Do Your Risk Assessments Include Vulnerability and Velocity?

  • May 22, 2017
  • William Hord

Most every Enterprise Risk Management (ERM) program I have seen, consulted on, developed or read about follows a similar process of identifying, analyzing, responding to, and monitoring risks and opportunities. It doesn’t matter what risk framework you utilize, if you are not effectively making Vulnerability and Velocity part of that process your results simply won’t be as accurate as they could be.


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines Vulnerability as “the susceptibility of the entity to a risk event in terms of criteria related to the entity’s preparedness, agility, and adaptability.”

So why is using vulnerability in your risk assessment process so important?

In the absence of it, your assessment results may elevate one area over another guiding you and your resources towards mitigation efforts that while still prudent, may not be the best approach at that time. Introducing vulnerability into your assessment process will assist in determining how well you are managing your risks which directly affects the impact should a given event occur. To ensure you are deploying your resources effectively, understanding how vulnerable you are will assist you in determining where to allocate those resources to maximize your effectiveness. So, when you are reviewing your assessment data and certain aspects of it seem to be equal, the inclusion of vulnerability can help be the deciding factor that tips the scale.


COSO also defines Velocity as “the speed of onset or the time it takes for a risk event to manifest itself, or in other words, the time that elapses between the occurrence of an event and the point at which the company first feels its effects.”

So why is using velocity in your risk assessment process so important?

When you introduce velocity into your risk assessment process you gain a better understanding of how fast the impacts of risks will be felt by your organization. Determining potentially how much reaction time you have to a given risk ultimately improves your overall assessment of risks, and will allow you to better align your prevention, mitigation and response strategies. This means you can provide better prioritization of your resources to impact your most pressing risk needs.

Vulnerability and Velocity Make a Great Team!

Let’s use an existing regulation with an upcoming change where the regulation impacts multiple processes but the changes may impact fewer processes as an example. When assessing compliance risk, you might generate similar risk scores if assessed only for their probability of likelihood and impact. The impact may be the same based upon the fines for non-compliance and the likelihood may be relatively similar because some controls already exist to comply with the regulation. So, in the standard two-dimensional model (Likelihood x Impact), the risks might appear to pose essentially the same amount of risk to the organization.

By adding vulnerability and velocity to your assessments you begin to see that the processes impacted by the regulatory change not only increase your impact due to your vulnerabilities but also due to the velocity incurred by how quickly the regulatory change requires compliance for those processes. In this example, you are clearly able to make determinations of which processes to allocate resources to first and which ones can possibly wait. Although this is an overly simplified example, when vulnerability and velocity are applied against your entire risk landscape you will begin to see a change in how your risk data is presented which in turn means your risk mitigation strategies will be enhanced, that saves time and money.