Guest Post by Andrew Sheves (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Asking ‘what is risk management?’ often gets you the trite answer ‘it’s the management of risk’ or we get a list of activities associated with risk management. Neither result is satisfying and we need a better definition that explains the intent of risk management along with some clarification of what this is and is not. Here, I’ve presented some initial ideas on a definition along with four components that should give us a more thorough definition.
Not having an essay on risk management itself seems like an oversight on a site about risk management, but it turns out that tackling this a few years in is helpful for a couple of reasons.
First, many the building blocks of what we consider to be risk management have been discussed previously, so it’s easier to refer to back to these.
Second, the question ‘what is risk management?’ isn’t as easy to answer as it initially seemed, so anything I wrote before now would probably have been a bit superficial.
So although I initially worried that this was a massive oversight, I’m glad that I waited a while to tackle this.
So what is risk management?
The simple answer is obvious: risk management is the management of risk. (There’s more on risk itself here.)
We could then list all of the things that make up risk management to develop a basic definition. So risk management is conducting risk assessments, conducting risk governance, and so on. This is what some definitions will do and it’s not a terrible as a start point. Unfortunately, listing the associated actions is not the same as thoroughly defining risk management.
This is the same challenge as not being objectives-led: you can work through a set of actions and produce outcomes, but without a clear purpose, you’re unlikely to achieve your objective. You’ll just be going through the motions.
So we need a better idea of what risk management is for – what’s the objective? – if we want to be successful.
Unfortunately, that’s not as straightforward as we might like.
Before risk management, there’s risk
Before we get into risk management, we should define risk. Risk is a function of uncertainty (e.g. ‘risk is the effect of uncertainty on objectives’ (ISO 73)), so risk management is the management of uncertainty.
But what do we mean by uncertainty? Uncertainty or fuzziness can come from several sources:
- Incomplete data
- Things we cannot know or that have no precedent
- Disagreement between parties
- Inconsistent data or randomness
We can take some steps to reduce uncertainty, but we cannot eliminate it altogether. Some pieces of the puzzle will remain incomplete because data are unknowable, change frequently, or are genuinely random, defying analysis. In some cases, the effort required to gather all the information would overwhelm everything else.
Therefore, defining risk management as the elimination of uncertainty is setting ourselves up for failure.
And this isn’t just impractical. Without uncertainty, there’s no serendipitous encounter when you meet your soulmate, no surprise parties, or unexpected research breakthroughs. Oh, and no financial markets or start-ups.
So we can’t and don’t want to eliminate uncertainty, but we do want to limit it, which gives us part one of our definition.
Risk management 1 – Improving understanding
So instead of managing uncertainty, let’s say risk management should reduce uncertainty as much as practical while accepting that some unknowns will remain.
By practical, we mean that we accept that we’re limited by the data available and the resources available to process that data. We also acknowledge that unknowns exist due to either a lack of information, randomness, or because there’s no past-precedent (e.g. a Black Swan).
Therefore, within these limits, we can say that risk management’s first function is to improve certainty or understanding.
Risk management 2 – Preparing for change
Although we’ve established that some uncertainty will always remain, there will also be changes that you can anticipate. These might be scheduled market events, recurring weather patterns, or events that happen with some degree of frequency, such as system failures or outages.
These events are not strategic surprises – you know something is very likely to occur – but the time and place are unknown, hence it is a tactical surprise.
Preparing for these kinds of events is what we do with our risk assessment process and develop measures to address identified risks using something like the A4T options: avoid, tolerate, treat, transfer, and terminate.
These measures help us prepare for, or react to, the change that occurs if a threat emerges or an opportunity arises.
Therefore we can say that the second element of risk management is to prepare the organization for change.
(Note that this is different from organizational change management which focuses on guiding an organization through a process of planned change. Here we are talking about change that the organization had not planned to undertake.)
Risk management 3 – Preparing for when things go wrong
Unfortunately, things can still go wrong, despite all of the preparations we’ve discussed already. Your response to an anticipated event could fail or be overwhelmed, or there could be a genuine Black Swan for which you’re unprepared.
