How does ‘risk management’ fit with all the other kinds of ‘management’?

Risk management is not just another dimension of management. It’s a dimension of all the other dimensions.

What to read first: What is risk management?

For Everyone: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first. Stream supplements are available as drill-downs.


There are many different kinds of management in any organisation, no matter how small. Here are some well-known examples.

  • Performance management
  • Quality management
  • Financial management
  • Customer relationship management
  • Human resource management
  • Workplace health and safety management
  • Security management
  • Business continuity management

…and so on. There is also ‘risk management’. The question is how these different varieties of ‘management’ link together. Do they have any sort of hierarchy or priority order?

It is fairly obvious that all of these different kinds of management have a similar level of importance, to the extent that, in their own way, all of them are essential. Each kind of management may be more or less explicit and formal according to the needs of the organisation and the local culture, but they will all exist as behaviours in the real world.

Risk management relates to the others in the following way.

For each of the types of ‘management’, there are different outcome objectives. Performance management aims to maximise performance, quality management supports quality objectives, and so on. Some of those objectives are in competition, in that one can only be achieved at the expense of another. All of those objectives are important.

Risk management is different. Risk management is simply understanding and acting on the effects of uncertainty on each of those separately important objectives.

Risk management is not a further competing type of objective. It is recognising and acting on the uncertainty of achieving those objectives that are important for their own reasons.

What sometimes competes with pursuing the agreed objectives is the need to limit exposure to certain negative outcomes that are best avoided. That type of avoidance objective may only receive attention under the heading of ‘risk management’, but it was always an objective in itself. It is not a separate kind of ‘risk management objective’.

Some of the types of ‘management’ may have their own administrative frameworks. For example, there may be a performance reporting framework. There will almost always be a financial administration framework, consisting of a well-defined system with links into budgets, ledgers, and payment processing. These frameworks are not the same as the performance objectives or financial objectives. They are merely part of the means chosen to help achieve those objectives. There may not be a comparable formal framework or system for managing work health and safety, even though health and safety objectives are no less important.

Risk management may have a separate and additional administrative framework, or even a networked system, all of which may be either helpful or destructive to the actual management of risk. As I have said elsewhere, the administrative framework should not be allowed to get in the way of actually managing risk.

This view of the relationship between risk management and other management frameworks is based on ISO 31000 and other authoritative sources in risk management. It might not be clear from secondary sources on topics such as project management or governance. In places like that you may see risk management as another item in a list of management considerations. That is misleading, and it’s why I wrote this article.

Next article for Everyone

What separate activities are specific to ‘risk management’?

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000. Different specialists assume different boundaries of ‘risk’.


Drill-down articles

What is risk management? Examples

  • Deciding strategy for an organisation with a mission
  • Running operations
  • Managing a work unit within an organisation
  • Designing a facility for safety
  • Designing an information system to meet integrity objectives
  • Accounts payable system design
  • Health and safety
  • Regulating an industry or sector
  • Speculating in the hope of a massive success
  • Balancing investment returns and security
  • Choosing between medical treatments
  • Approving and managing a project
  • Procurement of assets or services


What is risk management? Thinking too narrowly

Risk management is (not) expressing levels of risk on a standard scale. Introducing risk management is (not) implementing a standard ‘methodology’ for ‘risk management’. Risk management is (not) maintaining a central ‘risk register’ for all risks in an organisation. Risk management is (not) only about what can go wrong. Risk management is (not) only about events that may or may not occur. Risk management is (not) identifying the ‘top 3 risks’ (substitute your own number). Risk management is (not) understanding and acting on all risks in an enterprise (Enterprise Risk Management).


What is risk management? Less common errors

Risk (only) arises where there is non-compliance. Risk (only) arises from change. Risk (only) arises where governance or control processes are not mature. Risk is (only) whatever can stop the plan from being executed. Risk management is (just) designing controls. Risk management is (not) workshops, consensus, and voting. Risk management is (not) about re-directing blame. Risk management can (not) be achieved by risk scoring. Risk management is (not) just a matter of monitoring. Risk management is (not) calculating the ‘expected’ loss or gain.


What is risk management? What matters for management

The ‘Executive’ stream in this blog is for people who actually make decisions and thereby manage risk. As an executive manager, you are managing risk on behalf of stakeholders. As a stakeholder, you are relying on the decision makers to look out for your interests.

For executives and managers: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first.

What is risk management? (Australian Government supplement)

The Commonwealth Risk Management Policy generally follows ISO 31000 and creates similar expectations. Recommended reading

For the Australian Government: This series assumes you work within the Australian Government, but have no prior knowledge of the subject. It does not use technical terms without explaining them first.

What is risk management? (CRMA supplement)

For CRMA candidates (IIA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRMA Study Guide.

What is risk management? (CRISC supplement)

For CRISC candidates (ISACA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.

Previous article for Everyone

Key principles for actually managing risk

Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.


Parent articles

What is risk management?

Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be. To manage risk is to understand and act on the effects of uncertainty on objectives. ‘Objectives’ are the preferred outcomes of an activity. ‘Effects’ can be positive or negative. ‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns. ‘Act on’ includes many kinds of response. Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty.


Index to the topic What is Risk Management?
