What separate activities are specific to ‘risk management’? (Everyone)

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000. Different specialists assume different boundaries of ‘risk’.

This article assumes you have read What is risk management? (Everyone).

In that article I answered the question ‘What is risk management?’ with an invisible essence:

To manage risk is to understand and act on the effects of uncertainty on objectives.

I later claimed that

Risk management is simply ‘management’, with recognition of the effects of uncertainty.

I also declared that unlike radioactive waste, risk does not need a management system. Risk is not a separate substance, and risk management is not an activity separate from management.

That leaves a question about the management activities that are added or changed because uncertainty is taken into account.

This article answers the question with visible activities that may be needed specifically in response to an awareness of uncertainty. I stick to my premise that the invisible essence of risk management is, well, essential, whereas the visible activities can vary widely.

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000.

ISO 31000 defines risk management activity at two levels, the definition and maintenance of a risk management framework (Clause 4, summarised in Figure 1 of ISO 31000) and the execution of the risk management process (Clause 5, summarised in Figure 2 of ISO 31000). The activities described by ‘risk management’ are those within the risk management process.

This table shows how risk management is simply management, with uncertainty taken into account. The left column is the ISO 31000 label for the risk management activity, the middle column is my summary of what is involved, and the right column describes the corresponding activities in ‘management’ other than ‘risk management’. This argument is original with Clear Lines on Audit and Risk, so it’s fair game for queries and criticism.

ISO 31000 activity: Establishing the context
Risk management process activity: Developing risk criteria, through understanding the stakeholders’ risk appetite and tolerance around a particular activity.
Management process activity: Setting objectives, targets, and budgets, having regard to stakeholder expectations and priorities. Budgets will include spending limits for particular management levels (parallel to risk tolerances).

ISO 31000 activity: Risk assessment
Risk management process activity: Identifying, analysing and assessing risk.
Management process activity: Developing a plan for the steps necessary to deliver on the objectives and targets, such as an annual business plan or project plan.

Risk management process activity: Evaluating assessed risk in relation to risk criteria.
Management process activity: Evaluating the feasibility of the business plan or project plan.

ISO 31000 activity: Risk treatment
Risk management process activity: Deciding treatment actions for evaluated risk. Treatment actions can include communicating, avoiding, transferring, and monitoring the risk, and re-designing the activity to change the risks involved.
Management process activity: Amending the business or project plan to achieve both feasibility and stakeholder objectives. Deciding the controls that need to be maintained.

Risk management process activity: Implementing risk treatment actions for evaluated risk. Treatment actions can include maintaining controls, and adhering to policies and planned strategies designed to optimise risk and reward.
Management process activity: Executing the business plan or project plan. Maintaining controls. Complying with organisational policies.

ISO 31000 activity: Monitoring and review
Risk management process activity: Reviewing and improving particular risk management processes, and the management of particular risks, based on experience. An important type of review is monitoring actual events and comparing those to the forecasts made in risk assessment.
Management process activity: Continuous improvement based on activity tracking and performance assessment. An important type of review is comparing actual outcomes (deliveries, expenditures) to planned outcomes.

ISO 31000 activity: Communication and consultation; Recording and reporting (2017 revision of ISO 31000)
Risk management process activity: Communicating and consulting about the overall situation with risk and risk management, particularly with stakeholders and their representatives.
Management process activity: Communicating and consulting about actual business performance or project delivery, forecasts, and plans. Communications and consultation will be with stakeholders and their representatives (e.g. senior manager, project board).

Within an organisation, some of these roles are part of management performed by managers, while others may be performed by risk specialists. Work done by risk specialists is done on behalf of decision-making managers at one level or another. Risk specialists are not decision makers.

Specialities focused on risk management

Different risk specialists assume different boundaries of ‘risk’.

The term ‘risk management’ is often used to describe specific disciplines involving the uncertain potential for trouble, such as security, business continuity, credit, or fraud management. This usage of ‘…risk management’ resembles the way that ‘… science’ or ‘…disorder’ get added when something has doubtful credibility, such as ‘beauty science’ or ‘narcissistic personality disorder’.

But on the whole, this usage is fair and helpful. Activities like security management are an excellent example of risk management, separate from Enterprise Risk Management. Better practices in security management include application of risk management principles consistent with ISO 31000, with some extensions. Standardised extensions for security risk management include asset definition and threat identification based on specific attackers’ capabilities and motivations.

The thing to watch is that security specialists (for example) tend to use the term ‘risk’, without qualification, in a very narrow and specific way. By ‘risk’ they do not always mean the total effects of uncertainty in any given activity. Sometimes they will use ‘risk’ in the common (but incorrect) way of referring to a kind of threat, without specifying the effect on any objective. At other times they will refer to an effect on an objective, but only a very narrow kind of effect, such as the potential ‘security’ impact. For example, security folks will often assess a ‘risk exposure’ in terms of an asset’s rated value and the likelihood of its compromise. The rated ‘asset value’ is a fiction that simply differentiates severe and minor consequences, without any real link to effects on organisational objectives as understood at CEO and Board level. This can be a good thing to do, but it is not the same thing as enterprise level risk management. Apart from its security value, it can also be a useful part of the way in which enterprise-wide risk is understood. In a later article I’ll be exploring ways to join different branches and styles of risk management within an organisation, to create an enterprise view.

Further Reading

Main article on What is risk management? (Everyone)

Recommended next articles:

Discrete risk management processes within an enterprise (Everyone)

Risk management happens across the whole of any enterprise, whether or not it is formalised and explicit. There may be multiple discrete risk management processes across the enterprise. Any discrete risk management process needs to have a definite scope. Discrete and independent risk management processes are the work-horses within formal risk management, even if they are not recognised at all in ISO 31000 or COSO ERM.


Drill-down articles:

What is risk management? Examples (Everyone)

Deciding strategy for an organisation with a mission
Running operations
Managing a work unit within an organisation
Designing a facility for safety
Designing an information system to meet integrity objectives
Accounts payable system design
Health and safety
Regulating an industry or sector
Speculating in the hope of a massive success
Balancing investment returns and security
Choosing between medical treatments
Approving and managing a project
Procurement of assets or services

What is risk management? Thinking too narrowly (Everyone)

Risk management is (not) expressing levels of risk on a standard scale.
Introducing risk management is (not) implementing a standard ‘methodology’ for ‘risk management’.
Risk management is (not) maintaining a central ‘risk register’ for all risks in an organisation.
Risk management is (not) only about what can go wrong.
Risk management is (not) only about events that may or may not occur.
Risk management is (not) identifying the ‘top 3 risks’ (substitute your own number).
Risk management is (not) understanding and acting on all risks in an enterprise (Enterprise Risk Management).

What is risk management? Less common errors (Everyone)

Risk (only) arises where there is non-compliance.
Risk (only) arises from change.
Risk (only) arises where governance or control processes are not mature.
Risk is (only) whatever can stop the plan from being executed.
Risk management is (just) designing controls.
Risk management is (not) workshops, consensus, and voting.
Risk management is (not) about re-directing blame.
Risk management can (not) be achieved by risk scoring.
Risk management is (not) just a matter of monitoring.
Risk management is (not) calculating the ‘expected’ loss or gain.
