Risk management comes naturally from the human capacity to plan for the future and to act deliberately on those plans. It is not defined by any step-by-step process built from rules and templates.
This is an implicit message of ISO 31000. Its title is Risk Management – Principles and Guidelines. It is not ‘the right way to do Risk Management’. It does not even include a way to ‘do Risk Management’. Within and outside the ISO 31000 family, there are many possible methods for approaching the management of risk.
…[I]t is not intended to promote uniformity of risk management across organisations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organisation, its particular objectives, context, structure, operations, processes, functions, projects, products, services or assets and specific practices employed. [ISO 31000, 1 Scope]
Instead, ISO 31000 defines eleven principles that distinguish effective risk management from practices that are unreal and ineffective. The first principle is that risk management creates and protects value. The ten further principles continue to emphasise effectiveness in the real world.
These principles are the exact opposite of a standardised process, and of any suggestion of unproductive red tape and compliance overhead. No unproductive nonsense deserves oxygen in the name of risk management.
It is true that ISO 31000 goes on to prescribe features of a risk management framework and process, but these too are based on principles. They are nothing like a prescribed method.
Risk management is simply ‘management’, with recognition of the effects of uncertainty.
Management is about taking actions to achieve an outcome. Risk management is simply the recognition that outcomes are uncertain, even if management takes the right actions. Management can take actions to reduce (or increase) uncertainty, but outcomes are never guaranteed.
Risk is managed by decision makers and their teams, whether at Board, senior executive, or individual worker level. Risk is managed when and where the decisions are made.
As risk management is simply management, we can classify the exercise of risk management by the degree to which ‘risk management’ methods are formalised. The table below shows how that classification might be done.
Formality of risk management (managing with recognition of the effects of uncertainty)

Explicit and formal methods
  Formalised ‘risk management’ methods
    Typical techniques: Risk registers, risk criteria, risk ratings.
    Examples: Enterprise, project, health and safety, security, fraud, and business continuity risk management.
    Typical techniques: Quantified bow-tie, fault tree, event tree, simulations, Monte Carlo, game theory.
    Examples: Safety engineering, investment management, derivatives trading.
  Other formalised approaches to risk-motivated decisions
    Examples: Control design, regulatory compliance, better practices, incident monitoring and logging, streaming of cases.

Implicit and informal methods
  Learning from experience
    Varieties: Inertia, conservatism, rules of thumb, critical events, collective wisdom, research, noting others’ experiences.
    Examples: Day to day management, critical incident review, evaluation of investment or change proposals.
  Examples: Tactical business planning, general supervision within the enterprise.
  Examples: Strategic planning, marketing decisions.
If we talk about ‘using risk management’ or a risk management activity, we are assuming that formalised risk management methods are involved. That subset of risk management practice is the ‘Formalised ‘risk management’ methods’ part of the table. The actual management of risk across an enterprise—that is, managing with recognition of uncertainty—involves all of the activities in the table.
Any of the example management activities can be made the subject of formal risk management methods, but it does not follow automatically that using those methods will improve understanding or outcomes.
Because ISO 31000 is a Standard, it is explicitly aimed at organisations and at the interests of external stakeholders. As a consequence, it sets some expectations for documentation, record keeping, and visibility of risk management. Those expectations go beyond the ‘essence’ of risk management as I have defined it. ISO 31000 sets expectations for documentation, but it does not set an expectation for a specific way of managing risk that must be visible in that documentation. One consequence is that implicit and informal risk management may be effective, even robust, yet there will be problems in demonstrating implementation of ISO 31000. The same applies, to some extent, to formal methods not based on ISO 31000 risk concepts, such as regulatory compliance or better practices.
‘Treating a risk’ means doing something different.
It is impossible to make a decision that influences risk in isolation from deciding what actions will be taken. Those actions always have consequences beyond ‘risk’ in isolation: profit expectations might increase or decrease, costs might also increase or decrease, and so on. Exactly the same thing happens in the management of human resources or in financial management. A change to staffing or budgets will always have effects on overall business outcomes, in the same way that a risk-based action will have effects on outcomes.
Treating a risk means changing the activity so that the new activity carries risk better aligned with the activity’s objectives and with the stakeholders’ attitudes to the risks involved. Changes to the activity can be minor (adding a control), fundamental (abandonment), or anything in between. Treatment is not a separate adjustment to ‘the risk’.
Stakeholders outside an organisation can also manage risk to their own interests. They can do that by choosing to engage with that organisation, by choosing to avoid it, or by imposing conditions on their support for the organisation.
Risks are managed by managers, not risk specialists.
Risk specialists and advisers don’t manage risk. They may motivate, regulate, evaluate, and support risk management, but they don’t manage risk.
The amount of risk management going on can never be more than the weight given to risk considerations at the moment actions are decided. Adding specialist risk advisory services and processes adds nothing to risk management if they have no influence at the moment of decision.
You may then wonder what managers are doing when they are specifically ‘managing risk’. You may also wonder what ‘risk managers’ and Chief Risk Officers do, if it’s not managing risk. These questions are answered in What separate activities are specific to ‘risk management’? (Everyone), and in What is risk management? It’s not what ‘risk managers’ do (Specialists).
Recommended next article: How does ‘risk management’ fit with all the other kinds of ‘management’? (Everyone)