The term “risk management” covers many different types of risk, including strategic, financial, reputational, operational, project, environmental, legal, contract and technical risk, as well as corporate governance, business continuity and disaster recovery. While each of these areas has its own specialist language, processes and techniques, there are some principles which apply to them all. These might be called the “universal laws of risk management”.
The first law of risk management is that risk is uncertain. A risk is something in the future which might or might not occur. This is vital to a proper understanding of risk and its management. Risks do not yet exist; indeed, they may never exist at all. They are potential future events, or sets of circumstances or conditions. This makes them quite different from things which have happened in the past or which currently exist in the present. Past and present events can be analysed and measured, but future events can only be imagined or estimated. A risk which may or may not exist in the future cannot be experienced directly unless or until it happens. This distinguishes risks from issues, problems or constraints, which already exist. In every type of risk management, risk is in the future, which is inherently uncertain.
The second law is that risk matters. If they occur, risks will have consequences which make a difference in some way. It is not possible to have an inconsequential risk, by definition. While various types of risk management focus on different sorts of consequence, all agree that a risk must affect something. This is because risks are inextricably linked to objectives. Wherever some field of human endeavour is attempting to achieve something, it is possible to identify uncertainties which might affect the chances of success. Whether the objectives are to achieve good corporate governance, successful projects or business continuity, risk management aims to identify possible future events which could influence those objectives, and to enable them to be understood and managed effectively.
The third law is that managing risk is a process. Different approaches to risk management may have different steps, but all of them provide a framework designed to maximise both efficiency and effectiveness. Although the details of risk processes differ, every type of risk management has two essential parts: analysis and action. Before risk can be properly managed, it must first be identified, described, understood and assessed. Analysis is a necessary first step, but it is not sufficient; it must be followed by action. A risk process which does not lead to the implementation of actions to deal with identified risks is incomplete and useless. The ultimate aim is to manage risk, not simply to analyse it.
Finally, the fourth law is that risk is managed by people. The human aspects of risk management are vital to its success and effectiveness. People implement processes, though we may use machines to automate calculations, to record results, or to generate reports. People set risk thresholds, identify risks, assess the degree of uncertainty and the extent of possible impact, propose appropriate responses and implement agreed actions. These require judgements, estimates and decisions to be made in the presence of uncertainty. These judgements are subject to a range of influences, both explicit and hidden, which can significantly affect the outcome. Risk management at every level is exposed to sources of bias arising from overt and covert influences acting on individuals and groups who are trying to make risk-based decisions with imperfect or incomplete information.
Whatever type of risk we face, we have to follow these universal laws of risk management. To manage risk effectively we need to deal with uncertainty that matters, follow a structured process, and take account of the people aspects.
Dr. David Hillson (PMP, FAPM, FIRM, MCMI) is an international risk management consultant, and Director of Risk Doctor & Partners (www.risk-doctor.com). His speciality is risk technology transfer, assisting organisations to develop in-house risk processes, and he is a popular conference speaker and author on risk, winning several awards for his papers.
David can be contacted at david@risk-doctor.com