Therefore, we need contingencies for both the events where we have some idea of what might occur and for those that are wholly unanticipated. For events that we can map out in advance, we can build specific contingencies. These will be scenario-specific and can be very detailed, possibly only requiring a start time and location to initiate.
For events where there is greater uncertainty, we can build general contingencies. These are more likely to be a set of individual tools that we combine to develop a specific response to a particular scenario.
Because of the higher degree of uncertainty involved, it’s less likely that we can do much about the threat or vulnerability elements of the risk because it’s already underway when we start to respond. Therefore, a lot of this activity will focus on reducing the impact of the event. Similarly, if it’s an opportunity that presents itself, you’ll be looking to maximize the upside.
Similar to how the ‘preparing for change’ component rubs up against change management, this starts to overlap with incident management. However, we’re focused here on the preparation, not the execution. When something goes wrong, the risk manager could be the incident manager, but this isn’t inevitable.
The risk manager also doesn’t have to be the one to develop these contingency plans – that’s the purview of the subject matter experts – but the risk manager is best-placed to ensure that contingencies are in place to manage planned and unanticipated events. This is similar to the idea that the risk manager doesn’t manage every risk, but she is responsible for seeing that every risk is managed.
So the third element of our definition of risk management is to prepare for when things go wrong.
Risk management 4 – Balancing
So far, a lot of what we’ve covered will be fairly recognizable, particularly if you’re familiar with the KISS risk management philosophy and the other articles on the subject.
However, this next part is where I’m going get a little over my skis. I want to introduce another concept that I haven’t tackled before, which relates to balancing your risks.
As something of a confession, balancing is something I’ve always done informally but, if I’m honest, I haven’t thought about this formally until now. This is an oversight on my part, and I think I was hiding behind the excuse that I didn’t do any technical risk management and that operational or non-technical risks were more spongy. However, that’s probably just a way to excuse my laziness and lack of intellectual curiosity.
However, I’m writing mid-COVID-19 and am appalled at our inability – notably the inability of political leaders – to balance (or even compare) risks. I’ve also been working my way through Nassim Nicholas Taleb’s Antifragile, which is both through-provoking and provocative. Both of these factors have pushed me to think about this idea of balancing more thoroughly.
Finally, because I’m a little late to this party, there’s also the danger that I’m about to present a Great Discovery Of Real Importance, which is actually what everyone else has been doing all along, so apologies in advance if that’s where we end up.
So back to balancing
By balancing, I mean comparing the upside and downside risks, or risks and opportunities, and then taking appropriate action to get into a position where you are net-positive. In simpler terms, we want our benefits to outweigh the costs. (So technically, this is imbalancing because we want the upside to beat the downside.)
This whole idea of balancing might seem like the purview of a Chief Risk Officer, sitting at a desk the size of a tennis court, making weighty decisions with the CEO. (Probably the idea I had stuck in my mind.) And while there’s certainly a lot of balancing and comparison that will take place at the top, it’s not just a C-suite activity.
Instead, this should extend all the down through an organization so that balancing becomes ingrained at every level.
This is similar to the difference between a top-down, centralized risk management system versus a bottom-up, decentralized set-up.
In a centralized risk management system, risks are reported and submitted into a single system where a centralized group will determine what’s acceptable, unacceptable, and what measures to take. This group will also look at the overall risk environment to determine if this is in balance or where to make adjustments.
In a decentralized system, risk assessment and balancing occur at every level, similar to how departments manage and balance their individual budgets. Departments might not always be able to achieve this – an R&D team might always have a risk deficit – but there’s still an organizational component that looks at the overall risk environment to keep the whole system properly balanced.
The optimum set up, where we start to move beyond merely being robust to being what Taleb calls antifragile, is where the downsides are capped but the potential benefits are tremendous.
(See a summary here or read Taleb if you have the time, fortitude, and temperament).
An excellent example of this kind of positive imbalance is how Richard Branson started Virgin Airlines leasing second-hand 747s from Boeing. If the airline failed, he could return the aircraft and only be out of pocket for the leasing and operating costs up to that point. He capped the downside.
