# Risk Management
## Definition
"The practice of ensuring that the organization understands and effectively handles risks."
To fulfill this purpose, organizations must:
- Establish governance of risk management
- Nurture a risk management culture and identify risks
- Analyze and evaluate risks
- Treat, monitor, and review risks
## Key Terms
Risk: A potential event that could cause harm or loss, or hinder objective achievement.
Control: Means of managing risk, ensuring business objectives are achieved, or processes are followed.
⚠️ Important note: Risk encompasses both threats (negative outcomes) and opportunities (positive outcomes). Organizations focusing solely on threat avoidance may miss valuable opportunities.
## Risk Appetite and Capacity
| Concept | Definition | Example |
|---|---|---|
| Risk appetite | Amount and type of risk acceptable to pursue objectives | Startups accepting higher technology risk for faster innovation |
| Risk capacity | Maximum risk an organization can bear regardless of appetite | Regulatory requirements capping overall exposure |
## Processes
### Governance of Risk Management
- Monitor the organization and environment for changes affecting risk posture
- Evaluate organizational and environmental changes for significance
- Document risk capacity and risk appetite thresholds
- Document risk management policy and framework
- Provide management direction communicating priorities and expectations
### Risk Identification, Analysis, and Treatment
The core risk management cycle includes:
- Risk identification: Discover and describe risks across all four dimensions (organizations/people, information/technology, partners/suppliers, value streams/processes)
- Risk analysis and evaluation: Assess likelihood and impact; evaluate against risk appetite
- Risk treatment: Select and implement appropriate response
Treatment options:
| Option | Description | When to Use |
|---|---|---|
| Avoid | Eliminate risk by changing plans | Risk exceeds appetite and can be eliminated by design |
| Mitigate | Reduce likelihood or impact through controls | Risk manageable to acceptable level |
| Transfer | Shift risk to another party (insurance, outsourcing) | A third party is better positioned to handle the risk |
| Accept | Acknowledge risk and take no action | Within appetite; treatment cost exceeds benefit |
### Risk Monitoring and Review
- Control assessments and evaluations that test control effectiveness
- Formal risk audits reviewing landscape, register accuracy, and treatment effectiveness
## Recommendations for Practice Success
- Understand and communicate risk appetite organization-wide
- Reward risk identification; create culture valuing risk reporting
- Consider risks across all four dimensions, not just technology
- Manage strategic, tactical, and operational risks
- Automate risk treatment where practical
- Integrate risk management into organizational value streams
## Key Metrics
| Metric | What It Measures |
|---|---|
| Time since last risk appetite/capacity review | Framework currency |
| Strategic risks fully documented | Risk identification completeness |
| Employees feeling safe to report risks (survey) | Risk culture health |
| Risks reported by non-risk roles | Risk awareness breadth |
| Risks with documented likelihood, impact, and owner | Risk register quality |
| Risks with treatment plan and next action date | Active risk management |
| Risks reviewed in last six months | Review cycle timeliness |
| Controls reviewed and audited in last six months | Control assurance |
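The evaluation step in the risk cycle above (assess likelihood and impact, compare against risk appetite, pick a treatment) and several of the register-quality metrics in this table can be computed directly from a risk register. The following Python is an added example, not part of the original page or of any ITIL tooling; it assumes a hypothetical 1 to 5 scale for likelihood and impact, a hypothetical appetite threshold of 12 on the resulting score, a six-month window approximated as 182 days, and a small constructed register of four risks.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical appetite threshold: a score (likelihood x impact, each 1..5, max 25)
# at or above this value exceeds appetite and should not simply be "accepted".
RISK_APPETITE = 12
# Roles whose reports do not count toward the "risks reported by non-risk roles" metric.
RISK_ROLES = {"risk manager", "risk owner"}


@dataclass
class Risk:
    risk_id: str
    description: str
    dimension: str                    # organizations/people, information/technology, partners/suppliers, value streams/processes
    reported_by_role: str
    likelihood: Optional[int] = None  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: Optional[int] = None      # 1 (negligible) .. 5 (severe); assumed scale
    owner: Optional[str] = None
    treatment: Optional[str] = None   # avoid | mitigate | transfer | accept
    next_action: Optional[date] = None
    last_reviewed: Optional[date] = None

    def score(self) -> Optional[int]:
        """Likelihood x impact, or None when either value is undocumented."""
        if self.likelihood is None or self.impact is None:
            return None
        return self.likelihood * self.impact

    def exceeds_appetite(self, appetite: int = RISK_APPETITE) -> bool:
        s = self.score()
        return s is not None and s >= appetite


def register_metrics(risks, today: date, appetite: int = RISK_APPETITE) -> dict:
    """Compute register-quality and review-timeliness metrics over a list of Risk records."""
    cutoff = today - timedelta(days=182)  # "last six months", approximated
    over = [r for r in risks if r.exceeds_appetite(appetite)]
    return {
        "total": len(risks),
        # Risks with documented likelihood, impact, and owner (register quality)
        "fully_documented": sum(1 for r in risks
                                if r.likelihood is not None and r.impact is not None and r.owner),
        # Risks with a treatment plan and a next action date (active management)
        "with_plan": sum(1 for r in risks if r.treatment and r.next_action),
        # Risks reviewed within the window (review cycle timeliness)
        "reviewed_recently": sum(1 for r in risks
                                 if r.last_reviewed is not None and r.last_reviewed >= cutoff),
        # Risks raised by people outside the risk function (awareness breadth)
        "non_risk_reports": sum(1 for r in risks if r.reported_by_role.lower() not in RISK_ROLES),
        # Evaluation against appetite: which risks need a real treatment decision
        "over_appetite": [r.risk_id for r in over],
        "accepted_over_appetite": [r.risk_id for r in over if r.treatment == "accept"],
    }


# Constructed sample register (illustrative values only).
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_REGISTER = [
    Risk("R1", "Unpatched internet-facing service", "information/technology", "engineer",
         likelihood=4, impact=4, owner="CISO", treatment="mitigate",
         next_action=date(2024, 7, 15), last_reviewed=date(2024, 5, 1)),
    Risk("R2", "Single supplier for a critical component", "partners/suppliers", "risk owner",
         likelihood=2, impact=3, owner="Procurement lead", treatment="transfer",
         next_action=date(2024, 8, 1), last_reviewed=date(2023, 11, 15)),
    Risk("R3", "Key-person dependency in on-call rota", "organizations/people", "support analyst",
         impact=5),  # likelihood, owner, treatment and review dates still undocumented
    Risk("R4", "Manual approval step bypassable under time pressure", "value streams/processes",
         "risk manager", likelihood=3, impact=5, owner="Ops manager", treatment="accept",
         last_reviewed=date(2024, 3, 10)),
]


def sample_metrics() -> dict:
    return register_metrics(SAMPLE_REGISTER, SAMPLE_TODAY)


if __name__ == "__main__":
    for key, value in sample_metrics().items():
        print(f"{key}: {value}")
```

Running the block reports 3 of 4 risks fully documented, 2 with a plan and next action, 2 reviewed within the window, 2 raised by non-risk roles, and flags R1 and R4 as over appetite, with R4 singled out because an "accept" treatment above appetite contradicts the treatment table above and warrants an explicit owner decision.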
## Key Roles
- Risk manager: Coordinates framework, maintains risk register, reports to senior leadership
- Risk owner: Accountable for specific risk treatment and monitoring
## Software Tools
- Risk management tools
- Analysis and reporting tools
- Automated testing tools
- Business process modeling tools
- Collaboration and communication tools
- Enterprise architecture management tools
- Knowledge and document management tools
- Monitoring and event management tools
- Service configuration management tools
- Workflow and task management tools