What is risk management

What is risk management?

Identifies, assesses and controls threats to an organization

Risk management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.

If an unforeseen event catches your organization unaware, the impact could be minor, such as a small impact on your overhead costs. In a worst-case scenario, though, it could be catastrophic and have serious ramifications, such as a significant financial burden or even the closure of your business.

To reduce risk, an organization needs to apply resources to minimize, monitor and control the impact of negative events while maximizing positive events. A consistent, systemic and integrated approach to risk management can help determine how best to identify, manage and mitigate significant risks.

The risk management process

At the broadest level, risk management is a system of people, processes and technology that enables an organization to establish objectives in line with values and risks.

A successful risk assessment program must meet legal, contractual, internal, social and ethical goals, as well as monitor new technology-related regulations. By focusing attention on risk and committing the necessary resources to control and mitigate risk, a business will protect itself from uncertainty, reduce costs and increase the likelihood of business continuity and success.
Three important steps of the risk management process are risk identification, risk analysis and assessment, and risk mitigation and monitoring.

Identifying risks

Risk identification is the process of identifying and assessing threats to an organization, its operations and its workforce. For example, risk identification may include assessing IT security threats such as malware and ransomware, accidents, natural disasters and other potentially harmful events that could disrupt business operations.

What Is Risk Management? Importance Of Risk Management

June 18, 2020 By Hitesh Bhasin Tagged With: Management

The term risk management is used to refer to the identification, the polarization and the analysis of the threats or risks that may affect the capitals and earnings of any particular organization.

This is then followed by the economic and coordinated applications of the resources in order to minimize, control and monitors the impact of any unforeseen events or to maximize the opportunities’ realization.

Table of Contents

What is risk management?

Risk management is basically a process in which anything that may act as a threat or a risk to the organization is identified, analyzed, evaluated on several factors so that it can be eluded. These risks can arise due to several aspects like financial uncertainty, strategic management factors, legal liabilities, accidents, and natural disasters, etc.

Risks management is also done while making an important investment decision in which the identification, analysis and acceptance or mitigation of uncertainty in investment is done. Risk management is a practice of analyzing potential risks ahead of time.

After that those risks are evaluated on the basis of several factors and finally some precautionary steps are taken so that the risks could be reduced.

The risk management is associated with managing any type of possible risks in a portfolio and then reducing it through diversification. Now in a business one can inculcate many different types of risk especially in the investing world.

Now some of these may include economic factors, competition, and market volatility. Now the entities may also become a factor like in term so their position, their capital, in terms of the risks investment, etc.

It is quite essential for the organizations which are into businesses, to assess their risk on a daily basis. Most often it is common for any business to refer back t their previously done risks analysis so that they can decide the type of securities they would be wanting to purchase it or the type of ventures that they will want to invest in also the risks management issued in cases in which the companies are considering to launch some kind of their product line in future or factory expansion.

With the help of risk management, they are able to assess the level of threat of investment before launching the product.

Now in the financial world, risk management occurs everywhere. Mostly it occurs when the low risks bonds are being bought by the investor instead of the riskier corporate bonds. Now many of the financial instruments like ‘options’ or ‘futures’ or ‘money managers’ tend t use the strategies, for example, a portfolio or an investment diversification. This is done so that the risk could be mitigated or managed in an effective manner.

Now with the risk management is done in an inadequate way, it can then result in severe consequences which may affect the organization or a business or an individual or the economy.

Examples of risks management

On top of it all, the prices of the stock is also high thus in the short term, any potential dividends would be extremely limited. Therefore he decides to go for a risk analysis so that he can make the best investment decision according to his situation.

After the risk assessment, it was revealed that investing in the stocks of Apple would be very risky for those who are new in the investing world in the present scenario. And in addition to it, the prices of the stock is also quite high thus making it extremely limited for any potential dividends in the short term. In this way, she will be needing to devote a part of her remaining savings so that she could perceive adequate dividends.

Thus because of so many reasons, he finally comes to a conclusion that it would be unwise of him to make an investment. And then he decides to invest in some new equipment that is related to the business and focus on increasing sales.

What are the various standards of risk management?

Now since the early 2000s, there have been many government organizations and industries that have been coming up with regulatory compliance rules that used to come with various plans associated with risk management. It would include the manner in which the plans could be executed, the various policies associated with it and the producers of implementing those plans.

