23


Risk management

The big picture

Risks are a ubiquitous and characteristic side-effect of organisations taking action (see also Chapter 33). Although there are many different types of risk (financial, economic, project, market, technical, social, operational, safety, etc.), the structured approach of risk management helps to identify risks and to take appropriate action, either to reduce the likelihood that a risk occurs or to reduce its (negative) impact when it does (Figure 23.1).

Figure 23.1 Risk management

When to use it

Every activity brings some risk, because zero risk does not exist; the aim is therefore to minimise the negative impact of risk, and that is what risk management offers. Many organisations operate in (market) environments where taking high levels of risk is necessary to compete. In some industries the risks taken are so high and/or their negative impact so severe that a designated risk management function becomes a primary function of the organisation (e.g. in banking, insurance, and the pharmaceutical and petrochemical industries). Sometimes risk management is even regulated through legislation (e.g. Solvency II for insurers and the Basel III rules for banks) and standards (e.g. ISO 31000 and OHSAS 18001).

How to use it

Risk management is a systematic set of methods and techniques for analysing, preventing, mitigating, reducing and, where possible, eliminating risks. It consists of four interrelated phases: risk identification, risk assessment, risk management (or handling) and risk measurement (or monitoring). When starting with risk management and setting up your framework, begin by identifying risks. Using a multi-perspective approach that covers as many types of risk as possible (operational, financial, environmental, safety, etc.), draft a long list of risks. Next, prioritise the risks according to the potential (negative) impact they could have on the organisation: which assets are vulnerable to each risk, and to what extent?

Then, the prioritised risks are analysed: what is the probability that the risk will occur? What will trigger its occurrence? What relationships are there between risks and their triggers? What is the worst-case scenario for the organisation (what likely combination of risks could occur simultaneously)?

When the risks are better known and understood, assess which responses the organisation can appropriately take to them. Differences in the gravity of the impact on the organisation, in the exposure of assets, in probability and in triggers will call for different actions. The appropriate actions can be categorised as mitigating actions, eliminating actions, preventive actions, actions that reduce the consequences and actions for handling the consequences. As the risk management framework is set up for the first time, you will have to decide which action to take if an identified risk occurs. Where a risk can be prevented or mitigated, that action is preferred. Where only the impact of the risk can be mitigated or reduced, the decision criteria for choosing an action include minimising the cost of the action and the potential collateral damage. Once the framework is in place, the decision on which action to take is usually documented (in a script or scenario) and then periodically checked against new insights, revising the action decided on earlier where necessary.

Risk management’s most common activity is monitoring risks. This predominantly involves the risks already identified, but monitoring will also lead to the identification of other or new risks. Monitoring also covers the actions taken to mitigate, prevent or handle risks, and their effect.
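The four phases above, as an added worked example that is not part of the chapter: a small risk register that prioritises risks by a likelihood-times-impact score, applies a prevent-first decision rule for the response, finds the worst-case combination of risks that share a trigger (and so could occur together), and keeps a watch-list of the low-probability, high-impact risks that are easily accepted and then forgotten. The 1 to 5 scales, the risk appetite of 6, the decision rule and the sample register are all assumptions for illustration, not a method the chapter prescribes.

```python
"""Worked risk register: identify, prioritise, analyse, respond, watch.

Added illustration, not the chapter's own material. Scales, thresholds and the
decision rule are assumptions; the sample register is constructed.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    category: str              # operational, financial, safety, technical, ...
    likelihood: int            # assumed 1 (rare) .. 5 (almost certain)
    impact: int                # assumed 1 (negligible) .. 5 (severe)
    triggers: FrozenSet[str]   # events that would make the risk materialise
    preventable: bool = False  # a control can stop the event itself
    action_cost: int = 1       # relative cost of the planned action

    @property
    def score(self) -> int:
        """Likelihood x impact: the usual qualitative prioritisation score."""
        return self.likelihood * self.impact


# Constructed sample register (not real data).
REGISTER = [
    Risk("Credential theft via phishing", "operational", 4, 3,
         frozenset({"phishing campaign"}), action_cost=2),
    Risk("Ransomware outage", "operational", 3, 5,
         frozenset({"phishing campaign", "unpatched server"}), action_cost=4),
    Risk("Data-centre flood", "safety", 1, 5,
         frozenset({"extreme weather"}), action_cost=5),
    Risk("Key supplier insolvency", "financial", 2, 3,
         frozenset({"market downturn"}), action_cost=1),
    Risk("Backup bucket left world-readable", "technical", 2, 4,
         frozenset({"misconfiguration"}), preventable=True),
]


def prioritise(register):
    """Phase 2: rank risks by score, highest first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def choose_response(risk: Risk, appetite: int = 6) -> str:
    """Phase 3 decision rule (assumed): prevention first, then reducing
    likelihood, then reducing or handling consequences. Risks inside the
    appetite are accepted but stay on the register for monitoring."""
    if risk.score <= appetite:
        return "accept and monitor"
    if risk.preventable:
        return "prevent"
    if risk.likelihood >= 3:
        return "mitigate likelihood"
    return "reduce and prepare to handle consequences"


def worst_case(register, size: int = 2) -> Optional[Tuple[Tuple[str, ...], int]]:
    """Analysis step: the combination of `size` risks that share a trigger
    (so can plausibly occur together) with the largest combined impact."""
    worst = None
    for combo in combinations(register, size):
        shared = frozenset.intersection(*(r.triggers for r in combo))
        if not shared:
            continue
        total = sum(r.impact for r in combo)
        if worst is None or total > worst[1]:
            worst = (tuple(r.name for r in combo), total)
    return worst


def off_radar(register, max_likelihood: int = 1, min_impact: int = 4):
    """Watch-list: low-probability, high-impact risks that tend to drift out
    of sight once accepted, and must be re-checked during monitoring."""
    return [r.name for r in register
            if r.likelihood <= max_likelihood and r.impact >= min_impact]


if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.score:2d}  {r.name:<35} {choose_response(r)}")
    print("worst case:", worst_case(REGISTER))
    print("watch-list:", off_radar(REGISTER))
```

Run as a script it ranks the register, prints the planned response per risk, reports the phishing-plus-ransomware pair as the worst plausible combination (both hang off the same trigger), and lists the data-centre flood on the watch-list: its score is low enough to be accepted by the decision rule, which is exactly the kind of risk the monitoring phase has to keep in view.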

The final analysis

Risk management is a model that can be used to understand how to cope with risks. It provides a framework in which, per phase or per activity, several tools and methods can be used both to find the risks and to take appropriate actions. In many businesses and markets, taking risks is part of the game, and risk management is thus a primary function of the organisation.

There is, however, a tendency to place too much emphasis on risk management. Especially when things go sour, organisations (and regulators) tend to overreact and impose a very strict risk management framework on the organisation (or the whole industry). Excess risk management can be counterproductive: risk management is about managing the effects of doing business, but too much of it will inhibit doing business.

Risk management is not an all-encompassing solution: although organisations will identify most of their risks, keeping an eye on them is harder. In particular, risks assessed as having a very low probability tend to drift off the radar, so that when they do occur the organisation is unprepared to take the appropriate action.
