
The basics of risk management

September 29, 2018

I want to congratulate David Hillson (a.k.a. the Risk Doctor) for his video explaining his view of risk management basics.

In Risk management basics: What exactly is it?, he takes less than five minutes to sum up risk management with six questions:

  1. What am I trying to achieve?
  2. What might affect me? Are there things out there in the future that might help or hinder me?
  3. Which of those things that might affect me are the most important?
  4. What should I do about it?
  5. Did it work?
  6. What changed?

He says that “managing risk is one of the most natural things we can do and one of the most important”. I have to agree, although I don’t think we do it as well as we should.

I like his six questions.

David has written 11 books on risk management, which is more than me, and I have to admit that I have not read them. While I suspect that we will not agree on every topic, such as the value of risk appetite statements, his six basic questions are similar to my set.

This is what I have included in the book I am writing now, on making business sense of technology risk.

I like to explain risk management as something every effective manager does:

  • They understand where they are today and where they need to go (their objectives).
  • They understand, as best they can, what might happen as they work towards achieving those objectives. I recommend the expression: “they anticipate what might happen.”
  • They consider (or assess) whether that is acceptable. Will they still be able to achieve their objectives, even if they suffer an acceptable level of harm in the process?
  • If either the likelihood of success or the likelihood of great harm is unacceptable, they take action. That action could include not only managing the risk but also changing the strategy or even the objective.

We start in a similar fashion and use plain English rather than risk technobabble. (See Risk Management in Plain English).

But I believe you need to set the right objectives first.

I also believe that rather than assessing risks out of context, you need to consider all the things that might happen and assess whether that totality is acceptable.

In other words, manage success rather than risk and certainly don’t manage one risk at a time.

Beyond that, we seem to be on the same page.

What do you think?

Is this simple approach right? Certainly there is more complexity when assessing the various things that might happen, especially when multiple things might flow from a single decision. But isn’t this a good start?

I welcome your thoughts.

  1. John Fraser
    September 29, 2018 at 12:04 PM

    Norman, I have reduced ‘risk management’ to two key words: “prioritization” (of objectives, risks, action plans, and resources); and “conversations” (among board members, executives, managers and staff about the prior mentioned things). I see that prioritization is mentioned but not ensuring the right ‘conversations’ about these things by the right people.

    • Norman Marks
      September 29, 2018 at 1:12 PM

      You are right, of course. There is more to be said, including obtaining sufficient, reliable information and involving the right people – a conversation, as you describe.

  2. September 29, 2018 at 5:22 PM

    Hi Norman,

    DeBono wrote an interesting book on simplicity and it is clear that making something “simple” is not simple. Nevertheless I do like the six points and your four points as a way of getting the manager or someone new to risk management to consider the Why and What. Gaining the competence to do the How is a bit harder, especially the capacity to collect, analyse and manage uncertainty of the information needed to make the best decision.

  3. Steven D
    October 1, 2018 at 3:24 AM

    Completely agree, I don’t think it has to be overly complicated, start with a simple ‘mission statement’ (what I want to achieve) and then as John said, conversations around that statement (what might hinder me, what might help me, what are the key aspects, how do I deal with these/what actions am I comfortable taking) and then periodic reviews to help keep us ‘on track’ to achieve what we set out.

  4. vincent tophoff
    October 1, 2018 at 10:16 AM

    Short, sweet, and simple. However, instead of calling it a “risk management process” I would simply call it a “(good) management process.”

  5. Daniel Paul Kalwiji
    October 13, 2018 at 1:39 AM

    Thanks for the guidance; this is one way an effective manager would embed risk mgt.
