Risk management is not about compliance, nor is it about dealing solely with potential negative outcomes.
Risk management is about anticipation; it is also about exploring potential positive outcomes.
I have been dealing with risk management for many years, and I have had too few occasions to meet organizations that had internalized the positive side of risk, meaning taking a proactive approach to risk management and hence looking out for opportunities to leverage. The weakest approach is a strictly compliance-focused view of risk management.
Apart from start-ups, innovators and entrepreneurs, most organizations are too risk-averse and too narrowly focused on the downside of risk.
I believe there is generally a misunderstanding about what a risk is. Common language refers to risk as meaning “danger, hazard, imminence, menace, peril, pitfall, threat, trouble” (Merriam-Webster dictionary), i.e., risk is always seen as being negative.
A well-grounded definition is to be found in ISO 31000:2018 Risk management – Guidelines, which states that a risk is “the effect of uncertainty on objectives”. Although ISO 31000:2018 may at first sight appear to be an overarching and theoretical document, it sets out clear fundamental principles for an effective risk management approach. When considering the fact that a risk is “the effect of uncertainty on objectives”, we must keep in mind that the effect of uncertainty may be either positive or negative. In other words, the risk itself may manifest in the form of consequences and impacts that are positive, negative, or both. What does this actually mean? Simply put, it means that some factors and parameters may have an influence on our objectives, meaning they may make us diverge from our expected goals.
What is also interesting is to look at the meaning of “uncertainty”. I quite like this definition from the Macmillan dictionary: “the fact that something is not known or has not been decided”. Simply put, it means that under uncertain circumstances and/or with uncertain factors and parameters, we cannot see the whole picture, meaning there are some blind spots. However, in the end we still have to make decisions about how we will attain our objectives. And this is where risk management is key. Not having all the clues does not mean that you cannot decide. Risk management is about managing uncertainty and about making decisions.
What is more, risk management is about anticipation, meaning the wait-and-see approach and the compliance approach are not sufficient, especially in a world where so-called disruptions and Black Swans can appear rapidly and almost unexpectedly. What does this mean? It implies that whatever might influence our goals and objectives, in a positive or in a negative way, has to be anticipated. Of course, the idea here is not to have a full and exhaustive list of everything that may have an impact on our objectives but to figure out what could have a heavy impact and with what probability. And this has to be connected with the organization’s weaknesses or strengths, which may amplify potential impacts.
After all, risk management is about being risk-aware and also being ready to leverage opportunities.
And being risk-aware is not the same as being risk-averse.
I welcome your thoughts and comments.