In many of the big organization and businesses, there is the board of directors who are assigned this job of reviewing and the reporting of the accuracy of the enterprise risk management process. And over time these have become major aspects of the strategy to make a business successful.

Now there are several organizations like the ‘National Institute of Standards and Technology’ and the ISO as well. The main purpose of these organizations is to identify any kind of threats, analyze unique vulnerability so that the risks could be determined and then find out the ways in which those risks could be reduced or completely eliminated.

Once all of the above processes are done, the risk reduction efforts can be implemented according to the strategy specified by the organizations.

For instance, the ISO 31000 principles, is known to provide a framework for the risks management process which the companies use irrespective of the size of the company or the target sector.

In this way the main objective of the ISO 31000 is to “enhance the livelihood of achieving their goals, improving their abilities to identify both the opportunities and the threats, being able to effectively allocate and make use of the resources that are available there of the risk management’.

Now here one thinks to note is that this ISO 31000 can’t be used for the purpose of certification although it does provide the guidance for both the external as well as the internal risk audits. And in addition to that, it also allows the companies to make a comparison between their practices of risks management to thus of the benchmarks that are recognized at international levels.

What is the importance of risk management?

The risk management is important for all kinds of organizations be it a profit organization or a nonprofit organization. This is because the risks are unexpected events that can cause a lot of damage to the organizations is it is not shielding properly prior to the time. There can be various operational risks which have to be managed.

Now, these risks can be in several forms like loss of funds, injury to staff, natural disasters or anything else could have a serious impact on your business. Thus this is where the risks management comes handy.

The risks management is important because, in such an unforeseen situation, it protects your organization or your business. Risk management helps to prepare for all of those unexpected events in advance.

This way it minimizes the risk and also cuts down the extra cost or financial burden that you would have to bear unless otherwise. If the risks management is carried out in a proper manner, it will help a lot in saving up your money and also in protecting the future of your organizations.

Risks management helps you in identifying all sorts of risk that are possibly evaluating different aspects. This by after carrying out the risk, the owner of the business or the organization can design or plan a certain procedure that will be following in order to avoid the risk or minimize the impact of it to a greater extent or at least be able to cope up with the impact of it.

Thus it is various essential to the risk management base it will help these entities to understand the actual level of risks, evaluate it and then come up with a plan that will help them lessen the impact of it or in some cases completely eradicate it.

What are the advantages of risk management?

There are various advantages of risk management. Some of these are mentioned below-

Conclusion

Thus risk management is very essential for any entity to be a profit organization or a nonprofit organization. The owner of such entities must make sure that effective risk management is carried out to avoid future damages.

Risk Management in Finance

Amanda Bellucco-Chatham is an editor, writer, and fact-checker with years of experience researching personal finance topics. Specialties include general financial planning, career development, lending, retirement, tax preparation, and credit.

What Is Risk Management?

In the financial world, risk management is the process of identification, analysis, and acceptance or mitigation of uncertainty in investment decisions. Essentially, risk management occurs when an investor or fund manager analyzes and attempts to quantify the potential for losses in an investment, such as a moral hazard, and then takes the appropriate action (or inaction) given the fund’s investment objectives and risk tolerance.

Risk is inseparable from return. Every investment involves some degree of risk, which is considered close to zero in the case of a U.S. T-bill or very high for something such as emerging-market equities or real estate in highly inflationary markets. Risk is quantifiable both in absolute and in relative terms. A solid understanding of risk in its different forms can help investors to better understand the opportunities, trade-offs, and costs involved with different investment approaches.

Key Takeaways

What is Risk Management?

Understanding Risk Management

Risk management occurs everywhere in the realm of finance. It occurs when an investor buys U.S. Treasury bonds over corporate bonds, when a fund manager hedges his currency exposure with currency derivatives, and when a bank performs a credit check on an individual before issuing a personal line of credit. Stockbrokers use financial instruments like options and futures, and money managers use strategies like portfolio diversification, asset allocation and position sizing to mitigate or effectively manage risk.

Inadequate risk management can result in severe consequences for companies, individuals, and the economy. For example, the subprime mortgage meltdown in 2007 that helped trigger the Great Recession stemmed from bad risk-management decisions, such as lenders who extended mortgages to individuals with poor credit; investment firms who bought, packaged, and resold these mortgages; and funds that invested excessively in the repackaged, but still risky, mortgage-backed securities (MBS).

