Organizations that wish to identify risk related to new processes, projects, or existing applications traditionally take one of the following approaches:

1. Derive risk from failed controls, which assumes that a mapping has taken place between an organization’s control framework and risk catalog;
2. Conduct a workshop to identify risks that the stakeholders might identify with the help of a facilitator; or
3. Allow stakeholders to select risks from a predefined catalog or matrix, with or without the help of a facilitator.

Each of these approaches may involve completing forms that document the risk and record the determination of threat and likelihood. Different organizations are likely to measure these key risk metrics in different ways.

An important consideration for risk management programs is how each of these approaches will affect reporting. By calculating risk impacts, an organization should be able to compare average or total risk between different departments or regions. However, unless a defined risk catalog or matrix is employed, Top-N style reporting (where a risk manager or Chief Risk Officer can view, for example, the Top 10 risks affecting a certain group) becomes very difficult across an organization, because the same risk recorded under different names in different groups is counted as several different risks.

If a goal for a risk management team is to be able to compare levels of risk across an enterprise, then normalizing risks using a predefined catalog or risk matrix should be an early goal. Many standards exist today that can be leveraged for this purpose (e.g. BITS, COSO, etc.). While the predefined risk set may be adequate, attention should be paid to customizing it to suit the organization's industry, geographical considerations, and other legal or regulatory traits. To enhance reporting options further, risks can also be grouped into logical categories that enable better presentation of risk across the enterprise. For example, "Natural Disasters" can encompass risks associated with earthquakes, tornadoes, or hurricanes, while a category called "Data Loss" could include risks such as data theft, disk failure, or system fault.
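To make the reporting problem from the two preceding paragraphs concrete, here is an added example (not from the original article, and not tied to any particular standard) that ranks a small risk register two ways: on the labels as stakeholders wrote them, and after mapping those labels onto a predefined catalog with categories. The catalog, alias table, department register rows and the simple likelihood-times-impact scoring are all constructed for illustration.

```python
"""Normalizing a risk register against a predefined catalog so that scores
can be aggregated and ranked across departments.  Constructed example:
catalog, aliases, register rows and the 5x5 scoring are illustrative."""

from collections import defaultdict

# Constructed risk catalog: catalog id -> (canonical name, logical category).
RISK_CATALOG = {
    "R01": ("Data theft", "Data Loss"),
    "R02": ("Disk failure", "Data Loss"),
    "R03": ("System fault", "Data Loss"),
    "R10": ("Earthquake", "Natural Disasters"),
    "R11": ("Hurricane", "Natural Disasters"),
}

# Constructed alias table: free-text labels stakeholders write on risk forms,
# mapped onto catalog ids.  Without this, one risk under two labels is ranked
# as two different risks and never reaches the Top-N it belongs in.
ALIASES = {
    "data theft": "R01", "stolen customer data": "R01", "exfiltration": "R01",
    "disk failure": "R02", "hard drive crash": "R02",
    "system fault": "R03", "server outage": "R03",
    "earthquake": "R10",
    "hurricane": "R11", "tropical storm": "R11",
}

# Constructed register rows: (department, label as written, likelihood 1-5, impact 1-5).
REGISTER = [
    ("Finance",   "Stolen customer data", 3, 5),
    ("Finance",   "Hard drive crash",     4, 3),
    ("Finance",   "Hurricane",            1, 4),
    ("Retail",    "Exfiltration",         2, 5),
    ("Retail",    "Disk failure",         3, 3),
    ("Retail",    "Server outage",        4, 2),
    ("Retail",    "Vendor bankruptcy",    2, 3),   # not in the catalog
    ("Logistics", "Data theft",           2, 4),
    ("Logistics", "Tropical storm",       2, 5),
    ("Logistics", "Earthquake",           1, 5),
]


def score(likelihood, impact):
    """Likelihood x impact on a 5x5 matrix, giving a score from 1 to 25."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def normalize(register, aliases=ALIASES):
    """Map each row onto a catalog id.  Labels with no mapping are returned
    separately for triage instead of being dropped or counted as new risks."""
    mapped, unmapped = [], []
    for dept, label, likelihood, impact in register:
        risk_id = aliases.get(label.strip().lower())
        if risk_id is None:
            unmapped.append((dept, label))
        else:
            mapped.append((dept, risk_id, score(likelihood, impact)))
    return mapped, unmapped


def top_n_raw(register, n):
    """Top-N on labels as written: reporting without a catalog."""
    totals = defaultdict(int)
    for _, label, likelihood, impact in register:
        totals[label] += score(likelihood, impact)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_n_normalized(mapped, n, catalog=RISK_CATALOG):
    """Top-N on catalog ids: the same risk from every department adds up."""
    totals = defaultdict(int)
    for _, risk_id, s in mapped:
        totals[risk_id] += s
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return [(rid, catalog[rid][0], total) for rid, total in ranked]


def by_department(mapped):
    """(total, average) risk score per department, comparable across groups."""
    buckets = defaultdict(list)
    for dept, _, s in mapped:
        buckets[dept].append(s)
    return {d: (sum(v), sum(v) / len(v)) for d, v in sorted(buckets.items())}


def by_category(mapped, catalog=RISK_CATALOG):
    """Roll catalog ids up into their logical category."""
    totals = defaultdict(int)
    for _, risk_id, s in mapped:
        totals[catalog[risk_id][1]] += s
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    mapped, unmapped = normalize(REGISTER)
    print("Top 3, labels as written: ", top_n_raw(REGISTER, 3))
    print("Top 3, catalog-normalized:", top_n_normalized(mapped, 3))
    print("Per department (total, average):", by_department(mapped))
    print("Per category:", by_category(mapped))
    print("Unmapped labels needing triage:", unmapped)
```

On this data the raw ranking puts Finance's "Stolen customer data" first and never surfaces data theft as an enterprise-wide problem, while the normalized ranking shows it is the largest single risk across all three departments. The unmapped row is the practical caveat: an alias table has to be maintained as stakeholders invent new wording, and rows that fall outside the catalog should be reviewed rather than silently discarded.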

The end result of using a risk matrix is a predictable set of risk measurements that can be compared across the organization and trended from one reporting period to the next. In this way, risk officers can gauge more accurately how their risk posture is changing over time.