Risk management is a skill, not the ultimate goal

To those of you who aren’t sports geeks, my apologies. Ignore the specifics … you’ll get the drift.

Why does a world-class athlete practice? Let me get more specific. Why does a basketball player practice a fade-away jump shot 200 times a day? Why does a tennis player practice half-volleys at the net time after time? Why does a football lineman practice his footwork while run blocking dozens of times every day? For the top athletes, it’s not because they want to become the best fade-away jump shooter or be the best at any one of these particular skills.

No. They are focusing on details because it helps expand their overall game. It helps them better respond, instinctively, when they are in the flow of the game. Developing every weapon in their arsenal makes them stronger overall players. Details are important because IT HELPS THEM WIN THE GAME.

Let’s look at “risk management”. I feel comfortable proposing that most organizations approach risk management with the goal of managing their risks. Why not, right? That seems pretty straightforward. But that shouldn’t really be the underlying reason for risk management. Risk management, in the business world, is like a fade-away jump shot in professional basketball. It’s a skill. However, it’s not the ultimate goal. The ultimate goal is to win the game.

Every organization (of any type, any size, for-profit or not) has a reason for its existence. Maybe it’s to produce a product. Maybe it’s to serve a disadvantaged group of people. Whatever; if risk management doesn’t help that organization achieve its goals, what good is it?

When it’s approached correctly, risk management is viewed as a skill that needs to be part of the organization’s overall bag of tricks. When it’s approached correctly, it helps the organization achieve its goals. Let me draw a comparison to another fundamental skill. Most organizations have some way of communicating individual performance objectives to their staff. “Bob, this year I would like you to accomplish …”. They do this because there is an obvious and clear link between objective-setting and winning the game. Objective-setting is a skill that helps them win.

Risk Management is exactly the same. It provides another core competency that the organization can draw on. It’s a skill that gives the organization more options. It’s something that helps them perform better, instinctively.

So, don’t focus on the skill as an end in itself. Recognize that the skill should be a well-integrated competency (among many). Winners don’t let their vision stray. They stay focused on winning the game.

Risk Assessments – a management tool

In earlier posts, I wrote about the difference between “Risk” (uncertainty) and “risks” (events).

The topic I want to address in this post is how we can use a Risk Assessment as an actual management tool. In an earlier post I said that risk assessments work best when they are focused on determining the level of “Risk” (uncertainty) within a particular Strategy. The technique that we use to determine the level of uncertainty is to use our experience or other resources to identify the potential events (“risks”) that could cause the Strategy to fail. Once these potential events are identified, our next step in the process is to look at the likelihood that they might actually occur.

OK. Let’s say we’ve done these steps. We have now identified the “risks” that might impact the Strategy. Now what do we do? Remember that our goal is to identify whether the overall level of uncertainty in the Strategy is appropriate, given all of the circumstances. How do we do that? Answer – we use our judgment.

In a few cases, such as investment trading strategies, the level of uncertainty in a Strategy might be determined using an analytical model. However, the vast majority of situations require solid judgment. We need to sit back and look at the big picture. How many “risks” did we identify? How likely are they to actually derail the Strategy? Do these “risks” amplify or offset each other? Would these events ramp up slowly, or would they overwhelm us in a matter of seconds? What is our experience telling us? How much uncertainty are we willing to accept relative to this overall Goal?

By asking these questions, we’re beginning to use the Risk Assessment as a management tool. Remember that the reason we’re performing the Risk Assessment is to help us make a management decision – whether the current Strategy is appropriate.

So what happens if we feel a little uncomfortable as a result of the Risk Assessment? Maybe we feel that there’s too much uncertainty in this Strategy. Perhaps too many things could go wrong and prevent us from achieving our Goal. What do we do now?

That’s an easy answer. We eliminate some of the uncertainty. We create contingency plans that we put into play if a particular event occurs. Maybe we build in redundancies. Perhaps we buy insurance to protect ourselves from a particular event. Maybe we outsource the entire activity to an expert third-party provider. The types of mitigation activities are limited only by your imagination (and budget). By taking these types of steps, the individual “risks” (events) become less likely to actually derail the newly improved Strategy. We’ve added steps to mitigate individual “risks” and, in the process, lowered the level of overall “Risk” in the Strategy.

So, the Risk Assessment is employed to tell us about the level of uncertainty within a Strategy as of a point in time. We use this Risk Assessment as a gauge to tell us if the Strategy is acceptable. If not, we tweak the Strategy until the Risk Assessment provides us with the level of comfort that we need.

Guess what – we’re using risk management techniques to actually help us better run our organizations.

What are your thoughts?

Risk Assessments – what are we assessing?

In recent posts, I wrote about the difference between “Risk” (uncertainty) and “risks” (events that could cause harm). Now let’s think about the implication of this distinction when it comes to performing a risk assessment.

ISO 31000 says that a risk assessment is the overall process of risk identification, risk analysis, and risk evaluation.

COSO’s ERM Framework indicates that risk assessment allows an entity to consider the extent to which potential events have an impact on achievement of objectives.

