Well, to me, this means the results of the risk analysis have to be presented in EXACTLY the same way the decision is being discussed.
If an investment decision is made based on NPV and IRR, then the risk manager has to bring to the table a new calculation of NPV and IRR based on the risk analysis.
If the decision is discussed in terms of schedule and budget, the risk manager needs to calculate and bring a new schedule and budget with risks incorporated.
High, medium, low is not going to cut it if you are serious about integrating risk into decision making.
Join the online debate on how both COSO ERM 2017 and ISO 31000 2018 fail in this regard: https://go.oceg.org/iso-31000-2018-versus-coso-2017-for-enterprise-risk-management-the-great-debate