There’s no shortage of risks in today’s business environment. One challenge for management is agreeing on the risks that are most likely to have a significant impact on the organization’s business model and strategic plan.

In the 15th edition of The State of Risk Oversight Report, which we publish annually in collaboration with AICPA, We asked a series of questions to understand how organizations determine which risks are most critical to their organization.

2024 Insights from Data

• Organizations typically develop both likelihood and impact scales to provide guidelines for executives to rank order risks.
• Most approaches used by entities to prioritize risks are more qualitative than quantitative (59%), with few organizations mainly using quantitative approaches (20%) to assess risk probabilities and consequences. 21% of organizations reported having no formal techniques in place.
• Few organizations have robust reporting of key risk indicators (KRIs) that management can use to monitor shifts in risk conditions over time. Only 26% of organizations described their KRIs as ‘mostly’ or ‘extensively’ robust, with financial services organizations reporting the greatest use of KRIs (43%).

Discussion Items for Management and Board Consideration

The list below suggests 5 questions that risk leaders can use to prompt conversations with executives and boards about how to better prioritize risks and monitor them over time.

1. How effective is our organization’s approach to prioritizing our most important risks?
2. What challenges does our leadership team face in prioritizing our most important risks? For example, for those organizations that use scales to prioritize risk likelihood and impact, are those scales well understood and helpful?
3. Beyond considering likelihood and impact, how might our organization also consider other risk dimensions (i.e., speed of change, level of preparedness, interconnectedness to other risks) to prioritize risks?
4. To what extent are differences in risk prioritizations across various levels of management and the board considered to identify differing views of potential risk exposure?
5. What enhancements to our management dashboard do we need to make to provide metrics to effectively track changes in risks over time (i.e., key risk indicators)?

Related Tools

We’ve created two downloadable tools to help risk leaders prioritize and monitor potential risks. Click on the resource name to view a detailed page where you can download the tool or template.