We can’t know everything about the past or the present, and we can’t predict exactly how our actions will shape the future. So, we can behave as if we live in a world of certainty and be regularly surprised, or we can grapple with reality and work to understand and manage the risks we face by incorporating alternative views of the future into our plans, decisions, and actions.2 That is risk management at the personal level. For organizations, effective risk management also enables success across a wider range of possible futures.3 The value of a strong organizational risk management approach is tangible and visible: fewer surprises, faster identification and diagnosis of problems, lower impact when problems occur, more efficient and effective mitigation, and speedier recovery. At the same time, the value we’re able to see is only part of the total, because we’ll never know about all of the problems that didn’t happen thanks in part to our efforts to manage risk.
Risk management has many dimensions. Core elements include exploring the range of threats and vulnerabilities that could impair achievement of goals (risk identification and analysis), acting on early warning signs before they turn into problems (prevention), quickly identifying problems when they start (detection), and accurately diagnosing and solving them after they’ve emerged (mitigation).4 Risks can be addressed from the perspective of the organization as a whole (enterprise risk management) as well as with a focus on critical risk types (such as financial, strategic, and operational risk). Incorporating uncertainty into decisions isn’t easy; the answers aren’t in the back of the book. In an organization, choices often involve complex tradeoffs across multiple objectives (output, quality, and risks) as well as constraints (time and resources).5 Risk minimization is not risk management.
This content is available to both premium Members and those who register for a free Observer account.
If you are a Member or an Observer of Starling Insights, please sign in below to access this article.
Members enjoy full access to all articles and related content from past editions of the Compendium as well as Starling's special reports. Observers can access a limited number of articles and may purchase articles on an ala carte basis.
You can click the 'Join' button below to become a Member or to register for free as an Observer.
Join The Discussion
Thank you for publishing this, Joshua, and for making it accessible. The Fed's own roles in mind, I really enjoyed your discussion in Sec. 5 (Goal Alignment Solutions): "The risk group’s objectivity is enhanced by its independence from the first line of defense [that which 'runs the business organization and is responsible for understanding and managing its risks']. ... Independence is valuable to the extent that it reinforces objectivity, but it is not an end in itself. It must not create a barrier to sharing proactive, real-time recommendations. An objective risk perspective helps an organization to surface hidden assumptions, reckon with alternative scenarios (not just what is expected or hoped for), and develop options that are robust to a range of conditions. ... But, objectivity is not meaningful without the ability to influence decisions and create better outcomes. [40] The influence of a risk group is established through several mechanisms. ..."
Philip, thank you very much for your comment.