Key Principles for actually managing risk (Everyone)

Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.

Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates.

This is an implicit message of ISO 31000. Its name is Risk Management Principles and Guidelines. It is not ‘the right way to do Risk Management’. It does not even include a way to ‘do Risk Management’. Within and outside the ISO 31000 family, there are many possible methods for approaching the management of risk.

…[I]t is not intended to promote uniformity of risk management across organisations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organisation, its particular objectives, context, structure, operations, processes, functions, projects, products, services or assets and specific practices employed. [ISO 31000, 1 Scope]

Instead, ISO 31000 defines eleven Key Principles that distinguish effective risk management from the unreal and ineffective. The first principle is that risk management creates and protects value. The ten further principles continue to emphasise effectiveness in the real world.

These principles are the exact opposite of a standardised process, or any suggestion of unproductive red tape and compliance overhead. No unproductive nonsense deserves oxygen in the name of risk management.

It is true that ISO 31000 goes on to prescribe features of a risk management framework and process, but these are also based on principles. They are nothing like a prescribed method.

Risk management is simply ‘management’, with recognition of the effects of uncertainty.

Management is about taking actions to achieve an outcome. Risk management is simply the recognition that outcomes are uncertain, even if management takes the right actions. Management can take actions to reduce (or increase) uncertainty, but outcomes are never guaranteed.

Risk is managed by decision makers and their teams, whether at Board, senior executive, or individual worker level. Risk is managed when and where the decisions are made.

As risk management is simply management, we can classify the exercise of risk management by the degree of formalisation of ‘risk management’ methods. This table shows how that classification might be done.

Formality of risk management (managing with recognition of the effects of uncertainty)

Explicit and formal methods

  • Formalised ‘risk management’ methods

      ◦ Loosely quantified (risk represented by categorical and ordinal variables)
        Typical techniques: Risk registers, risk criteria, risk ratings.
        Examples: Enterprise, project, health and safety, security, fraud, and business continuity risk management.

      ◦ Fully quantified (risk represented by interval and ratio variables)
        Typical techniques: Quantified bow-tie, fault tree, event tree, simulations, Monte Carlo, game theory.
        Examples: Safety engineering, investment management, derivatives trading.

  • Other formalised approaches to risk-motivated decisions
    Examples: Control design, regulatory compliance, better practices, incident monitoring and logging, streaming of cases.

Implicit and informal methods

  • Learning from experience
    Varieties: Inertia, conservatism, rules of thumb, critical events, collective wisdom, research, noting others’ experiences.
    Examples: Day to day management, critical incident review, evaluation of investment or change proposals.

  • Situational awareness
    Examples: Tactical business planning, general supervision within the enterprise.

  • Expert predictions
    Examples: Strategic planning, marketing decisions.

If we talk about ‘using risk management’ or a risk management activity, we are assuming that formalised risk management methods are involved. That subset of risk management practice corresponds to the first row of the table (formalised ‘risk management’ methods). The actual management of risk across an enterprise—that is, managing with recognition of uncertainty—involves all of the activities in the table.

Any of the example management activities can be the subject of formal risk management methods, but it is not automatic that use of those methods will improve understanding or outcomes.

Because ISO 31000 is a Standard, it is explicitly aimed at organisations and external stakeholder interests. As a consequence, it sets some expectations for documentation, record keeping, and visibility for risk management. Those expectations go beyond the ‘essence’ of risk management as I have defined it. ISO 31000 sets expectations for documentation, but does not set an expectation for a specific way of managing risk that must be visible in documentation. One consequence is that implicit and informal risk management may be effective, even robust, but there will be problems in demonstrating implementation of ISO 31000. The same will apply to some extent with formal methods not based on ISO 31000 risk concepts, such as regulatory compliance or better practices.

‘Treating a risk’ means doing something different.

It is impossible to make a decision to influence risk in isolation from deciding what actions will be taken. Those actions always have consequences other than for ‘risk’ in isolation – profit expectations might increase or decrease, costs might also increase or decrease, and so on. Exactly the same thing happens in the management of human resources or financial management. A change to staffing or budgets will always have effects on overall business outcomes, in the same way that a risk-based action will have effects on outcomes.

Treating a risk means changing the activity so that the new activity has risk better aligned with the activity’s objectives and with the stakeholders’ attitudes to the risks involved. Changes to the activity can be minor (adding a control), fundamental (abandonment), or anything in between. It is not a separate adjustment to ‘the risk’.

Stakeholders outside an organisation can also manage risk to their own interests. They can do that by choosing to engage with that organisation, by choosing to avoid it, or by imposing conditions on support for the organisation.

Risks are managed by managers, not risk specialists.

Risk specialists and advisers don’t manage risk. They may motivate, regulate, evaluate, and support risk management, but they don’t manage risk.

The amount of risk management going on can never be more than the importance given to risk considerations as actions are decided. Adding specialist risk advisory services and processes does not add to risk management if there is no influence from them at the moment of decision.

You may then wonder what managers are doing when they are specifically ‘managing risk’. You may also wonder what ‘risk managers’ and Chief Risk Officers do, if it’s not managing risk. These questions are answered in What separate activities are specific to ‘risk management’? (Everyone), and in What is risk management? It’s not what ‘risk managers’ do (Specialists).

Further Reading

Main article on What is risk management? (Everyone)

Recommended next articles:

How does ‘risk management’ fit with all the other kinds of ‘management’? (Everyone)

Risk management is not just another dimension of management. It’s a dimension of all the other dimensions.


Drill-down articles:

What is risk management? Examples (Everyone)

  • Deciding strategy for an organisation with a mission
  • Running operations
  • Managing a work unit within an organisation
  • Designing a facility for safety
  • Designing an information system to meet integrity objectives
  • Accounts payable system design
  • Health and safety
  • Regulating an industry or sector
  • Speculating in the hope of a massive success
  • Balancing investment returns and security
  • Choosing between medical treatments
  • Approving and managing a project
  • Procurement of assets or services

What is risk management? Thinking too narrowly (Everyone)

  • Risk management is (not) expressing levels of risk on a standard scale.
  • Introducing risk management is (not) implementing a standard ‘methodology’ for ‘risk management’.
  • Risk management is (not) maintaining a central ‘risk register’ for all risks in an organisation.
  • Risk management is (not) only about what can go wrong.
  • Risk management is (not) only about events that may or may not occur.
  • Risk management is (not) identifying the ‘top 3 risks’ (substitute your own number).
  • Risk management is (not) understanding and acting on all risks in an enterprise (Enterprise Risk Management).

What is risk management? Less common errors (Everyone)

  • Risk (only) arises where there is non-compliance.
  • Risk (only) arises from change.
  • Risk (only) arises where governance or control processes are not mature.
  • Risk is (only) whatever can stop the plan from being executed.
  • Risk management is (just) designing controls.
  • Risk management is (not) workshops, consensus, and voting.
  • Risk management is (not) about re-directing blame.
  • Risk management can (not) be achieved by risk scoring.
  • Risk management is (not) just a matter of monitoring.
  • Risk management is (not) calculating the ‘expected’ loss or gain.

