Risk management is a set of processes and procedures that help organizations identify, assess, and control potential issues that can put assets in jeopardy. Risk comes in many forms, such as financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents, and natural disasters.
Every organization must contend with risk. Understanding risk management, as it pertains to the operations of an organization, is the first step in setting up effective controls to keep risk in check.
A common mistake when defining risk management is conflating it with threats. Risks are not threats. Risk is what could happen. A threat is an actuated risk or a risk that has become a specific, imminent incident. By understanding the risk management objective and what assets are at risk, it is possible to be proactive and discover vulnerabilities before they become problems.
It is important to note that individual risk differs significantly from risk management for organizations. The biggest difference is scale. An organization’s risk footprint is not only larger, but far more complex than an individual’s.
In addition, organizations’ risk goes beyond the pieces they directly control. They must also consider the risk management liability for each of the third parties they work with—from supply chain partners to cloud service providers.
Risk management programs consider risk in several core categories:
- Compliance
- Digital, including:
  - Cybersecurity
  - Automation
  - Data privacy
- Economic
- Environmental
- Financial
- Legal
- Operational
- Political
- Quality
- Reputational
- Strategic
“Results from major situations, events, circumstances, acts or inactions that may negatively influence an entity’s capacity to achieve its objectives and execute its plans.”
-Business risk, according to the American Institute of Certified Public Accountants (AICPA)
Why risk management is important
Organizations cite risk management as an important process for many reasons, including:
- Drives awareness of risk across organizations
- Enables future growth by protecting assets
- Enhances operational efficiency through more consistent application of risk processes and control
- Ensures that high-priority risks are addressed as aggressively as possible
- Gives organizations the necessary tools to identify and address potential risks
- Improves security for employees and customers
- Increases confidence in organizational objectives and goals
- Protects organizations from different types of loss related to risk
- Provides organizations with a structured process for sound decision-making
- Supports compliance with regulatory and internal compliance mandates
Additional reasons risk management is important include:
- Facilitates project success by increasing awareness of hazards that can create project roadblocks or increase costs. Because a well-run risk management program takes a holistic view of organizations, projects benefit from its continuous search for risks.
- Increases productivity and efficiency by ensuring that workplaces are safe and eliminating distractions caused by unchecked risks.
- Limits the chances of reputational issues by proactively identifying and mitigating risks that can cause issues that result in negative public attention.
- Makes workplaces safer by increasing visibility and awareness of risks and organizations’ ability to address them proactively. With risk management programs in place, trends related to losses and injury are identified early, so changes can be made to mitigate associated risks.
- Minimizes unexpected events with its forward-looking approach. Risk management programs are often credited with forestalling serious trouble as part of their constant vigilance and proactive response to risk in an organization.
- Provides financial benefits by minimizing the direct and indirect costs of threats and incidents.
- Reduces uncertainty, because risk management programs provide systems for identifying and exposing risks. This clarity of the risk landscape is credited with reducing uncertainty and providing derivative increases in productivity and efficiency.
The risk management process
One of the most widely used risk management processes was developed by the International Organization for Standardization, a standards body commonly known as ISO. It includes five steps that any type of organization can use to determine the best risk management approach.
Step one: Identify the existing risks
To gain a complete view of risk across an organization, it is necessary to bring in managers and employees from key functional areas to consider the risk in their groups. The first step in this phase of the risk management process is to identify all the events that can impact the organization. Participants should be encouraged to think about day-to-day risks and worst-case scenarios.
Step two: Analyze the identified risks
Once risks have been identified, the next step is to evaluate them. There are two types of risk analysis—qualitative and quantitative.
- Qualitative risk analysis
  Assesses the probability and impact of a risk
- Quantitative risk analysis
  Assesses the financial impact or benefit of a risk
Step three: Prioritize risks
Risk prioritization determines the order in which risks are addressed and the best risk management approach. Taking time to prioritize risks saves time and money as well as ensures that the most significant vulnerabilities are addressed in a timely fashion.
Step four: Address the risks
Once risks have been identified and prioritized, the next step focuses on mitigation to prevent them from becoming threats and to stop them from recurring. Risk mitigation actions should be assigned to a person or team. In addition, deadlines and reporting criteria should be established.
Step five: Monitor results and be prepared to take further action as necessary
Risks and the actions taken to remediate them must be carefully monitored. Reports, based on risk monitoring, ensure that any flare-ups are quickly identified, so further remediation actions can be implemented swiftly to minimize potential damage.
Responding to risk
The five main responses to risk are avoidance, reduction, sharing, transfer, and acceptance.
Risk avoidance
A risk avoidance response is typically taken when an organization wants to eliminate uncertainty. This response involves not engaging in any activity that has the potential for risks that could negatively impact the organization.
Risk reduction
With a risk reduction response, the organization minimizes the risk and accepts its potential effects rather than eliminating it through risk avoidance. A risk reduction approach is usually taken when the risk exposure can be reduced to an acceptable level.
Risk sharing
Shared risk occurs when the potential loss is transferred to a larger group to minimize those potential losses. This type of risk management arrangement allows organizations to accept a higher level of risk than they normally would, based on their risk tolerance.
