Risk Management Diagram
Before we consider the four-step process of managing risk (or “managing surprises” as it is called by some people), it is worth defining exactly what we mean by the term “risk management”, because so many organizations have a risk management system but not necessarily a common understanding of what constitutes risk.
The dictionary defines risk as follows:
Another longer definition, offered by the authors Smith and Merritt is:
Following on from these definitions, exposure to these “misfortunes”, occasions of “loss”, or “undesired outcomes” generally comes from particular events or what are more commonly called hazards. Some hazards are known and this may lead to considerable care or mitigation. Motorways, for example, are well fenced and have no footpaths, to ensure that pedestrians do not easily “stray” into the path of speeding cars. Similarly, people know that it is not a good idea to take the risk of jumping into the lion enclosure at the zoo. In general, these more obvious hazards are rarely the major risk problem. It is often the less obvious or even completely hidden hazards that can pose the greatest difficulties. Poorly constructed buildings, old machinery and homemade tools, for example, can all hide serious hazards that increase the likelihood of accidents or damage/loss.
When managers determine an organization’s strategy or set goals and targets, they essentially balance opportunities and expected rewards against related risks. To perform this vital task well, leaders should be clear about the company’s risk appetite: in our pursuit of value and rewards, which risks are we willing to take, and which ones not? Good risk management, then, does not imply avoiding all risks at all costs. It does imply making informed and coherent choices regarding the risks an organization wants to take in pursuit of its objectives and regarding the measures to manage and mitigate those risks.
One approach that can be useful to adopt is shown in the risk management diagram here. It offers four key progressive steps to be taken, with a fifth (information exchange and ongoing communication) as a continual requirement to ensure that the process flows smoothly. The first step is to set the direction or appetite for risk in the future, or decide how loosely or tightly to set up the controls that are needed. The second step is to initiate the risk assessment regime that is needed for all key processes. The third step is effective control through policies, procedures and other actions that render activities as safe as they can be. Finally, the fourth step is to evaluate or monitor the risk management efforts on an ongoing basis. By rigorously adopting the simple strategy shown in this diagram, most organizations can improve their risk identification and management efforts considerably.