How to find money for risk treatments
Well-conceived and researched business cases play a pivotal role in improving the quality of organizational decision-making. The business case doesn't stand by itself, but is part of a toolbox for analyzing and making decisions about proposed risk treatments.
Whatever risk treatment you're considering, and whatever means you used to identify it, the business case determines and enunciates the value of that treatment. In Figure 1, I've used the ISO 31000 Risk Management Standard process to illustrate the business case's role. It supports the analysis, selection, and implementation of risk treatments.
Figure 1: The Role of Business Cases in the context of the Risk Management Process
At the risk of stating the obvious, let's go back to basics for a moment. Any proposed risk treatment should relate directly to a specific risk or risks. For example, if risk number one in your risk register is "Failure to deliver organizational outcomes within budget due to inadequate financial reporting," you might end up with a range of risk treatments, each of which will have different merits. It's worth pointing out at this point that 'risk' includes both opportunities and threats (benefits and costs).
Accordingly, you might also choose to rephrase the above risk as an opportunity, such as "Increased profitability due to cost reductions resulting from improved financial reporting." Irrespective of how you phrase this risk, let's say that in our hypothetical example, you have identified two main treatments to address it. You'll note from the examples in Table 1 that we've included a reference to which risk(s) each treatment addresses.
Table 1: Example of Risk Treatment Plan
In this hypothetical treatment plan (Table 1), each treatment has a reference to the risks it addresses. Risk Treatments number 1 and 2 primarily address risk number 1, but they also reduce risks 5 and 8. It doesn't matter what risks 5 and 8 are (it's a hypothetical example, remember). Risk number 8 may be addressed primarily by Treatment number 4 and potentially also be improved by Treatments 1 and 11.
It's a complicated scenario, but it's worth remembering when you define the benefits of treatment number one that you should consider its impact on risks number 5 and 8. You never know; it could be the indirect benefits of your proposed risk treatment that sway the decision-makers in favor of supporting it. Add in ALL the intangible and indirect benefits. They all count.
You'll find more information in my book "Business Cases for Risk Management."