What is risk management? (CRMA)

This article assumes you have read What is risk management? (Everyone). You will probably also want to look at What is risk management? (Specialists) sooner or later.


The CRMA study guide is neutral between authoritative definitions and concepts. The implicit messages in the CRMA guide are closer to modern and principles-based understandings captured in ISO 31000 than to older approaches based on methods.

One of the definitions of risk quoted in CRMA is original to the IIA:

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. [IPPF 2013, quoted in the CRMA Review Manual at page 7]

This IIA definition of risk follows COSO in referring to possible events rather than uncertainty, as favoured in ISO 31000. It also specifies impact and likelihood as the measures of risk, which ISO 31000 does not. While the words are different, the underlying intentions are in harmony, as the later parts of the IIA’s CRMA study guide discuss other risk measures (‘assessment criteria’), while ISO 31000 clearly favours likelihood and effect magnitude as the most important measures of risk, without excluding others.

Within the CRMA study guide, the basic natures of risk and risk management are explored in Domain 1 Part A. The discussion of fundamental purpose is on pages 7-8, followed by identification of ‘processes within risk management’. The CRMA ‘processes’ identification parallels the ISO 31000 definition of the ‘framework’, though with different contents. [ISO 31000, Section 4]

The CRMA study guide understands risk management predominantly as Enterprise Risk Management, which is defined on page 9 as

a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding responses to, and reporting on opportunities and threats that affect the achievement of its objectives. [Original source: IIA 2009 Position Paper Role of Internal Auditing in Enterprise Risk Management.]

My approach is different, to the extent that I discuss risk management as a general activity, not necessarily linked to a single organisation (‘enterprise’), or to the objectives of the organisation regarded as a unit. I regard Enterprise Risk Management as a specific application of risk management. Otherwise, there is close agreement.

Study guide Domain 1 Parts B and C go into some depth about the risk management context before getting into registers and ratings. This order of discussion also parallels ISO 31000. This structure in itself carries a strong message: understanding the context and final purpose of risk management is far more important than the detailed steps taken along the way.

Risk ‘exploitation’ as a treatment

This blog hasn’t formally discussed risk treatment, but there was some interpretation of ‘acting on’ risk in the lead Everyone article on ‘what is risk management’. This section assumes that you are already familiar with conventional categories of risk treatment or response.

‘Acting’ on risk could include finding out more, discussing risk with stakeholders, monitoring, changing likelihoods, changing consequences, and comparing actual events with predictions. These actions map onto standard risk management actions, usually characterised as something like ‘accept’, ‘avoid’, ‘mitigate’, and ‘transfer’, plus some other conventional responses to risk.

The CRMA Study Guide addresses risk treatment in Part II.B.4, pages 100 through 111. It adds ‘exploit’ to the usual four categories of risk treatment.

The concept of ‘exploiting’ a risk confused me no end, particularly as it was explained on page 109. To me that paragraph focused on investing for uncertain gains, which is a type of risk acceptance, not a different ‘exploitation’ of a risk. So here’s my attempt at explaining ‘exploit’ as a response to risk. Continue reading at your own risk.

Suppose there is a type of risk common across your industry. Many of your competitors restrict their activities to limit their exposure to that risk, to the point that they are comfortable with that exposure.

Also suppose that your organisation has either a higher tolerance for the risk, or a better way of limiting the risk that is otherwise common. In either case, your organisation will take on activities that others won’t.

That means your organisation can get a high market share, or charge premium prices, by doing the work that competitors won’t.

This strategy can be called ‘exploiting the risk’. It is not just a matter of accepting uncertain profits or accepting that bad things can happen, which everybody does to some extent.

An example for this kind of risk exploitation is a movie stunt artist. Most of us will not attempt dangerous stunts even if the pay were to be very high—higher than movie companies would be willing to pay. But a professional stunt artist can limit their own risk in ways not available to the rest of us, using special skills and resources, while performing in a spectacular way for the movie. In this way, a few stunt artists can get paid high, but justifiable, fees for doing things that are too dangerous for the rest of us. In this way, the stunt artists ‘exploit’ the risk of injury in performing stunts that would be very dangerous to anyone else, though much less so to them. Stunt artists have a high market share in this kind of work. They can charge premium fees for it, while keeping the price low enough that they do actually get some paid work.

Another example is an insurance company. For simplicity let’s focus on fire insurance. Individuals and businesses are unwilling to accept the risk of losing all of their assets through fire. While the likelihood may be low, the potential impact on the individual or business is devastating. So they take out fire insurance, paying a relatively small but known premium so that the economic loss from any actual fire will be small or zero, rather than catastrophic. The insurance company is absorbing the risk that the individual or business customer is avoiding.

So far we are talking about risk transfer. The insurer is also exploiting the risk if there are many different customers, and the total of all premiums consistently amounts to more than the payouts for fire damage, thereby making a profit. A profit is possible because while the likelihood and magnitude of economic loss transferred by each policy is the same for both the customer and the insurer, the insurer can cope with the economic loss from each fire in a way that the customer cannot. The insurer has a higher ‘risk capacity’ than the customer. This higher ‘risk capacity’, actually a capacity for discrete economic losses, gives the insurer the ability to ‘exploit’ fire risk and to profit from it.

Further Reading

Main article on What is risk management? (Everyone)

Recommended next articles:

Discrete risk management processes within an enterprise (Everyone)

Risk management happens across the whole of any enterprise, whether or not it is formalised and explicit. There may be multiple discrete risk management processes across the enterprise. Any discrete risk management process needs to have a definite scope. Discrete and independent risk management processes are the work-horses within formal risk management, even if they are not recognised at all in ISO 31000 or COSO ERM.
