Risk is a part of life. Individual people might be able to go through life disregarding this fact – instinct alone can see a person through many times. Organizations, however, cannot ignore risk, or they will inevitably fail and cease to exist. What is the importance of risk management? Really, it is everything – it impacts all aspects of policy. Furthermore, it is a way to react to external factors that are out of an organization’s control.
Risk Management: The Basics
Risk management is probably the biggest subcategory in the larger field of project management. Project management is the term for all types of organizational strategy, usually aimed at reducing waste, increasing efficiency, and reaching certain established goals. The Project Management Institute (PMI) is the main governing body for project management certification in the USA, though it has global scope. Standardization organizations include the National Institute of Standards and Technology and the International Standards Organization (ISO).
Risk management plays some role in almost every aspect of an organization’s policy. Every subarea of project management creates some risk. Depending on the size of an organization or project, there might be an appointed risk officer, risk team, or even an entire risk department.
Risk management is not just avoiding bad things. It is a careful assessment of how likely events are to occur and how best to reduce losses and increase gains. In fact – on the positive side – knowing how to embrace opportunity is also a part of risk management. Mathematically, risk combines the likelihood of something occurring with the value of what would be gained or lost if the event occurred.
If you would like to be certified in risk management, there are a number of options. One of the most popular is the PMI Risk Management Professional (PMI-RMP) certification. However, there are other certifying organizations, such as The Risk Management Society (RIMS™) and the Institute of Risk Management (IRM).
Most of these certifications require an exam. Generally, this exam will test your ability to properly understand threats, to come up with solutions to prevent negative events from happening, and to ameliorate the situation should a negative event occur. Certification might also require a certain amount of job experience and/or coursework.
The Philosophy of Risk
While instinct might help you to discover a potential threat or opportunity, risk assessment is overall very technical – it is more like risk calculation. Managers use data to draw up clear characteristics and parameters (definition) of a threat. If there is no definition, members of a working team have trouble keeping track of the problem at hand.
Statistics and data analysis are important in risk calculation, because they allow decision makers to draw conclusions that they could not otherwise. On a basic level, risk is equal to loss if an event were to occur multiplied by the likelihood of the event occurring.
Similarly, opportunity is the amount gained if a desirable event occurs multiplied by the likelihood of the event occurring. Big data is especially valuable for large organizations, as it allows a huge amount of information to be processed at once to generate meaningful conclusions.
Inherent in the definition of risk is prioritization. Risks that are more costly and more likely to happen need to be addressed first. Similarly, opportunities that are more lucrative and more likely need to be embraced first. In general, threats that would cost more to correct than the loss they would cause if they occurred are not viewed as risks.
Of course, there is always the philosophical question: what is cost? Cost does not necessarily mean material or monetary cost. Cost could also refer to ethical or humanitarian cost. However, sometimes, these two come together: customers and stockholders do not like to support a company that engages in unethical practices.
Because risks must be prioritized, you never eliminate all risk. There is always some residual risk. Similarly, there is always some opportunity cost. Opportunity cost refers to the loss of value that happens as a result of not choosing a certain option. Ideally, the opportunity cost of the chosen option is more than that of other options.
Unfortunately, some threats arise purely from a lack of knowledge. A negative event might be almost certain to occur but an organization did not even consider it and so, when it does happen, it is an issue or crisis. Finding these unconsidered risks is called intangible risk management.
An obstacle to intangible risk management is optimism bias – the tendency for people to disregard negative information. Group-thinking might contribute to optimism bias within teams or organizations, as groups become fixed on certain directions of thought and disregard outlying considerations.
Issue management is a form of risk management. An issue is something that impacts stakeholders or concerned members of the public; an issue is an event that is already unfolding – it is not just a possible occurrence. It could be viewed as cross-functional with stakeholder management and public relations. It is important to let stakeholders, customers, and concerned members of the public know how the issue is being addressed. This might be part of a social media campaign.
Issue management is less a question of chance and more a question of how best to deal with the issue. However, defining and assessing the issue is still important. For one thing, some problems will not actually affect an organization or business enough to justify action. Such problems are not normally defined as issues. Risk managers need to prioritize: they have to determine whether an issue is really worth the cost of fixing it. This is a cost/resource management issue.
Because of its link to stakeholder management, cost management, public relations, social media marketing and more, issue management inherently demands cross-functional collaboration. In many cases, this is not just collaboration or communication within the organization; it also involves external parties. Negotiations and communications with government officials or bureaucrats might be needed; talks with other companies or organizations might also be needed.