How Risk Management Works

We tend to think of «risk» in predominantly negative terms. However, in the investment world, risk is necessary and inseparable from desirable performance.

A common definition of investment risk is a deviation from an expected outcome. We can express this deviation in absolute terms or relative to something else, like a market benchmark.

While that deviation may be positive or negative, investment professionals generally accept the idea that such deviation implies some degree of the intended outcome for your investments. Thus to achieve higher returns one expects to accept the greater risk. It is also a generally accepted idea that increased risk comes in the form of increased volatility. While investment professionals constantly seek—and occasionally find—ways to reduce such volatility, there is no clear agreement among them on how it’s best done.

How much volatility an investor should accept depends entirely on the individual investor’s tolerance for risk, or in the case of an investment professional, how much tolerance their investment objectives allow. One of the most commonly used absolute risk metrics is standard deviation, a statistical measure of dispersion around a central tendency. You look at the average return of an investment and then find its average standard deviation over the same time period. Normal distributions (the familiar bell-shaped curve) dictate that the expected return of the investment is likely to be one standard deviation from the average 67% of the time and two standard deviations from the average deviation 95% of the time. This helps investors evaluate risk numerically. If they believe that they can tolerate the risk, financially and emotionally, they invest.

Example

For example, during a 15-year period from August 1, 1992, to July 31, 2007, the average annualized total return of the S&P 500 was 10.7%. This number reveals what happened for the whole period, but it does not say what happened along the way. The average standard deviation of the S&P 500 for that same period was 13.5%. This is the difference between the average return and the real return at most given points throughout the 15-year period.

When applying the bell curve model, any given outcome should fall within one standard deviation of the mean about 67% of the time and within two standard deviations about 95% of the time. Thus, an S&P 500 investor could expect the return, at any given point during this period, to be 10.7% plus or minus the standard deviation of 13.5% about 67% of the time; he may also assume a 27% (two standard deviations) increase or decrease 95% of the time. If he can afford the loss, he invests.

Risk Management and Psychology

While that information may be helpful, it does not fully address an investor’s risk concerns. The field of behavioral finance has contributed an important element to the risk equation, demonstrating asymmetry between how people view gains and losses. In the language of prospect theory, an area of behavioral finance introduced by Amos Tversky and Daniel Kahneman in 1979, investors exhibit loss aversion. Tversky and Kahneman documented that investors put roughly twice the weight on the pain associated with a loss than the good feeling associated with a profit.

Beta and Passive Risk Management

Another risk measure oriented to behavioral tendencies is a drawdown, which refers to any period during which an asset’s return is negative relative to a previous high mark. In measuring drawdown, we attempt to address three things:

For example, in addition to wanting to know whether a mutual fund beat the S&P 500, we also want to know how comparatively risky it was. One measure for this is beta (known as «market risk»), based on the statistical property of covariance. A beta greater than 1 indicates more risk than the market and vice versa.

Beta helps us to understand the concepts of passive and active risk. The graph below shows a time series of returns (each data point labeled «+») for a particular portfolio R(p) versus the market return R(m). The returns are cash-adjusted, so the point at which the x and y-axes intersect is the cash-equivalent return. Drawing a line of best fit through the data points allows us to quantify the passive risk (beta) and the active risk (alpha).

The gradient of the line is its beta. For example, a gradient of 1.0 indicates that for every unit increase of market return, the portfolio return also increases by one unit. A money manager employing a passive management strategy can attempt to increase the portfolio return by taking on more market risk (i.e., a beta greater than 1) or alternatively decrease portfolio risk (and return) by reducing the portfolio beta below one.

Alpha and Active Risk Management

If the level of market or systematic risk were the only influencing factor, then a portfolio’s return would always be equal to the beta-adjusted market return. Of course, this is not the case: Returns vary because of a number of factors unrelated to market risk. Investment managers who follow an active strategy take on other risks to achieve excess returns over the market’s performance. Active strategies include tactics that leverage stock, sector or country selection, fundamental analysis, position sizing, and technical analysis.

