What is Risk Management? (Everyone)

To manage risk is to understand and act on the effects of uncertainty on objectives. ‘Objectives’ are the preferred outcomes of an activity. ‘Effects’ can be positive or negative. ‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns. ‘Act on’ includes many kinds of response.

Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be.

The question ‘What is risk management?’ has many answers. A lot of them are right. None of the right answers involve detection, containment or disposal of hazardous risk.

This blog offers three answers based on three versions of the question:

  1. What is the essence of risk management?
  2. What separate activities are specific to risk management?
  3. How does ‘risk management’ fit with all the other kinds of ‘management’ that go on in organisations?

It may also be useful to see some examples of where and how risk management can be applied.

This article concentrates on the central essence of managing risk. It is based closely on ISO 31000, but aims to be more reader-friendly.


The essence of risk management

To manage risk is to understand and act on the effects of uncertainty on objectives.

That’s a lot to take in as one line, even if each word is familiar. Let’s unpack some of those words.

‘Objectives’ are the preferred outcomes of an activity.

Every activity has objectives, whether or not those objectives are defined clearly and captured in words. Even if you have looked at risk simply as the potential consequences of an event, there are implicit objectives in the activity that drive your evaluation of those consequences.

Your objectives are your outcome preferences.

Usually there are multiple objectives that cannot all be maximised at once. Pushing for a better outcome on one objective will eventually involve a worse outcome on another. Each organisation must decide on desired and tolerable outcome ranges for each objective, and on appropriate trade-offs between objectives. (This process is related to ‘risk appetite’, but is not the same thing.)

‘Effects’ can be positive or negative.

An effect is a deviation from the expected. It can be positive and/or negative. [From ISO Guide 73:3009 definition of risk, Note 1]

In the draft 2017 revision of ISO 31000,

An effect is a deviation from the expected. It can be positive (sometimes expressed as opportunities), or negative (sometimes expressed as threats) or both. [3.1 definition of risk, Note 1]

Effects on objectives include both not reaching the intended outcome, and having unintended outcomes. Those effects would be negative.

Effects on objectives can also include reaching a desired but unlikely outcome, or having an unexpected gain. Those effects would be positive.

Let’s spread out those dichotomies into a quadrant diagram:

Intended outcome Unintended outcome
Positive effect from uncertainty Success in reaching an intended outcome that had otherwise been looking doubtful: While looking for oil, you find some and make a good profit. Unexpected gain (windfall): While looking for oil, you stumble across gold.
Negative effect from uncertainty Failure to reach an intended outcome that had been expected: While looking for oil, you don’t find any, and end up broke. Unintended consequence (side-effect): While looking for oil, you die from malaria.

The expected outcome is some version of achieving the intended objectives, without unexpected harms. In the oil example, it might have been: You look for oil and find enough to make it worthwhile. No-one will be injured as a result. There is an expectation for the outcome when the decision is made to start the activity. The expectation can change frequently as events unfold. The decisions can also change.

Historically, the risk management profession has concentrated on the black quadrant at lower right. However, risk management is applicable to all four quadrants. Within the LinkedIn Group ISO 31000 Risk Management Standard, we are regularly reminded to look upward from the negative to the positive. Norman Marks, among others, has emphasised the left column. Emphasis on the left column often goes with a recommendation to focus risk management on strategy, as well as on operations.

If we define risk as the effects of uncertainty ‘on objectives’, as in ISO 31000, we must cover all the quadrants. In the list of objectives, we must include some ‘objectives’ to avoid or minimise undesirable outcomes. Ideally, we also include objectives about taking the benefit of unexpectedly favourable events.

‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns.

Uncertainty includes both the possibility of an unplanned event, and the possibility that the world isn’t quite as we assumed.

Within that broad scope of ‘uncertainty’, there are some special cases:

Black swan: The possibility of a unique event or discovery that no-one ever imagined to be possible.

Faulty assumptions: The possibility that we made the wrong assumption when planning an activity. It is conceivable that we never even find out which assumption was faulty.

Faulty risk analysis: The possibility that our understanding of the effects of anticipated events or errors is faulty.

Unplanned events can occur outside or inside the organisation.

‘Act on’ includes many kinds of response.

Actions on uncertainty can include:

  • Finding out more, to reduce uncertainty.
  • Discussing potential outcomes with people who may be affected.

Such communication and consultation is applicable to all four quadrants of the effects on objectives. It may be particularly important when there is a clear possibility of unintended negative outcomes for people outside the organisation undertaking the activity.

  • Monitoring the apparent likelihood of a future event or discovery.
  • Taking steps to increase or decrease the likelihood of particular events or mistaken assumptions.
  • Taking steps to increase or decrease the likelihood of particular consequences from events or errors that occur.
  • Comparing predicted events with historical events, and exploring the reasons for differences.

This process builds a basis for belief in the assessment of future risk.

Further Reading

Recommended next articles:

The goal of risk management (Everyone)

The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria. The ‘organisation’ is optional. Stakeholders are mandatory. Risk ‘criteria’ are agreed limits.

Stream supplements Risk Specialists Executives Australian Government CRMA CRISC

Drill-down articles:

What is risk management? Examples (Everyone)

Deciding strategy for an organisation with a mission Running operations Managing a work unit within an organisation Designing a facility for safety Designing an information system to meet integrity objectives Accounts payable system design Health and safety Regulating an industry or sector Speculating in the hope of a massive success Balancing investment returns and security Choosing between medical treatments Approving and managing a project Procurement of assets or services

What is risk management? Thinking too narrowly (Everyone)

Risk management is (not) expressing levels of risk on a standard scale. Introducing risk management is (not) implementing a standard ‘methodology’ for ‘risk management’. Risk management is (not) maintaining a central ‘risk register’ for all risks in an organisation. Risk management is (not) only about what can go wrong. Risk management is (not) only about events that may or may not occur. Risk management is (not) identifying the ‘top 3 risks’ (substitute your own number). Risk management is (not) understanding and acting on all risks in an enterprise (Enterprise Risk Management).

What is risk management? Less common errors (Everyone)

Risk (only) arises where there is non-compliance Risk (only) arises from change. Risk (only) arises where governance or control processes are not mature. Risk is (only) whatever can stop the plan from being executed. Risk management is (just) designing controls. Risk management is (not) workshops, consensus, and voting. Risk management is (not) about re-directing blame. Risk management can (not) be achieved by risk scoring. Risk management is (not) just a matter of monitoring. Risk management is (not) calculating the ‘expected’ loss or gain.

All pages on What is Risk Management?

Articles for everyone The goal of risk management (Everyone) Key Principles for actually managing risk (Everyone) How does ‘risk management’ fit with all the other kinds of ‘management’? What separate activities are specific to ‘risk management’? What is risk management? Examples What is risk management? Thinking too narrowly What is risk management? Less common errors
Supplements for reader streams
For Risk Specialists: What is risk management? (Specialists)
For CRMA Candidates: What is risk management? (CRMA)
For CRISC Candidates: What is risk management? (CRISC)
Extras for risk specialists: What is risk management? Reconciling definitions of risk management What is risk management? Definition of ‘risk’ (Specialists) What is risk management? Definition of ‘risk management’ (Specialists) What is risk management? Defining the end result of effective risk management (Specialists) What is risk management? It’s not following a risk management process What is risk management? It’s not what ‘risk managers’ do

Risk consequences as the final effect on objectives (LinkedIn – registration required)

For Executives: What is risk management? What matters for management (Executives)
For Australian Government readers: What is risk management? (Australian Government)

Leave a Reply

Your email address will not be published. Required fields are marked *