over managerial decisions. In the former case, the question is usually guided by principles and the fundamental question of “economic reality.” The latter, however, is much more difficult, since there is no up-front “right” answer.

For example, senior finance executives are often asked to assess alternatives and recommend the best course of action with regard to payment terms in a contract, lease-versus-buy situations and revenue-recognition policies relative to contractual terms. In most of these cases, there is no absolute “best” answer, but rather a trade-off between the pros and cons of each alternative. Finance executives should be less concerned with the answer than with ensuring that a reasonable process of risk assessment and analysis is followed.

In summary, senior finance executives can often act as the moral compass of the organization, but in doing so they should take care to ensure that their peers and colleagues retain the authority to adjust internal policies and practices to suit business requirements. Agility and flexibility are often the hallmarks of successful risk management.

Robert Torok, CA, is an executive consultant with IBM Global Business Services, leading the development of solutions and methods and delivering Enterprise Risk Management (ERM) services for IBM clients. He is a chartered accountant and a member of the Institute of Chartered Accountants of Ontario (Canada).

A version of this article appeared previously in the Controllers' Corner series on IBM.com.