Active managers are on the hunt for an alpha, the measure of excess return. In our diagram example above, alpha is the amount of portfolio return not explained by beta, represented as the distance between the intersection of the x and y-axes and the y-axis intercept, which can be positive or negative. In their quest for excess returns, active managers expose investors to alpha risk, the risk that the result of their bets will prove negative rather than positive. For example, a fund manager may think that the energy sector will outperform the S&P 500 and increase her portfolio’s weighting in this sector. If unexpected economic developments cause energy stocks to sharply decline, the manager will likely underperform the benchmark, an example of alpha risk.

The Cost of Risk

In general, the more an active fund and its managers shows themselves able to generate alpha, the higher the fees they will tend to charge investors for exposure to those higher-alpha strategies. For a purely passive vehicle like an index fund or an exchange-traded fund (ETF), you’re likely to pay 1 to 10 basis points (bps) in annual management fees, while for a high-octane hedge fund employing complex trading strategies involving high capital commitments and transaction costs, an investor would need to pay 200 basis points in annual fees, plus give back 20% of the profits to the manager.

The difference in pricing between passive and active strategies (or beta risk and alpha risk respectively) encourages many investors to try and separate these risks (e.g. to pay lower fees for the beta risk assumed and concentrate their more expensive exposures to specifically defined alpha opportunities). This is popularly known as portable alpha, the idea that the alpha component of a total return is separate from the beta component.

For example, a fund manager may claim to have an active sector rotation strategy for beating the S&P 500 and show, as evidence, a track record of beating the index by 1.5% on an average annualized basis. To the investor, that 1.5% of excess return is the manager’s value, the alpha, and the investor is willing to pay higher fees to obtain it. The rest of the total return, what the S&P 500 itself earned, arguably has nothing to do with the manager’s unique ability. Portable alpha strategies use derivatives and other tools to refine how they obtain and pay for the alpha and beta components of their exposure.

Risk Management

The identification, analysis and response to risk factors affecting a business

What is Risk Management?

Risk management encompasses the identification, analysis, and response to risk factors that form part of the life of a business. Effective risk management means attempting to control, as much as possible, future outcomes by acting proactively rather than reactively. Therefore, effective risk management offers the potential to reduce both the possibility of a risk occurring and its potential impact.

Risk Management Structures

Risk management structures are tailored to do more than just point out existing risks. A good risk management structure should also calculate the uncertainties and predict their influence on a business. Consequently, the result is a choice between accepting risks or rejecting them. Acceptance or rejection of risks is dependent on the tolerance levels that a business has already defined for itself.

If a business sets up risk management as a disciplined and continuous process for the purpose of identifying and resolving risks, then the risk management structures can be used to support other risk mitigation systems. They include planning, organization, cost control, and budgeting. In such a case, the business will not usually experience many surprises, because the focus is on proactive risk management.

Response to Risks

Response to risks usually takes one of the following forms:

When creating contingencies, a business needs to engage in a problem-solving approach. The result is a well-detailed plan that can be executed as soon as the need arises. Such a plan will enable a business organization to handle barriers or blockage to its success because it can deal with risks as soon as they arise.

Importance of Risk Management

Risk management is an important process because it empowers a business with the necessary tools so that it can adequately identify and deal with potential risks. Once a risk has been identified, it is then easy to mitigate it. In addition, risk management provides a business with a basis upon which it can undertake sound decision-making.

For a business, assessment and management of risks is the best way to prepare for eventualities that may come in the way of progress and growth. When a business evaluates its plan for handling potential threats and then develops structures to address them, it improves its odds of becoming a successful entity.

In addition, progressive risk management ensures risks of a high priority are dealt with as aggressively as possible. Moreover, the management will have the necessary information that they can use to make informed decisions and ensure that the business remains profitable.

Risk Analysis Process

Risk analysis is a qualitative problem-solving approach that uses various tools of assessment to work out and rank risks for the purpose of assessing and resolving them. Here is the risk analysis process:

1. Identify existing risks

Risk identification mainly involves brainstorming. A business gathers its employees together so that they can review all the various sources of risk. The next step is to arrange all the identified risks in order of priority. Because it is not possible to mitigate all existing risks, prioritization ensures that those risks that can affect a business significantly are dealt with more urgently.

2. Assess the risks

In many cases, problem resolution involves identifying the problem and then finding an appropriate solution. However, prior to figuring out how best to handle risks, a business should locate the cause of the risks by asking the question, “What caused such a risk and how could it influence the business?”

