This month we thought we might go back to basics and answer the question: what is risk management? We ask this because we see many organisations still struggle to implement risk management successfully; those that do implement it often have a culture that sees it as a box-ticking exercise, rather than something that actually adds value across the company.
Although corporate governance, compliance and statutory duties all require aspects of risk management to be implemented, to successfully adopt a risk-based approach across an organisation, it must actually help people make better decisions rather than adding another layer of administrative ‘pain’ without any payback.
Risk Assessment - The Funnel Analogy
If an organisation was to identify and treat every possible risk it faced, no matter how insignificant, the list of risks would be enormous. In a perfect world, every risk would be documented, completely mitigated and nothing would be left to chance. But in reality, resources are scarce, and many risks will inevitably be left alone without any action being taken.
The risk assessment process is the way to identify, analyse and evaluate risks to determine which risks need attention.
The diagram below illustrates how the risk assessment process can be likened to a funnelling process.
Essentially, a “box” is filled up with all identified risks and tipped into a funnel (the risk analysis). Some risks are so small that they fall through the bottom of the funnel and are accepted for what they are. Formally documenting treatments for such small risks does not represent good value for the effort required.
Other risks may be slightly larger, and get stuck along the way. Still larger risks will barely move down the funnel at all. Depending upon the organisation’s tolerance for risk, the funnel’s filters will allow different sized risks to fall through the gaps, or remain at the top. The way risks are prioritised depends on where they sit in the funnel; the higher they sit, the greater the priority they represent.
Once all risks have been analysed, the challenge is to develop a way to “draw the lines in the funnel”; that is, how you evaluate risks to determine which ones fall through to the bottom (tolerate), which get stuck halfway (treat / transfer) and which sit at the top (terminate / transfer). It is sensible to classify all risks as low, medium, high or extreme. In this way, the decision about what type of action to take is more obvious: a risk that is high or extreme has, by definition, a higher level of urgency and a higher level of unacceptability.
How Much Can You Tolerate?
Levels of risk tolerance may differ between assessments, or across organisations, because of the contexts within which they operate: a risk-averse company may evaluate a particular risk as high and unacceptable, whereas a less cautious one may rate the same risk lower and tolerable. Similarly, a well-resourced company may classify many risks as low, whereas a poorly-resourced one may consider the same risks high (because it cannot afford to take risks with its own survival).
By understanding and applying this process, and the context within which the analysis is being applied, organisations can use risk management principles to deal with future uncertainty, spending less time on low-priority risks and more time on the things that are important (i.e. the big risks).
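The funnel and the tolerance point above, worked through as an added example (not code from the original article). It assumes a likelihood-times-impact scoring on a 1 to 5 scale, which the article does not specify, and expresses each organisation's “lines in the funnel” as a set of thresholds so that the same risk lands in a different band for a risk-averse profile than for a less cautious one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) .. 5 (catastrophic), assumed scale

    @property
    def size(self) -> int:
        # Assumed analysis rule: how "big" the risk is, i.e. where it lands in the funnel.
        return self.likelihood * self.impact

# "Lines in the funnel": upper bounds for low, medium and high; anything above is extreme.
# A risk-averse organisation draws its lines lower, so the same risk sits higher up.
PROFILES = {
    "risk_averse": (3, 6, 12),
    "less_cautious": (6, 12, 20),
}

# The article's action for each band of the funnel.
ACTIONS = {
    "low": "tolerate",
    "medium": "treat / transfer",
    "high": "treat / transfer",
    "extreme": "terminate / transfer",
}

def classify(risk: Risk, profile: str) -> str:
    """Evaluate one risk against an organisation's tolerance profile."""
    low_max, medium_max, high_max = PROFILES[profile]
    if risk.size <= low_max:
        return "low"
    if risk.size <= medium_max:
        return "medium"
    if risk.size <= high_max:
        return "high"
    return "extreme"

def funnel(risks, profile: str):
    """Tip the 'box' of risks into the funnel: highest priority first, with its action."""
    ranked = sorted(risks, key=lambda r: r.size, reverse=True)
    return [(r.name, classify(r, profile), ACTIONS[classify(r, profile)]) for r in ranked]

# Constructed sample register, illustrative only.
REGISTER = [
    Risk("Unpatched internet-facing web server", likelihood=4, impact=4),
    Risk("Lost laptop with full-disk encryption", likelihood=3, impact=2),
    Risk("Office printer outage", likelihood=2, impact=1),
]
```

Running `funnel(REGISTER, "risk_averse")` and `funnel(REGISTER, "less_cautious")` shows the lost-laptop risk being treated by the cautious organisation but simply tolerated by the other.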