What does it mean to “manage” risk?

What do we mean when we say we need to “manage” risk, or “manage” a risk? I’m not talking about financial risk, which is a world of mathematical models and algorithms. I mean project risk or enterprise risk, which typically manifests itself in risk workshops, risk registers, mitigation actions, and regular discussion of “risks” either informally or in project board meetings.

When we talk about managing other things it’s often very clear. Managing people involves ensuring that our staff have appropriate expectations, have the environment and tools to do their jobs effectively, and so on. Managing finances involves tracking money across various budgets or bodies, planning the same for the future, and verifying what’s actually happened.

But “risks” are different. They are nebulous things (which is partly why I use scare-quotes). You can’t get them into a room and talk to them, and you can’t even pin them down clearly in a spreadsheet. As I’ve argued before, so-called “risks” have fuzzy edges—so we might write the words “suffer a data loss” and call it “a risk”, but this can range from accidentally exposing one user’s name on the web page of another user, through to having our entire list of users and their personal details stolen and sold on the black market… as well as infinitely many similar variations in between. What would it mean to “manage” that?

So I was pleased to find a fresh article by Norman Marks entitled “Is it about managing risk?” Rest assured that Betteridge’s law applies—the answer is No. He says that risk management is “not about risk. It’s about achieving objectives.” He goes on to suggest questions which a board might reasonably ask instead of focusing on particular “risks”:

  • How likely are we to achieve our objectives?
  • If the likelihood is less than acceptable, why? What can we do about it?
  • If there is a possibility of exceeding our objective, what can and should we do?
  • What assurance do we have that management is taking the right risks, making intelligent and informed decisions?
  • Are there any risks that we should be concerned about, that merit our attention and possibly our action?

This looks to me like bread-and-butter management, including communication and decision-making, but with a particular recognition that uncertainty is rife.

So if managing risk is anything distinct from plain good management, what might it be? Perhaps it’s a continual reminder that we human beings are flawed and reluctant to talk about negative consequences or things not going exactly to plan, together with the support needed to counter that reluctance. Things like transparency, objectivity, and honesty can go a long way to achieving that, and may well lead to better processes in our planning, decision-making, implementation and operations. But I’m not sure that continual reminder and consequent support is much of a distinct job or responsibility in itself, and certainly not a job or responsibility that justifies specialist jargon and process.

If we say risk management needs to be integrated—and generally people do—then it seems that we would benefit from taking the next logical step: moving away from the jargon and specialism, and instead finding practical ways of addressing real uncertainty in our daily business lives.

Photo by Christoph Rupprecht