The Risk Management View - How the Machine Looks From the Inside
Risk Management is a philosophy of management science that sees an organisation's state in terms of the balance of its risk and opportunity portfolio. An organisation with in a steady state will experience a rise in the value of opportunities commensurate with a rise in the volume or value of risk, while a destructively unstable scenario would be rising risks with falling opportunity and while rising value of opportunities with steady or falling risks might indicate either a desirable growth pattern or under achievement of opportunities.
In its most common implementation today, risk management focuses on the risk side of the equation. With this constraint to its domain, risk management sees the universe as a variably dangerous place measured in terms of the likelihood of an event that might be a cause of some consequence that will have a measurable impact. A group of such events with shared impacts is a risk. A risk might have a severity (based on the likelihood of its various triggering events and the worst case scenario of the impacts of those causal triggers) and it might have a value based on the impacts. With or without the value one view of risk management might claim that risk management is about cost minimisation (in terms of anything measurable like money, brand value, social standing, votes won, etc). Minimising cost does not mean minimising risk itself necessarily as other factors may influence that decision such as the risk appetite (willingness to tolerate a level or type of risk), and confidence in the dependent opportunities (not measured in a risk-only model).
The causes and consequences of a risk might be seen, through their likelihood and impact respectively, to imply a particular inherent level of risk, once we know the risks we naturally do things to either prevent the triggers from occurring, to know when they have, and to respond with corrective action in the event that a risk manifests as an occurrence. We call these things controls or strategies, and would be right to think that this should moderate our value for a given risk in some way.
The risk manager might accommodate this control impact in multiple ways depending on the risk model in use:
- By rating the controls themselves and reducing the total risk rating by applying this value in some way to the inherent risk and getting a rating of the risk remaining after controls are added - commonly known as the residual risk. The ratings of controls and strategies is in-exact in itself and the addition of additional data for control ratings may be no more reliable than the instinctive feel for the control impact required in approach 2. Considerably more rigour may be needed in the controls understanding than is common in management.
- By rating the likelihood and impact of a risk again AFTER the raters have considered the controls thus having two ratings measuring likelihood and impact : inherent and residual. Under this approach the control impact is assumed in the revised likelihood and impact ratings. Controls should not be rated as a risk group, but can be rated separately to inform the residual likelihood and impact ratings. This method provides no way to reliably analyse the cost-effectiveness of individual control strategies from the resulting ratings.
Together these components describe the essence of the model through which risk managers view the organisation and thence the universe through which the organisation moves. With a risk only view the risk manager sees a health index in terms of risk to the organisation.
The Risk Management Function - Keeping the Machine Healthy
The risk manager uses the risk model to view the health state of an organisation. The risk manager improves and protects that state by managing essentially the input variables of the model. This includes:
- facilitating the process of identifying risks and their properties and the process of rating the risks.
- ensuring that every risk has a clear management responsibility attached to it.
- ensuring strategies have been devised to prevent (to some degree) causes where possible, to detect causes when they trigger and to mitigate consequential impacts.
- ensuring executive and governors are properly informed of the risk profile and changes therein over time.
- ensuring the accuracy of the model through actions such as regular review and re-rating of risks, monitoring strategy progress.
Articles in this topic:
Topics covered by articles include:
- Risk Management - Introduction
- BPC RiskManager Software Suite
- Managing Risk in Mergers & Acquisitions
The full category is available from: Risk Management Topics