ISO 31000 defines risk as the "effect of uncertainty on objectives". The opening paragraph of the introduction to the standard explains that risk is the consequence of an organisation setting and pursuing objectives in an uncertain environment. The uncertainty arises from those internal and external factors and influences that the organisation does not completely control but that may cause it to fail to achieve its objectives, or may cause delay. These factors and influences can also lead to the objectives being achieved early or exceeded. Risk is therefore neither positive nor negative in itself, but the consequences the organisation experiences may vary from loss and detriment to gain and benefit.
When risk is defined like this, it becomes clearer that managing risk is, quite simply, a process of optimisation that makes the achievement of objectives more likely. Risk treatment is then concerned with changing the magnitude and likelihood of consequences, both positive and negative, to achieve a net increase in benefit. Controls are the outcomes of risk treatment, and their purpose is to modify risk. It also follows that risks are not events or merely consequences. They are descriptions of what could happen and what it could lead to, in terms of how objectives could be affected.
In the past, it has been common for risk to be regarded solely as a negative concept that organisations should try to avoid or transfer to others. However, it is now widely understood that risk is simply a fact of life and is neither inherently good nor inherently bad. To avoid it entirely is to forgo the opportunity of pursuing objectives. If we can successfully detect and understand risk, including how it is caused and influenced, we can, if necessary, change it so that we are more likely to achieve our objectives and might even do this faster, more efficiently, and with improved results.
Risks are either changed or created in every decision people make: how those decisions are made and the information they are based on will affect whether objectives are achieved in a reasonable time scale. Decision-making is, in turn, an integral part of day-to-day existence, and nowhere is it more prominent in an organisation than at times of change and when responding to external or internal developments. This is why risk management is an inseparable aspect of managing change and other forms of decision-making.
An organisation with advanced risk management will feature the following characteristics:
- An emphasis is placed on continual improvement in risk management through the setting of organisational performance goals, measurement, and similar practices;
- There is comprehensive, fully defined, and fully accepted accountability for risks, controls, and risk treatment tasks;
- All decision-making within the organisation involves the explicit consideration of risks and the application of risk management to some appropriate degree;
- There is continual communication with external and internal stakeholders, including comprehensive and frequent reporting of risk management performance, as part of good governance; and
- Risk management is viewed as central to the organisation's management processes, such that risks are considered in terms of the effect of uncertainty on objectives.
The central spine of the risk management process is concerned with preparing for and then conducting risk assessment, leading, as necessary, to risk treatment. The process starts by defining what the organisation wants to achieve and the external and internal factors that may influence success in achieving those objectives. This step is called establishing the context and is an essential precursor to risk identification. Risk assessment comprises the three steps of risk identification, risk analysis, and risk evaluation. Risk treatment is the process by which existing controls are improved or new controls are developed and implemented. It involves evaluating and selecting from options, including analysis of costs and benefits and assessment of new risks that might be generated by each option, and then prioritising and implementing the selected treatment through a planned process. If this process is followed, the systematic way in which the risks have been assessed means that risk treatment can proceed with confidence.
At the end of this session, participants will be able to do the following (among other things):
- Discuss the definition of risk (ISO 31000)
- Describe the nature of risks to organisations
- Discuss the characteristics of an organisation with advanced risk management
- Discuss the hierarchy of risk control