How can risk management be defined?

Author: Manu Steens

In this post I write my own opinion, not that of any organization.

The term ‘risk management’ consists of two words: risk and management. You therefore need to know something about the nature of each.

ISO 31000 defines risk as “the effect of uncertainty on the achievement of objectives”.

This definition of risk is very theoretical and is often translated in practice as

Risk = Probability x Impact.

This definition works well for a risk analysis method such as the ‘Bow-Tie’ method, where the risk is identified with a risk statement that consists of three parts:

Cause & Event & Effect

Here the probability is roughly determined by the causes and the impact by the consequences.

This definition is applicable to roughly 80% of the processes and projects for most organizations.

But… It’s not always that simple. As an organization, you also have to deal with the risks in your environment. The concrete way to define a risk often depends on the domain in which the risk occurs.

In its ‘Society for Risk Analysis Glossary’ of 2018, the Society for Risk Analysis provided a list that includes the following frequently used qualitative definitions:

  • “Risk is the possibility of an unfortunate occurrence.”
  • “Risk is the potential for realization of unwanted, negative consequences of an event.”
  • “Risk is exposure to a proposition (e.g., the occurrence of a loss) of which one is uncertain.”
  • “Risk is the consequences of the activity and associated uncertainties.”
  • “Risk is uncertainty about and severity of the consequences of an activity with respect to something that humans value.”
  • “Risk is the occurrences of some specified consequences of the activity and associated uncertainties.”
  • “Risk is the deviation from a reference value and associated uncertainties.”

In addition, there can be variations on the formula. For example, more generally:

Risk = Probability x Impact^N

If N > 1, one is risk-averse. If N = 1, one is risk-neutral. If 0 < N < 1, one is risk-seeking.
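The effect of the exponent N on prioritisation, as an added example that is not part of the original post: the same three risks are ranked under a risk-seeking, a risk-neutral and a risk-averse exponent, and the exponent at which two risks score equally is computed. The register entries and the 1 to 5 impact scale are constructed assumptions; the scale matters, because for impacts below 1 an exponent above 1 would shrink the score instead of amplifying it.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance of occurrence, between 0 and 1
    impact: float       # assumption: severity on a scale from 1 (minor) to 5 (severe)


def attitude(n: float) -> str:
    """Name the risk attitude that the exponent N expresses."""
    if n <= 0:
        raise ValueError("N must be positive")
    if n > 1:
        return "risk-averse"
    if n == 1:
        return "risk-neutral"
    return "risk-seeking"


def score(risk: Risk, n: float) -> float:
    """Risk = Probability x Impact^N."""
    return risk.probability * risk.impact ** n


def rank(register, n: float):
    """Names of the risks, highest score first, for a given exponent N."""
    return [r.name for r in sorted(register, key=lambda r: score(r, n), reverse=True)]


def indifference_exponent(a: Risk, b: Risk) -> float:
    """Exponent N at which a and b get the same score.

    From P_a * I_a^N = P_b * I_b^N it follows that
    N = ln(P_a / P_b) / ln(I_b / I_a).
    A result of zero or below means one risk outranks the other for every N > 0.
    """
    if a.impact == b.impact:
        raise ValueError("equal impacts: the ranking does not depend on N")
    return math.log(a.probability / b.probability) / math.log(b.impact / a.impact)


# Constructed sample register (not taken from the post).
REGISTER = [
    Risk("frequent minor disruption", 0.8, 1.5),
    Risk("occasional moderate loss", 0.3, 3.0),
    Risk("rare severe loss", 0.1, 5.0),
]

if __name__ == "__main__":
    for n in (0.5, 1.0, 2.0):
        print(f"N={n} ({attitude(n)}): {rank(REGISTER, n)}")
    flip = indifference_exponent(REGISTER[0], REGISTER[2])
    print(f"frequent-minor and rare-severe score equally at N={flip:.3f}")
```

With N = 1 the frequent minor disruption tops the list; with N = 2 it drops to last place behind both higher-impact risks.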

It is sometimes even more complex: the definition of risk then depends on the stakeholders of that risk. A ‘simple’ example can be found in agriculture, which is suffering from the drought.

If a year is very dry, the probability of drought = ‘1’ and the risk will depend purely on the impact of the drought on the harvest. You then calculate this impact by comparing the results with those of a reference year of a normal harvest.

A measure of risk to the private gardener’s harvest then becomes:

(Harvest of cultivation in the dry year) – (Harvest of cultivation in the reference year).

A farmer will look at things differently: he will compare the monetary values of the dry year with respect to the reference year as follows:

(Financial yield from the harvest of cultivation in the dry year + Subsidy that dry year) – (Financial yield from the harvest of the crop in the reference year + Subsidy that reference year).

For the seller in the store, however, the risk can be calculated by comparing the profit on a crop in a dry year with that in a normal year, as follows:

(Total selling price of cultivation per kg in the dry year – Total purchase price of cultivation per kg in the dry year – Loss of goods in the dry year) – (Total selling price of cultivation per kg in the reference year – Total purchase price of cultivation per kg in the reference year – Loss of goods in the reference year)

The tax authorities have the same risk as the seller in the store, after VAT calculation in both years. After all, no one guarantees that the VAT rate will be the same in both years.

Mathematical geniuses will be able to come up with much more complicated formulas. I’m going to leave it at these here.

This shows that even the simple case of growing vegetables implies a different definition of risk for different stakeholders. Not everyone in the supply chain is aware of this. These examples show that the concept of ‘risk’ is more complex than simply ‘an event’. The definition must be thoroughly considered for each scenario.

Depending on this definition of the risk, the measures may then change. For example, the gardener or the farmer will or will not invest in water for spraying, the farmer’s accountant will or will not do creative accounting, the seller decides to adjust his prices throughout the season, and so on. In this way, risk management adapts to the environment and to the concept of ‘risk’.

The management part is nothing more or less than the wise approach to and handling of those risks. Some of that wisdom is contained in standards. For example, ISO 31000 talks about Deming’s PDCA cycle (Plan-Do-Check-Act) that makes ISO applicable to everything. This is the management part, in which the standard prescribes identifying, analyzing and evaluating risks and defining measures, which are then implemented and monitored, after which the cycle is resumed. Every self-respecting risk standard has a qualitatively well-thought-out, systematic way of tackling and handling risks.

This well-thought-out risk type-dependent way of handling risk is the ‘formal risk management’.

There is also ‘informal risk management’. This occurs, for example, with small traders who do not invest in a risk management system according to a standard. They intuitively apply ‘common sense’ measures within their business. Or they have employees who warn each other of a pitfall out of authentic concern.

When are you prepared for a risk?

Author: Manu Steens

In this post I write my own opinion, not that of any organization.

ISO 31000 largely prescribes in outline what a risk management system can look like. It requires you to carry out a risk assessment, and to come up with measures, which you must then implement. However, it does not prescribe how to assess a measure (see my earlier blog

Nor does it describe how to know if you’re prepared for a risk. That is what I want to talk about now. Because if a measure has been assessed positively, the actual work only begins.

A first step you need to take is to effectively carry out a risk assessment. There is no way around that. You have to do that. But defining a measure is only the beginning of the actual operational preparation for the risk. There are a few things you need to do / check, besides implementing it.

  • Do you have a budget?

Provide a budget that is large enough. And there are several types of budgets that you can provide.

The first is the budget you need for the implementation of the chosen measure.

A second is the budget you may need for external insurance.

A third is the budget you may need to get through the dark times, a kind of bridging budget.

A possible fourth is a budget in the form of a captive. This is only relevant for very large risks or for large risk portfolios.

These budgets must be represented in the balance sheet, without serving double purposes.

  • Do you have people?

In many crises, there is a shortage of hands in the operational activities. It is best to think in advance about which people and which types of profiles you will need. Discuss this in advance with HR, to see if they can include the activities required of them in their part of the business continuity plan (BCP). Do they know people with the appropriate profiles? Do they know the necessary contacts to get them quickly? HR also needs to lend a hand.

  • Do you have material resources?

People often can’t do anything if they don’t have the necessary equipment. Do you have the necessary back-up equipment for this? Do you have the necessary goods and information to continue the work or services? Are there goods or equipment that are duplicated as back-up for multiple purposes, with multiple measures? Can the organization afford this?

  • Do you have the necessary information (distributed)?

This can be the call tree within your organization or the log-in data of the notification system etc. Are our own employees aware of the measure where useful and necessary? Is the environment (internal and external) aware of the possible risk if this is relevant to them? The other stakeholders too?

  • Do you have an owner of the risk?

Who is responsible for addressing the risk when it materializes? Is that the process owner? Anyone else? Is the handling of the crisis delegated to another person? You previously discussed the measure with him/her in an operational assessment. (cfr. URL Supra.) Who does what and who reports to the Crisis Management Team (CMT)?

  • Do you have a sponsor of the risk?

Typically, this is a high-ranking manager who approves the budgets for the measure. In addition, you previously discussed the measure with him/her in a strategic assessment. (cfr. URL Supra.)

Finally, if a measure was not possible, do you have a plan of action? Have you talked to risk managers from other organizations who may have similar risks and who have plans? Can you exchange experiences? Can you come to agreements with competitors for the joint deployment of people when a risk occurs?

Checking off this list does not prevent your measure from failing. But after all, it can convince the interested parties that the organization has already taken the necessary steps to avert, prevent or mitigate the risk if it occurs.

Evolution of cars and society, what does foresight tell us?

Author: Manu Steens

In this post I share my own opinion. Not that of any organization.

The evolution of transport in the west can partly be outlined with ‘PEST’. PEST is a mnemonic that helps to map the environment of an organization or society. It stands for ‘Political’, ‘Economic’, ‘Social’ and ‘Technological’.

‘P’: There is a strong call for electric cars and it is not yet clear whether the technical evolution will fully evolve towards only fully electric cars and other vehicles or not.

‘E’: the question is whether, once the electric car breaks through as a standard means of transport, the insurances, partly due to technical evolution, have a clear picture. There is a debate about who will be to blame for damage. One of the occupants, or one of the automotive companies that took care of the software development…

‘S’: Common use (car-sharing), which has long been promoted for classic internal combustion engine vehicles, will continue to apply to electric vehicles. This will need continued political support to become more successful. People don’t all like to share a car. As the livelihood increases, this is an option for more and more people.

‘T’: The ‘Society of Automotive Engineers’ described the evolution towards autonomy in 5 discrete steps. Here’s how they did it:

  1. First there was the ‘driver assist’ (also known as cruise control)
  2. Afterwards ‘partial control’ (known as lane control)
  3. Then comes ‘highly automated’ (limited vehicle control)
  4. The fourth step is ‘fully automated / driver override’ (default vehicle control)
  5. To get to ‘fully automated’ (complete vehicle control).

Cars today have level 1 and 2 and some vehicles use level 3 like a certain brand with its ‘autopilot feature’.

Here, in this situation, eight possible futures arise, depending on the following three uncertainties:

  • Does the electric car break through completely or not? In the latter case, the classic combustion engine will again play a more important role than expected, or the market will shift towards hydrogen gas as a fuel.
  • Is car sharing breaking through or not? In the latter case, man is too attached to owning his own car.
  • Will there come a period in which the technology succeeds in providing sufficient certainty to people with a fully automated vehicle (level 5) or not?

In this article I want to look at the consequences of the future with ‘yes’ to all three uncertainties in 15 to 20 years:

  • Pure electric cars are the standard.
  • Car sharing is becoming the main mode of personal transport.
  • ‘Fully automated’ completely breaks through with cars.

What does this possible future mean for people and society? Thinking through PEST provides the following possibilities:


‘P’ (Political):

  • Power plants will have to become ecological, because the defense of fossil power plants will become incomprehensible in the eyes of future generations. This is due to the great need for electricity.
  • Politicians will demand a major say in technological development in terms of cyber security for cars.
  • Ambiguity of liability in the event of damage must be decided politically. Possibilities in the legislation must be investigated. This differs for the vehicles depending on their technically automated level.
  • Electric classic cars will not have a number of advantages in terms of insurance due to a lower level of safety in automation. This requires a political decision with changes in traffic legislation. If necessary, they will be banned.
  • Police can conduct multiple types of investigation on any vehicle (route, location, times of use, …). This requires legal protection of the owner.
  • By sharing cars for short distances, public transport will be more attractive for longer distances.
  • As state revenues from cars fall, other excise duties and taxes go up.


‘E’ (Economic):

  • Fewer impulse purchases of snacks and soft drinks by drivers in those gas station stores that survive the switch with charging stations. Many products will have to reinvent their outlets, or they will suffer potential loss of sales.
  • Less shelf length for soft drinks and snacks, CDs and DVDs and booklets and magazines in remaining gas station stores.
  • Insurance is becoming cheaper for car-sharing users. Car owners may be the victims.
  • Transport costs with more car sharing become less per kilometer: you only pay when you drive.
  • Savings on personal transportation costs favor other expenses.
  • Electric cars are getting cheaper and cheaper. Until they become more expensive again?


‘S’ (Social):

  • Less serious or less likely damage.
  • Fewer or no speed violations, depending on the rigor of the legislation and its technical implementations.
  • Less pressure on emergencies in hospitals in terms of accidents on weekends. More intoxications on weekends or during the week. This entails a reorientation of doctors’ specializations.
  • In the cities, the air becomes purer, resulting in fewer particulate matter-related patients.
  • When you drink, cargo is safely delivered to your home. Will that be allowed?
  • The police will have to invest in cyber technology for vehicle checks.
  • Cybercrime for transport is also becoming a problem on a social level. It is not whether cars will be hacked, but when and what will happen to them.
  • Illegal drug deliveries with fully automated cars become possible.


‘T’ (Technological):

  • Car sharing makes it technically more feasible to provide sufficient electricity poles for the cars in cities.
  • They are working purposefully to phase out fossil fuel plants: as they are insufficient in terms of efficiency for transport compared to other electricity generation, they become irrelevant.
  • Society is taking a big step forward with AI in traffic. This will require greater availability of the Internet.
  • Cybercrime is becoming a challenge. The vehicles of the future must in no way be an open system for intrusion from the Internet, except by police services.
  • The police and customs will be able to stop cars and freight transport for inspection in a secure manner.


Governments will have to determine good indicators to see if this possible future will materialize. If necessary, they will have to develop regulations.

The insurance companies will work with governments to develop a method to allocate liability in the event of damage. This becomes more difficult when cars of different technical levels are involved in a claim.

The food industry will have to look for and find new outlets.

Automotive companies will have to invest heavily in the development of quality software algorithms and their implementation.

The pressure on emergency departments will decrease. Emergency services and their emergency physicians will partly reorient themselves to other specialties. Universities should follow the evolutions of traffic to see when they need to make changes, and which ones.

A new type of crime or terror will eventually emerge: cybercrime on cars to disrupt them and associated extortion. Police and government departments will prepare for this. This will be difficult with the ‘war for talent’ that is already present. The automotive industry is therefore also making an effort to secure this, making cars as ‘unhackable’ as possible. Cooperation between the car industry and the police forces is inevitable.

Reconstruction of Ukraine – what are the key points?

Author: Manu Steens

In this article I write my own opinion, not that of any organization.

Ukraine is currently being shot into the Stone Age. The target par excellence is critical infrastructure: water and energy installations, as well as others, such as road infrastructure, ports and airports, do not come out unscathed.

The question then is, given what will remain of it, not only what the country can look like, but especially what the key points for reconstruction are.

On rough terrain, such as a broken road infrastructure, transport costs quickly rise to five times those of an intact road network. The financial cost has thus been demonstrated as an important risk for the supply chain.

Health care: the care for the injured, but also the current tuberculosis, the still-present corona pandemic, and the flu wave with its associated pneumonia all call for action: provide for a reconstruction of health care.

Training: schools are needed to provide a renewed approach to training for future generations, but the infrastructure includes not only the buildings, but also the teachers, the classroom infrastructure, projectors, IT systems, course materials,…

Airports that have been destroyed must be rebuilt, not only for civil aviation, but also for military aviation. This is important for easy accessibility deep in the country, once there is peace.

The water supply needs to be redeveloped, debris cleared.

In order to rebuild that critical infrastructure, concrete mixers have to run and pumps have to move water, and therefore electricity is needed. Rebuilding the electricity nodes is thus one of the most important first infrastructure works. In order to clear the debris and put up buildings, heavy machinery and vehicles are also needed on site. So transport will have to be possible, and one must provide fuel and people. Then nutrition is also needed.

With such reasoning we find out what is important for the reconstruction of the Ukrainian state, when we do this from scratch: a first attention should be given to the following sectors (not necessarily in that order) (non-exhaustive list)

  1. Agriculture and livestock farming and (sea) fishing as a basic link in the food chain.
  2. Food and beverage production and the hospitality industry, including drinking water sector
  3. Medical care, medicines and hygiene. They may be exhausted and run slower for a while, also due to recovery from past crises.
  4. Clothing for protection against weather conditions.
  5. Substances and simple chemistry (such as fuels, soap, calcium carbonate (for many applications), …)
  6. Advanced chemistry e.g. petrochemical sector products (e.g. for medicines).
  7. Materials such as clay, metals, glass, and building materials
  8. Electricity and other forms of energy (because then a lot can work where there are people who can work)
  9. Mobility / transport (because then factories can be supplied and the supply chain works again)
  10. Means of communication (because justice depends on it, but actually the entire society)
  11. Relaunch of the schools: what about the people who could not do their year?
  12. Politics: keeping predators at bay who want to take over the economic markets in the terminally ill country in order to make it easier to take the future markets
  13. Banks, with a key role for economic / financial transactions

What is important as a supporting skill is the specialized supply chain of many of these sectors. These include roads, railways, waterways, ports, airports, warehouses, cooling, production sites…

So a major interest of politics will be to facilitate those supply chains. Its key role is to ensure that the different sectors work together to achieve optimal results. In order to get these things going, support from abroad is needed. Read: the EU.

However, such a situation of reconstruction entails risks: threats and opportunities.

For example, every port that is set up threatens to become a hub of drugs, counterfeits, e-waste (waste import), weapons, illegal immigrants, etc.

The clearing of bombed-out apartments and critical infrastructure not only produces gravel, but also precious metals such as copper, which is wrapped in plastic. If one tries to remove this plastic by burning it, dioxins are released. They initially move in the air, then rain out and thus end up in the food chain or elsewhere in fauna and flora.

Due to the large future demand for vehicles, the country will become a market for second-hand and third-hand vehicles from Western European countries. Shipments of such vehicles are known to carry a lot of waste in the vehicles’ cargo areas.

The high need for cheap means of communication will increase the demand for second-hand means of communication such as mobile phones and computers, causing second-hand devices to change hands again. In addition, a new reinstallation takes place, which greatly shortens the life cycle. That gives a false appearance of cost-benefit responsible means of communication.

Weak legislation and a lack of income in the country will tempt farmers to use very strong, very unhealthy weedkillers to maximize their crops, which does not benefit the health of the customers.

Due to a shortage of police presence in the transition period to a rebuilt state, crime will flourish during that transition period.

A shortage of inspectors creates investors looking for pollution havens. Although, according to certain studies in the literature, this is often not the reason for attracting foreign investment. More often people are looking for many and cheap well-trained workers, for an abundance of skilled suppliers and for an environment with several other investors. A number of these are in themselves bottlenecks.

Longer-term investments are needed before they bear much fruit.

The destroyed country can become a haven for extremists.

The conclusion of all this is that peace in the short term requires a well-oiled government apparatus.

When are scenario thinking and future planning appropriate in risk management?

Author: Manu Steens

In this article I write my own opinion, not that of any organization.

On the one hand, we have risk management.

In risk management, it is common practice to translate a risk as a product of probability and impact.  The most well-known formula for measuring a risk is:

R = P * I

R is the measure of risk, P the measure of the probability of an undesirable event occurring and I its impact on achieving the objectives of the organization. Both are considered known.

Special attention in this article is paid to the situation in which there is a high degree of uncertainty with a risk. Unlike certainty, usually mathematically defined as a number between 0 and 1, or between 0% and 100%, uncertainty is rather something we feel but on which we cannot attach a clear mathematical definition that leans back on certainty. What we do know, however, is when the uncertainty is maximum for the occurrence of an event as a result of a cause. That is if the probability is 50%. Why? Because then the occurrence of the event is a coin on its side: you really do not know which way it will fall.

On the other hand, we have the combination of the future strategies with scenario thinking.

In itself, risk management is also a bit like thinking towards the future: if the probability is high, for example a 95% chance of occurrence, then there is a relatively high certainty that the impact will occur. It is then, from risk management and as a function of the impact, that one has to define and implement a measure. This allows the impact to be optimally prevented or mitigated (in the event of a threat) or provoked to the maximum (in the event of an opportunity).

However, the reasoning I want to make here is this one where the uncertainty is maximum. There it is therefore unclear whether the event will occur, or not. So a twofold future occurs: the event happens or does not happen. With this, a game of extremes occurs, for example:

  • Will it be war or peace?
  • Will healthcare become more preventive or more curative?
  • Will sufficient measures be taken in time for the climate or will it become an unbearable climate?
  • Will there be famine or abundance?

One can consider each of these uncertainties in its own right, with two futures per uncertainty, or one can plot them two by two against each other (if they are sufficiently independent), obtaining quadrants that represent four futures.

In theory one can work with n uncertainties, which yields 2^n futures. But this becomes problematic: already from n = 3 one has 8 futures, which becomes unworkable, and in practice it also becomes more difficult to maintain the independence of these uncertainties. And that independence is necessary to foresee extremely different futures.

For each of these futures, instead of directly defining measures, one can then start thinking about scenarios. This is a strategic choice, where one defines how one will act in a certain direction depending on which future becomes true. This instead of putting a single project or action in the pipeline because one has a strong expectation regarding whether (probability rather high) or not (probability rather low) the event with a specific impact will occur.

In order to be able to make the right choice, it is necessary to explore the evolution of the circumstances of the organization.  In other words, lowering the uncertainty about the knowledge of the future. To do that, one has a number of things that one can do.

  • The very first thing to do is to dare to question the assumptions. Are the assumptions that were made the right ones?
  • One determines the extreme futures, the scenarios, and whether one is ready for it, or whether, in contrast, one still has work to do. Usually it is the latter. To this end, one looks at which strategic option is most useful in which possible future. These options involve developing possible future projects or actions, and thoroughly considering their effects with a 360° view. As far as possible, tests or exercises are carried out to estimate the possible effects.  What are the shortcomings that need to be filled in?
  • Furthermore, there is the collection of the necessary information. One will define relevant parameters – indicators – and follow their trends. One determines in advance when one will decide on the basis of which (combination of) indicators which strategic options one will roll out. This is important, because being there in time and preparing for a future can determine whether one can get a  competitive or societal advantage from it or whether one is more likely to encounter a problem.
  • When the future unfolds, one deliberately monitors it, and consciously chooses the pre-agreed options tailored to the actual nuanced future. The timing of the decision and the roll-out of action plans is then crucial.


Scenario thinking and future planning are relevant within risk management. However, one should have a good idea when this is the case. A rule of thumb is: do this with priority where the probability of an event with a certain impact is average.

Usually there are multiple risks with an average probability. Then give priority to risks with a high impact. After all, these give a more extreme course of the possible futures. As much as possible, make sure that you work with uncertainties that are maximally independent of each other if you plot them against each other.

However, if the impact is very large, and opportunities exist to influence the probabilities in your favor, do not fail to do so with common risk management strategies. “Choose your battles wisely.” After all, future planning and scenario thinking are especially useful when the internal and / or external environment of the organization are substantially uncertain. The choice to work on certainty, or to try to take advantage of uncertainty, is also a strategic choice in itself. And that depends on the capabilities of the organization. The internal environment can usually be influenced. Tinkering with the external environment is usually an impossible task. That is why this technique is also important when trying  to look at risk management objectively for the organization as part of the world.
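The rule of thumb above, as an added example that is not part of the original post: from a register, keep the events whose probability is close to 50%, prefer the highest impacts, skip candidates that depend on an axis already chosen, and enumerate the resulting 2^n futures. The uncertainty measure 1 - |2P - 1|, the 0.6 threshold, the 1 to 5 impact scale and all register values are assumptions made for illustration; the post itself only states that uncertainty peaks at 50%.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Uncertainty:
    name: str
    probability: float  # estimated chance that the event occurs, between 0 and 1
    impact: float       # assumption: severity on a scale from 1 to 5


def uncertainty_level(p: float) -> float:
    """Assumed measure: 1.0 at P = 50% (coin on its side), 0.0 at P = 0% or 100%."""
    return 1.0 - abs(2.0 * p - 1.0)


def select_axes(register, dependent, k=2, min_level=0.6):
    """Pick up to k scenario axes: near-50% probability first filtered,
    then highest impact first, skipping anything declared dependent on
    an axis that was already chosen."""
    candidates = [u for u in register if uncertainty_level(u.probability) >= min_level]
    candidates.sort(key=lambda u: (-u.impact, -uncertainty_level(u.probability)))
    chosen = []
    for u in candidates:
        if any(frozenset((u.name, c.name)) in dependent for c in chosen):
            continue  # would not give an independent axis
        chosen.append(u)
        if len(chosen) == k:
            break
    return chosen


def futures(axes):
    """All 2^n yes/no combinations of the chosen axes."""
    names = [a.name for a in axes]
    return [dict(zip(names, combo)) for combo in product((True, False), repeat=len(names))]


# Constructed register; probabilities and impacts are illustrative only.
REGISTER = [
    Uncertainty("level 5 automation is trusted", 0.50, 5.0),
    Uncertainty("electric cars become the standard", 0.55, 4.0),
    Uncertainty("charging network keeps up with demand", 0.50, 3.5),
    Uncertainty("car sharing becomes the main mode", 0.45, 3.0),
    Uncertainty("fuel prices rise", 0.95, 4.0),  # near-certain: ordinary R = P * I measure
]

# Pairs judged not independent enough to plot against each other (assumption).
DEPENDENT = {
    frozenset(("electric cars become the standard", "charging network keeps up with demand")),
}

if __name__ == "__main__":
    axes = select_axes(REGISTER, DEPENDENT, k=2)
    print("axes:", [a.name for a in axes])
    for future in futures(axes):
        print(future)
```

Raising k from 2 to 3 doubles the number of futures from four to eight, which is the point at which the text calls the approach unworkable.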