Risk management imposes unavoidable expense. At one extreme, an organization might choose to forego all efforts at reducing risk and accept whatever losses come its way. At the other extreme, it might spare no expense to mitigate all possible risks regardless of their likelihood. Somewhere between these extremes lies a point at which the combined cost of losses and the effort expended to avoid loss is as low as it can possibly be. 

A handful of guiding principles can help an organization achieve optimum efficiency in risk management:

• Maintain full regulatory compliance.
• Eliminate rework such as audit findings that require remediation.
• Cultivate a mindset that recognizes loss, non-compliance, and exposure as inefficiencies.
• Make risk management practices and reporting a consequence of value-added processes and a source of qualitative information about processes, not mindless reviews of those processes. Turn detective measures into preventive measures.
• Ensure coherent internal policies that complement each other, enable straight-through processes, and enhance the customer experience.
• Reconcile loss management overhead with the actual and emerging risk environment on a continual basis.

Following these guidelines can help an organization manage risk at the point of minimum total expense for the combined cost of losses and controls. While cost-justification of risk controls poses a challenge, foregoing controls can impose significant cost through loss and possible fines. Striving for optimization helps realize the greatest value risk management can provide.