3. Develop an appropriate response

Once a business entity is set on assessing likely remedies to mitigate identified risks and prevent their recurrence, it needs to ask the following questions: What measures can be taken to prevent the identified risk from recurring? In addition, what is the best thing to do if it does recur?

4. Develop preventive mechanisms for identified risks

Here, the ideas that were found to be useful in mitigating risks are developed into a number of tasks and then into contingency plans that can be deployed in the future. If risks occur, the plans can be put to action.

Summary

Our business ventures encounter many risks that can affect their survival and growth. As a result, it is important to understand the basic principles of risk management and how they can be used to help mitigate the effects of risks on business entities.

More Resources

Thank you for reading CFI’s guide to Risk Management. To keep learning and advancing your career, the following CFI resources will be helpful:

What is risk management and why is it important?

Risk management is the process of identifying, assessing and controlling threats to an organization’s capital and earnings. These risks stem from a variety of sources including financial uncertainties, legal liabilities, technology issues, strategic management errors, accidents and natural disasters.

A successful risk management program helps an organization consider the full range of risks it faces. Risk management also examines the relationship between risks and the cascading impact they could have on an organization’s strategic goals.

This holistic approach to managing risk is sometimes described as enterprise risk management because of its emphasis on anticipating and understanding risk across an organization. In addition to a focus on internal and external threats, enterprise risk management (ERM) emphasizes the importance of managing positive risk. Positive risks are opportunities that could increase business value or, conversely, damage an organization if not taken. Indeed, the aim of any risk management program is not to eliminate all risk but to preserve and add to enterprise value by making smart risk decisions.

«We don’t manage risks so we can have no risk. We manage risks so we know which risks are worth taking, which ones will get us to our goal, which ones have enough of a payout to even take them,» said Forrester Research senior analyst Alla Valente, a specialist in governance, risk and compliance.

The formidable task is to then determine «which risks fit within the organization’s risk appetite and which require additional controls and actions before they are acceptable,» explained Notre Dame University Senior Director of IT Mike Chapple in his article on risk appetite vs. risk tolerance. Some risks will be accepted with no further action necessary. Others will be mitigated, shared with or transferred to another party, or avoided altogether.

Every organization faces the risk of unexpected, harmful events that can cost it money or cause it to close. Risks untaken can also spell trouble, as the companies disrupted by born-digital powerhouses, such as Amazon and Netflix, will attest. This guide to risk management provides a comprehensive overview of the key concepts, requirements, tools, trends and debates driving this dynamic field. Throughout, hyperlinks connect to other TechTarget articles that deliver in-depth information on the topics covered here, so readers should be sure to click on them to learn more.

Risk appetite and risk tolerance are important risk terms that are related but not the same.

Risk management has perhaps never been more important than it is now. The risks modern organizations face have grown more complex, fueled by the rapid pace of globalization. New risks are constantly emerging, often related to and generated by the now-pervasive use of digital technology. Climate change has been dubbed a «threat multiplier» by risk experts.

Businesses made rapid adjustments to the threats posed by the pandemic. But, going forward they are grappling with novel risks, including how or whether to bring employees back to the office and what should be done to make their supply chains less vulnerable to crises.

Financial vs. nonfinancial industries. In discussions of risk management, many experts note that at companies that are heavily regulated and whose business is risk, managing risk is a formal function.

Banks and insurance companies, for example, have long had large risk departments typically headed by a chief risk officer (CRO), a title still relatively uncommon outside of the financial industry. Moreover, the risks that financial services companies face tend to be rooted in numbers and therefore can be quantified and effectively analyzed using known technology and mature methods. Risk scenarios in finance companies can be modeled with some precision.

For other industries, risk tends to be more qualitative and therefore harder to manage, increasing the need for a deliberate, thorough and consistent approach to risk management, said Gartner analyst Matt Shinkman, who leads the firm’s enterprise risk management and audit practices. «Enterprise risk management programs aim to help these companies be as smart as they can be about managing risk.»

