Recent events in the world have brought risk into higher profile. Terrorism, extreme weather events and the global financial crisis represent the extreme risks that are facing society and commerce. These extreme risks exist in addition to the daily, somewhat more mundane risks mentioned above.
Evaluating the range of risk responses available and deciding the most appropriate response in each case is at the heart of risk management. Responding to risks should produce benefits for us as individuals, as well as for the organizations where we work and/or are employed.
Within our personal and domestic lives, many of the responses to risk are automatic. Our ways of avoiding fire and road traffic accidents are based on well-established and automatic responses. Fire and accident are the types of risks that can only have negative outcomes and they are often referred to as hazard risks.
Certain other risks have established or required responses that are imposed on us as individuals and/or on organizations as mandatory requirements. For example, in our personal lives, buying insurance for a car is usually a legal requirement, whereas buying insurance for a house is often not, but is good risk management and very sensible.
Keeping your car in good mechanical order will reduce the chances of a breakdown. However, even vehicles that are fully serviced and maintained do occasionally break down. Maintaining your car in good mechanical order will reduce the chances of breakdown, but will not eliminate them completely. These types of risks that have a large degree of uncertainty associated with them are often referred to as control risks.
As well as hazard and control risks, there are risks that we take because we desire (and probably expect) a positive return. For example, you will invest money in anticipation that you will make a profit from the investment. Likewise, placing a bet or gambling on the outcome of a sporting event is undertaken in anticipation of receiving positive payback.
People participate out of choice in motor sports and other potentially dangerous leisure activities. In these circumstances, the return may not be financial, but can be measured in terms of pride, self-esteem or peer group respect. Undertaking activities involving risks of this type, where a positive return is expected, can be referred to as taking opportunity risks.
Organizations face a very wide range of risks that can impact the outcome of their operations. The desired overall aim may be stated as a mission or a set of corporate objectives. The events that can impact an organization may inhibit what it is seeking to achieve (hazard risks), enhance that aim (opportunity risks), or create uncertainty about the outcomes (control risks).
Risk management needs to offer an integrated approach to the evaluation, control and monitoring of these three types of risk. This book examines the key components of risk management and how it can be applied. Examples are provided that demonstrate the benefits of risk management to organizations in both the public and private sectors. Risk management also has an important part to play in the success of not-for-profit organizations such as charities and (for example) clubs and other membership bodies.
The risk management process is well established, although it is presented in a number of different ways and often uses differing terminologies. The different terminologies that are used by different risk management practitioners and in different business sectors are explored in this book. In addition to a description of the established risk management standards, a simplified description of risk management that sets out the key stages in the risk management process is also presented to help with understanding.
The risk management process cannot take place in isolation. It needs to be supported by a framework within the organization. Once again, the risk management framework is presented and described in different ways in the range of standards, guides and other publications that are available. In all cases, the key components of a successful risk management framework are the communications and reporting structure (architecture), the overall risk management strategy that is set by the organization (strategy) and the set of guidelines and procedures (protocols) that have been established. The importance of the risk architecture, strategy and protocols (RASP) is discussed in detail in this book.
Most risk management publications refer to the benefits of having a common language of risk within the organization. Many organizations manage to achieve this common language and common understanding of risk management processes and protocols at least internally. However, it is usually the case that within a business sector, and sometimes even within individual organizations, the development of a common language of risk can be very challenging.
Reference and supporting materials have a great range of terminologies in use. The different approaches to risk management, the different risk management standards that exist and the wide range of guidance material that is available often use different terms for the same feature or concept. This is regrettable and can be very confusing, but it is inescapable.
Attempts are being made to develop a standardized language of risk, and ISO Guide 73 has been developed as the common terminology that should be used in all ISO standards. The terminology set out in ISO Guide 73 will be used throughout this book as the default set of definitions, wherever possible. However, the use of a standard terminology is not always possible and alternative definitions may be required.
To assist with the difficult area of terminology, Appendix A sets out the basic terms and definitions that are used in risk management. It also provides cross reference between the different terms in use to describe the same concept. Where appropriate and necessary a table setting out a range of definitions for the same concept is included within the relevant chapter of the book and these tables are cross-referenced in Appendix A.
Failure to adequately manage the risks faced by an organization can be caused by inadequate risk recognition, insufficient analysis of significant risks and failure to identify suitable risk response activities. Also, failure to set a risk management strategy and to communicate that strategy and the associated responsibilities may result in inadequate management of risks. It is also possible that the risk management procedures or protocols may be flawed, such that these protocols may actually be incapable of delivering the required outcomes.
The consequences of failure to adequately manage risk can be disastrous and result in inefficient operations, projects that are not completed on time and strategies that are not delivered, or were incorrect in the first place. The hallmarks of successful risk management are considered in this book. In order to be successful, the risk management initiative should be proportionate, aligned, comprehensive, embedded and dynamic (PACED).
Proportionate means that the effort put into risk management should be appropriate to the level of risk that the organization faces. Risk management activities should be aligned with other activities within the organization. Activities will also need to be comprehensive, so that any risk management initiative covers all the aspects of the organization and all the risks that it faces. Finally, risk management activities should be dynamic and responsive to the changing business environment faced by the organization.