Risk Management is a general term that collectively denotes the techniques, practices or behaviors that aim to identify, measure and mitigate risks to an individual or an organization. Informal Risk Management as practiced by individuals is the domain of intuitive decision making which typically does not involve rigorous Risk Analysis, does not require additional training and does not employ elaborate tools or methodologies.
Risk management includes the culture, processes and structures that are put in place to effectively manage potential negative events. As it is in general not possible or desirable to eliminate all risk, the objective is to reduce risks to an acceptable level (formally termed Risk Appetite).
In professional / organizational contexts the need to better manage risks has elevated the concept of risk management into a separate discipline with more formally specified language, rules and tools. The wide applicability of risk management in very different domains of activity means that only some high level concepts may be shared among them.
Note: The term risk management is frequently used as a synonym of Risk Mitigation, but in the overall process this is only the third element in the general sequence:
- Risk Identification, apply an analytical approach to the task of identifying, classifying and enumerating the various risks that an organization is facing
- Risk Measurement, quantify (produce numerical measures) for the risks to an organization that are amenable to such quantification
- Risk Mitigation, reduce or eliminate perceived risks exercising whatever options are available to do so
A Risk Management Framework is a formal set of rules, policies, prescriptions, tools etc. that indicate how an entity organizes its risk management activities. Implementation of the framework may be a legal requirement (e.g. imposed by regulators) or a best-practise prescription (e.g. developed by a sectoral association of businesses).
Examples of formal, high level, risk frameworks are
Enterprise Risk Management
The concept of Enterprise Risk Management aims to provide an over-arching framework for the effective and consistent application of risk management in an enterprise context. It is not a universally accepted approach (see Risk Silo. Similar objectives are found under the names Holistic risk management or Integrated Risk Management.
Risk Management Domains
In certain domains there are detailed, fully specified frameworks for the systematic application of risk management concepts. Further, entire business sectors such as Financial Services or the Insurance industry may have a substantial part of their business models and added-value deriving from the expert management of certain risks.
A partial list of such sub-domains inlcudes:
- Financial Risk Management as applied by entities exposed to Financial Risk is a well developed risk management framework. A customary subdivision follows the predominant subdivision of financial risks by Risk Type
- Insurance Risk Management for any of the risk types that are underwritten by the insurance industry
- Project Risk Management, focusing on risk management of a defined project
- Safety and Health Risks as practiced by firms
- Natural Disaster Risks as practiced by public entities
In contrast with the formal, documented and organized nature of Risk Frameworks, the concept of Risk Culture captures less tangible but equally relevant aspects of risk management. It denotes the combined set of institutional/corporate Values, norms, attitudes, competencies and behaviour related to risk awareness (perception of risk) and risk taking (active management decisions) that determine a firm’s or organizations commitment to and style of risk management
Issues and Challenges
Risk Management is still a young discipline. While elements of risk management are practised very widely in diverse individual, commercial or public sector settings, Risk Management is not a widely recognized academic discipline. Most of the body of risk management knowledge being developed is in the context of specific sectoral / professional groups
- There is a long running debate about the meaning of Risk versus Uncertainty
- Inherent versus Residual risk (After the application of risk controls)
Given its less tangible and behavioural character, a problematic risk culture is harder to identify or improve
- Organizational resistance to rigorous risk management can occur at any level of an organization, as it may
- interfere with existing practices, hierachies and internal organizational arrangements
- conflict with existing incentive schemes
- The Risk Silo phenomenon. Reflecting the challenge of integrating a consistent overall view on risk across diverse activities
- The prevalence of various unrecognized biases that might interfere with any of the stages of identifying, measuring or managing risk
- Blind spots. In the most extreme case biases may manifest as smaller or larger blind spots, namely areas of risk that are, wittingly or unwittingly, left completely unmanaged
- Excessive reliance on Quantitative Risk Management, including under-estimation of Model Risk
- Excessive reliance on external (e.g. regulatory, Compliance oriented) prescriptions for risk management as opposed to emanating from an internal risk culture
Potential side effects of applying risk management are second order effects that may arise even under "perfect" conditions
- Overconfidence, which may be intrinsic or due to the availability of sophisticated tools
- Risk Avoidance, in particular for initiatives that are harder to analyse from a risk perspective