What is Risk Management?
Risk management is now considered a staple process in many organizations and has become an increasingly important component of regulatory compliance (reference). Our experience suggests, however, that the concept is still not well understood.
What is risk?
The word "risk" is used in a specialized sense when organizations are discussing risk management. In this context, a risk is an "uncertain event." All organizations, especially businesses, deal with uncertainty. Here are a few examples:
You plan to release your product in a new region but find out that a competitor has beaten you to it.
Your new software system promises to slash your operating costs, but the loss of key staff means it is delivered way behind schedule.
Your new office fit-out will improve productivity, but a sudden bump in the supplier price means it runs over budget, erasing the savings you wanted to realize.
These sorts of scenarios will be familiar to anyone in the corporate world. In all instances, the original plan was upset by uncertainty.
While uncertainty is ubiquitous, not all uncertainties matter. We are usually only concerned with uncertainties that may result in monetary loss, capability delays, overspend, injury, share price reduction, reputational damage, and so on.
Given this caveat, a good definition of risk is "uncertainty that matters." (reference) This definition aligns well with the PMBOK (Project Management Body of Knowledge), which defines risk as "an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives." The ISO 31000 standard gives a broader, though still compatible, definition of risk: "the effect of uncertainty on objectives."
It is worth noting that uncertain events can be negative (threats) or positive (opportunities). This particular article is more concerned with negative risks.
Can we ignore risk?
Given that risk is ubiquitous, it might be tempting to ignore it, and many companies do just that. This approach can be dangerous, as risks can present a severe threat to your projects and your business. For example, a large McKinsey study found that the average software project exceeded its budget by 66%, overran its schedule by 33%, and delivered a 17% shortfall in benefits. And the average non-software project under-delivered benefits by an extraordinary 133% (reference).
Can these metrics be equated with poor risk management? The answer is "yes," almost by definition. Except in the case of sabotage, any unwelcome deviation from the plan (cost, schedule, benefits) is necessarily due to uncertainty. In other words, it is due to the realization of risks (whether identified ahead of time or not).
It is easy to see how such massive variations to a project can ultimately impact profitability, reputation, share price, and so on. But the situation is even worse. The McKinsey study found that a staggering 17% of projects perform so poorly that they threaten the organization's very existence.
And the above examples only deal with project risks. The umbrella term Enterprise Risk Management (ERM) captures broader organizational risks, with experts recognizing poor ERM as a common factor in many major corporate failures and scandals. (reference)
Risks can reduce profitability, damage your reputation, tank the share price, and even destroy your company. Few organizations can afford to ignore them. This is why ISO 31000 states that managing risk is “part of governance and leadership, and is fundamental to how the organization is managed at all levels.”
Managing Risk
We've seen that risk is "uncertainty that matters," and that ignoring risk is not a viable strategy. We can now define risk management as:
...the systematic process of responding to risks in order to increase the likelihood of achieving our objectives.
This definition tells us a few things:
Risk management is a systematic process rather than an ad-hoc approach.
Risk management involves responding to risks rather than ignoring them.
Risk management should increase the likelihood of achieving our project and organizational objectives.
According to ISO 31000, risk management is a process to “create and protect value in organizations.” A better understanding of what it means is a valuable first step toward achieving these goals.
Risk Register by ProjectBalm is a cost-effective way to manage risks in your organization