Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be.
The question ‘What is risk management?’ has many answers. A lot of them are right. None of the right answers involve detection, containment or disposal of hazardous risk.
This blog offers three answers based on three versions of the question:
- What is the essence of risk management?
- What separate activities are specific to risk management?
- How does ‘risk management’ fit with all the other kinds of ‘management’ that go on in organisations?
It may also be useful to see some examples of where and how risk management can be applied.
This article concentrates on the central essence of managing risk. It is based closely on ISO 31000, but aims to be more reader-friendly.
The essence of risk management
To manage risk is to understand and act on the effects of uncertainty on objectives.
That’s a lot to take in as one line, even if each word is familiar. Let’s unpack some of those words.
‘Objectives’ are the preferred outcomes of an activity.
Every activity has objectives, whether or not those objectives are defined clearly and captured in words. Even if you have looked at risk simply as the potential consequences of an event, there are implicit objectives in the activity that drive your evaluation of those consequences.
Your objectives are your outcome preferences.
Usually there are multiple objectives that cannot all be maximised at once. Pushing for a better outcome on one objective will eventually involve a worse outcome on another. Each organisation must decide on desired and tolerable outcome ranges for each objective, and on appropriate trade-offs between objectives. (This process is related to ‘risk appetite’, but is not the same thing.)
‘Effects’ can be positive or negative.
An effect is a deviation from the expected. It can be positive and/or negative. [From ISO Guide 73:3009 definition of risk, Note 1]
In the draft 2017 revision of ISO 31000,
An effect is a deviation from the expected. It can be positive (sometimes expressed as opportunities), or negative (sometimes expressed as threats) or both. [3.1 definition of risk, Note 1]
Effects on objectives include both not reaching the intended outcome, and having unintended outcomes. Those effects would be negative.
Effects on objectives can also include reaching a desired but unlikely outcome, or having an unexpected gain. Those effects would be positive.
Let’s spread out those dichotomies into a quadrant diagram:
|Intended outcome||Unintended outcome|
|Positive effect from uncertainty||Success in reaching an intended outcome that had otherwise been looking doubtful: While looking for oil, you find some and make a good profit.||Unexpected gain (windfall): While looking for oil, you stumble across gold.|
|Negative effect from uncertainty||Failure to reach an intended outcome that had been expected: While looking for oil, you don’t find any, and end up broke.||Unintended consequence (side-effect): While looking for oil, you die from malaria.|
The expected outcome is some version of achieving the intended objectives, without unexpected harms. In the oil example, it might have been: You look for oil and find enough to make it worthwhile. No-one will be injured as a result. There is an expectation for the outcome when the decision is made to start the activity. The expectation can change frequently as events unfold. The decisions can also change.
Historically, the risk management profession has concentrated on the black quadrant at lower right. However, risk management is applicable to all four quadrants. Within the LinkedIn Group ISO 31000 Risk Management Standard, we are regularly reminded to look upward from the negative to the positive. Norman Marks, among others, has emphasised the left column. Emphasis on the left column often goes with a recommendation to focus risk management on strategy, as well as on operations.
If we define risk as the effects of uncertainty ‘on objectives’, as in ISO 31000, we must cover all the quadrants. In the list of objectives, we must include some ‘objectives’ to avoid or minimise undesirable outcomes. Ideally, we also include objectives about taking the benefit of unexpectedly favourable events.
‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns.
Uncertainty includes both the possibility of an unplanned event, and the possibility that the world isn’t quite as we assumed.
Within that broad scope of ‘uncertainty’, there are some special cases:
Black swan: The possibility of a unique event or discovery that no-one ever imagined to be possible.
Faulty assumptions: The possibility that we made the wrong assumption when planning an activity. It is conceivable that we never even find out which assumption was faulty.
Faulty risk analysis: The possibility that our understanding of the effects of anticipated events or errors is faulty.
Unplanned events can occur outside or inside the organisation.
‘Act on’ includes many kinds of response.
Actions on uncertainty can include:
- Finding out more, to reduce uncertainty.
- Discussing potential outcomes with people who may be affected.
Such communication and consultation is applicable to all four quadrants of the effects on objectives. It may be particularly important when there is a clear possibility of unintended negative outcomes for people outside the organisation undertaking the activity.
- Monitoring the apparent likelihood of a future event or discovery.
- Taking steps to increase or decrease the likelihood of particular events or mistaken assumptions.
- Taking steps to increase or decrease the likelihood of particular consequences from events or errors that occur.
- Comparing predicted events with historical events, and exploring the reasons for differences.
This process builds a basis for belief in the assessment of future risk.
|Everyone||Version 1.0 Beta|
Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.
|Everyone||Version 1.0 Beta|
|Everyone||Version 1.0 Beta|
|Risk specialists||Version 1.0 Beta|
|Australian Government||Version 1.0 Beta|
|CRMA||Version 1.0 Beta|
|CRISC||Version 1.0 Beta|
Index to the series What is risk management?