When actually performing an assessment, ISO 31000 says that it is expressed in terms of the combination of consequences and their likelihood. COSO says that management assesses events from two perspectives – likelihood and impact. Both stick with the idea of the two axes – i) how impactful is the risk? and ii) how likely is it to occur? This approach tends to focus on assessing “risks” — the events that could occur and cause harm. However, in an earlier post I wrote about the problem that exists if you take this approach.

Should we be assessing “risks” (events) or should we be assessing “Risk” (uncertainty)? Let’s look at an example to help us think this through.

I’m a little concerned about my 10-year-old car. It is presenting me with some transportation uncertainty. Here’s an immediate clue — the word ‘uncertainty’ popped up. What I’m really looking for is an answer to “Is the car sufficiently reliable, or do I need to do something?” I’m not really looking for a prioritized list of every component, its potential impact, and the likelihood that the component will fail.

Said another way,

  • my Goal is Reliable Transportation
  • my current Strategy is to Retain my Current Car As-Is
  • the Risk Assessment needs to tell me “Is this a good Strategy?”

The Risk Assessment needs to tell me if the level of uncertainty (“Risk”) is appropriate given this Goal and Strategy. The technique for actually accomplishing this is to identify potential events (“risks”), along with their likelihood and impact, in order to make the final evaluation of whether the current Strategy is acceptable.

The technique for performing the risk assessment is to look at individual “risks”, but the reason that we’re performing the risk assessment is to evaluate the level of “Risk” within the strategy and determine whether the uncertainty is appropriate given the overriding goal.

“Risk” vs “a risk” (part 2)

In my last post, I talked about the semantic difference (in my view) between “Risk” and “a risk”. In this post, I want to talk about the implications of this distinction.

As you may recall, I said that “Risk” is a concept that relates to general uncertainty about whether or not you can actually accomplish a goal. “A risk”, on the other hand, usually refers to a specific event — something specific that could happen and cause us problems.

When management asks the broad question “Do we have too much risk in the organization?”, what do they mean? Are they asking if there are too many discrete events that could cause problems? Or are they asking if there is too much uncertainty?

Generally speaking, executive leadership would love to have assurance that their strategies will actually achieve their goals. That helps them keep their jobs. They would love to have certainty about every strategy. The opposite side of this coin, obviously, is uncertainty. If certainty is what they want, then uncertainty is often what they want to avoid. Uncertainty causes sleepless nights.

Since “Risk” (or “uncertainty”) is not terribly concrete, it’s very hard to measure. So, we devise a stand-in, or proxy, for this concept. We say that “Risk” exists in a strategy because there are certain discrete events that could occur and cause that strategy to fail. Examples of “a risk” might be “consumers won’t like the new product” or “production costs will push the retail price too high”. These are individual risks — discrete events that could occur. If we have too many of these, and if they have a real likelihood of occurring, then the strategy might be thought of as having too much “Risk”. This means that there is little assurance that the strategy will actually achieve the goal.

So, if there are a lot of “risks” (potential bad events), then there might be too much “Risk” (uncertainty). Right?

The most important point, of course, is to recognize the semantic use of the word “r-i-s-k” to mean two different, albeit related things. When you’re discussing “r-i-s-k” with someone you can help assure a fruitful conversation by recognizing that you may not be coming from the same point of reference. One of you may be talking about “Risk” while the other is talking about “a risk”. Once you recognize this difference and put yourselves on the same page, your conversation will proceed much more smoothly.

What do you think?

“Risk” vs “a risk” (part 1)

There is an important semantic distinction that is often missed when discussing risk management. When you say “risk”, are you talking about “Risk”? or are you talking about “a risk”? Let me explain.


“Risk”

I am capitalizing this word just so I can keep myself on point. “Risk” is an idea – a concept. The adjective is “risky”. This relates to the potential of something bad happening. When you drive a car with your eyes closed, you are experiencing “Risk”.

ISO 31000 defines “Risk” as the effect of uncertainty on objectives.

COSO’s ERM Framework defines “Risk” as the possibility that an event will occur and adversely affect the achievement of objectives.

“a risk”

On the other hand, when people talk about “a risk” they are commonly thinking about a specific event or occurrence. It is one of the specific bad things that could happen. When you drive a car with your eyes closed, you experience many risks — you could hit a tree, you could drive into a ditch, etc.

ISO 31000 says that risk is often characterized by reference to potential events and consequences, or a combination of these.

COSO’s ERM Framework takes a different approach. They focus on ‘events’ as a major specific topic and say that an event is an incident or occurrence from internal or external sources that affects achievement of objectives. The implication is that an event with a negative impact is a risk, while an event with a positive impact is an opportunity.

So what does this mean?

This means that you need to be careful when talking about risk. Sometimes you may be talking about the general uncertainty of a strategy relative to its ability to actually achieve its goal — “this is a risky strategy”. Other times you’re talking about specific events. “What’s our biggest risk?” Unfortunately, we’re saddled with the same word being used in different, although obviously related, ways.

In my next post I’ll talk about this a little more.

Your thoughts?