Risk management is (not) expressing levels of risk on a standard scale.
A standard scale for ‘level of risk’ seems to allow risks of different kinds to be compared and aggregated. That is an illusion.
Effects on objectives are a very diverse. There can be no standard scale that makes risks with very different effects directly comparable. It is easy enough to construct a scale that looks like it is doing that. That step takes you directly from managing real-world risk to playing with numbers.
ISO 31000 does not require a single scale for different types of risk. It does recognise ‘level of risk’ as a concept, but holds back on the idea of ‘level of risk’ as a simple scale or number:
The way in which consequences and likelihood are expressed and the way in which they are combined to determine a level of risk should reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used. … In some cases, more than one numerical value or descriptor is required to specify consequences and their likelihood for different times, places, groups or situations. [ISO 31000, 5.4.3]
In any event, the idea of putting levels of risk on a scale is particular to formalised risk management methods, which are not the only way in which risk is managed in the real world. (Remember the diagram in the key principles, under risk management is simply ‘management’, with recognition of the effects of uncertainty.)
Introducing risk management is (not) implementing a standard ‘methodology’ for ‘risk management’.
ISO 31000 is not a ‘methodology’ and it does not say that a single methodology has to be adopted across a large organisation. On the contrary, the ISO 31000 Key Principle (g) is that risk management is tailored. If the organisation includes a wide variety of activities and risks, some differences in the risk management approach are almost certainly necessary.
If an organisation is to understand its risks, there must be an overview of confidence that organisational objectives will be achieved. To achieve such an overview, there must be some coherence in the way that risk is understood across the organisation’s different objectives.
Later articles will give some suggestions for ways to fit risk management styles to specific activities while maintaining a coherent view of risk at each level of the organisation. Risk specialists may want to jump ahead to Centralised or de-centralised risk management in your enterprise?.
By the way, ‘methodology’ is a useless, overblown word that always has a better synonym. The original meaning that justified its proper use is long gone (through repeated misuse of the word), so it need never appear anywhere.
Risk management is (not) maintaining a central ‘risk register’ for all risks in an organisation.
The word ‘register’ does not appear anywhere in ISO 31000, nor does any synonym.
An organisation can have an overview of confidence in achieving its objectives without trying to put every discrete ‘risk’ into a single register. The idea that any such list of risks can be complete is itself problematic, because risks can be defined at arbitrary levels of detail, and at any organisational level.
It is essential that making the right decisions about risk takes precedence over populating and maintaining registers.
Risk specialists might want to jump to Centralised or de-centralised risk management in your enterprise?.
Risk management is (not) only about what can go wrong.
Risk management includes all flavours of uncertainty and effects on objectives.
- Risk includes confidence that intended and positive outcomes will be achieved, and the possibility of unintended and negative outcomes.
- Risk management can include investing in a possible scenario that is unlikely, but would be a huge win.
- Risk management includes both the recognition of freakishly rare but extreme possibilities (perhaps killing customers), and the possibility of unsurprising but significant variations around an expected result (perhaps a profit 3% below forecast).
To that extent, risk management is about ‘what can go wrong’ if one adopts the attitude that any departure from the planned ideal result is ‘wrong’. However, that rigid attitude would be inconsistent with a genuine appreciation of risk. It makes no sense if one recognises that there is uncertainty everywhere.
Risk management usually includes reducing exposure to unplanned negative outcomes. It also includes choosing to increase the potential for undesirable outcomes where the exposure is within tolerance and is justified by the potential rewards.
There are ways in which risk management can address events that will definitely occur, with an unknown frequency and impact, as well as events that are possible but unlikely to occur in any given period, or ever.
Risk management is (not) only about events that may or may not occur.
The ISO 31000 definition of risk is based on uncertainty, not potential events. Uncertainty includes potential events, and unknown facts that may or may not be true already. Risk management is vitally concerned with the uncertainties and consequences from decisions made on limited information.
There are some formal definitions of risk that refer specifically to events and not to other uncertainties, for instance from COSO and the IIA.
|I suspect neither of them actually mean to exclude the missing uncertainties, but simply prefer to find a way to frame any sort of uncertainty as a potential ‘event’. It is usually possible to do that, at the cost of distracting oneself from actual risk management.|
Risk management is (not) identifying the ‘top 3 risks’ (substitute your own number).
Listing the ‘top n risks’ is a short-form risk reporting style that gets attention on a short list of deserving issues. A report on the ‘top n risks’ is not a report on the overall risk to an activity, nor on the assurance of success. Thoughtful risk analysts will know that the way risks are separated, combined and counted is rather arbitrary, so the statement that ‘these are the top n risks’ is never a fact, even if it is the best thing to say to get a productive response.
It is not credible to report the ‘top n risks’ without first having been through a process that at least attempts to understand all risk before picking off the top n of anything within that space. It might be the top n risk scenarios, or perhaps the top n hazards or events (reported as the top n ‘risks’) or n shakiest objectives (also reported as the top n ‘risks’).
Being in a position to report the top n risks with confidence is an indicator of solid work in attempting to understand risk, as that work will have been needed to reach the conclusion. Knowing the top n risks is not itself on the critical path of risk management from acting in ignorance to acting on understanding. Constructive action on risk should not wait for formal identification of the highest risks.
In practice, it may be useful to report in ‘top n risks’ style from an understanding of risk that is limited and does not include an aggregated view of confidence and risk. The top n risks report does not replace that understanding, but might be much better than nothing while that understanding is yet to be reached.
Risk management is (not) understanding and acting on all risks in an enterprise (Enterprise Risk Management).
A future topic will focus specifically on the differences between Enterprise Risk Management and risk management. In the real world, risk management is done selectively for particular activities or themes within an organisation, often before there is any attempt at managing risk for a whole enterprise.
Previous article for Everyone
Main article on What is Risk Management?