Communication that is clear, emotionally effective, and honest is often the most important aspect of issue management. The best way to be sure this happens is to have each manager’s role well-defined. Communication concerning issues is more helpful if it happens in a timely manner, because people tend to become more and more dug-in to whatever views of the situation they have as time passes. Digital media only makes this solidification of views happen even faster.
Issue management is both a defensive and offensive operation. Actions have to be taken to counteract problems. There need to be both short- and long-term plans to deal with the functional and communicational aspects of the issue. If something is not a true problem, the organization or business needs to give a clear reason why. Relevant knowledge-gathering before an issue occurs can make dealing with the issue easier. Analytics of market and finance trends, government regulations, public opinion, and global events can all be relevant.
Similar to an issue, but even less anticipated and more acute, is a crisis. A crisis is a truly unexpected occurrence that is a clear threat to the business or organization. Crises normally have the potential to negatively impact both stakeholders and members of the greater public. While mitigating measures can be taken, a crisis is usually so serious and immediate that some damage is inevitable.
A crisis, by definition, demands a change from normal protocol. Ideally, the shift to a new protocol happens quickly – whatever happens, there is not much time to think about it. Having good intra-organization communication and a clear sense of pre-determined leadership roles is always helpful, but especially in crisis situations. Therefore, good general project management and good communication management help in crises – these are the perfect defense.
Like issues, crises are very much about public relations. In some instances, much of the crisis is about the organization’s reputation or about a difference in how customers and management view a situation. Things that are mere tiffs or small criticisms become serious talking points in the hands of social media. While social media can be used to give everyone a voice and expose problems, organizations have a right to tell their side of the story, too. A successful organization demonstrates to the public that they see problems and are taking steps to fix them.
As with issues, crises need to be clearly defined as soon as possible, partly so that it is clear when a crisis is over and when recovery can begin. Definition is also necessary to develop recovery tactics and to help with evaluation. Evaluation is an important step in all of risk management: It allows an organization to learn from a mistake or crisis and be able to play better defense in the future; such insight might allow an organization to create better contingency or emergency plans.
Crises come in a variety of categories: cyberattacks and other criminal activity, natural disasters, computing system breakdowns (the Y2K bug would have been a big example of this), severe mismanagement (either negligent or of selfish intent), and violence (including terrorist activity).
Attacks on an organization – such as social media rumors – can be just as severe as these other threats. If there is significant truth to a rumor, it might better be described as the organization being “called out,” usually for unethical conduct. Rapid shifts in societal expectations might cause practices that were once acceptable to be suddenly considered reprehensible.
Regardless of the crisis’ nature, the business has to try to go on, both during and after the crisis. This is known as business continuity management. Business continuity managers are tasked with being sure there is protocol for the business to keep going even under circumstances of rapid change. Emergency management (the same as crisis management, but used to refer more to humanitarian issues) is also critical to crisis management and ultimately helps recovery and continuity.
The first thing most people think of as an IT risk is cyberattacks/hacking, and this is certainly a risk. Cybersecurity could be considered the risk management of IT. The SANS Institute (SysAdmin, Audit, Network, and Security) indicates that there are 6 steps of IT risk management: Preparation, identification, containment, eradication, recovery, and lessons learned.
This is not much different from the risk management standards in other areas. Ideally, IT professionals define risks and anticipate them. If an issue or crisis happens, they try to mitigate and, eventually, stop the damage. Then, they must have a strategy to bounce back and continue after the damage; finally, they must evaluate what happened and try to keep the same or similar events from happening again.
Financing a project might seem secondary to the project itself, but actually it can present many risks and opportunities. There are a variety of measures of risk in the financial world: Value at risk (VaR) is a statistically calculated estimate of how much investments could lose. Margin at risk is a kind of liquidity risk – if investments change in value, then it is harder to project how much money can be released upon the sale of such investments.
Any entrepreneur should avoid giving in to excessive optimism and consider risks: Entrepreneurs are vulnerable to such risks as interest rate, asset liability, liquidity, market, and operational risks. Enterprise risks coincide considerably with financial risks, since all entrepreneurs need financing. Changing interest rates create a different loan environment for both lender and borrower. Assets and liabilities becoming imbalanced is a red flag, no matter why it happens – as are changes in market prices.
Finally, entrepreneurs may struggle with their business just not being as efficient as hoped – finding losses somehow greater than they expected. As with any other area of project management, entrepreneurial risk managers need to consider what a problem is, why it occurred, and what they can do going forward to fix it.
Risk Is Everywhere
There are even more types of risk to consider: Relationship risk is when collaboration is ineffective – a common problem. Process engagement risk is when procedures are not well-optimized. One of the most common ways for both organizations and individuals to deal with risks that are out of their control is to purchase an insurance policy. Ethical, honest, and effective risk management can be the difference between raging success and complete failure.