What is Risk Management?
Risk-taking is part and parcel of business: no risk, no reward. Whatever strategy an organization chooses, each course of action comes with its own expected rewards and risks. Good risk management therefore does not mean avoiding all risks at any cost. It does, however, mean making informed and coherent choices about which risks the organization wants to take in pursuit of its objectives, and equally deliberate choices about the measures used to manage and mitigate those risks.
Definition of “risk”
But before we continue, let’s make sure that the term “risk” is well understood. The dictionary defines risk as follows:
Another useful definition is offered by the expert risk management authors Smith and Merritt:
Exposure to these “misfortunes”, occasions of “loss”, or “undesired outcomes” generally comes from particular events or what are more commonly called hazards. Some hazards are known and this may lead to considerable care or mitigation. For example, motorways are well-fenced and have no sidewalks to ensure that pedestrians do not easily “stray” into the path of speeding cars. Similarly, people know that it is not a good idea to take the risk of jumping into the lion enclosure at the zoo.
In general, these more obvious hazards are rarely the major risk problem. It is often the less obvious or even completely hidden hazards that pose the greatest difficulties. Poorly constructed buildings, old machinery and homemade tools, for example, can all hide serious hazards that increase the likelihood of accidents or damage/loss.
Determining risk “appetite”
When leaders determine an organization’s strategy, or set particular goals and targets to deal with identified hazards, they are essentially balancing opportunities and expected rewards against the related risks. To perform this vital task well, a leader should be clear about the organization’s “risk appetite”. Risk appetite is the determination of which risks a business is willing to take, and which ones it is not willing to take, in its pursuit of value and rewards. An explicit, comprehensive discussion of risk appetite should therefore form part of any planned project, process change or strategy review.
Clear and operational definitions of risk appetite form the basis of what is now commonly called the “Enterprise Risk Management” approach, or ERM for short. ERM is mainly concerned with making an explicit determination of an organization’s tolerance of risk in all of its major decisions. For example, when does a company start to feel uncomfortable if the percentage of its revenues generated by just its four or five biggest clients rises continually, or even becomes dominant? Another example might be a company that experiences 10% (and growing) product returns from customers: at what point does this become too big a risk to overall customer satisfaction, company costs or general reputation? In both of these cases, one company may have a completely different tolerance of risk from another, but that tolerance needs to be explicitly understood and must be capable of change when circumstances require it.
So what is risk management?
Assuming that the concepts of risk, hazards and risk appetite are now well understood, risk “management” is simply the particular effort made by a company to control its identified risks. Once a risk has been assessed, efforts may be made to eliminate it, mitigate it, or retain it and live with it.
Risk elimination (often perceived to be the best risk management approach) is much more feasible than many people think, because many risks are “introduced” by particular decisions and can be “un-introduced” or removed by different decisions. This is especially true when the leader or manager who introduced the risk is also the one responsible for deciding to avoid it.
Although elimination may appear to be the best solution or answer to all risks, complete avoidance also means losing out on the potential gain that accepting (retaining) the risk may have allowed. For example, not entering a business to avoid the risk of loss also avoids the possibility of earning profits.
Risk Mitigation, or what is often called “treating” the risk in some way, is essentially concerned with lessening the impact that a particular risk might have. In choosing this strategy, we have usually accepted that the risk cannot readily be avoided or transferred, and are therefore only trying to keep the expected loss or damage to acceptable levels. Of course, “acceptable” is a subjective term and depends on how much risk the organization is comfortable taking from task to task or project to project. In all cases, however, the aim is to lower or raise the likelihood (depending on whether the risk is negative or positive) and/or decrease or increase the impact. In most cases, mitigation involves reducing the impact of a negative risk. This means that our mitigation strategies should either reduce the probability that the risk will occur or lessen the overall severity (damage or loss) experienced if it does.
Risk Retention, or tolerance, means that the risk cannot readily be eliminated or even mitigated, so a business may have no option but to live with it. The response may be to do nothing (accepting that the likelihood of occurrence is very low and/or that the impact, if it did occur, would be very minor), or to take steps to protect people from the risk. A good example of the latter is the use of personal protective equipment such as hard hats or steel-toed shoes. Ear plugs are another example: the risk of noise may be unmitigated, but the individual is protected from harm (provided they wear their ear plugs).
In the final analysis, risk management is a strategy that will vary greatly from one company to another. However, the approach of understanding the hazards, determining the “appetite” for risk, and then looking to manage each risk individually is a common one.