Deciding strategy for an organisation with a mission
An organisation never has a single strategy that is assured of fulfilling the mission without offsetting disappointments. Risk management is involved in choosing between alternative strategies to maximise the likelihood of success and to minimise exposure to failure. Risk management can also justify taking a shockingly high-risk strategy if the potential for rewards is sufficiently high and the potential for failure is acceptable.
Risk management within strategy planning can be highly formal and structured, or completely informal and intuitive. It would probably be healthy to use many different styles and then test whether they are resulting in consistent conclusions.
Various forms of expert judgement may be involved, which will imply an awareness of uncertainty and its effects. Expert judgements may or may not be linked with a structured approach to risk management.
Running operations
Operations have performance objectives, and also objectives to minimise negative events such as downtime, injuries, and product or service defects. Risk management is involved in implementing operational processes that find the right balance and include the appropriate internal controls and safety features.
It is common for process design to include effective risk treatments identified by experience, recognised better practices, and applicable regulations before any explicit consideration of ‘risk’ as an assessable factor. It is generally wise to have regard to mandated or conventional processes and controls, whether or not the risk treatment decisions are confirmed through formal risk assessment.
Objective subject to uncertainty: Achieve operational performance objectives with acceptable offsetting outcomes, such as downtime, injuries, and product or service defects.
Managing a work unit within an organisation
Each sub-unit within a larger organisation influences the expectations and uncertainties in the organisation’s overall outcomes. Assuming that there is a formalised process for risk management across the enterprise, each unit can take its share in the overall risk management effort, just as each unit manager is part of the management structure of the organisation. On the whole, that is a much better idea than structuring risk management as a separate activity removed from other work units in the enterprise. Every work unit has its objectives, and can manage the uncertainties that affect achievement of those objectives. (Risk to the organisation’s objectives is not the ‘total’ of all the risk in each work unit, but is influenced by the risk in each unit.)
Objective subject to uncertainty: As defined by the work unit’s role, in support of the organisation’s broader objectives. A work unit can have an objective beyond the outcomes that are within its control. For example, a WHS unit does not directly cause or prevent any injuries, but it has the objective of minimising injuries on behalf of the whole of the organisation. The organisation will have other objectives (such as making a profit) that are not the responsibility of the WHS unit.
Designing a facility for safety
Think nuclear reactors and airliners. Risk management is used to make basic design and safety feature choices that keep the likelihood of specific catastrophe scenarios to an acceptably tiny level. Risk management also rules out certain business and design ideas if the resulting likelihood of catastrophe cannot be shown to be low enough.
In this class of risk management, assessment methods are likely to be very formal and based on true risk management concepts. Risk criteria will usually be represented by numbers that approximate real quantities in the world, such as an expected number of fatalities in a century. Mathematical modelling will be involved.
Objective subject to uncertainty: An acceptable forecast level of deaths, injuries and property damage while achieving the primary benefit of operating the facility. The acceptable level of death and injury is usually very low, but above zero. Safety hazards are highly repetitive by nature, so a low likelihood of harm in any one instance of the hazard may, over a long enough time, result in a number of cases of actual harm. It is important to understand the expected long-term rate and to compare that with acceptable long-term rates and with the rate encountered in actual experience.
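The comparison described in the last two sentences can be made concrete. The following is an added worked example, not part of the original article: it treats a repetitive hazard as a Poisson process, computes the expected number of cases over the planning horizon, checks that against a stated criterion, and then asks whether the cases actually observed so far are consistent with the design-stage rate. Every figure in it (per-instance probability, operations per year, criterion, observed count) is a constructed assumption for illustration, not data about any real facility.

```python
"""Long-term rate of a repetitive hazard. Added example, not from the original
article; every figure below is a constructed assumption for illustration, not
data about any real facility.

A hazard with a tiny per-instance likelihood recurs so often that harm is
expected over a long horizon. The quantities to compare are (a) the expected
number of cases over the horizon, (b) the criterion for an acceptable number,
and (c) whether the cases observed so far are consistent with the design rate.
"""
import math


def expected_cases(p_per_instance: float, instances_per_year: float, years: float) -> float:
    """Expected number of harm events over the horizon (long-term rate times time)."""
    return p_per_instance * instances_per_year * years


def prob_at_least_one(expected: float) -> float:
    """Probability of one or more events, treating occurrences as a Poisson process."""
    return 1.0 - math.exp(-expected)


def poisson_tail(observed: int, expected: float) -> float:
    """P(X >= observed) for X ~ Poisson(expected).

    A small value means the observed count would be surprising if the design
    rate were true, i.e. experience is running worse than the design assumed.
    """
    if observed <= 0:
        return 1.0
    below = sum(math.exp(-expected) * expected ** k / math.factorial(k) for k in range(observed))
    return 1.0 - below


def assess_hazard(p_per_instance, instances_per_year, horizon_years,
                  criterion_cases, observed_cases, observed_years, alpha=0.05) -> dict:
    """Compare the design-stage expectation against the criterion and against experience."""
    expected = expected_cases(p_per_instance, instances_per_year, horizon_years)
    expected_so_far = expected_cases(p_per_instance, instances_per_year, observed_years)
    tail = poisson_tail(observed_cases, expected_so_far)
    return {
        "expected_cases": expected,
        "p_at_least_one": prob_at_least_one(expected),
        "within_criterion": expected <= criterion_cases,
        "experience_tail_prob": tail,
        "experience_consistent": tail >= alpha,  # not significantly worse than design
    }


if __name__ == "__main__":
    # Constructed scenario: a one-in-a-million chance of a fatality per lifting
    # operation, 20,000 operations a year, a criterion of at most 1 fatality per
    # century, and 1 fatality observed in the first 10 years of operation.
    result = assess_hazard(1e-6, 20_000, 100, criterion_cases=1, observed_cases=1, observed_years=10)
    for key, value in result.items():
        print(f"{key:22s} {value}")
```

In the constructed scenario the per-instance likelihood looks negligible, yet the expected count over a century is 2, double the criterion, so the design fails the criterion even though the single observed case is entirely consistent with the assumed rate. Both comparisons are needed: the first tells you whether the design is acceptable, the second whether the design assumptions are holding up in practice.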
Designing an information system to meet integrity objectives
Risk management is used in the design of an information system. While computer systems may appear to be deterministic, the business outcomes from using them are absolutely not pre-determined. Major system projects are notorious for ‘failing’, and even those that do not ‘fail’ do not necessarily deliver expected business or strategic benefits. At a more operational level, information systems create exposure to transaction and recording errors, breach of confidentiality, system outages, and so on.
Any use of information technology involves significant risk, while giving it up is usually an unacceptable cost.
As the risks are diverse, complicated, and diffuse, it is likely that formalised risk management methods will be used, but with limited application of quantitative risk criteria. In general the style of risk management will resemble that involved in enterprise or project risk management, supported by non-risk methods for deciding on risk treatments.
Objective subject to uncertainty: Realise whole-of-life business benefits from the information system, specifically based on information quality components such as believability, accessibility, accuracy, and confidentiality. (For an authoritative breakdown of information objectives, see the Information Enabler in COBIT5, Appendix G.)
Accounts payable system design
An accounts payable process is designed to generate legitimate payments but to prevent payment errors or fraudulently generated payments. A simple form of risk management is involved in designing the process. The risk considerations are simple to the extent that most error and fraud scenarios are classified by likelihood as either possible or practically impossible. The consequence is regarded as the dollar value of the payment.
The style of risk management may be formal or informal, but will probably not draw on pure risk management concepts in the first instance. System controls are designed to ensure that all foreseeable errors and frauds are practically impossible. The approach taken is to assess the error scenarios for a single payment transaction. If the error scenario appears possible, a control is added to the system to prevent it, that is, to reduce dramatically the scenario likelihood. After the designed controls are in place, the likelihood of improper payment in any given transaction is extremely low, practically zero. Risk ratings are therefore binary (‘near zero’ or ‘too high’), rather than scaled or quantified.
Objective subject to uncertainty: There is a timely payment to the supplier if there was organisational approval of the expense and if the goods or services were actually delivered as agreed. There is no payment if these conditions are not met.
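The control design approach just described (one preventive control per foreseeable scenario, a binary release or reject outcome for each transaction) can be written down directly. The following is an added example, not code from the original article: a three-way match of purchase order, goods receipt and invoice, extended with replay and cumulative over-billing checks. The purchase orders, receipts, invoices and scenario labels are constructed sample records.

```python
"""Accounts payable release control: a worked version of the design approach
described above. Added example, not code from the original article. All
purchase orders, receipts and invoices are constructed sample records.

Each foreseeable improper-payment scenario gets a preventive control; a
transaction is released only if every control passes, so the rating for any
one payment is binary (release / reject) rather than scaled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    supplier: str
    quantity: int
    unit_price: float
    approved_by: Optional[str]  # None means no organisational approval was recorded


@dataclass(frozen=True)
class GoodsReceipt:
    po_id: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    supplier: str
    quantity: int
    unit_price: float


class PaymentControl:
    """Three-way match (order, receipt, invoice) plus replay and over-billing checks."""

    def __init__(self, orders, receipts, price_tolerance: float = 0.0):
        self.orders: Dict[str, PurchaseOrder] = {po.po_id: po for po in orders}
        self.receipts: Dict[str, GoodsReceipt] = {gr.po_id: gr for gr in receipts}
        self.price_tolerance = price_tolerance
        self.paid: set = set()                      # (supplier, invoice_id) already paid
        self.invoiced_qty: Dict[str, int] = {}      # cumulative quantity paid per PO

    def evaluate(self, inv: Invoice) -> List[str]:
        """Return every control that fails; an empty list means the payment may be released."""
        po = self.orders.get(inv.po_id)
        if po is None:
            return ["no purchase order"]                         # scenario: invoice for nothing ordered
        failures = []
        if po.approved_by is None:
            failures.append("purchase order not approved")      # scenario: unauthorised expense
        if po.supplier != inv.supplier:
            failures.append("supplier mismatch")                # scenario: payment redirected
        gr = self.receipts.get(inv.po_id)
        if gr is None or gr.quantity_received < inv.quantity:
            failures.append("goods not received as invoiced")   # scenario: paid before delivery
        if self.invoiced_qty.get(inv.po_id, 0) + inv.quantity > po.quantity:
            failures.append("cumulative invoiced quantity exceeds order")  # scenario: split over-billing
        if abs(inv.unit_price - po.unit_price) > self.price_tolerance:
            failures.append("unit price differs from order")    # scenario: inflated invoice
        if (inv.supplier, inv.invoice_id) in self.paid:
            failures.append("duplicate invoice")                # scenario: same invoice paid twice
        return failures

    def release(self, inv: Invoice) -> Tuple[bool, List[str]]:
        """Release payment only when no control fails; record what was paid."""
        failures = self.evaluate(inv)
        if failures:
            return False, failures
        self.paid.add((inv.supplier, inv.invoice_id))
        self.invoiced_qty[inv.po_id] = self.invoiced_qty.get(inv.po_id, 0) + inv.quantity
        return True, []


# Constructed sample data (not from the article).
ORDERS = [
    PurchaseOrder("PO-1001", "Acme Pty Ltd", 10, 250.0, approved_by="j.smith"),
    PurchaseOrder("PO-1002", "Beta Supplies", 5, 100.0, approved_by=None),
]
RECEIPTS = [GoodsReceipt("PO-1001", 10), GoodsReceipt("PO-1002", 5)]
LEGIT = Invoice("INV-A", "PO-1001", "Acme Pty Ltd", 10, 250.0)
SCENARIOS = [
    ("legitimate", LEGIT),
    ("replay", LEGIT),                                                  # same invoice submitted again
    ("over-billing", Invoice("INV-B", "PO-1001", "Acme Pty Ltd", 2, 250.0)),
    ("unapproved", Invoice("INV-C", "PO-1002", "Beta Supplies", 5, 100.0)),
    ("no-po", Invoice("INV-D", "PO-9999", "Acme Pty Ltd", 1, 250.0)),
    ("inflated", Invoice("INV-E", "PO-1001", "Acme Pty Ltd", 10, 300.0)),
]


def run_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Process the scenarios in order against one control instance."""
    ctl = PaymentControl(ORDERS, RECEIPTS)
    return {label: ctl.release(inv) for label, inv in SCENARIOS}


if __name__ == "__main__":
    for label, (released, failures) in run_scenarios().items():
        print(f"{label:12s} {'RELEASE' if released else 'REJECT '} {failures}")
```

Only the first invoice is released; every other scenario is stopped by at least one control, which is the "practically impossible" outcome the passage describes. Note that the duplicate check keys on supplier and invoice number, so a renumbered copy of a paid invoice would pass that control; it is the cumulative-quantity check against the order that stops it, which is why the controls are layered rather than relied on singly.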
Health and safety
In developed countries at least, every enterprise has a duty of care to minimise deaths and adverse health impacts from its activities. Demonstrating a response to that duty of care requires that the enterprise demonstrates a process of identifying, assessing, and acting on hazards to human well-being. The duty also requires that commonly accepted risk-reducing measures are implemented, unless there is a demonstrated basis for not doing so.
Risks must therefore be managed in a formal way, with regard to risk management concepts. Quantification of risk may be involved to some extent. Loose quantification that supports effective action is infinitely better than inaction arising from an inability to quantify risk.
Objective subject to uncertainty: Minimising disease, injury, and death arising from an activity, with only proportional and warranted interference with the activity.
Regulating an industry or sector
Regulations usually give minimal room for flexibility. Regulations are drawn up so that compliance requirements are clear, and also in such a way that the enforcement body is not easily manipulated into an inadequate response to breaches. That means that enforcement actions are automatic, with limited opportunities for discretionary relief.
In contrast with the rigid nature of regulations themselves, the total systemic effect of any given regulation is unpredictable and may be huge. Almost any regulation, no matter how well intentioned, can result in ‘gaming’ behaviours that undermine the regulatory intent and community benefits. Tightly regulating an industry in one jurisdiction may simply move the industry elsewhere, with no net gain to anyone.
Therefore, regulators consider the potential outcomes of proposed regulations and regulatory policies before setting them. This level of consideration is an important application of risk management.
The methods involved would ideally draw on formal risk management concepts and methods, on a large scale. The nature of the risks may also require use of extended analysis and study, well beyond the typical use of (say) risk registers and risk ratings. In practice, many of the risk management decisions may be made from unstructured consideration of large amounts of formal and informal analysis, rather than on simple statements about the nature or magnitude of ‘a risk’.
Objective subject to uncertainty: Net community or national benefit from the industry or sector.
Speculating in the hope of a massive success
A prospector puts in months or years of unproductive effort, in the hope that now and then (or one day) there will be a big find that more than pays back all the seemingly unproductive time and money that was spent. Risk management can show that prospecting is a rational activity, despite the lack of any visible results while waiting for the big find. Similarly, an investor with plenty of equity funds a hundred high-tech start-ups, knowing most or all of them will fail and the investment may well be lost entirely. At the same time, there is a worthwhile chance that one of them will generate a massive profit. Risk management finds a rational balance between speculation and prudence, without guaranteeing the outcome.
The risk management approach may be trivial and intuitive (in the case of an individual prospector), or highly formal or even quantified (in the case of venture capitalism by institutional financiers).
Objective subject to uncertainty: A major find resulting in massive profits.
Balancing investment returns and security
An investment portfolio manager evaluates the individual and collective likelihood of particular loss and return levels from investments. The investment mix is changed if the balance is not considered satisfactory.
The style of risk management involved may be highly formalised and quantified, though perhaps limited to a narrow range of investment outcomes, such as prospective profit and loss levels at future dates.
Objective subject to uncertainty: Net asset value to which the investment is ultimately converted.
Choosing between medical treatments
A patient is very ill. Several courses of treatment are open. Each one has a range of possible costs. Some of those costs are economic. Others are felt in side-effects or other potential loss of life duration and quality. Each course of action also has a range of possible benefits for quality and length of life.
Choosing the appropriate course involves an appreciation of uncertainties and of the relative desirability or undesirability of each potential outcome. Some non-risk value decisions are likely to come into play as well.
Formal risk management methods may be used, though most of the risk information comes from medical statistics rather than fresh assessment of the individual case. Scientific health-care is well supported by sophisticated risk concepts and data-gathering, though individual treatment decisions are subject to many other influences.
Objective subject to uncertainty: Quality and length of the patient’s life.
Approving and managing a project
Objective subject to uncertainty: Net outcomes from the project, including benefit realisation, cost, timeliness, ongoing operational cost and performance.
Project objectives can be broken down into perspectives, such as the strategic, benefits, operations, and delivery perspectives. The delivery perspective looks at scope, quality, cost, and schedule. An authoritative source is the OGC’s Management of Risk: Guidance for Practitioners (M_o_R), Chapter 6.
In a properly governed project, there will be solid stakeholder demand for formal risk assessment and reporting.
Procurement of assets or services
Objective subject to uncertainty: Whole-of-life costs and benefits from the procurement.
Next article for Everyone
Risk management is (not) expressing levels of risk on a standard scale. Introducing risk management is (not) implementing a standard ‘methodology’ for ‘risk management’. Risk management is (not) maintaining a central ‘risk register’ for all risks in an organisation. Risk management is (not) only about what can go wrong. Risk management is (not) only about events that may or may not occur. Risk management is (not) identifying the ‘top 3 risks’ (substitute your own number). Risk management is (not) understanding and acting on all risks in an enterprise (Enterprise Risk Management).
The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria. The ‘organisation’ is optional. Stakeholders are mandatory. Risk ‘criteria’ are agreed limits.
Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.
Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000. Different specialists assume different boundaries of ‘risk’.