All management is risk management.
According to ISO 31000, "risk is the effect of uncertainty on objectives". The first time I set eyes on this definition, it was difficult for me to fully grasp its reach. At that time (2009) I was already convinced that risk had both a positive and a negative component. Risk, as I saw it then, held the prospect of both gain and loss, depending on the situation, the perspective on that situation and/or the effort spent on managing the risk.
However, when you think it through, it is clear that the ISO 31000 definition is exactly what I thought risk was. The effect of uncertainty can be negative, positive or both at the same time: possible gain is the positive side of risk, and loss is the negative side. Unfortunately, many risk management practitioners don't see it this way. They are accustomed to a very restricted perspective on risk and follow doctrines that deal with negative effects only, and they want to keep it that way, solely occupied with threats, vulnerabilities, weaknesses and the like.
This limited view of risk is understandable, because the positive side of risk, aiming for profit and gain, has traditionally been the privilege of managers. They are the ones who use their strengths and capabilities to pursue goals when opportunities are turned into objectives.
Nevertheless, when one group of people focuses only on taking risks (managers going for a profit) while another group is busy with the risks being run (trying to keep the losses in check), it is very difficult to reach optimum decisions, because, at first sight, the decisions needed to increase profit can be the opposite of the decisions needed to reduce the likelihood of bad things happening.
As a result, risk managers are often viewed as people who slow managers down in their efforts to make a profit. Worse, when there is a lack of coordination between the two groups, wrong decisions can result in huge damage to the organisation.
There are many examples that illustrate this lack of understanding between managers and risk managers. You could say that a lack of risk management, and insufficient understanding of the risks involved in the decisions being taken, is what happened to the VW group in its "dieselgate" scandal. Too much focus on growth and profit led managers to develop fraudulent solutions to the problem of legal compliance, while misunderstanding or disregarding the objectives of important stakeholders. Once the full effect of uncertainty on the objectives involved had materialised, this resulted in huge losses in (shareholder) value, as huge fines were followed by further expenses in coping with the damage caused.
These kinds of unfortunate events can be avoided. ISO 31000 is a guidance standard on how organisations can overcome this dual approach and its bad results, because its purpose is to integrate risk management into all processes and at all levels of an organisation. It allows for optimum decisions, aiming for profit while reducing the likelihood of losses, because the same principles, framework and process can be used to manage both sides of risk in concert: taking risks when chasing opportunities and running risks due to all kinds of hazards can be managed at the same time and by the same risk owners. This is what allows you to perform safely.
Risk management tools can be used for both sides of risk. They are useful for managing innovation and growth, building on strengths, pursuing opportunities and developing new ideas, but they are also beneficial in dealing with the threats, hazards and weaknesses that could harm the intended progress. Risk management helps to develop a clear vision of objectives and aids in taking well-informed, and therefore better, decisions.
Should you want to know more about the ISO 31000 standard and get certified, check out the events page on this website!