Author: Manu Steens
In this post I write my own opinion, not that of any organization.
The word risk management can be divided into two words: risk and management. You therefore need to know something about both their own nature.
ISO 31000 defines risk as “the effect of uncertainty on the achievement of objectives”.
This definition of risk is very theoretical and is often translated in practice as
Risk = Probability x Impact.
This definition works well for a risk analysis method such as the ‘Bow-Tie‘ method (‘Bow-Tie‘) where the risk is identified with a risk statement that consists of three parts:
Cause & Event & Effect
Where the probability is roughly determined by the causes and the impacts by the consequences.
This definition is applicable to roughly 80% of the processes and projects for most organizations.
But… It’s not always that simple. As an organization, you also have to deal with the risks in your environment. The concrete way to define a risk often depends on the domain in which the risk occurs.
With the ‘society for risk analysis glossary‘ in 2018, the ‘Society for Risk Analysis‘ provided a list of, among other things, the following qualitative definitions that are often used:
- “Risk is the possibility of an unfortunate occurrence.”
- “Risk is the potential for realization of unwanted, negative consequences of an event.”
- “Risk is exposure to a proposition (e.g., the occurrence of a loss) of which one is uncertain.”
- “Risk is the consequences of the activity and associated uncertainties.”
- “Risk is uncertainty about and severity of the consequences of an activity with respect to something that humans value.”
- “Risk is the occurrences of some specified consequences of the activity and associated uncertainties.”
- “Risk is the deviation from a reference value and associated uncertainties.”
In addition, there may be abnormalities in the formula. For example, more generally:
Risk = Probability x ImpactN
If N > 1 one is risk-averse. If N = 1, one is risk-neutral. 0 < N < 1 is risk-seeking.
It is sometimes even more complex: the definition of risk then depends on the stakeholders of that risk. A ‘simple’ example can be found in agriculture, which is suffering from the drought.
If a year is very dry, the probability of drought = ‘1’ and the risk will depend purely on the impact of the drought on the harvest. You then calculate this impact by comparing the results with those of a reference year of a normal harvest.
A measure of risk to the private gardener’s harvest then becomes:
(Harvest of cultivation in the dry year) – (Harvest of cultivation in the reference year).
A farmer will look at things differently: he will compare the monetary values of the dry year with respect to the reference year as follows:
(Financial yield from the harvest of cultivation in the dry year + Subsidy that dry year) –
(Financial yield from the harvest of the crop in the reference year + Subsidy that reference year).
For the Seller in the stores, however, the risk can be calculated as a comparison of the profit of a crop in a dry year compared to a normal year as follows:
(Total selling price of cultivation per kg in the dry year – Total purchase price of cultivation per kg in the dry year – Loss of goods in the dry year) – (Total selling price of cultivation per kg in the reference year – Total purchase price of cultivation per kg in the reference year – Loss of goods in the reference year)
The tax authorities have the same risk as the seller in the store, after VAT calculation in both years. After all, no one guarantees that the VAT rate will be the same in both years.
Mathematical geniuses will be able to come up with much more complicated formulas. I’m going to stick to it here.
This shows that the simple case of growing vegetables in itself implies a different definition for the understanding of risk for different stakeholders. Not everyone in the supplychain is aware of this. These examples show that the concept of ‘risk’ is more complex than simply ‘an event’. The definition must be thoroughly considered for each scenario.
Depending on this definition of the risk, the measures may then change. For example, the gardener or the farmer will or will not invest in water for spraying, the farmer’s accountant will or will not do creative accounting, the seller decides to adjust his prices throughout the season,… In this way, risk management adapts to the environment. And the concept of ‘risk’.
The management part is nothing more or less than the wise approach and handling of those risks. Some of that wisdom is contained in standards. For example, ISO 31000 talks about Deming’s PDCA cycle (Plan-Do-Check-Act) that makes ISO applicable to everything. This is the management part in which they prescribe to identify, analyze, evaluate, define measures, which are implemented and monitored, after which the cycle is resumed. Every risk standard that respects itself has a qualitatively well-thought-out systematic way of tackling and handling risks.
This well-thought-out risk type-dependent way of handling risk is the ‘formal risk management’.
There is also ‘informal risk management’. This occurs, for example, with small traders who do not invest in a risk management system according to a standard. They intuitively apply ‘common sense’ measures within their business. Or they have employees who warn each other of a pitfall out of authentic concern.