Activities specific to ‘risk management’ are typical ‘management’ activities with special features. They also have special names, defined in places like ISO 31000.
ISO 31000 defines risk management activity at two levels: the definition and maintenance of a risk management framework (Clause 4, summarised in Figure 1 of ISO 31000:2009) and the execution of the risk management process (Clause 5, summarised in Figure 2 of ISO 31000:2009). The clause numbers here follow the 2009 edition; the 2018 revision renumbers the framework as Clause 5 and the process as Clause 6. The activities described by ‘risk management’ are those within the risk management process.
This table shows how risk management is simply management, with uncertainty taken into account. The left column is the ISO 31000 label for the risk management activity, the middle column is my summary of what is involved, and the right column describes the corresponding activities in ‘management’ other than ‘risk management’. This argument is original with Clear Lines on Audit and Risk, so it’s fair game for queries and criticism.
| ISO 31000 risk management process activity | Risk management process activity | Management process activity |
|---|---|---|
| Establishing the context | Developing risk criteria, through understanding the stakeholders’ risk appetite and tolerance around a particular activity. | Setting objectives, targets, and budgets, having regard to stakeholder expectations and priorities. Budgets will include spending limits for particular management levels (parallel to risk tolerances). |
| Risk assessment | Identifying and analysing risk. | Developing a plan for the steps necessary to deliver on the objectives and targets, such as an annual business plan or project plan. |
| | Evaluating assessed risk in relation to risk criteria. | Evaluating the feasibility of the business plan or project plan. |
| Risk treatment | Selecting treatment actions for evaluated risk. Treatment actions can include communicating, avoiding, transferring, and monitoring the risk, and re-designing the activity to change the risks involved. | Amending the business or project plan to achieve both feasibility and stakeholder objectives. Deciding the controls that need to be maintained. |
| | Implementing risk treatment actions for evaluated risk. Treatment actions can include maintaining controls, and adhering to policies and planned strategies designed to optimise risk and reward. | Executing the business plan or project plan. Maintaining controls. Complying with organisational policies. |
| Monitoring and review | Reviewing and improving particular risk management processes, and the management of particular risks, based on experience. An important type of review is monitoring actual events and comparing those to the forecasts made in risk assessment. | Continuous improvement based on activity tracking and performance assessment. An important type of review is comparing actual outcomes (deliveries, expenditures) to planned outcomes. |
| Communication and consultation; Recording and reporting (the latter added in the revision published as ISO 31000:2018) | Communicating and consulting about the overall situation with risk and risk management, particularly with stakeholders and their representatives. | Communicating and consulting about actual business performance or project delivery, forecasts, and plans. Communications and consultation will be with stakeholders and their representatives (e.g. senior manager, project board). |
Within an organisation, some of these roles are part of management performed by managers, while others may be performed by risk specialists. Work done by risk specialists is done on behalf of decision-making managers at one level or another. Risk specialists are not decision makers.
Specialities focused on risk management
Different risk specialists assume different boundaries of ‘risk’.
The term ‘risk management’ is often used to describe specific disciplines involving the uncertain potential for trouble, such as security, business continuity, credit, or fraud management. This usage of ‘…risk management’ resembles the way that ‘… science’ or ‘…disorder’ get added when something has doubtful credibility, such as ‘beauty science’ or ‘narcissistic personality disorder’.
But on the whole, this usage is fair and helpful. Activities like security management are an excellent example of risk management, separate from Enterprise Risk Management. Better practices in security management include application of risk management principles consistent with ISO 31000, with some extensions. Standardised extensions for security risk management (ISO/IEC 27005 for information security, for example) include asset definition and threat identification based on specific attackers’ capabilities and motivations.
The thing to watch is that security specialists (for example) tend to use the term ‘risk’, without a qualification, in a very narrow and specific way. By ‘risk’ they do not always mean the total effect of uncertainty on any given activity. Sometimes they will use ‘risk’ in the common (but incorrect) way of referring to a kind of threat, without specifying the effect on any objective. At other times they will refer to an effect on an objective, but only a very narrow kind of effect, such as the potential ‘security’ impact. For example, security folks will often assess a ‘risk exposure’ in terms of an asset’s rated value and the likelihood of its compromise. The rated ‘asset value’ is a fiction that simply differentiates severe and minor consequences, without any real link to effects on organisational objectives as understood at CEO and Board level. This can be a good thing to do, but it is not the same thing as enterprise-level risk management. Apart from its security value, it can also be a useful part of the way in which enterprise-wide risk is understood. In a later article I’ll be exploring ways to join different branches and styles of risk management within an organisation, to create an enterprise view.
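As an added illustration (not part of the original article, and not a method prescribed by ISO 31000 or ISO/IEC 27005), the following script does the security-style exposure scoring just described, then places the same scenarios in an objective-level view that the asset rating alone cannot give. The 1-5 scales, the banding thresholds, the assets, the threat actors and the mapping from asset to organisational objective are all constructed assumptions chosen to show the point.

```python
"""Security 'risk exposure' (rated asset value x likelihood of compromise)
beside an enterprise-objective view of the same scenarios.

Added example for this article; it is not from ISO 31000, ISO/IEC 27005 or
Clear Lines on Audit and Risk. Scales, thresholds and sample data are assumed.
"""
from dataclasses import dataclass


def clamp(n: int, lo: int = 1, hi: int = 5) -> int:
    return max(lo, min(hi, n))


@dataclass(frozen=True)
class Asset:
    name: str
    rated_value: int      # 1 (minor) .. 5 (severe): a rating, not a dollar figure


@dataclass(frozen=True)
class Threat:
    actor: str
    capability: int       # 1..5: what the attacker can do
    motivation: int       # 1..5: how much they want this particular asset


@dataclass(frozen=True)
class Scenario:
    asset: Asset
    threat: Threat
    control_strength: int = 0   # 0 (no control) .. 4 (strong, tested control)


def likelihood(s: Scenario) -> int:
    """Likelihood of compromise, 1..5, from attacker capability and motivation
    less the controls in place. Assumed formula: ceiling of the mean of
    capability and motivation, minus control strength, clamped to 1..5."""
    raw = -(-(s.threat.capability + s.threat.motivation) // 2)   # ceil division
    return clamp(raw - s.control_strength)


def exposure(s: Scenario) -> int:
    """Security-style exposure: rated asset value x likelihood, range 1..25."""
    return s.asset.rated_value * likelihood(s)


def band(score: int) -> str:
    """Assumed banding of the 1..25 product into the usual traffic-light labels."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_register(scenarios: list[Scenario]) -> list[tuple[str, int, str]]:
    """The security register: assets ordered by exposure, highest first.
    Nothing here says which organisational objective is affected."""
    rows = [(s.asset.name, exposure(s), band(exposure(s))) for s in scenarios]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def enterprise_view(scenarios: list[Scenario],
                    objective_effects: dict[str, tuple[str, str]]) -> dict[str, list[dict]]:
    """Re-key the same scenarios by the objective they threaten. The objective
    link has to be supplied separately; it is not derivable from the rating."""
    view: dict[str, list[dict]] = {}
    for s in scenarios:
        objective, effect = objective_effects[s.asset.name]
        view.setdefault(objective, []).append(
            {"asset": s.asset.name, "band": band(exposure(s)), "effect": effect})
    return view


# Constructed sample data (assumed, for illustration only).
SCENARIOS = [
    Scenario(Asset("customer database", 5), Threat("organised crime", 4, 5), 2),
    Scenario(Asset("code-signing key", 5), Threat("state-backed actor", 5, 5), 2),
    Scenario(Asset("marketing website", 2), Threat("opportunistic defacer", 2, 4), 0),
]
OBJECTIVE_EFFECTS = {   # asset -> (organisational objective, effect on it); assumed
    "customer database": ("Regulatory standing", "breach notification and possible fines"),
    "code-signing key": ("Product delivery", "signed releases halted until the key is rotated"),
    "marketing website": ("Reputation", "short-lived public embarrassment"),
}

if __name__ == "__main__":
    for name, score, label in rank_register(SCENARIOS):
        print(f"{name:20} exposure={score:2} ({label})")
    for objective, rows in enterprise_view(SCENARIOS, OBJECTIVE_EFFECTS).items():
        print(objective, rows)
```

Run as-is, the register scores the customer database and the code-signing key identically (both 15, "high"), which is all the security view can say; only the separately supplied objective mapping distinguishes a regulatory consequence from a stopped product pipeline.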
Version 1.0 Beta