© Copyright October 2009, David Hillson/Risk Doctor Limited
The most simple definition of risk as “uncertainty that matters” provides two simple tests for whether something is really a risk or not. The first and most obvious characteristic of a true risk is that it is uncertain. If something is a fact, constraint, requirement, problem or issue, then it is not a risk. However not all uncertainties are risks, which brings us to the second test of a real risk: Does it matter? The majority of uncertainties in the universe are not risks because they are irrelevant. The only reason we need to identify, understand and manage risks is if they matter.
So how do you know whether a risk matters or not? Again there is a simple test: If it happened, would it affect achievement of one or more objectives? Objectives define and describe what matters. For projects they tell us about the requirements for outcomes, deliverables, time, cost and performance. Personal objectives may relate to health, career, family or fulfillment. Objectives for organisations might include growing shareholder value, enhancing customer satisfaction, protecting reputation and operating sustainably.
This explicit link between risk and objectives explains why risk management is so important in all aspects of human endeavour:
The risk process requires clearly defined objectives. It is not possible to define risks without a context. We must first know what is “at risk”, what matters, what we are trying to achieve. Only then can we find risks that might affect those objectives. Where objectives are not clear, the risk process forces us to stop and define them before we can go any further.
The proactive nature of the risk process creates management space, giving us time to think, reflect, and consider the best way to respond. Using the risk process as a forward-looking radar gives us early warning of approaching uncertainties that might affect our objectives.
The risk process identifies specific uncertainties that we can address. This includes both threats which could hinder our progress, as well as opportunities which could help us. By exposing these factors in advance, the risk process gives us a chance to do something about them before it is too late. Where proactive actions are not possible, we have time to decide on contingency plans, or perhaps we might change direction or even stop altogether.
Prioritising risks by their potential to affect objectives (as well as their chance of happening) ensures that we give most attention to the risks that matter most.
Properly targeted risk responses should maximise our chances of achieving objectives, by removing or reducing a significant proportion of the possible negative effects of threats to our objectives. They should also help us to capture some opportunities and turn them into actual benefits, producing an optimal outcome.
By ensuring that we have clear objectives, making us think in advance about what might affect whether we meet them, identifying the most important risks, and helping us to find appropriate ways of dealing with them, the risk process gives us the best possible chance to succeed in achieving our objectives. This of course is why effective risk management has become recognised as an essential contributor to success in business, projects and other areas of life.
There is one other important implication of connecting risks to objectives in this way. If risk is “uncertainty that matters”, it is clear that different things matter to different people, because they have different objectives. Risk does not mean the same to a boss, a middle-manager or a front-line worker. It is easy to implement an integrated approach to risk management across an enterprise if there is a coherent and aligned hierarchy of objectives. Risks can be escalated or delegated between organisational levels depending on which objectives are affected. Everyone understands which risks they have to manage at their level in the organisation, because they can just focus on the ones that affect their objectives. Enterprise Risk Management (ERM) depends on having clear objectives across the enterprise.
There is no doubt – when it comes to risk, it’s all about objectives!
For more information, visit www.risk-doctor.com