Discrete risk management processes within an enterprise

Risk management happens across the whole of any enterprise, whether or not it is formalised and explicit. A risk management process has a scope and objectives. There may be multiple discrete risk management processes across the enterprise. Any discrete risk management process needs to have a definite scope. Discrete and independent risk management processes are the work-horses within formal risk management, even if they are not recognised at all in ISO 31000 or COSO ERM.

For Everyone: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first. Stream supplements are available as drill-downs.

This topic assumes you have a general understanding of risk management, such as the one illuminated at length in What is Risk Management? There are three articles for Everyone on the topic of discrete risk management processes. This one is the first of the three. It explains the concept of discrete risk management processes in an enterprise. It is useful to then look at some examples of the scoping of discrete risk management activities. The third article explores the fact that for any given scope for risk management, there are two kinds of risk it involves – the risk ‘to’ it and risk ‘from’ it.


Risk management happens across the whole of any enterprise, whether or not it is formalised and explicit.

Risk management is management with recognition of the effects of uncertainty on the objectives. All management needs to take uncertainty into account, so all management in an enterprise involves some form of risk management.

If the enterprise has a formalised risk management program, that program may or may not extend to all branches of management across the enterprise. Where the formalised program does not reach, the local managers will find their own way to address uncertainty, which may be more or less formal and explicit, and more or less effective.

More formality may not lead to more effect. We have all seen risk management processes that are more about going through the prescribed steps than about understanding and acting on the effects of uncertainty. The primary benefit of being formal and explicit is that the process of understanding and acting on risk can be shared and demonstrated.

Risk management can happen anywhere. Understanding and acting on the effects of uncertainty does not of itself need an integrated risk management program, nor a defined risk management process.

A risk management process has a scope and objectives.

The concept of a risk management ‘process’ is defined in ISO 31000, Clause 5. The section of Clause 5 of most importance in the current topic is 5.3.4 Establishing the context of the risk management process. As usual, HB 436 includes a helpful explanation of how to implement 5.3.4, for instance:

It is less likely that risks will be overlooked and the process will prove more practicable if whatever is being examined is considered logically in smaller parts…if the risks associated with an organization as a whole are to be considered, this could be done by looking at either each organizational unit or each location separately. (HB 436 5.3.4.2)

The description of ‘process’ in ISO 31000 tends to assume that the process covers the whole of an organisation. However, in ISO 31000 the word ‘organisation’ refers to any user of risk management. The user may be an element within a larger organisation or enterprise.

This blog uses the term ‘(discrete) risk management process’ to refer to an identifiable application of risk management that has a defined context and scope.

There may be multiple discrete risk management processes across the enterprise.

If there is no integrated risk management program for the enterprise, discrete formalised risk management processes covering different aspects of the enterprise are likely to be needed anyway. Those discrete risk management processes will probably not take in all risk throughout the whole enterprise, but they may do a good job in those areas of risk that warrant some kind of formalised management.

If there is an integrated risk management program for the enterprise, that may also involve discrete risk management processes. Those discrete activities may conform to prescribed standards and conventions, and may be linked together to form an enterprise view of risk.

Enterprise risk management (ERM) may follow the path of discrete risk management processes within the enterprise. It can also be tackled in a more unitary and centralised way.

Whether or not there is a single enterprise risk management program, it is desirable to encourage active and explicit risk management throughout the enterprise. Decentralising the risk management effort maximises the engagement of local managers in the management of local and enterprise risk. Decentralised effort allows local management to decide local risk treatments, and to be accountable for the consequences. That is unlikely to work efficiently if risk management is the domain of a separate ‘risk management’ team that is far removed in organisational distance and outlook.

You may have picked up that I don’t regard consistency and integration of risk management as intrinsically good or important. I have already legitimised discrete or dissimilar risk processes within an enterprise. My position is that it is much better to manage risk effectively than to manage it consistently, so each risk management process should be fit for its particular purpose, users, and stakeholders. ‘Risk management is tailored’ (ISO 31000 Key Principle G). To me that means ‘tailored’ for specific and varied needs within the enterprise.

I am still in favour of enterprise risk management. I just acknowledge that a lot of good risk management is done without being driven by the centralisation paradigm of ERM. I propose ways of linking together discrete and dissimilar risk management processes, without standardising them, for an enterprise view of risk (to be covered in a future topic).

Any discrete risk management process needs to have a definite scope.

Each member of the hierarchy within an organisation will need, at the least, an understanding of the scope of risk management that is and is not a definite responsibility of the position. Each manager will also need an idea of other people’s risk management responsibilities so that issues can be referred appropriately.

The process of dividing up the enterprise risk management effort into manageable parts is one of the first major stumbling blocks in an organisation’s implementation of systematic risk management. If there is to be an enterprise view of overall risk, any separate units of risk management process must be joined together again for an enterprise view.

Discrete and independent risk management processes are the work-horses within formal risk management, even if they are not recognised at all in ISO 31000 or COSO ERM.

The following articles, Shapes for risk management processes and Examples of activity areas and themes for discrete risk management processes, will make this point clear by spelling out multiple common examples. The Australian Government page includes a list of mandatory separate risk assessments, which may look familiar enough to readers all around the world.


Drill-down articles

Shapes for discrete risk management processes

A discrete risk management process is generally tied to an area of activity or to a theme.


Examples of discrete risk management processes

The whole enterprise (Enterprise Risk Management)
A work unit within the organisation
A defined business process or system
A project, programme, or portfolio
A specific proposed change or initiative
Security risk
Fraud risk
Health and safety
Business continuity
‘Legal’ risk


Risk ‘to’ an area of activity and risk ‘from’ the activity

There is risk ‘to’ any given activity within an enterprise, and there is risk to the enterprise ‘from’ that same activity. The same applies to theme-based risk.


Discrete risk management processes within an enterprise (supplement for risk specialists)

Seen it all: This series assumes you know risk terms and concepts. It includes references to standards.

Discrete risk management processes within an enterprise (supplement for executives)

Find out about the separate risk management activities in your organisation.

For executives and managers: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first.

Discrete risk management processes within an enterprise (supplement for the Australian Government)

The Commonwealth Risk Management Policy is silent on the subject of discrete risk management processes within an agency. Risk management is mandated for certain themes and activities. The expectation of the Commonwealth Risk Management Policy is substantially equivalent to enterprise risk management.

For the Australian Government: This series assumes you work within the Australian Government, but have no prior knowledge of the subject. It does not use technical terms without explaining them first.

Index to the topic Discrete risk management processes within an enterprise
