Coping with a risk event is often a question of timing. How much time did we have to prepare for the risk before it started to happen? How long did it take to recognise what was happening and trigger our pre-prepared action plan? How long will it take for the risk event to materialise or complete? Risks can be categorised according to their suddenness of happening (“We saw it a long way off” to “It was a complete shock to all of us”), likewise the duration of the impact of a risk when it does happen (minutes to centuries).
Because risks are always changing, combining, becoming entangled then pulling apart, it’s never enough to just evaluate risk one time, take some actions to reduce risk to what you think is a good enough level, then believe that the job has been concluded once-and-for-all (time). That would be like seeing a still photo from a movie series and believing you had watched the entire run of films!
Risk management is the organised and structured way of answering the 4 questions we raised 2 minutes ago, in a repeating process. Risks can affect individuals, groups, entities, objects, intangible processes or assets, as well as very physical things such as mega-cargo container ships. An organisation must consider all of its objectives (both implicit and stated), as well as those assumed by regulatory process, legal liability or social expectation. It’s vital that risk management takes into account the views of stakeholder groups above and beyond the narrow views of the organisation’s top management. Employees, shareholders, advisory bodies, auditors, regulators, NGOs, politicians, journalists, consumer groups, lobbyists, regulators, financial markets (as a whole) may react in ways that affect direction or outcomes, so should be taken into consideration when reviewing existing risks and future risks.