What is risk management? Index page

For everyone

Supplements for risk specialists

Supplement for executives and managers

Supplement for the Australian Government

Supplement for CRMA Candidates

Supplement for CRISC Candidates


For everyone

What is risk management?

Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be. To manage risk is to understand and act on the effects of uncertainty on objectives. ‘Objectives’ are the preferred outcomes of an activity. ‘Effects’ can be positive or negative. ‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns. ‘Act on’ includes many kinds of response. Risk management comes naturally from the human capacity to plan for the future with conscious actions. Risk management is not defined by any step-by-step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty.

For Everyone: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first. Stream supplements are available as drill-downs.

The goal of risk management

The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria. The ‘organisation’ is optional. Stakeholders are mandatory. Risk ‘criteria’ are agreed limits.

What to read first: What is risk management?


Key principles for actually managing risk

Risk management comes naturally from the human capacity to plan for the future with conscious actions. Risk management is not defined by any step-by-step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.

What to read first: What is risk management?


How does ‘risk management’ fit with all the other kinds of ‘management’?

Risk management is not just another dimension of management. It’s a dimension of all the other dimensions.

What to read first: What is risk management?


What separate activities are specific to ‘risk management’?

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000. Different specialists assume different boundaries of ‘risk’.

What to read first: What is risk management?


What is risk management? Examples

Deciding strategy for an organisation with a mission
Running operations
Managing a work unit within an organisation
Designing a facility for safety
Designing an information system to meet integrity objectives
Accounts payable system design
Health and safety
Regulating an industry or sector
Speculating in the hope of a massive success
Balancing investment returns and security
Choosing between medical treatments
Approving and managing a project
Procurement of assets or services

What to read first: What is risk management?


What is risk management? Thinking too narrowly

Risk management is (not) expressing levels of risk on a standard scale.
Introducing risk management is (not) implementing a standard ‘methodology’ for ‘risk management’.
Risk management is (not) maintaining a central ‘risk register’ for all risks in an organisation.
Risk management is (not) only about what can go wrong.
Risk management is (not) only about events that may or may not occur.
Risk management is (not) identifying the ‘top 3 risks’ (substitute your own number).
Risk management is (not) understanding and acting on all risks in an enterprise (Enterprise Risk Management).

What to read first: What is risk management?


What is risk management? Less common errors

Risk (only) arises where there is non-compliance.
Risk (only) arises from change.
Risk (only) arises where governance or control processes are not mature.
Risk is (only) whatever can stop the plan from being executed.
Risk management is (just) designing controls.
Risk management is (not) workshops, consensus, and voting.
Risk management is (not) about re-directing blame.
Risk management can (not) be achieved by risk scoring.
Risk management is (not) just a matter of monitoring.
Risk management is (not) calculating the ‘expected’ loss or gain.

What to read first: What is risk management?

Risk specialist supplements

What is risk management? (supplement for risk specialists)

What to read first: What is risk management?

Seen it all: This series assumes you know risk terms and concepts. It includes references to standards.

What is risk management? Reconciling definitions of risk management

What to read first: What is risk management? (supplement for risk specialists)


What is risk management? Definition of ‘risk’

The main differences between ISO 31000 and COSO ERM definitions of ‘risk’ are about ‘positive’ risk and about ‘uncertainty’ other than events.

What to read first: What is risk management? Reconciling definitions of risk management


What is risk management? Definition of ‘risk management’

ISO 31000 defines risk management for an ‘organisation’, broadly defined, while COSO ERM is only about ‘enterprise’ risk management.

What to read first: What is risk management? Reconciling definitions of risk management


What is risk management? Defining the end result of effective risk management

The end result of effective risk management is to be sure that the ‘organisation’ understands its risks, and that those risks are acceptable.

What to read first: What is risk management? Reconciling definitions of risk management


What is risk management? It’s not following a risk management process

Risk management is not defined by its methods. Risk registers, matrices, and bureaucracy are not part of ISO 31000. Registers and scales do not define Enterprise Risk Management either.

What to read first: What is risk management? (supplement for risk specialists)


What is risk management? It’s not what ‘risk managers’ do

If you are a risk specialist supporting management, you advise the decision makers and their teams on how to approach the organisational understanding of risk, and on taking action with that understanding. If you are a risk specialist at the governance level (as an audit and risk committee member, say), your primary advice and support will be directed to the board or CEO rather than to the management hierarchy underneath them. The Chief Risk Officer (CRO) is a risk specialist operating at the C-level, the top level of management below the board and directors.

What to read first: What is risk management? (supplement for risk specialists)

Executive and manager supplement

What is risk management? What matters for management

The ‘Executive’ stream in this blog is for people who actually make decisions and thereby manage risk. As an executive manager, you are managing risk on behalf of stakeholders. As a stakeholder, you are relying on the decision makers to look out for your interests.

What to read first: What is risk management?

For executives and managers: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first.

Australian Government supplement

What is risk management? (Australian Government supplement)

The Commonwealth Risk Management Policy generally follows ISO 31000 and creates similar expectations.

Recommended reading

What to read first: What is risk management?

For the Australian Government: This series assumes you work within the Australian Government, but have no prior knowledge of the subject. It does not use technical terms without explaining them first.

CRMA Candidate supplement

What is risk management? (CRMA supplement)

What to read first: What is risk management? (supplement for risk specialists); What is risk management?

For CRMA candidates (IIA): This series assumes you have a specialist interest in risk management theory, and that you have a copy of the CRMA Study Guide.

CRISC Candidate supplement

What is risk management? (CRISC supplement)

What to read first: What is risk management? (supplement for risk specialists); What is risk management?

For CRISC candidates (ISACA): This series assumes you have a specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.