Well, to me this means that the results of the risk analysis have to be presented in EXACTLY the same way the decision is being discussed.
If an investment decision is made based on NPV and IRR, then the risk manager has to bring to the table a new calculation of NPV and IRR based on the risk analysis.
If the decision is discussed in terms of schedule and budget, the risk manager needs to calculate and bring a new schedule and budget with risks incorporated.
High, medium, low is not going to cut it if you are serious about integrating risk into decision making.
Join us for an online debate to talk about how both COSO ERM 2017 and ISO31000 2018 fail in this regard: https://go.oceg.org/iso-31000-2018-versus-coso-2017-for-enterprise-risk-management-the-great-debate
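To make the NPV case concrete, here is an added example (not part of the original post) that reruns a project's NPV with a risk register folded into the cash flows and reports the result as an NPV range instead of a high/medium/low rating. The project cash flows, discount rate, risk names, probabilities and loss ranges are all constructed for illustration, and IRR is left out to keep it short.

```python
import random

def npv(rate, cash_flows):
    """Discount cash_flows[t] (t = 0, 1, 2, ...) at the given annual rate."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))

# Constructed sample project: year-0 outlay, then five years of net inflows.
BASE_CASH_FLOWS = [-1000.0, 300.0, 300.0, 300.0, 300.0, 300.0]
DISCOUNT_RATE = 0.10

# Constructed risk register: (name, annual probability, (low, likely, high) loss).
RISKS = [
    ("ransomware outage", 0.15, (50.0, 120.0, 400.0)),
    ("key supplier failure", 0.10, (30.0, 80.0, 200.0)),
    ("regulatory fine", 0.05, (20.0, 60.0, 300.0)),
]

def simulate_npv(trials=10000, seed=1):
    """Return sorted NPVs, one per trial, with risk losses drawn each year."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    results = []
    for _ in range(trials):
        flows = list(BASE_CASH_FLOWS)
        for year in range(1, len(flows)):
            for _name, prob, (low, likely, high) in RISKS:
                if rng.random() < prob:  # the risk event occurs this year
                    flows[year] -= rng.triangular(low, high, likely)
        results.append(npv(DISCOUNT_RATE, flows))
    results.sort()
    return results

def summarize(results, base):
    """Express the risk analysis in the decision's own terms: NPV."""
    n = len(results)
    return {
        "base_npv": base,
        "mean_npv": sum(results) / n,
        "p5_npv": results[int(0.05 * n)],
        "p95_npv": results[int(0.95 * n)],
        "prob_negative_npv": sum(1 for r in results if r < 0) / n,
    }

if __name__ == "__main__":
    base = npv(DISCOUNT_RATE, BASE_CASH_FLOWS)
    for key, value in summarize(simulate_npv(), base).items():
        print(f"{key}: {value:.2f}")
```

With these constructed inputs the deterministic NPV is positive while the risk-adjusted mean NPV is negative, which is the kind of result that changes an investment discussion.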
2 thoughts on “Everybody says the risk managers should speak business language. But what does it actually mean?”
Finally, more people are asking the right question. NPV based on probability-based events has solutions both in closed form and computationally. Naturally, since something is probability-based, Risk computation does not result in a single score but a plausible range and sometimes even metrics to monitor for operational controls over a risk.
I personally like the gambling approach as many — whether they favor gambling or not — can appreciate the issues at hand. How much cash would I need to set aside earning interest to be 95% confident that all possible outcomes of chance are covered? If risk treatment changed that probability, did it free up some of the money set aside at interest for the business?
Somehow I missed your comment and it’s really good. Thank you