What is risk management? What matters for management

The ‘Executive’ stream in this blog is for people who actually make decisions and thereby manage risk. As an executive manager, you are managing risk on behalf of stakeholders. As a stakeholder, you are relying on the decision makers to look out for your interests.

What to read first: What is risk management?

For executives and managers: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first.

Your roles as an ‘Executive’

The ‘Executive’ stream in this site is for people who actually make decisions and thereby manage risk.

I don’t limit ‘Executive’ readers to the senior management levels. Decisions are also made at middle management and team leader levels, and all levels manage risk.

I have two broad categories of decision maker in mind, regardless of management level. The obvious category is populated by managers with direct day to day executive control of activity and resources. To take an analogy with the arms of government, these people are in the Executive arm. The other category is for those not in direct control, but representing stakeholder interests and exercising critical influence through that role. For example, the senior user, financial, or marketing representatives for an ICT project are stakeholders in risk as managed by those making the day to day decisions. In the government analogy, these people are in the Legislature. As with the Legislative arm of government, the total legislature has a lot of power, though individual members may have little.

The interests of the direct decision makers (Executive) and influential stakeholders (Legislature) tend to overlap at higher levels of executive management.

Regardless of which category you are in, or your management level, you are already managing risk. You may not be doing it well, but you are definitely doing it – already. Risk management is not something new to add to your workload. Management is taking actions to achieve an outcome, and risk management is simply recognising uncertainty of outcomes.

If you have a new thing called ‘risk management’ pushed at you and it walks and talks like a waste of time (or worse), you may well be right. Even when the effort is worthy, defined risk management processes may well produce decisions and assurance that could be made more directly and reliably using other human faculties. Common sense and relevant experience are often good alternatives. Your first priority is getting the right things done for your organisation.

On the other hand, your current management of risk may not be sufficient. If you are unable to demonstrate a clear awareness of all the risks, and responsible action on them, you may be letting down your organisation and exposing yourself to career damage.

You may also want to think about whether you are comfortable with everyone you manage either ignoring the uncertainty of success, or making their own risk-based decisions without ever explaining them to you. Your superiors may feel about you the same way you feel about your people, only with more eyes peering over their own shoulders.

For those reasons, you must ensure that risks are managed so as to meet your actual responsibilities and concerns. If that isn’t happening, something needs to change.

Future articles will suggest specific ways to make risk management work for you. There is no one best way. There are plenty of other sources, and I’ll refer you to the good ones that I know about.

For now, here are some test questions that you can use to distinguish the useful from the annoying.

Test questions for direct managers

As a manager, you are managing risk on behalf of stakeholders.

‘Managing risk’ is making decisions about what happens, with more or less awareness of the implications for risk.

  • Is this helping to make better decisions than would have been made without it? A ‘better’ decision can mean a different course, the same course with some extra safeguards, or simply an improved ability to explain what was done.
  • What is the likelihood of the activity achieving success? What is the likelihood of a failure so bad that the activity would better not have been started? How often will bad things happen? How bad will they be? Is there a chance of something unexpectedly good coming out of this activity?
  • Can the ‘risk management’ activity actually answer those questions? If not, what good is it?
  • Do I have a clear idea of the actions that were assumed to have been taken when these conclusions were reached? Have they actually been taken in the way assumed by the risk assessment?
  • What opportunities are being given up to reduce the exposure to disappointments?
  • If something goes wrong, can it be shown that the risk-based decisions were the right ones anyway? Or will the so-called ‘risk assessment’ be the first casualty?

These questions aren’t actually as helpful as they seem:

  • How many risks have actually been identified? How many have been rated?
  • Do we know what the top n risks are? (See “Risk management is (not) identifying the ‘top 3 risks’” within What is risk management? Thinking too narrowly.)
  • Do we know how many high or extreme risks there are?

Test questions for stakeholder representatives

As a stakeholder, you are relying on the decision makers to look out for your interests.

You are the one directly exposed to risks in the activity. You don’t have direct executive control over the activity but you can query or object to what the decision makers are doing. You may even be in a position to kill the activity if you’re not happy.

  • Do the decision makers know what is important for me to get out of the activity, and the outcomes that I really want to avoid?
  • Can they explain how likely it is that I will be disappointed, and how badly?
  • Why should I trust what I’m being told about that?

Parent articles

What is risk management?

Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be. To manage risk is to understand and act on the effects of uncertainty on objectives. ‘Objectives’ are the preferred outcomes of an activity. ‘Effects’ can be positive or negative. ‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns. ‘Act on’ includes many kinds of response. Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty.

For Everyone: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first. Stream supplements are available as drill-downs.

The goal of risk management

The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria. The ‘organisation’ is optional. Stakeholders are mandatory. Risk ‘criteria’ are agreed limits.

Key principles for actually managing risk

Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.

How does ‘risk management’ fit with all the other kinds of ‘management’?

Risk management is not just another dimension of management. It’s a dimension of all the other dimensions.

What separate activities are specific to ‘risk management’?

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000. Different specialists assume different boundaries of ‘risk’.

Index to the topic What is Risk Management?