«Siloed» vs. holistic is one of the big distinctions between the two approaches, according to Gartner’s Shinkman. In traditional risk management programs, for example, risk has typically been the job of the business leaders in charge of the units where the risk resides. For example, the CIO or CTO is responsible for IT risk, the CFO is responsible for financial risk, the COO for operational risk, etc. The business units might have sophisticated systems in place to manage their various types of risks, Shinkman explained, but the company can still run into trouble by failing to see the relationships among risks or their cumulative impact on operations. Traditional risk management also tends to be reactive rather than proactive.

«The pandemic is a great example of a risk issue that is very easy to ignore if you don’t take a holistic, long-term strategic view of the kinds of risks that could hurt you as a company,» Shinkman said. «A lot of companies will look back and say, ‘You know, we should have known about this, or at least thought about the financial implications of something like this before it happened.'»

Here’s a primer on risk exposure and how it is calculated.

In enterprise risk management, managing risk is a collaborative, cross-functional and big-picture effort. An ERM team, which could be as small as five people, works with the business unit leaders and staff to debrief them, help them use the right tools to think through the risks, collate that information and present it to the organization’s executive leadership and board. Having credibility with executives across the enterprise is a must for risk leaders of this ilk, Shinkman said.

In defining the chief risk officer role, Forrester Research makes a distinction between the «transactional CROs» typically found in traditional risk management programs and the «transformational CROs» who take an ERM approach. The former work at companies that see risk as a cost center and risk management as an insurance policy, according to Forrester. Transformational CROs, in the Forrester lexicon, are «customer-obsessed,» Valente said. They focus on their companies’ brand reputations, understand the horizontal nature of risk and define ERM as the «proper amount of risk needed to grow.»

Risk averse is another trait of traditional risk management organizations. But as Valente noted, companies that define themselves as risk averse with a low risk appetite are sometimes off the mark in their risk assessment.

«A lot of organizations think they have a low risk appetite, but do they have plans to grow? Are they launching new products? Is innovation important? All of these are growth strategies and not without risk,» Valente said.

To learn about other ways in which the two approaches diverge, check out technology writer Lisa Morgan’s «Traditional risk management vs. enterprise risk management: How do they differ?» In addition, her article on risk management teams provides a detailed rundown of roles and responsibilities.

ISO’s five-step risk management process comprises the following and can be used by any type of entity:

The steps are straightforward, but risk management committees should not underestimate the work required to complete the process. For starters, it requires a solid understanding of what makes the organization tick. The end goal is to develop the set of processes for identifying the risks the organization faces, the likelihood and impact of these various risks, how each relates to the maximum risk the organization is willing to accept, and what actions should be taken to preserve and enhance organizational value.

«To consider what could go wrong, one needs to begin with what must go right,» said risk expert Greg Witte, a senior security engineer for Huntington Ingalls Industries and an architect of the National Institute of Standards and Technology (NIST) frameworks on cybersecurity, privacy and workforce risks, among others.

When identifying risks, it is important to understand that, by definition, something is only a risk if it has impact, Witte said. For example, the following four factors must be present for a negative risk scenario, according to guidance from the NIST Interagency Report (NISTIR 8286A) on identifying cybersecurity risk in ERM:

While the NIST criteria pertains to negative risks, similar processes can be applied to managing positive risks.

Experts weigh in on how enterprise risk management is evolving.

Top-down, bottom-up. In identifying risk scenarios that could impede or enhance an organization’s objectives, many risk committees find it useful to take a top-down, bottom-up approach, Witte said. In the top-down exercise, leadership identifies the organization’s mission-critical processes and works with internal and external stakeholders to determine the conditions that could impede them. The bottom-up perspective starts with the threat sources (earthquakes, economic downturns, cyber attacks, etc.) and considers their potential impact on critical assets.

Risk by categories. Organizing risks by categories can also be helpful in getting a handle on risk. The guidance cited by Witte from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) uses the following four categories:

Another way for businesses to categorize risks, according to compliance expert Paul Kirvan, is to bucket them under the following four basic risk types for businesses: people risks, facility risks, process risks and technology risks.

The final task in the risk identification step is for organizations to record their findings in a risk register. It helps track the risks through the subsequent four steps of the risk management process. An example of such a risk register can be found in the NISTIR 8286A report cited above.

Witte provides an in-depth analysis of the entire process in his article, «Risk management process: What are the 5 steps?»

Risk management glossary

The risk management field employs many terms to define the various aspects and attributes of risk management. Click on the hyperlinks below to learn more.

