If an organization wants to manage risk effectively, people need to agree about what risks they need to address. Even more, people need to know what they are talking about when they talk about risk. Any discussion of risk should start with an agreed-upon view of what it is the organization does—its business processes—and then what risks arise from those processes and which of these are really causes for concern.
Determining key processes is not simply a matter of what the firm is doing now or has done in the past; it is also a matter of what it will do in the future. The starting point for risk identification is a comprehensive list of business goals, starting with enterprise goals and then cascading down to goals for each line of business and its functions. Just to reiterate the point discussed in detail in Chapter 17, only when a business has defined its goals can it start to identify the risks it is likely to incur and plan for them. In addition, goals must be understood so that processes can be built to support them. These processes will determine the activities undertaken and the operational risks that will be incurred.
Once goals have been agreed upon and put into a clear set of statements, they must be linked to business processes. While goals don't need to be comprehensive, business processes do. An organization must learn about everything that it does and ...