Risk transfer
An example of transferring risk is using insurance to cover possible damage or injury. Risk and associated liabilities are contractually transferred to a third party in this case.
Risk acceptance
Despite best efforts, risk cannot be eliminated. Residual risk is what remains after risk avoidance, risk reduction, risk sharing, and transferring risk. In some cases, organizations decide that the potential benefit derived from a process or activity sufficiently outweighs the risks. In these cases, the organization will accept the residual risk, but should implement strict monitoring procedures.
Risk management challenges
- Errors in assessing the probability or the size of risk-related losses
- Failure to include known risks in assessments
- Failure to monitor, report, and manage risks
- Failure to use appropriate risk metrics
- Inaccurate measurement of known risks
- Poor communication with top management about risks
- Rapidly changing risk characteristics
- Risk-related decisions made without proper information or based on an overly optimistic perception of the risk position
Risk management standards
Several standards, frameworks, and guidelines are available to direct risk management program efficacy. Examples include the following.
COBIT risk management framework
The COBIT (Control Objectives for Information Technologies) risk management framework focuses on the management and governance of enterprise IT. Developed by the Information Systems Audit and Control Association (ISACA), it was created to establish reliable auditing standards.
COSO enterprise risk management framework
The COSO enterprise risk management (ERM) framework provides a set of twenty guiding principles to help organizations effectively manage risk. The framework’s principles are organized under five interrelated categories with the intent of integrating risk into and tying it to operational performance. The five categories are:
- Governance and culture
- Information, communication, and reporting
- Performance
- Review and revision
- Strategy and objective-setting
ISO 31000
This ISO (International Organization for Standardization) standard:
- details ERM principles
- provides a framework for applying risk management strategies to operations
- outlines a process for identifying, evaluating, prioritizing, and mitigating risk
NIST risk management framework
The NIST (National Institute of Standards and Technology) risk management framework (RMF) helps federal organizations assess and manage risks to IT systems by ensuring the security of defense and intelligence networks. Federal agencies are required to comply with this framework, but other organizations also follow its guidelines.
RIMS risk maturity model (RMM)
The RIMS (Risk Management Society) RMM framework provides guidance for how to assess risk management programs in five categories: strategy alignment, culture and accountability, risk management capabilities, risk governance, and analytics.
Costs associated with risk
The costs of risk encompass all the expenses associated with risk management and any exposures or losses attributed to risk, such as:
- Adverse publicity and public opinion
- Civil or statutory legal fees, fines, judgments, and liabilities
- Claim management expenses
- Cost of investigation, legal fees, fines, and awarded judgments
- Cost of mitigating risks
- Damages to physical assets that must be repaired or replaced
- Decrease in production capability
- Diminished worker productivity
- Higher potential insurance premiums
- Increase in expenses or reduction of revenue due to loss
- Key personnel loss (e.g., due to death, disability, retirement)
- Loss adjustment expenses
- Loss of market share
- Loss of property
- Loss of reputation
- Net insurance proceeds
- Payments made due to the death, disability, or resignation of employees
- Reduced brand exposure and product placement
- Reductions in revenue
- Retained losses (e.g., deductibles, retention, exclusions)
- Risk control costs
- Risk management program administration costs
- Transfer costs
- Uninsured retained losses
Creating a risk management plan
When creating a risk management plan, an organization must determine its risk appetite and tolerance. An organization’s risk appetite is the amount of risk it will accept. Risk tolerance is how much risk can be incurred beyond the organization’s acceptable risk appetite. Whatever level of risk an organization takes, the plan should be integrated and aligned with the organization’s overall strategy.
In addition to detailing the enterprise’s risk appetite and tolerance, the risk management plan specifies how risk will be managed. It includes:
- the organization’s risk approach
- roles and responsibilities for those involved in risk management
- what resources will be allocated to manage risk
- the program’s policies and procedures
The core elements of a risk management plan are:
- Communication and consultation to ensure the success of the risk management plan by raising awareness about what it is and why it is needed.
- Establishing the organization’s acceptable level of risk, taking into consideration factors such as overall objectives, culture, and compliance requirements.
- Defining the risk scenarios that could positively or negatively impact the organization and maintaining records of these to guide risk management program actions.
- Analyzing identified risks to determine how likely each is to turn into a threat and how severe the impact on the organization would be if this occurs.
- Monitoring risks and, if a risk escalates, applying treatments using agreed-upon controls and processes, and then following up to confirm that the risk was mitigated to an acceptable level.
Some widely followed risk management best practices are also worth noting. A risk management program should:
- Enforce continuous monitoring and improvement
- Follow a structure that is:
  - Adaptable to meet changing requirements and environments
  - Based on accurate information
  - Systematic and structured
  - Tailored to the unique needs of the organization
  - Transparent and all-inclusive
- Generate value for an organization
- Have an integral role in an organization’s operations
- Identify and address any uncertainty
- Serve as a critical factor in management’s decision-making processes
Risk management value
A successful risk management program is more than the sum of its parts; it not only proactively identifies vulnerabilities and staves off threats, but elevates the reputation of organizations. This is because risk management gives employees, customers, partners, and other stakeholders confidence in the enterprise’s ability to operate smoothly and protect their interests.