The goal of risk management

The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria. The ‘organisation’ is optional. Stakeholders are mandatory. Risk ‘criteria’ are agreed limits.

What to read first: What is risk management?

For Everyone: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first. Stream supplements are available as drill-downs.

The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria.

This is a direct quote from ISO 31000, A.2. Like the definition of risk, this statement also needs some unpacking.

The ‘organisation’ is optional.

Risks are managed on behalf of an ‘organisation’. That is a useful manner of speaking. The ‘organisation’ can be a formally defined legal entity, a work unit within an entity, or even an individual. In the expansive direction, the ‘organisation’ can be a loose coalition of aligned entities, an industry or sector, a community, a nation, or an international community.

For convenience, all the different users of the International Standard are referred to by the term ‘organisation’. [ISO 31000 1 Scope]

Many otherwise excellent sources confuse risk management with Enterprise Risk Management. The word ‘organisation’ in the ISO 31000 goal for effective risk management is an example of that confusion. Interestingly, if you look for scholarly journal papers on risk management, you will find a large mass of material on narrowly quantitative risk assessment for narrowly-scoped risks, not so much on practical enterprise risk management.

If you’re confused, I have been too. Watch out for a future article specifically on the concept of Enterprise Risk Management, and how it differs from risk management.

Stakeholders are mandatory.

Stakeholder is an ugly word with a modern meaning that contradicts its origins in stake and holder. Despite that sad fact, stakeholder is used in ISO 31000 to mean a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. [ISO Guide 73:2009, definition 3.2.1.1.]

It is useful to understand that the ‘organisation’ is generally accountable to ‘stakeholders’ that are outside the ‘organisation’.

Managing risk involves understanding the effects of uncertainty on the stakeholders’ objectives.

It is a common error to look only at risk to the organisation. Management of risk by an organisation is never for the sole benefit of that organisation in isolation. Risk management is about stakeholders even if the organisation’s main motive for managing risk is just profitability or self-interest.

A profit-motivated organisation has stakeholders such as investors, customers, and employees. Those stakeholders’ interests are important for the organisation’s profit-making planning and self-interested risk management. ‘Governance’ measures and regulation try to make self-interest overlap with stakeholder interest. There is always some alignment between self-interest and stakeholder interests, though there is never quite enough alignment to ensure that everyone stays happy.

Non-profit organisations typically have clients and funders (such as donors and tax-payers), who are primary stakeholders, comparable with investors and customers.

Project and team managers within larger organisations need to take note of their stakeholders. Their stakeholders may be invisible and nearly silent, but those stakeholders are represented by project boards, senior executives, and directors, who are in turn accountable to investors and customers. Project managers are formally trained in stakeholder management, but may have the idea that a stakeholder is someone with influence over the project. In risk management, stakeholders are also the people who are affected by project outcomes.

Other middle managers may not have any specific discipline of stakeholder management, but they always have stakeholders.

Risk criteria are agreed limits.

Risk criteria are the limits of acceptable risk. Acceptable risk is defined through a process to decide the nature and extent of risks that the organisation is willing to create, impose on stakeholders, or suffer for itself in the pursuit of its objectives. ISO 31000 emphasises that this process must be based on communication and consultation. Risk criteria are based on the organisation’s objectives, the tolerable range of outcomes on each objective, ‘risk capacity’, and ‘risk appetite’, recognising that all of these factors are attributes of external stakeholders as much as of people inside the organisation.

‘Risk capacity’ and ‘risk appetite’ are complicated ideas not given much explanation within ISO 31000. They are not important in developing a basic understanding of risk management, as long as we have an idea that there are limits on acceptable risk.

The sweet spot

There is a sweet spot where the level of risk is best for long term outcomes, not too limited and not too great.

Finding the sweet spot and manipulating risk to keep it there is the purpose of risk management.

This is a paraphrase from the CRMA Study Guide (page 101). The image of a sweet spot recognises that achieving objectives will always involve accepting some uncertainty, even some exposure to terminal events such as bankruptcy or death. At the same time, risk can be unacceptable or counter-productive beyond a certain level. In business terms, more return comes at the expense of more risk. Risk can become unacceptable when the likelihood of a specific negative outcome is too high, even if there are also positive potential outcomes that could be made more likely or bigger in size. In any event, a point is always reached when taking ever-increasing risk cannot be expected to improve long-term returns.

The goal of risk management is staying in the sweet spot. In the sweet spot, risks are ‘within the organisation’s risk criteria’.


Next article for Everyone

Key principles for actually managing risk

Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.


Drill-down articles

What is risk management? Examples

Deciding strategy for an organisation with a mission
Running operations
Managing a work unit within an organisation
Designing a facility for safety
Designing an information system to meet integrity objectives
Accounts payable system design
Health and safety
Regulating an industry or sector
Speculating in the hope of a massive success
Balancing investment returns and security
Choosing between medical treatments
Approving and managing a project
Procurement of assets or services


What is risk management? Thinking too narrowly

Risk management is (not) expressing levels of risk on a standard scale.
Introducing risk management is (not) implementing a standard ‘methodology’ for ‘risk management’.
Risk management is (not) maintaining a central ‘risk register’ for all risks in an organisation.
Risk management is (not) only about what can go wrong.
Risk management is (not) only about events that may or may not occur.
Risk management is (not) identifying the ‘top 3 risks’ (substitute your own number).
Risk management is (not) understanding and acting on all risks in an enterprise (Enterprise Risk Management).


What is risk management? Less common errors

Risk (only) arises where there is non-compliance.
Risk (only) arises from change.
Risk (only) arises where governance or control processes are not mature.
Risk is (only) whatever can stop the plan from being executed.
Risk management is (just) designing controls.
Risk management is (not) workshops, consensus, and voting.
Risk management is (not) about re-directing blame.
Risk management can (not) be achieved by risk scoring.
Risk management is (not) just a matter of monitoring.
Risk management is (not) calculating the ‘expected’ loss or gain.


What is risk management? What matters for management

The ‘Executive’ stream in this blog is for people who actually make decisions and thereby manage risk. As an executive manager, you are managing risk on behalf of stakeholders. As a stakeholder, you are relying on the decision makers to look out for your interests.

For executives and managers: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first.

What is risk management? (Australian Government supplement)

The Commonwealth Risk Management Policy generally follows ISO 31000 and creates similar expectations.

Recommended reading

For the Australian Government: This series assumes you work within the Australian Government, but have no prior knowledge of the subject. It does not use technical terms without explaining them first.

What is risk management? (CRMA supplement)

For CRMA candidates (IIA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRMA Study Guide.

What is risk management? (CRISC supplement)

For CRISC candidates (ISACA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.

Parent articles

What is risk management?
Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be. To manage risk is to understand and act on the effects of uncertainty on objectives. ‘Objectives’ are the preferred outcomes of an activity. ‘Effects’ can be positive or negative. ‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns. ‘Act on’ includes many kinds of response. Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty.


Index to the topic What is Risk Management?
