What is risk management? (CRMA)

What to read first: What is risk management? (supplement for risk specialists); What is risk management? (for Everyone)

For CRMA candidates (IIA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRMA Study Guide.

The CRMA study guide is neutral between authoritative definitions and concepts. The implicit messages in the CRMA guide are closer to modern and principles-based understandings captured in ISO 31000 than to older approaches based on methods.

One of the definitions of risk quoted in CRMA is original to the IIA:

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. [IPPF 2013, quoted in the CRMA Review Manual at page 7]

This IIA definition of risk follows COSO in referring to possible events rather than uncertainty, as favoured in ISO 31000. It also specifies impact and likelihood as the measures of risk, which ISO 31000 does not. While the words are different, the underlying intentions are in harmony, as the later parts of the IIA’s CRMA study guide discuss other risk measures (‘assessment criteria’), while ISO 31000 clearly favours likelihood and effect magnitude as the most important measures of risk, without excluding others.

Within the CRMA study guide, the basic natures of risk and risk management are explored in Domain 1 Part A. The discussion of fundamental purpose is on pages 7-8, followed by identification of ‘processes within risk management’. The CRMA ‘processes’ identification parallels the ISO 31000 definition of the ‘framework’, though with different contents. [ISO 31000, Section 4]

The CRMA study guide understands risk management predominantly as Enterprise Risk Management, which is defined on page 9 as

a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding responses to, and reporting on opportunities and threats that affect the achievement of its objectives. [Original source: IIA 2009 Position Paper Role of Internal Auditing in Enterprise Risk Management.]

My approach is different, to the extent that I discuss risk management as a general activity, not necessarily linked to a single organisation (‘enterprise’), or to the objectives of the organisation regarded as a unit. I regard Enterprise Risk Management as a specific application of risk management. Otherwise, there is close agreement.

Study guide Domain 1 Parts B and C go into some depth about the risk management context before getting into registers and ratings. This order of discussion also parallels ISO 31000. This structure in itself carries a strong message: understanding the context and final purpose of risk management is far more important than the detailed steps taken along the way.

Risk ‘exploitation’ as a treatment

This blog hasn’t formally discussed risk treatment, but there was some interpretation of ‘acting on’ risk in the lead Everyone article on ‘what is risk management’. This section assumes that you are already familiar with conventional categories of risk treatment or response.

‘Acting’ on risk could include finding out more, discussing risk with stakeholders, monitoring, changing likelihoods, changing consequences, and comparing actual events with predictions. These actions map onto standard risk management actions, usually characterised as something like ‘accept’, ‘avoid’, ‘mitigate’, and ‘transfer’, plus some other conventional responses to risk.

The CRMA Study Guide addresses risk treatment in Part II.B.4, pages 100 through 111. It adds ‘exploit’ to the usual four categories of risk treatment.

The concept of ‘exploiting’ a risk confused me no end, particularly as it was explained on page 109. To me that paragraph focused on investing for uncertain gains, which is a type of risk acceptance, not a different ‘exploitation’ of a risk. So here’s my attempt at explaining ‘exploit’ as a response to risk. Continue reading at your own risk.

Suppose there is a type of risk common across your industry. Many of your competitors restrict their activities to limit their exposure to that risk, to the point that they are comfortable with that exposure.

Also suppose that your organisation has either a higher tolerance for the risk, or a better way of limiting the risk that is otherwise common. In either case, your organisation will take on activities that others won’t. That means your organisation can get a high market share, or charge premium prices, by doing the work that competitors won’t. This strategy can be called ‘exploiting the risk’. It is not just a matter of accepting uncertain profits or accepting that bad things can happen, which everybody does to some extent.

An example of this kind of risk exploitation is a movie stunt artist. Most of us will not attempt dangerous stunts even if the pay were very high, higher than movie companies would be willing to pay. A professional stunt artist, however, can limit their own risk in ways not available to the rest of us, using special skills and resources, while performing in a spectacular way for the movie. A few stunt artists can therefore be paid high, but justifiable, fees for doing things that are too dangerous for the rest of us. The stunt artists ‘exploit’ the risk of injury by performing stunts that would be very dangerous to anyone else, though much less so to them. Stunt artists have a high market share in this kind of work, and can charge premium fees for it while keeping the price low enough that they do actually get some paid work.

Another example is an insurance company. For simplicity let’s focus on fire insurance. Individuals and businesses are unwilling to accept the risk of losing all of their assets through fire. While the likelihood may be low, the potential impact on the individual or business is devastating. So they take out fire insurance, paying a relatively small but known premium so that the economic loss from any actual fire will be small or zero, rather than catastrophic. The insurance company is absorbing the risk that the individual or business customer is avoiding.

So far we are talking about risk transfer. The insurer is also exploiting the risk if there are many different customers, and the total of all premiums consistently amounts to more than the payouts for fire damage, thereby making a profit. A profit is possible because, while the likelihood and magnitude of the economic loss transferred by each policy are the same for both the customer and the insurer, the insurer can cope with the economic loss from each fire in a way that the customer cannot. The insurer has a higher ‘risk capacity’ than the customer. This higher ‘risk capacity’, actually a capacity for discrete economic losses, gives the insurer the ability to ‘exploit’ fire risk and to profit from it.
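The insurer’s ‘risk capacity’ in the paragraph above can be made concrete with a little arithmetic on the pooled book. What follows is an added example, not code from the article or from the IIA or ISO material it discusses: the `FireBook` class, its field names, and the figures used (1% annual fire probability, 200,000 insured value, 2,400 premium) are all constructed for illustration, and the policies are assumed to be independent of each other. Each customer faces a single all-or-nothing loss; the insurer faces the sum of many such losses, and it is that sum, not the per-policy odds, that the premium has to beat.

```python
"""Risk pooling as 'risk capacity': an added example, not from the article.

Each customer faces one Bernoulli(p) chance of losing L in a year; the
insurer faces the sum of n independent such losses. The same p and L apply
on both sides, but the insurer's loss per policy concentrates around p*L
as n grows, so a premium a little above p*L is reliably profitable.
All numbers below are constructed for illustration (assumption).
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class FireBook:
    n: int          # policies written, assumed independent of each other
    p: float        # annual probability of a total-loss fire per property
    loss: float     # insured value destroyed by a fire (L)
    premium: float  # annual premium charged per policy

    def __post_init__(self) -> None:
        if not (0.0 < self.p < 1.0) or self.n < 1 or self.loss <= 0:
            raise ValueError("need 0 < p < 1, n >= 1 and a positive loss")

    def expected_loss_per_policy(self) -> float:
        """Identical for customer and insurer: p * L."""
        return self.p * self.loss

    def customer_loss_sd(self) -> float:
        """Spread (standard deviation) of one uninsured customer's annual loss."""
        return self.loss * math.sqrt(self.p * (1.0 - self.p))

    def insurer_loss_sd_per_policy(self) -> float:
        """Spread of the insurer's claims per policy.

        Claims are a sum of n independent Bernoulli losses, so the spread
        per policy shrinks by a factor of sqrt(n) relative to one customer.
        """
        return self.customer_loss_sd() / math.sqrt(self.n)

    def _log_binom_pmf(self, k: int) -> float:
        # log P(X = k) for X ~ Binomial(n, p); lgamma avoids overflow for large n
        return (math.lgamma(self.n + 1) - math.lgamma(k + 1)
                - math.lgamma(self.n - k + 1)
                + k * math.log(self.p) + (self.n - k) * math.log1p(-self.p))

    def losing_year_probability(self) -> float:
        """P(total claims exceed total premiums) in a single year.

        Claims exceed premiums when the number of fires X satisfies
        X * L > n * premium, i.e. X > n*premium/L. Computed exactly from
        the binomial distribution rather than by simulation.
        """
        fires_covered = math.floor(self.n * self.premium / self.loss)
        if fires_covered >= self.n:
            return 0.0
        cdf = sum(math.exp(self._log_binom_pmf(k))
                  for k in range(fires_covered + 1))
        return max(0.0, 1.0 - cdf)


def compare(book: FireBook) -> dict:
    """Customer-side and insurer-side view of the same transferred risk."""
    return {
        "expected_loss_per_policy": book.expected_loss_per_policy(),
        "customer_worst_case": book.loss,          # the whole asset is gone
        "customer_chance_of_ruin": book.p,         # if uninsured
        "customer_loss_sd": book.customer_loss_sd(),
        "insurer_loss_sd_per_policy": book.insurer_loss_sd_per_policy(),
        "insurer_margin_per_policy": book.premium - book.expected_loss_per_policy(),
        "insurer_losing_year_probability": book.losing_year_probability(),
    }


if __name__ == "__main__":
    # Constructed figures: 1% annual fire probability, 200,000 insured value,
    # 2,400 premium (expected loss 2,000 plus a 20% loading).
    for n in (1, 100, 10_000):
        book = FireBook(n=n, p=0.01, loss=200_000.0, premium=2_400.0)
        print(n, compare(book))
```

With one policy the ‘insurer’ is just the customer self-insuring: it loses money in exactly p of years, and when it does, it loses everything. With ten thousand independent policies the expected loss per policy is unchanged at 2,000, but the spread per policy is a hundredth of the customer’s, and a year in which claims exceed premiums becomes a roughly two-in-a-hundred event rather than a catastrophe. Charging a premium equal to the expected loss with no loading leaves the insurer losing money in about half of all years, which is why the margin matters as much as the pooling. The independence assumption is the one to watch: correlated fires (a single wildfire, a shared cause) put the spread back, and with it the catastrophe.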

Parent articles

What is risk management? (Everyone, Version 1.0 Beta)

Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be. To manage risk is to understand and act on the effects of uncertainty on objectives. ‘Effects’ can be positive or negative. ‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns. Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty.

What is risk management? (extras for risk specialists) (Risk specialists, Version 1.0 Beta)

Main article on What is Risk Management?

Index to the series What is risk management?