As government and industry compliance rules have expanded over the past two decades, regulatory and board-level scrutiny of corporate risk management practices have also increased, making risk analysis, internal audits, risk assessments and other features of risk management a major component of business strategy. How can an organization put this all together?

Here is a sampling, starting with brief descriptions of the two most widely recognized frameworks. For more detail on them, readers should consult security expert Michael Cobb’s analysis of ISO 31000 vs. COSO, which delves into their similarities and differences and how to choose between the two:

As Cobb notes in his comparison article, COSO’s updated version highlights the importance of embedding risk into business strategies and linking risk and operational performance.

Enterprises might also consider establishing frameworks for specific categories of risks. Carnegie Mellon University’s enterprise risk management framework, for example, examines potential risks and opportunities based upon the following risk categories: reputation, life/health safety, financial, mission, operational and compliance/legal.

Risk management teams choose different options to address risks, depending on the likelihood of their occurring and the severity of their impact.

Effectively managing risks that could have a negative or positive impact on capital and earnings brings many benefits. It also presents challenges, even for companies with mature governance, risk and compliance strategies.

Benefits of risk management include the following:

The following are some of the challenges risk management teams should expect to encounter:

A risk management plan describes how an organization will manage risk. It lays out elements such as the organization’s risk approach, roles and responsibilities of the risk management teams, resources it will use to manage risk, policies and procedures.

ISO 31000’s seven-step process is a useful guide to follow, according to Witte. Here is a rundown of its components:

For more detail on what each step entails, consult Witte’s article on ERM frameworks and their implementation in the enterprise.

Risks that fall into the green areas of the map require no action or monitoring. Yellow and orange risks require action. Risks that fall into red portions of the map need urgent action.

A good starting point for any organization that aspires to follow risk management best practices is ISO 31000’s 11 principles of risk management. According to ISO, a risk management program should meet the following objectives:

Another best practice for the modern enterprise risk management program is to «digitally reform,» said security consultant Dave Shackleford. This entails using AI and other advanced technologies to automate inefficient and ineffective manual processes.

Here are some of the top reasons risk management programs fail.

Overemphasis on efficiency vs. resiliency. Greater efficiency can lead to bigger profits when all goes well. Doing things quicker, faster and cheaper by doing them the same way every time, however, can result in a lack of resiliency, as companies found out during the pandemic when supply chains broke down. «When we look at the nature of the world … things change all the time,» said Forrester’s Valente. «So, we have to understand that efficiency is great, but we also have to plan for all of the what-ifs.»

Limitations of risk analysis techniques. Many risk analysis techniques, such as creating a risk model or simulation, require gathering large amounts of data. Extensive data collection can be expensive and is not guaranteed to be reliable. Furthermore, the use of data in decision-making processes may have poor outcomes if simple indicators are used to reflect complex risk situations. In addition, applying a decision intended for one small aspect of a project to the whole project can lead to inaccurate results.

Lack of risk analysis expertise. Software programs developed to simulate events that might negatively impact a company can be cost-effective, but they also require highly trained personnel to accurately understand the generated results.

Illusion of control. Risk models can give organizations the false belief that they can quantify and regulate every potential risk. This may cause an organization to neglect the possibility of novel or unexpected risks.

Risk management for career professionals

The following articles provide resources for risk management professionals:

The spotlight shined on risk management during the COVID-19 pandemic has driven many companies to not only reexamine their risk practices but also to explore new techniques, technologies and processes for managing risk. As Lawton’s reporting on the trends that are reshaping risk management shows, the field is brimming with ideas.

More organizations are adopting a risk maturity framework to evaluate their risk processes and better manage the interconnectedness of threats across the enterprise. They are looking anew at GRC platforms to integrate their risk management activities, manage policies, conduct risk assessments, identify gaps in regulatory compliance and automate internal audits, among other tasks. New GRC features under consideration include the following:

In addition to using risk management to avoid bad situations, more companies are looking to formalize how to manage positive risks to add business value.

They are also taking a fresh look at risk appetite statements. Traditionally used as a means to communicate with employees, investors and regulators, risk appetite statements are starting to be used more dynamically, replacing «check the box» compliance exercises with a more nuanced approach to risk scenarios. The caveat? A poorly worded risk appetite statement could hem in a company or be misinterpreted by regulators as condoning unacceptable risks.