However, if he succeeded, as he did, the upside was immense. Hence the original Virgin Airways was antifragile because of this imbalance.
It’s also notable that the current – mid-2020 – Virgin Airways is no longer antifragile and is instead extremely fragile due to the downturn in travel because of COVID-19. Virgin has had to take out significant loans to continue operation and Branson was even offering his personal property as collateral at one stage. This would seem to be about as fragile as you can get. So even the antifragile can become fragile.
So that’s a long way of saying that risk managers at every level and in every sector, not just the technical ones, need to be actively involved in this balancing process.
Therefore, the final element is that risk management aims to balance the organization’s risks, ideally generating an imbalance where the positives outweigh the negatives.
And as a final reminder, I am the laggard here: if this is what you’ve been doing all along, Bravo! And shame on me.
A more simple definition
I recognize that there’s a lot here and too much to include in a glossary or job description, so we need a more straightforward answer to the original question of what is risk management? Therefore, as a start, I’d propose the following:
Risk management helps optimize organizations for success by preparing them to adapt to change. The four components of this are:
– Reducing uncertainty as much as practical
– Addressing identified risks
– Developing specific contingencies to address anticipated events and general contingencies for unanticipated events
– Building tools to limit losses and maximize benefits (balancing)
This definition might need more work, but I think it’s a decent start and certainly more useful than ‘risk management is the management of risk.’ Furthermore, even though there are four activities listed, we now have a unifying purpose putting these into context.
Postscript. Do we need to define risk management at all?
But do we need all of these definitions to manage risk effectively?
In the same way that you don’t need to understand physics to ride a bicycle, there are lots of people managing risk successfully without understanding the specifics of risk vs. threat or ever having opened a spreadsheet. They are effective practitioners based on their practical experience instead of theoretical knowledge. (I was reasonably effective as a security and risk manager for the best part of a decade before I got my degree.)
So you can undoubtedly be a practitioner, and a successful one, without an in-depth knowledge of the subject. ‘Instinctive’ System 1 thinking, based on a deep understanding of a field, can be very effective. (“System I operates automatically and quickly, with little or no effort and no sense of voluntary control.” Kahneman.)
However, there is some benefit to having more in-depth knowledge for a few reasons.
First, we rarely work in complete isolation, so there’s going to be a need to explain things to others. Being able to explain what would otherwise appear to be instinct can be helpful when persuading or explaining things to others. It also helps when you have to teach someone else tools and heuristics (rules of thumb) to build their own expertise.
Second, if you move outside of your particular area of expertise, your System 1 thinking might let you down as this can be very domain-specific. Instead, you need a set of frameworks and tools to give you a head start.
Third, we can build more robust, better models when we codify and refine rules based upon experiential lessons. So instead of starting with a theory and seeing if it fits, we distill our experiences into theories that we then improve and build on. Experience-based theories are also less prone to being too narrow as each experience will have a slightly different context. That means you are less likely to make a false assumption based on a single element.
For example, is an athlete successful because they put their socks on in a particular way, or is their success based on thorough preparation, part of which is how they put on their socks? (I would say it’s the preparation but you could come away with the impression that it’s all about the socks if you didn’t take a moment to think about things.)
It’s this last part that I think is most important. There’s a lot to be said for relying on proven techniques and heuristics passed down from generation to generation. These have been tested and refined over decades, centuries in some cases, and survive because they’re effective. But, they’re effective in what could have been a narrow set of circumstances and fail when the situation changes.
So if all you have are these rules of thumb, learned by rote, you have no way of building a new model to address a different situation without a great deal of trial and error. However, if we pair the timer-worn lessons-learned with their theoretical underpinning, we can establish models and frameworks that will adapt to new circumstances.
This is of particular importance as we think back to this core idea of uncertainty, which only increases as systems become more complicated, intertwined, and the outcomes more unpredictable. Therefore, the answer to the postscript is yes, we do need a definition for risk management and an understanding of all the associated components.
But that must be coupled with a practical understanding because, as Yogi Bera said, “In theory there is no difference between theory and practice. In practice there is.”
Andrew Sheves Bio
Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d’etat, and kidnapping.