What separate activities are specific to ‘risk management’?

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000. Different specialists assume different boundaries of ‘risk’.

What to read first: What is risk management?

For Everyone: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first. Stream supplements are available as drill-downs.

I answered the question ‘What is risk management?’ with an invisible essence:

To manage risk is to understand and act on the effects of uncertainty on objectives.

I later claimed that

Risk management is simply ‘management’, with recognition of the effects of uncertainty.

I also declared that unlike radioactive waste, risk does not need a management system. Risk is not a separate substance, and risk management is not an activity separate from management.

That leaves a question about the management activities that are added or changed because uncertainty is taken into account.

This article answers the question with visible activities that may be needed specifically in response to an awareness of uncertainty. I stick to my premise that the invisible essence of risk management is, well, essential, whereas the visible activities can vary widely.


ISO 31000 defines risk management activity at two levels, the definition and maintenance of a risk management framework (Clause 4, summarised in Figure 1 of ISO 31000) and the execution of the risk management process (Clause 5, summarised in Figure 2 of ISO 31000). The activities described by ‘risk management’ are those within the risk management process.

This table shows how risk management is simply management, with uncertainty taken into account. The left column is the ISO 31000 label for the risk management activity, the middle column is my summary of what is involved, and the right column describes the corresponding activities in ‘management’ other than ‘risk management’. This argument is original with Clear Lines on Audit and Risk, so it’s fair game for queries and criticism.

| ISO 31000 risk management process activity | Risk management process activity | Management process activity |
|---|---|---|
| Establishing the context | Developing risk criteria, through understanding the stakeholders’ risk appetite and tolerance around a particular activity. | Setting objectives, targets, and budgets, having regard to stakeholder expectations and priorities. Budgets will include spending limits for particular management levels (parallel to risk tolerances). |
| Risk assessment | Identifying, analysing and assessing risk. | Developing a plan for the steps necessary to deliver on the objectives and targets, such as an annual business plan or project plan. |
| | Evaluating assessed risk in relation to risk criteria. | Evaluating the feasibility of the business plan or project plan. |
| Risk treatment | Implementing treatment actions for evaluated risk. Treatment actions can include communicating, avoiding, transferring, and monitoring the risk, and re-designing the activity to change the risks involved. | Amending the business or project plan to achieve both feasibility and stakeholder objectives. Deciding the controls that need to be maintained. |
| | Implementing risk treatment actions for evaluated risk. Treatment actions can include maintaining controls, and adhering to policies and planned strategies designed to optimise risk and reward. | Executing the business plan or project plan. Maintaining controls. Complying with organisational policies. |
| Monitoring and review | Reviewing and improving particular risk management processes, and the management of particular risks, based on experience. An important type of review is monitoring actual events and comparing those to the forecasts made in risk assessment. | Continuous improvement based on activity tracking and performance assessment. An important type of review is comparing actual outcomes (deliveries, expenditures) to planned outcomes. |
| Communication and consultation; Recording and reporting (2017 revision of ISO 31000) | Communicating and consulting about the overall situation with risk and risk management, particularly with stakeholders and their representatives. | Communicating and consulting about actual business performance or project delivery, forecasts, and plans. Communications and consultation will be with stakeholders and their representatives (e.g. senior manager, project board). |

Within an organisation, some of these roles are part of management performed by managers, while others may be performed by risk specialists. Work done by risk specialists is done on behalf of decision-making managers at one level or another. Risk specialists are not decision makers.

Specialities focused on risk management

Different risk specialists assume different boundaries of ‘risk’.

The term ‘risk management’ is often used to describe specific disciplines involving the uncertain potential for trouble, such as security, business continuity, credit, or fraud management. This usage of ‘…risk management’ resembles the way that ‘… science’ or ‘…disorder’ get added when something has doubtful credibility, such as ‘beauty science’ or ‘narcissistic personality disorder’.

But on the whole, this usage is fair and helpful. Activities like security management are an excellent example of risk management, separate from Enterprise Risk Management. Better practices in security management include application of risk management principles consistent with ISO 31000, with some extensions. Standardised extensions for security risk management include asset definition and threat identification based on specific attackers’ capabilities and motivations.

The thing to watch is that security specialists (for example) tend to use the term ‘risk’, without qualification, in a very narrow and specific way. By ‘risk’ they do not always mean the total effects of uncertainty in any given activity. Sometimes they will use ‘risk’ in the common (but incorrect) way of referring to a kind of threat, without specifying the effect on any objective. At other times they will refer to an effect on an objective, but only a very narrow kind of effect, such as the potential ‘security’ impact. For example, security folks will often assess a ‘risk exposure’ in terms of an asset’s rated value and the likelihood of its compromise. The rated ‘asset value’ is a fiction that simply differentiates severe and minor consequences, without any real link to effects on organisational objectives as understood at CEO and Board level. This can be a good thing to do, but it is not the same thing as enterprise level risk management. Apart from its security value, it can also be a useful part of the way in which enterprise-wide risk is understood. In a later article I’ll be exploring ways to join different branches and styles of risk management within an organisation, to create an enterprise view.
