What is Risk Management
Risk management as a formalised discipline has been around for at least 100 years. It has its early origins in the specialist activity of insurance, which can trace its history back for several centuries. As insurance became more formalised and structured, the need for risk control standards increased, especially about the insurance of cargo king transported by ships around the world. Perhaps one of the earliest developments in this field was the introduction of the Plimsoll Line’ to indicate the level of cargo that a ship could safely transport without being dangerously overloaded.
As it became more developed, education programmes emerged to support the development of risk management as a profession. It was at this time that risk management regulations associated with corporate governance began to develop and various regulators were given more authority about specific hazards (such as health and safety), and also about particular business sectors (such as financial institutions). The development of risk management qualifications became increasingly more formalised during the 1980s.
The development of education and qualifications in risk management, as well as the more structured approach of regulators, led to the emergence of risk management standards. Risk management standard AS/NZS 4360:1995 was one of the early examples of a comprehensive approach to the management of risk. As well as the generic risk management standards applicable to all industries, specific risk management approaches also emerged in particular sectors, including the finance sector. The emergence of regulated capital requirements for banks and insurance companies indicated the increased level of risk management maturity required of financial institutions.
The corporate risk management role in the United States during the 1950s became an extension of insurance purchasing decisions. During the 1960s, contingency planning became more important to organisations. There was also an emphasis beyond risk financing on loss prevention and safety management. During the 1970s, self-insurance and risk mention practices developed within organisations. Captive insurance companies also started to emerge. Contingency plans then developed into business continuity planning and disaster recovery plans.
Areas of Risk Management
Risk management is a constantly developing and evolving discipline. As well as its origins in the insurance industry and other branches of hazard management, risk management has strong connections with the credit and treasury functions. Many functions within large organisations will have a significant risk management component to their activities, such as tax, treasury, human resources, procurement and logistics.
However, it is unlikely that specialises in those areas will consider their activities as simply a branch of the risk management discipline. Perhaps one of the best known and specialist areas of risk management is that of health and safety at work. Another specialist area is that of disaster recovery planning and business continuity planning. Also, there is no doubt that quality management is a very well developed branch of risk management, given the high profile attached to quality management systems, such as ISO 9000. Additionally, other specialist areas of risk management have developed over the past decades, including project risk management;
• clinical/medical risk management;
• energy risk management;
• financial risk management (FRM)
• IT risk management.
All of the above specialist areas of managing risks have contributed considerably to the development and application of RM tools and techniques. Project RMT is an area where the application of risk management tools and techniques is particularly well developed. As discussed earlier, project RM has its emphasis on the management of uncertainty or control risks.
Clinical risk management (CRM) has been developing for some time. This area of managing risks is primarily concerned with patient care, especially during surgical operations.The cost of medical malpractice claims and the inevitable delay in making insurance payments has resulted in risk management systems being introduced. Particular aspects of clinical risk management include greater attention to making patients aware of the risks that may be associated with the procedure they are about to undertake. It is also important that surgeons report incidents that occur during the surgery.
Considerable emphasis has been placed on CRM on the need to report, in an accurate and timely manner, details of any incidents that occur in the operating theatre. There are many publications available on clinical risk management, and a great deal of work has been put into establishing the necessary systems and procedures to cover this specialist area of risk management.
Risk management in the finance sector focuses on operational risks, as well as market, credit and other types of financial risks. It is in the finance sector that the title Chief Risk Officer was first developed. The energy sector has also seen an increase in the attention paid to RM tools and techniques. For some organisations in the energy sector, RM is mainly concerned with the future price of energy and with exploration risk. Therefore, the RM approach is similar to the activities of the treasury function, where hedging and other sophisticated financial techniques form the basis of the risk management effort.
FRM has acquired a high profile in recent times, and Chapter 30 considers the importance of operational risk management within the finance sector. However, risk management within the finance sector is broader than just operational risk. Banks and other financial institutions will be concerned with the credit risk and market risk, as well as operational risk.
Finance and insurance are highly regulated business sectors, governed by international standards such as Basel III and Solvency II.
Management of IT risks is another well-developed and specific branch of this topic.The increasing importance of information to organisations, regarding the management of and security of data, has resulted in the development of specific standards applicable to IT risk management. Amongst the best established of these risk management standards is COBIT, which is similar in many regards to the COSO standard.
Risk management is not a “cure all” and it should never be viewed as such.
Your risk management best practices may not correspond to your customer’s risk management best practices. At a minimum, you should demonstrate how your process and best practices map to your customer’s process and best practices and address any disconnects. Do this as early as possible to help prevent any misunderstandings and potential problems. Don’t just say without providing substantiating information that your process and best practices are better than those of your customer’s. I’ve witnessed multiple instances of this behaviour directed at a customer in a public forum, including twice from the same individual.
The net result was a substantial loss of credibility at the company-wide level in the eyes of a very important customer. Instead, even if you have a superior risk management process and best practices vs your customer, work with the customer to the extent possible to help them understand your process and best practices and to upgrade theirs as appropriate.
Risk vs Likelihood
The risk is a function of both probabilities of occurrence and consequence of occurrence. It is not appropriate to discuss risk in terms of one of these two terms only. Avoid phrases such as “likelihood of a risk” or “risk probability” and “impact of a risk” or “risk impact” since this mixes risk with either probability or consequence when in reality, the risk is composed of both probability and consequence terms. The intermixing of risk with a component of risk (e.g., probability) should be avoided since it is confusing, redundant, and may lead to misinterpretation, confusion, and erroneous results by different people.
Note also that likelihood and risk are part of an overlapping set and risk is not independent of likelihood since risk = f (probability, consequences). The same is also true of impact and risk—they are part of an overlapping set and risk is not independent of the impact since risk = f (probability, consequence). Avoid phrases such as “likelihood of a risk” or “risk probability” and “impact of a risk” or “risk impact” since this mires risk with either probability or consequence when in reality, the risk is composed of both probability and consequence terms.