Many organizations think that they can pick and choose which parts of an ERM framework to use and call what they do “risk management”. I say that identifying a few risks and performing some assessments is not risk management: this is only half-risk management.
When I see this sort of thing, it reminds me of Raiders of the Lost Ark.
In the movie, the Nazis are trying to figure out where the Ark of the Covenant is buried based on the inscriptions from one side of the medallion burned onto the hand of the sinister Gestapo agent. Because they do not know what is written on the other side of the medallion, they only have half the data, and so they are digging for the treasure in the wrong place.
If you are using a framework for your risk management program, read the entire framework and use the entire framework. You cannot pick and choose and then call what you are doing risk management if you only identify and assess but leave out the manage, prioritize, action plan, communication, or change management pieces.
If you only use half the framework you are going to be digging for the treasure in the wrong place.