
Letters to a Young Manager


The Risk Frontier, #610

Please note that this letter is in-process; the following are my notes

Dear Adam,
***
A similar situation, which I actually taught as part of the IT Management course, is handling audits. Every audit overlaps particularly with the IT department, because the auditors would examine the finance systems, the security around the finance systems, and, increasingly, the cybersecurity issues around the finance systems. Are we protecting the money? Are we protecting against fraud?

Are we complying with all of the credit card rules and regulations, et cetera? What we ended up doing was a graph or infographic: we took all of the risks from the risk register for the enterprise, and from the risk register that we had identified with third-party consultant groups like Price Waterhouse that had come in and analyzed things, and we put every risk on a chart. One axis was the impact to the organization: high, medium, or low. The other axis was the likelihood that it would happen: high, medium, or low. I drew a line down the graph, and what I said to the audit committee of the board of directors was, essentially, that those things in the quadrant of low likelihood and low impact, we're not going to work on.

We're not going to lose sight of them. They will still be here on this graph. But we're not going to work on them. For those in the medium intersections, we might do some of them, but where we're going to focus our investment of time is making sure that the high-impact, high-likelihood items are getting addressed. We called that line the risk frontier: the things below it we were explicitly not going to work on, or invest our time and money in addressing, at this time.

We'll keep our eye on them, but we're not going to work on them. The things above the line were the things we were going to work on. They loved that; it made sense to them, because usually, especially in a nonprofit organization that has a brand to protect and is very intense, being very risk averse means saying, "Well, if the auditors found this, then we have to address it." Our assessment was, no, not everything is of equal value with respect to risk. With our limited resources and limited budget, we need to make sure we're dealing with the most important items. That segregation of impact versus likelihood was then something we used to analyze every risk, including every new risk that came on.

It made it doable, like you said, because if you see all of it, you say, "We can't do all these things," and you have to push back. A way of pushing back strategically was to say that we're pushing back on the things below the line, and we're agreeing to address the things above the line.
***
Sincerely yours,
Ed
________________________

References...

Takeaways:

Focus on the most likely, highest impact risks

Discussion Questions:


For Further Reading:

See "Using Risks", Story #353




© Copyright 2005, 2024, E. G. Happ, All Rights Reserved.