What is Risk Management?


For Everyone: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first. Stream supplements are available as drill-downs.

Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be.

The question ‘What is risk management?’ has many answers. A lot of them are right. None of the right answers involve detection, containment or disposal of hazardous risk.

This blog offers three answers based on three versions of the question:

  1. What is the essence of risk management?
  2. What separate activities are specific to risk management?
  3. How does ‘risk management’ fit with all the other kinds of ‘management’ that go on in organisations?

It may also be useful to see some examples of where and how risk management can be applied.

This article concentrates on the central essence of managing risk. It is based closely on ISO 31000, but aims to be more reader-friendly.


The essence of risk management

To manage risk is to understand and act on the effects of uncertainty on objectives.

That’s a lot to take in as one line, even if each word is familiar. Let’s unpack some of those words.

‘Objectives’ are the preferred outcomes of an activity.

Every activity has objectives, whether or not those objectives are defined clearly and captured in words. Even if you have looked at risk simply as the potential consequences of an event, there are implicit objectives in the activity that drive your evaluation of those consequences.

Your objectives are your outcome preferences.

Usually there are multiple objectives that cannot all be maximised at once. Pushing for a better outcome on one objective will eventually involve a worse outcome on another. Each organisation must decide on desired and tolerable outcome ranges for each objective, and on appropriate trade-offs between objectives. (This process is related to ‘risk appetite’, but is not the same thing.)

‘Effects’ can be positive or negative.

An effect is a deviation from the expected. It can be positive and/or negative. [From ISO Guide 73:2009 definition of risk, Note 1]

In the draft 2017 revision of ISO 31000,

An effect is a deviation from the expected. It can be positive (sometimes expressed as opportunities), or negative (sometimes expressed as threats) or both. [3.1 definition of risk, Note 1]

Effects on objectives include both not reaching the intended outcome, and having unintended outcomes. Those effects would be negative.

Effects on objectives can also include reaching a desired but unlikely outcome, or having an unexpected gain. Those effects would be positive.

Let’s spread out those dichotomies into a quadrant diagram:

| | Intended outcome | Unintended outcome |
|---|---|---|
| Positive effect from uncertainty | Success in reaching an intended outcome that had otherwise been looking doubtful: while looking for oil, you find some and make a good profit. | Unexpected gain (windfall): while looking for oil, you stumble across gold. |
| Negative effect from uncertainty | Failure to reach an intended outcome that had been expected: while looking for oil, you don’t find any, and end up broke. | Unintended consequence (side-effect): while looking for oil, you die from malaria. |

The expected outcome is some version of achieving the intended objectives, without unexpected harms. In the oil example, it might have been: You look for oil and find enough to make it worthwhile. No-one will be injured as a result. There is an expectation for the outcome when the decision is made to start the activity. The expectation can change frequently as events unfold. The decisions can also change.

Historically, the risk management profession has concentrated on the black quadrant at lower right. However, risk management is applicable to all four quadrants. Within the LinkedIn Group ISO 31000 Risk Management Standard, we are regularly reminded to look upward from the negative to the positive. Norman Marks, among others, has emphasised the left column. Emphasis on the left column often goes with a recommendation to focus risk management on strategy, as well as on operations.

If we define risk as the effects of uncertainty ‘on objectives’, as in ISO 31000, we must cover all the quadrants. In the list of objectives, we must include some ‘objectives’ to avoid or minimise undesirable outcomes. Ideally, we also include objectives about taking the benefit of unexpectedly favourable events.

‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns.

Uncertainty includes both the possibility of an unplanned event, and the possibility that the world isn’t quite as we assumed.

Within that broad scope of ‘uncertainty’, there are some special cases:

Black swan: The possibility of a unique event or discovery that no-one ever imagined to be possible.

Faulty assumptions: The possibility that we made the wrong assumption when planning an activity. It is conceivable that we never even find out which assumption was faulty.

