The goal of risk management (Everyone)

The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria. The ‘organisation’ is optional. Stakeholders are mandatory. Risk ‘criteria’ are agreed limits.

The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria.

This is a direct quote from ISO 31000, A.2. Like the definition of risk, this statement also needs some unpacking.

The ‘organisation’ is optional.

Risks are managed on behalf of an ‘organisation’. That is a useful manner of speaking. The ‘organisation’ can be a formally defined legal entity, a work unit within an entity, or even an individual. In the expansive direction, the ‘organisation’ can be a loose coalition of aligned entities, an industry or sector, a community, a nation, or an international community.

For convenience, all the different users of the International Standard are referred to by the term ‘organisation’. [ISO 31000 1 Scope]

Many otherwise excellent sources confuse risk management with Enterprise Risk Management. The word ‘organisation’ in the ISO 31000 goal for effective risk management is an example of that confusion. Interestingly, if you look for scholarly journal papers on risk management, you will find a large mass of material on narrowly quantitative risk assessment for narrowly-scoped risks, not so much on practical enterprise risk management.

If you’re confused, I have been too. Watch out for a future article specifically on the concept of Enterprise Risk Management, and how it differs from risk management.

Stakeholders are mandatory.

Stakeholder is an ugly word with a modern meaning that contradicts its origins in stake and holder. Despite that sad fact, stakeholder is used in ISO 31000 to mean a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. [ISO Guide 73:2009, definition 3.2.1.1.]

It is useful to understand that the ‘organisation’ is generally accountable to ‘stakeholders’ that are outside the ‘organisation’.

Managing risk involves understanding the effects of uncertainty on the stakeholders’ objectives.

It is a common error to look only at risk to the organisation. Management of risk by an organisation is never for the sole benefit of that organisation in isolation. Risk management is about stakeholders even if the organisation’s main motive for managing risk is just profitability or self-interest.

A profit-motivated organisation has stakeholders such as investors, customers, and employees. Those stakeholders’ interests are important for the organisation’s profit-making planning and self-interested risk management. ‘Governance’ measures and regulation try to make self-interest overlap with stakeholder interest. There is always some alignment between self-interest and stakeholder interests, though there is never quite enough alignment to ensure that everyone stays happy.

Non-profit organisations typically have clients and funders (such as donors and tax-payers), who are primary stakeholders, comparable with investors and customers.

Project and team managers within larger organisations need to take note of their stakeholders. Their stakeholders may be invisible and nearly silent, but those stakeholders are represented by project boards, senior executives, and directors, who are in turn accountable to investors and customers. Project managers are formally trained in stakeholder management, but may have the idea that a stakeholder is someone with influence over the project. In risk management, stakeholders are also the people who are affected by project outcomes.

Other middle managers may not have any specific discipline of stakeholder management, but they always have stakeholders.

Risk criteria are agreed limits.

Risk criteria are the limits of acceptable risk. Acceptable risk is defined through a process to decide the nature and extent of risks that the organisation is willing to create, impose on stakeholders, or suffer for itself in the pursuit of its objectives. ISO 31000 emphasises that this process must be based on communication and consultation. Risk criteria are based on the organisation’s objectives, the tolerable range of outcomes on each objective, ‘risk capacity’, and ‘risk appetite’, recognising that all of these factors are attributes of external stakeholders as much as of people inside the organisation.

‘Risk capacity’ and ‘risk appetite’ are complicated ideas not given much explanation within ISO 31000. They are not important in developing a basic understanding of risk management, as long as we have an idea that there are limits on acceptable risk.

The sweet spot

There is a sweet spot where the level of risk is best for long term outcomes, not too limited and not too great.

Finding the sweet spot and manipulating risk to keep it there is the purpose of risk management.

This is a paraphrase from the CRMA Study Guide (page 101). The image of a sweet spot recognises that achieving objectives will always involve accepting some uncertainty, even some exposure to terminal events such as bankruptcy or death. At the same time, risk can be unacceptable or counter-productive beyond a certain level. In business terms, more return comes at the expense of more risk. Risk can become unacceptable when the likelihood of a specific negative outcome is too high, even if there are also positive potential outcomes that could be made more likely or bigger. In any event, a point is always reached when taking ever-increasing risk cannot be expected to improve long-term returns.

The goal of risk management is staying in the sweet spot. In the sweet spot, risks are ‘within the organisation’s risk criteria’.

Further Reading

Main article on What is risk management? (Everyone)

Recommended next articles:

Key Principles for actually managing risk (Everyone)

Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.


Drill-down articles:

What is risk management? Examples (Everyone)

Deciding strategy for an organisation with a mission
Running operations
Managing a work unit within an organisation
Designing a facility for safety
Designing an information system to meet integrity objectives
Accounts payable system design
Health and safety
Regulating an industry or sector
Speculating in the hope of a massive success
Balancing investment returns and security
Choosing between medical treatments
Approving and managing a project
Procurement of assets or services

What is risk management? Thinking too narrowly (Everyone)

Risk management is (not) expressing levels of risk on a standard scale.
Introducing risk management is (not) implementing a standard ‘methodology’ for ‘risk management’.
Risk management is (not) maintaining a central ‘risk register’ for all risks in an organisation.
Risk management is (not) only about what can go wrong.
Risk management is (not) only about events that may or may not occur.
Risk management is (not) identifying the ‘top 3 risks’ (substitute your own number).
Risk management is (not) understanding and acting on all risks in an enterprise (Enterprise Risk Management).

What is risk management? Less common errors (Everyone)

Risk (only) arises where there is non-compliance.
Risk (only) arises from change.
Risk (only) arises where governance or control processes are not mature.
Risk is (only) whatever can stop the plan from being executed.
Risk management is (just) designing controls.
Risk management is (not) workshops, consensus, and voting.
Risk management is (not) about re-directing blame.
Risk management can (not) be achieved by risk scoring.
Risk management is (not) just a matter of monitoring.
Risk management is (not) calculating the ‘expected’ loss or gain.

All pages on What is Risk Management?

For everyone:
The goal of risk management (Everyone)
Key Principles for actually managing risk (Everyone)
How does ‘risk management’ fit with all the other kinds of ‘management’?
What separate activities are specific to ‘risk management’?
What is risk management? Examples
What is risk management? Thinking too narrowly
What is risk management? Less common errors

Supplements for reader streams:
For Risk Specialists: What is risk management? (Specialists)
For CRMA Candidates: What is risk management? (CRMA)
For CRISC Candidates: What is risk management? (CRISC)

Extras for risk specialists:
What is risk management? Reconciling definitions of risk management
What is risk management? Definition of ‘risk’ (Specialists)
What is risk management? Definition of ‘risk management’ (Specialists)
What is risk management? Defining the end result of effective risk management (Specialists)
What is risk management? It’s not following a risk management process
What is risk management? It’s not what ‘risk managers’ do

Risk consequences as the final effect on objectives (LinkedIn – registration required)

For Executives: What is risk management? What matters for management (Executives)
For Australian Government readers: What is risk management? (Australian Government)
