What is risk management? Topic index page

What is risk management?

Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be. To manage risk is to understand and act on the effects of uncertainty on objectives. ‘Effects’ can be positive or negative. ‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns. Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty.

The goal of risk management

The ‘organisation’ is optional Stakeholders are mandatory Risk criteria are agreed limits

What to read first: What is risk management?

Key principles for actually managing risk

Risk management is simply ‘management’, with recognition of the effects of uncertainty. ‘Treating a risk’ means doing something different, not turning a knob. Risks are managed by managers, not risk specialists.

What to read first: The goal of risk management What is risk management?

How does ‘risk management’ fit with all the other kinds of ‘management’?

Risk management is not just another dimension of management. It’s a dimension of all the other dimensions

What to read first: Key principles for actually managing risk What is risk management?

What separate activities are specific to ‘risk management’?

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000. Different risk specialists assume different boundaries of ‘risk’.

What to read first: How does ‘risk management’ fit with all the other kinds of ‘management’? What is risk management?

What is risk management? Examples

Deciding strategy for an organisation with a mission Running operations Managing a work unit within an organisation Designing a facility for safety Designing an information system to meet integrity objectives Accounts payable system design Health and safety Regulating an industry or sector Speculating in the hope of a massive success Balancing investment returns and security Choosing between medical treatments Approving and managing a project Procurement of assets or services

What to read first: What is risk management?

What is risk management? Thinking too narrowly

Risk management is (not) maintaining a central ‘risk register’ for all risks in an organisation. Risk management is (not) only about what can go wrong. Risk management is (not) only about events that may or may not occur. Risk management is (not) identifying the ‘top 3 risks’ (substitute your own number). Risk management is (not) understanding and acting on all risks in an enterprise (Enterprise Risk Management).

What to read first: What is risk management? Examples What is risk management?

What is risk management? Less common errors

Risk (only) arises where there is non-compliance. Risk (only) arises from change. Risk (only) arises where governance or control processes are not mature. Risk is (only) whatever can stop the plan from being executed. Risk management is (just) designing controls. Risk management is (not) workshops, consensus, and voting. Risk management is (not) about re-directing blame. Risk management can (not) be achieved by risk scoring. Risk management is (not) just a matter of monitoring. Risk management is (not) calculating the ‘expected’ loss or gain.

What to read first: What is risk management? Thinking too narrowly What is risk management?

What is risk management? (extras for risk specialists)

What to read first: What is risk management?

Reconciling definitions of risk management

What to read first: What is risk management? (extras for risk specialists)

Definition of ‘risk’

The main differences between ISO 31000 and COSO ERM definitions of ‘risk’ are about ‘positive’ risk and about ‘uncertainty’ other than events.

What to read first: Reconciling definitions of risk management

Definition of ‘risk management’

ISO 31000 defines risk management for an ‘organisation’, broadly defined, while COSO ERM is only about ‘enterprise’ risk management.

What to read first: Definition of ‘risk’ Reconciling definitions of risk management

Defining the end result of effective risk management

The end result of effective risk management is to be sure that the ‘organisation’ understands its risks, and that those risks are acceptable.

What to read first: Definition of ‘risk management’ Reconciling definitions of risk management

What is risk management? It’s not following a risk management process

Risk management not defined by its methods. Risk registers, matrices, and bureaucracy are not part of ISO 31000. Registers and scales do not define Enterprise Risk Management either.

What to read first: Reconciling definitions of risk management What is risk management? (extras for risk specialists)

What is risk management? It’s not what ‘risk managers’ do

If you are a risk specialist supporting management, you advise the decision makers and their teams on how approach the organisational understanding of risk, and on taking action with that understanding. If you are risk specialist at the governance level (as an audit and risk committee member, say), your primary advice and support will be directed to the board or CEO rather than to the management hierarchy underneath them. The Chief Risk Officer (CRO) is a risk specialist operating at the C-level, the top level of management below the board and directors.

What to read first: What is risk management? It’s not following a risk management process What is risk management? (extras for risk specialists)

What is risk management? (Australian Government supplement)

The Commonwealth Risk Management Policy generally follows ISO 31000 and creates similar expectations. Recommended reading

What to read first: Key principles for actually managing risk The goal of risk management What separate activities are specific to ‘risk management’? How does ‘risk management’ fit with all the other kinds of ‘management’? What is risk management?

What is risk management? (CRMA supplement)

What to read first: What is risk management? (extras for risk specialists) What is risk management?

What is risk management? (CRISC supplement)

What to read first: What is risk management? (extras for risk specialists) What is risk management?