Risk Management


Risk management refers to the identification and assessment of risks, and the attempts to establish processes that are able to minimize or control either the probability or impact of negative risks. Risk management is an attempt to cost-effectively limit financial or legal liability, accidents, and other potential uncertainties which can have a large, adverse effect on a company’s bottom line. At their core, risk management strategies often seek to avoid or minimize negative risks, but some risks are improbable enough that organizations are often willing to accept them and their consequences as the cost of doing business.


In most risk management methodologies, organizations ideally seek to first identify risks that are both probable and highly damaging. This often involves careful analysis of any vulnerabilities to important processes, the likelihood that those vulnerabilities could be exploited, and the development of strategies to mitigate or avoid the negative risk, or transfer the risk of such events to another party. Once these high-priority risks are identified, organizations will then carry out analysis of other, less likely or less damaging risks, and take action accordingly. Depending on the severity of the risk, and the budgetary resources devoted to risk management, these lower-priority risks may be deemed ‘acceptable risks’ and no action may be taken to mitigate or avoid them.


The International Organization for Standardization (ISO) identifies several guiding principles that risk management practices should follow in order to be effective. Risk management practices should take into account the best information that is readily available and the inherent differences that the ‘human factor’ introduces in any organization, be a built-in part of the decision-making process, and be treated as a necessary and important part of the initial planning process. Furthermore, they should be structured, but still able to respond to constantly changing demands in a dynamic environment. Finally, they should create value for the organization: the potential cost of not engaging in risk management practices should outweigh the actual costs of avoiding or mitigating the negative risks initially identified by the organization.


There are several core processes which are universally applicable to effective risk management strategies. The first process is to establish the context within which potential risk may be discovered. This involves the identification of potential risks in a selected process, understanding where that risk fits into the process by mapping out the process to completion, developing a framework to analyze the potential impact or probability of the potential risk, and evaluating the potential technological and organizational measures available to mitigate or avoid the risk.

The next step is to actively identify a risk within a process. This is often done by checking through lists of common risks (within a given industrial process, for instance), or through scenario-based analysis, where scenarios are created that may expose risk through the application of possible, yet unexpected, forces on the process. Once a risk is actively identified, a root-cause analysis is done to determine whether the source of the risk is internal or external to the process, or whether a broader, systemic or organizational problem may be the culprit.

Finally, when a risk has been identified, an assessment should be made to determine the probability of the risk occurring, as well as the potential severity of its impact. Some events can impact intangible assets, and it can be very difficult to properly understand damage to the value of those assets. Since the rate of occurrence of many risks is relatively low, it can also be difficult to forecast the potential negative impact of the event, given its improbability. Impact analysis is therefore an imprecise exercise, where judgments based on the best possible information available are used to prioritize the allocation of resources. Nonetheless, a risk management evaluation should provide the necessary information for an organization to understand the most critical risks in a process and make the best educated decision possible.