Risk and Risk Management

… a core concept used in Implementation and Delivery and Atlas107


Concept description

Andrew Graham (reference below) defines risk as

“an event or circumstance in the future that could significantly enhance or impede the ability of an organization to achieve its current or future business objectives.” (p. 15)

and risk management as:

“the process of managing risk through the following steps:

  • Understanding the risks to the business
  • Building vigilance into the organization in a systematic way through effective controls, operational measurement and strategic scanning
  • Creating a culture that encourages effective risk identification, mitigation and monitoring
  • Orderly management of the process
  • Linking risk management to rewards and resourcing
  • Communicating to the organization, its stakeholders and owners.” (p. 17)

Positive as well as negative

Graham uses a “balanced” definition of risk that includes both the positive and the negative elements. He notes that there are many valid definitions of risk, but that the one an organization chooses should reflect its real needs.

“The choice of how you define risk will also drive the way in which you approach it. Some will focus on the possibility of loss or threats to the organization. Others will be concerned about financial issues. Others will deal with errors or the possibility of mistakes being made. Some will focus on public reactions, stakeholder interests or political embarrassment. Complex organizations will have to deal pretty well all of these. Be careful how you define risk. Avoid being entirely negative. A focus on error or threats alone will certainly lead to a focus on controls and risk avoidance. This may well cost the organization some opportunities or possibilities to actually use risk management to effectively advance their objectives and even improve on them. Not all risk is bad.” (p. 15)

“Risk is good. It creates opportunities. It forces an organization to look at events or weaknesses in terms of its objectives. It also makes an organization aware of its vulnerabilities and pushes it to do something about them. You cannot claim that all risks will ever be eliminated. That is foolhardy and unrealistic. However, having a systematic approach to risks, which is the essence of risk management, guarantees that you will have the tools to reduce the negative effects to the best extent possible and identify the potential for positive use of risk. Of course, in these days of increased oversight and accountability, it also demonstrates sound management and is increasingly an expectation of boards, oversight and standards setting bodies and governments and their external auditors.” (p. 16)

See also Leslie Pal’s discussion of Risk in Public Management including the International Organization of Standards definition of risk as a “combination of the probability of an event and its consequences.”

Atlas topic, subject, and course

Managing Risk (core topic) in Implementation and Delivery and Atlas107.

Sources

Andrew Graham (2008), Integrated Risk Management Implementation Guide, free e-book at http://www.andrewbgraham.ca/integrated-risk-management-implementation-an-e-book.html, accessed 21 September 2017.

Page created by: Ian Clark, last modified 21 September 2017.
