Defining Risk and Risk Management

What is Risk?

The ISO 31000 risk management standard defines risk as, “the effect of uncertainty on objectives.”

Risks are typically related to one of four areas:

• The organization’s long-term strategy (three years, five years, and beyond)
• The way that an organization manages change (for example, during mergers and restructuring)
• The day-to-day operations of the organization
• The general financial health of an organization

Risk can be positive, negative, or neutral. They are, in general, simply a deviation from the norm.

Risk is often defined as an event or a consequence. Some examples of risks are:

• Interruptions of the business cycle or business processes arising from government regulation, economic conditions, social conditions, weather systems, natural disasters, and other sources
• Unforeseen changes in existing strategic partnerships, key business relationships, and vendor/supply sources
• Changing labor market conditions affecting labor force availability and costs
• Issues arising from integrations of computer systems, communications networks, accounting systems, and other systems
• Access to information may be prevented by government or legal restrictions, privacy concerns, or other frameworks that are put in place
• Security conditions might arise that affect operations

Types of Risks

Quantitative risks are those that can clearly be quantified. They have an impact on time, people, money, or other resources. An example could be lost revenue, lost production, or delayed time.

Qualitative risks are those that cannot easily be clearly quantified. This may be because you do not have sufficient historical data to determine the likelihood of the risk and/or its impact is not understood well enough for a qualitative impact to be associated with it.

An example: Your organization is opening an oil rig in a new area. You have no concrete data for this particular type of machinery in poor weather, but you do know that other facilities in the area have their production affected in varying amounts each year because of weather.

You should always strive to make all qualitative risks quantitative, if possible, by collecting and analyzing data.

What is Risk Management?

Risk management is defined as a set of principles and processes that help minimize the negative impacts of risks and maximize the positive impacts. Risk management should identify risks, assess them, determine a suitable response, and implement that response. In order for risk management to be successful, it must be integrated into the culture and the day-to-day activities of the organization.

Your risk management process should be PACED:

• Proportionate to the size of your organization
• Aligned to your organization’s mission
• Complete
• Embedded into the culture of the organization and its day-to-day activities
• Dynamic and responsive

Some examples of risk management processes and plans:

• House insurance
• Disaster recovery plans
• Succession planning

Establishing Your Risk Management Context

Each organization is unique, and it is crucial that you identify the context in which your risk management framework must operate. Consider:

• The regulatory or legal environment you operate in with respect to both internal practices (e.g. labor laws and regulations, liability claims, etc.) and how you relate to your customers and vendors.
• Communication methods you will use to notify and communicate with your stakeholders, as a range of techniques may be required to suit different stakeholder groups.
• The size of the organization in terms of the number of divisions, revenue of business lines, size of markets, and budgets of functional groups.
• Labor relations in the organization.
• The structure of the organization, which can affect risk analysis, planning, and implementation.
• The culture of the organization with respect to risk tolerance. Is your organization a conservative family business or an edgy risk-taker?