Faulty risk analysis: The possibility that our understanding of the effects of anticipated events or errors is faulty.

Unplanned events can occur outside or inside the organisation.

‘Act on’ includes many kinds of response.

Actions on uncertainty can include:

  • Finding out more, to reduce uncertainty.
  • Discussing potential outcomes with people who may be affected.

Such communication and consultation is applicable to all four quadrants of the effects on objectives. It may be particularly important when there is a clear possibility of unintended negative outcomes for people outside the organisation undertaking the activity.

  • Monitoring the apparent likelihood of a future event or discovery.
  • Taking steps to increase or decrease the likelihood of particular events or mistaken assumptions.
  • Taking steps to increase or decrease the likelihood of particular consequences from events or errors that occur.
  • Comparing predicted events with historical events, and exploring the reasons for differences.

This process builds a basis for belief in the assessment of future risk.


Drill-down articles

The goal of risk management

The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria. The ‘organisation’ is optional. Stakeholders are mandatory. Risk ‘criteria’ are agreed limits.


Key principles for actually managing risk

Risk management comes naturally from the human capacity to plan for the future with conscious actions. Risk management is not defined by any step-by-step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.


How does ‘risk management’ fit with all the other kinds of ‘management’?

Risk management is not just another dimension of management. It’s a dimension of all the other dimensions.


What separate activities are specific to ‘risk management’?

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000. Different specialists assume different boundaries of ‘risk’.


What is risk management? Examples

  • Deciding strategy for an organisation with a mission
  • Running operations
  • Managing a work unit within an organisation
  • Designing a facility for safety
  • Designing an information system to meet integrity objectives
  • Accounts payable system design
  • Health and safety
  • Regulating an industry or sector
  • Speculating in the hope of a massive success
  • Balancing investment returns and security
  • Choosing between medical treatments
  • Approving and managing a project
  • Procurement of assets or services


What is risk management? Thinking too narrowly

  • Risk management is (not) expressing levels of risk on a standard scale.
  • Introducing risk management is (not) implementing a standard ‘methodology’ for ‘risk management’.
  • Risk management is (not) maintaining a central ‘risk register’ for all risks in an organisation.
  • Risk management is (not) only about what can go wrong.
  • Risk management is (not) only about events that may or may not occur.
  • Risk management is (not) identifying the ‘top 3 risks’ (substitute your own number).
  • Risk management is (not) understanding and acting on all risks in an enterprise (Enterprise Risk Management).


What is risk management? Less common errors

  • Risk (only) arises where there is non-compliance.
  • Risk (only) arises from change.
  • Risk (only) arises where governance or control processes are not mature.
  • Risk is (only) whatever can stop the plan from being executed.
  • Risk management is (just) designing controls.
  • Risk management is (not) workshops, consensus, and voting.
  • Risk management is (not) about re-directing blame.
  • Risk management can (not) be achieved by risk scoring.
  • Risk management is (not) just a matter of monitoring.
  • Risk management is (not) calculating the ‘expected’ loss or gain.


What is risk management? What matters for management

The ‘Executive’ stream in this blog is for people who actually make decisions and thereby manage risk. As an executive manager, you are managing risk on behalf of stakeholders. As a stakeholder, you are relying on the decision makers to look out for your interests.

For executives and managers: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first.

What is risk management? (supplement for risk specialists)

Seen it all: This series assumes you know risk terms and concepts. It includes references to standards.

What is risk management? (Australian Government supplement)

The Commonwealth Risk Management Policy generally follows ISO 31000 and creates similar expectations.

Recommended reading

For the Australian Government: This series assumes you work within the Australian Government, but have no prior knowledge of the subject. It does not use technical terms without explaining them first.

What is risk management? (CRMA supplement)

For CRMA candidates (IIA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRMA Study Guide.

What is risk management? (CRISC supplement)

For CRISC candidates (ISACA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.
