The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria.
This is a direct quote from ISO 31000, A.2. Like the definition of risk, this statement also needs some unpacking.
The ‘organisation’ is optional.
Risks are managed on behalf of an ‘organisation’. That is a useful manner of speaking. The ‘organisation’ can be a formally defined legal entity, a work unit within an entity, or even an individual. In the expansive direction, the ‘organisation’ can be a loose coalition of aligned entities, an industry or sector, a community, a nation, or an international community.
For convenience, all the different users of the International Standard are referred to by the term ‘organisation’. [ISO 31000 1 Scope]
Many otherwise excellent sources confuse risk management with Enterprise Risk Management. The word ‘organisation’ in the ISO 31000 goal for effective risk management is an example of that confusion. Interestingly, if you look for scholarly journal papers on risk management, you will find a large mass of material on narrowly quantitative risk assessment for narrowly-scoped risks, not so much on practical enterprise risk management.
If you’re confused, I have been too. Watch out for a future article specifically on the concept of Enterprise Risk Management, and how it differs from risk management.
Stakeholders are mandatory.
Stakeholder is an ugly word with a modern meaning that contradicts its origins in stake and holder. Despite that sad fact, stakeholder is used in ISO 31000 to mean a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. [ISO Guide 73:2009, definition 220.127.116.11.]
It is useful to understand that the ‘organisation’ is generally accountable to ‘stakeholders’ that are outside the ‘organisation’.
Managing risk involves understanding the effects of uncertainty on the stakeholders’ objectives.
It is a common error to look only at risk to the organisation. Management of risk by an organisation is never for the sole benefit of that organisation in isolation. Risk management is about stakeholders even if the organisation’s main motive for managing risk is just profitability or self-interest.
A profit-motivated organisation has stakeholders such as investors, customers, and employees. Those stakeholders’ interests are important for the organisation’s profit-making planning and self-interested risk management. ‘Governance’ measures and regulation try to make self-interest overlap with stakeholder interest. There is always some alignment between self-interest and stakeholder interests, though there is never quite enough alignment to ensure that everyone stays happy.
Non-profit organisations typically have clients and funders (such as donors and tax-payers), who are primary stakeholders, comparable with investors and customers.
Project and team managers within larger organisations need to take note of their stakeholders. Their stakeholders may be invisible and nearly silent, but those stakeholders are represented by project boards, senior executives, and directors, who are in turn accountable to investors and customers. Project managers are formally trained in stakeholder management, but may have the idea that a stakeholder is someone with influence over the project. In risk management, stakeholders are also the people who are affected by project outcomes.
Other middle managers may not have any specific discipline of stakeholder management, but they always have stakeholders.
Risk criteria are agreed limits.
Risk criteria are the limits of acceptable risk. Acceptable risk is defined through a process to decide the nature and extent of risks that the organisation is willing to create, impose on stakeholders, or suffer for itself in the pursuit of its objectives. ISO 31000 emphasises that this process must be based on communication and consultation. Risk criteria are based on the organisation’s objectives, the tolerable range of outcomes on each objective, ‘risk capacity’, and ‘risk appetite’, recognising that all of these factors are attributes of external stakeholders as much as of people inside the organisation.
‘Risk capacity’ and ‘risk appetite’ are complicated ideas not given much explanation within ISO 31000. They are not important in developing a basic understanding of risk management, as long as we have an idea that there are limits on acceptable risk.
The sweet spot
There is a sweet spot where the level of risk is best for long term outcomes, not too limited and not too great.
Finding the sweet spot and manipulating risk to keep it there is the purpose of risk management.
This is a paraphrase from the CRMA Study Guide (page 101). The image of a sweet spot recognises that achieving objectives will always involve accepting some uncertainty, even some exposure to terminal events such as bankruptcy or death. At the same time, risk can be unacceptable or counter-productive beyond a certain level. In business terms, more return comes at the expense of more risk. Risk can become unacceptable when the likelihood of a specific negative outcome is too high, even if there are also positive potential outcomes that could be made more likely or bigger in size. In any event, a point is always reached when taking ever-increasing risk cannot be expected to improve long-term returns.
The goal of risk management is staying in the sweet spot. In the sweet spot, risks are ‘within the organisation’s risk criteria’.