Risk and Risk Management
There is so much that is risky in operating a business, shouldn't there be ways to manage the risk? Read the Wikipedia entry on risk management to get an overview of how businesses can manage risk.
A widely used vocabulary for risk management is defined by ISO Guide 73:2009, "Risk management. Vocabulary".
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first. Risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process of assessing overall risk can be difficult, and balancing resources used to mitigate between risks with a high probability of occurrence but lower loss, versus a risk with high loss but lower probability of occurrence can often be mishandled.
Intangible risk management identifies a new type of a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost-effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.
Opportunity cost represents a unique challenge for risk managers. It can be difficult to determine when to put resources toward risk management and when to use those resources elsewhere. Again, ideal risk management minimizes spending (or manpower or other resources) and also minimizes the negative effects of risks.
Risk is defined as the possibility that an event will occur that adversely affects the achievement of an objective. Uncertainty, therefore, is a key aspect of risk. Systems like the Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management (COSO ERM), can assist managers in mitigating risk factors. Each company may have different internal control components, which leads to different outcomes. For example, the framework for ERM components includes Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring.
For the most part, these methods consist of the following elements, performed, more or less, in the following order:
- Identify the threats
- Assess the vulnerability of critical assets to specific threats
- Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
- Identify ways to reduce those risks
- Prioritize risk reduction measures
The International Organization for Standardization (ISO) identifies the following principles of risk management:
Risk management should:
- Create value – resources expended to mitigate risk should be less than the consequence of inaction
- Be an integral part of organizational processes
- Be part of decision making process
- Explicitly address uncertainty and assumptions
- Be a systematic and structured process
- Be based on the best available information
- Be tailorable
- Take human factors into account
- Be transparent and inclusive
- Be dynamic, iterative and responsive to change
- Be capable of continual improvement and enhancement
- Be continually or periodically re-assessed
Mild Versus Wild Risk
Benoit Mandelbrot distinguished between "mild" and "wild" risk and argued that risk assessment and management must be fundamentally different for the two types of risk. Mild risk follows normal or near-normal probability distributions, is subject to regression to the mean and the law of large numbers, and is therefore relatively predictable. Wild risk follows fat-tailed distributions, e.g., Pareto or power-law distributions, is subject to regression to the tail (infinite mean or variance, rendering the law of large numbers invalid or ineffective), and is therefore difficult or impossible to predict. A common error in risk assessment and management is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild, which must be avoided if risk assessment and management are to be valid and reliable, according to Mandelbrot.