The goal of risk management

The ‘organisation’ is optional.
Stakeholders are mandatory.
Risk criteria are agreed limits.


Everyone Version 1.0

The end-points of effective risk management are that the organisation has a current, correct and comprehensive understanding of its risks, [and] the organisation’s risks are within its risk criteria.

This is a direct quote from ISO 31000, A.2. Like the definition of risk, this statement also needs some unpacking.

The ‘organisation’ is optional.

Risks are managed on behalf of an ‘organisation’. That is a useful manner of speaking. The ‘organisation’ can be a formally defined legal entity, a work unit within an entity, or even an individual. In the expansive direction, the ‘organisation’ can be a loose coalition of aligned entities, an industry or sector, a community, a nation, or an international community.

For convenience, all the different users of the International Standard are referred to by the term ‘organisation’. [ISO 31000, 1 Scope]

Many otherwise excellent sources confuse risk management with Enterprise Risk Management. The word ‘organisation’ in the ISO 31000 goal for effective risk management is an example of that confusion. Interestingly, if you look for scholarly journal papers on risk management, you will find a large mass of material on narrowly quantitative risk assessment for narrowly-scoped risks, not so much on practical enterprise risk management.

If you’re confused, I have been too. Watch out for a future article specifically on the concept of Enterprise Risk Management, and how it differs from risk management.

Stakeholders are mandatory.

Stakeholder is an ugly word with a modern meaning that contradicts its origins in stake and holder. Despite that sad fact, stakeholder is used in ISO 31000 to mean a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. [ISO Guide 73:2009, definition 3.2.1.1.]

It is useful to understand that the ‘organisation’ is generally accountable to ‘stakeholders’ that are outside the ‘organisation’.

Managing risk involves understanding the effects of uncertainty on the stakeholders’ objectives.

It is a common error to look only at risk to the organisation. Management of risk by an organisation is never for the sole benefit of that organisation in isolation. Risk management is about stakeholders even if the organisation’s main motive for managing risk is just profitability or self-interest.

A profit-motivated organisation has stakeholders such as investors, customers, and employees. Those stakeholders’ interests are important for the organisation’s profit-making planning and self-interested risk management. ‘Governance’ measures and regulation try to make self-interest overlap with stakeholder interest. There is always some alignment between self-interest and stakeholder interests, though there is never quite enough alignment to ensure that everyone stays happy.

Non-profit organisations typically have clients and funders (such as donors and tax-payers), who are primary stakeholders, comparable with investors and customers.

Project and team managers within larger organisations need to take note of their stakeholders. Their stakeholders may be invisible and nearly silent, but those stakeholders are represented by project boards, senior executives, and directors, who are in turn accountable to investors and customers. Project managers are formally trained in stakeholder management, but may have the idea that a stakeholder is someone with influence over the project. In risk management, stakeholders are also the people who are affected by project outcomes.

Other middle managers may not have any specific discipline of stakeholder management, but they always have stakeholders.

Risk criteria are agreed limits.

Risk criteria are the limits of acceptable risk. Acceptable risk is defined through a process to decide the nature and extent of risks that the organisation is willing to create, impose on stakeholders, or suffer for itself in the pursuit of its objectives. ISO 31000 emphasises that this process must be based on communication and consultation. Risk criteria are based on the organisation’s objectives, the tolerable range of outcomes on each objective, ‘risk capacity’, and ‘risk appetite’, recognising that all of these factors are attributes of external stakeholders as much as of people inside the organisation.

‘Risk capacity’ and ‘risk appetite’ are complicated ideas not given much explanation within ISO 31000. They are not important in developing a basic understanding of risk management, as long as we have an idea that there are limits on acceptable risk.

The sweet spot

There is a sweet spot where the level of risk is best for long-term outcomes, not too limited and not too great.

Finding the sweet spot and manipulating risk to keep it there is the purpose of risk management.

This is a paraphrase from the CRMA Study Guide (page 101). The image of a sweet spot recognises that achieving objectives will always involve accepting some uncertainty, even some exposure to terminal events such as bankruptcy or death. At the same time, risk can be unacceptable or counter-productive beyond a certain level. In business terms, more return comes at the expense of more risk. Risk can become unacceptable when the likelihood of a specific negative outcome is too high, even if there are also positive potential outcomes that could be made more likely or bigger in size. In any event, a point is always reached when taking ever-increasing risk cannot be expected to improve long-term returns.

The goal of risk management is staying in the sweet spot. In the sweet spot, risks are ‘within the organisation’s risk criteria’.
