The question itself throws up a number of images in our heads, all of which seem a little chaotic or incoherent. You might be imagining men and women in grey looking suits, wearing nerdy glasses with scientific calculators in hand, talking really fast about risk analysis. They want you to know about “net residual exposures and how you should continue to mitigate your market risk with hedging strategies”. Um, OK then.
The next image to load on the cinema screen inside your head might be of an older man with deep-furroughs on his face, frowning at you and shaking his head. He points his clipboard in your direction. “If you had done a proper job to identify risks, looking at all the types of risk and not just those coming from natural disasters my friend, then you would have clearly recognised that the main issue here is Health and Safety. That’s a tripping hazard right there and I think I can smell Asbestos in your outbuildings. I’m shutting you down!”. And in that moment, the person does the only thing that brings them any joy in life: stopping other peoples’ plans.
Maybe the idea of Risk Management conjures up other images for you. Is it Scottie the Chief Engineer from Star Trek saying, “We can’t risk it, Captain. We have nae got the power!”? Is it your favourite TV surgeon leaning towards the anxious theatre nurse saying, “We’ll just have to take the risk sister, otherwise they’ll be dead within the hour!”. Perhaps you have a risk advisor type voice in your head, telling you not to buy Bitcoin because it’s an asset bubble just about to burst and you’ll be left penniless!?
What we’ve tried to show you already, is that the nature of risks are very diverse. Every person is affected by them, on a daily basis. For example, I have already faced the risk of dying in a road traffic accident today, professional humiliation, food poisoning, having an airliner fall on my head, falling into a river and drowning, being taken hostage by the postman and rejection by the person I think is the most important in the whole world.
Most of us manage risks like this without really thinking about it. It’s not because the risks don’t matter to me. It’s because I have learned to handle them efficiently.
To be more precise, the “thing which interferes with what we want to achieve or see happen” is a risk, and the risk has an effect on our objectives. There are many potential risks in the world that have nothing to do with our objectives. Lightning strikes in Papua New Guinea don’t bother me much. We can say there are more risks than we have time/resources to care about. Risk management is the process that keeps us focused on the things which matter, so it doesn’t take up all our attention, all the time. We’ve got things to do!
Depending on the person, or type of organisation, the risk management process can be fast, informal and ad-hoc. If your objectives are not that important, or highly flexible, you can easily cope with unexpected and minor interferences. If you are the head of operations at a nuclear power generation plant, your risk factors are long term, serious, inter-connected and potentially catastrophic for a whole region of the planet. You will use a detailed, precise and rigid method to do a risk assessment and wherever possible, make them as low as reasonably possible. It is your duty.
Coping with a risk event is often a question of timing. How much time did we have to prepare for the risk before it started to happen? How long did it take to recognise what was happening and trigger our pre-prepared action plan? How long will it take for the risk event to materialise or complete? Risks can be categorised according to their suddenness of happening (“We saw it a long way off” to “It was a complete shock to all of us”), likewise the duration of the impact of a risk when it does happen (minutes to centuries).
Because risks are always changing, combining, becoming entangled then pulling apart, it’s never enough to just evaluate risk one time, take some actions to reduce risk to what you think is a good enough level, then believe that the job has been concluded once-and-for-all (time). That would be like seeing a still photo from a movie series and believing you had watched the entire run of films!
Risk management is the organised and structured way of answering the 4 questions we raised 2 minutes ago, in a repeating process. Risks can affect individuals, groups, entities, objects, intangible processes or assets, as well as very physical things such as mega-cargo container ships. An organisation must consider all of its objectives (both implicit and stated), as well as those assumed by regulatory process, legal liability or social expectation. It’s vital that risk management takes into account the views of stakeholder groups above and beyond the narrow views of the organisation’s top management. Employees, shareholders, advisory bodies, auditors, regulators, NGOs, politicians, journalists, consumer groups, lobbyists, regulators, financial markets (as a whole) may react in ways that affect direction or outcomes, so should be taken into consideration when reviewing existing risks and future risks.
When an organisation believes they have a current understanding of their risks, they can then choose a variety of risk management strategies for dealing with them. Some risks can be avoided because they completely unacceptable (would result in the closure of the business for example). Some risks can be reduced down to a lower level (probability or impact) and this is usually called risk mitigation. Some risks allow them to be shared with others, usually for a price. Typically this would involve insurance or some kind of joint-venture or outsourcing arrangement. The final approach is for a risk where the upside of what the activity brings about, makes the downsides inescapably attractive. Despite all efforts to reduce and share risk, there is a residual level which we can choose to accept.
Good risks like this would be flying or travelling by car. Our brains know that jet engines and gravity can propel us into the ground at unsurvivable speeds. We do everything we can to create a system that manages ‘gravity risk’ to an acceptable level. For most people, the tiny bit of residual risk remaining is far outweighed by the benefits of taking the risk.
When we ask, what is risk management, we can say that it is the planned approach to accurately understanding what risks affect our objectives and making informed decisions to achieve the best trade-offs between potential upsides and downsides. Doing this in a coordinated fashion across all aspects of an organisation’s activities is called Enterprise Risk Management. It involves women and men in grey or other coloured clothing, with calculators. It includes people with deep concern for health, for safety, for the environment, for financial well-being, for sustainability, for product quality, for reputation protection, for wealth generation. Risk management is a sign that an organisation cares, professionally.
We know what you mean.
Download our free guide that shows the top 20 training mistakes when designing training.
