What separate activities are specific to ‘risk management’?

I answered the question ‘What is risk management?’ with an invisible essence: To manage risk is to understand and act on the effects of uncertainty on objectives. I later claimed that Risk management is simply ‘management’, with recognition of the effects of uncertainty.

I also declared that unlike radioactive waste, risk does not need a management system. Risk is not a separate substance, and risk management is not an activity separate from management.

That leaves a question about the management activities that are added or changed because uncertainty is taken into account.

This article answers the question with visible activities that may be needed specifically in response to an awareness of uncertainty. I stick to my premise that the invisible essence of risk management is, well, essential, whereas the visible activities can vary widely.

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000. Different risk specialists assume different boundaries of ‘risk’.

What to read first: How does ‘risk management’ fit with all the other kinds of ‘management’?What is risk management?

Everyone

Activities specific to ‘risk management’ are typical activities specific to ‘management’, with special features. They also have special names, defined in places like ISO 31000.

ISO 31000 defines risk management activity at two levels, the definition and maintenance of a risk management framework (Clause 4, summarised in Figure 1 of ISO 31000) and the execution of the risk management process (Clause 5, summarised in Figure 2 of ISO 31000). The activities described by ‘risk management’ are those within the risk management process.

This table shows how risk management is simply management, with uncertainty taken into account. The left margin is the ISO 31000 label for the risk management activity, the middle column is my summary of what is involved, and the right column describes the corresponding activities in ‘management’ other than ‘risk management’. This argument is original with Clear Lines on Audit and Risk, so it’s fair game for queries and criticism.
ISO 31000 risk management process activity Risk management process activity Management process activity
Establishing the context Developing risk criteria, through understanding the stakeholders’ risk appetite and tolerance around a particular activity. Setting objectives, targets, and budgets, having regard to stakeholder expectations and priorities. Budgets will include spending limits for particular management levels (parallel to risk tolerances).
Risk assessment Identifying, analysing and assessing risk. Developing a plan for the steps necessary to deliver on the objectives and targets, such as an annual business plan or project plan.
Evaluating assessed risk in relation to risk criteria. Evaluating the feasibility of the business plan or project plan.
Risk treatment Implementing treatment actions for evaluated risk. Treatment actions can include communicating, avoiding, transferring, and monitoring the risk, and re-designing the activity to change the risks involved. Amending the business or project plan to achieve both feasibility and stakeholder objectives. Deciding the controls that need to be maintained.
Implementing risk treatment actions for evaluated risk. Treatment actions can include maintaining controls, and adhering to policies and planned strategies designed to optimise risk and reward. Executing the business plan or project plan. Maintaining controls. Complying with organisational policies.
Monitoring and review Reviewing and improving particular risk management processes, and the management of particular risks, based on experience. An important type of review is monitoring actual events and comparing those to the forecasts made in risk assessment. Continuous improvement based on activity tracking and performance assessment. An important type of review is comparing actual outcomes (deliveries, expenditures) to planned outcomes.
Communication and consultation
Recording and reporting (2017 revision of ISO 31000)
Communicating and consulting about the overall situation with risk and risk management, particularly with stakeholders and their representatives. Communicating and consulting about actual business performance or project delivery, forecasts, and plans. Communications and consultation will be with stakeholders and their representatives (e.g. senior manager, project board).
Within an organisation, some of these roles are part of management performed by managers, while others may be performed by risk specialists. Work done by risk specialists is done on behalf of decision-making managers at one level or another. Risk specialists are not decision makers.

Specialities focused on risk management

Different risk specialists assume different boundaries of ‘risk’.

The term ‘risk management’ is often used to describe specific disciplines involving the uncertain potential for trouble, such as security, business continuity, credit, or fraud management. This usage of ‘…risk management’ resembles the way that ‘… science’ or ‘…disorder’ get added when something has doubtful credibility, such as ‘beauty science’ or ‘narcissistic personality disorder’.

But on the whole, this usage is fair and helpful. Activities like security management are an excellent example of risk management, separate from Enterprise Risk Management. Better practices in security management include application of risk management principles consistent with ISO 31000, with some extensions. Standardised extensions for security risk management include asset definition and threat identification based on specific attackers’ capabilities and motivations.

The thing to watch is that security specialists (for example) tend use the term ‘risk’, without a qualification, in a very narrow and specific way. By ‘risk’ they do not always mean the total effects of uncertainty in any given activity. Sometimes they will use ‘risk’ in the common (but incorrect) way of referring to a kind of threat, without specifying the effect on any objective. At other times they will refer to an effect on an objective, but only a very narrow kind of effect, such as the potential ‘security’ impact. For example, security folks will often assess a ‘risk exposure’ in terms of an asset’s rated value and the likelihood of its compromise. The rated ‘asset value’ is a fiction that simply differentiates severe and minor consequences, without any real link to effects on organisational objectives as understood at CEO and Board level. This can be a good thing to do, but not the same thing as enterprise level risk management. Apart from its security value, it can also be a useful part of the way in which whole of enterprise-wide risk is understood. In a later article I’ll be exploring ways to join different branches and styles of risk management within an organisation, to create an enterprise view.

Previous article for Everyone

How does ‘risk management’ fit with all the other kinds of ‘management’?

Risk management is not just another dimension of management. It’s a dimension of all the other dimensions

Everyone Version 1.0 Beta

Parent articles

What is risk management?

Risk is not a mysterious hypothetical substance. Unlike radioactive waste, it does not require a management system. You should never ask how much of it there is. Risk is nothing other than the possibility that your world might not end up the way you meant it to be. To manage risk is to understand and act on the effects of uncertainty on objectives. ‘Effects’ can be positive or negative. ‘Uncertainty’ includes all kinds of unknowns, including unknown unknowns. Risk management comes naturally from human capacity to plan for the future with conscious actions. Risk management is not defined by any step by step process based on rules and templates. Risk management is simply ‘management’, with recognition of the effects of uncertainty.

Everyone Version 1.0 Beta

Main article on What is Risk Management?

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments are moderated from a sea of spam, so may not be published immediately. Email contact may get a quicker response.