I think, laudable) trend is to put the word enterprise in front of risk management to indicate that it is a comprehensive approach to risk for the firm. Enterprise risk management (ERM) is one of the headings under which many of the trends in risk management appear. I'll call ERM a type of risk management program, because this is often the banner under which risk management is known. I will also distinguish programs from actual methods because ERM could be implemented with entirely different methods, either soft or quantitative.
The following are just a few examples of various programs related to managing different kinds of risks (Note: Some of these can be components of others and the same program can contain a variety of different methods):
Enterprise risk management (ERM)
Project portfolio management (PPM) or Project risk management (PRM)
Portfolio management (as in financial investments)
Disaster recovery and business continuity planning (DR/BCP)
Governance risk and compliance (GRC)
Emergency/crisis management processes
The types of risks managed, just to name a few, include physical security, product liability, information security, various forms of insurance, investment volatility, regulatory compliance, actions of competitors, workplace safety, getting vendors or customers to share risks, political risks in foreign governments, business recovery from natural catastrophes, or any other uncertainty that could result in a significant loss.
As the previous definition indicates, risk management activities include the analysis and mitigation of risks as well as establishing the tolerance for risk and managing the resources for doing all of this. All of these components of risk management are important but the reader will notice that this book will spend a lot of time on evaluating methods of risk analysis. So let me offer both a long and short definition of risk analysis at this point.
DEFINITION OF RISK ANALYSIS
Long definition: The detailed examination of the components of risk, including the evaluation of the probabilities of various events and their ultimate consequences, with the ultimate goal of informing risk management efforts
Shorter definition: How you figure out what your risks are (so you can do something about it)
Note that some risk managers will make a distinction between risk analysis and risk assessment or may use them synonymously. If they are used separately, it is often because the identification of risk is considered separate from the analysis of those risks and together they comprise risk assessment. Personally, I find the analysis and identification of risks to be an iterative, back-and-forth process without a clear border between them. That is, we start with some identification of risk but on analyzing them, we identify more risks. So I may use the terms analysis and assessment a bit more interchangeably.
Now, obviously, if risk analysis methods were flawed, then the risk management would have to be misguided. If the initial analysis of risk is not based on meaningful measures, the risk mitigation methods are bound to address the wrong problems. If risk analysis is a failure, then the best case is that the risk management effort is simply a waste of time and money because decisions are ultimately unimproved. In the worst case, the erroneous conclusions lead the organization down a more dangerous path that it would probably not have otherwise taken. Just consider how flawed risk management may impact an organization or the public in the following situations.
The approval and prioritization of investments and project portfolios in major US companies
The level of protections needed for major security threats, including cybersecurity threats, for business and government
The approval of government programs worth many billions of dollars
The determination of when additional maintenance is required for old bridges or other infrastructure
The evaluation of patient risks in health care
The identification of supply chain risks due to pandemic viruses
The decision to outsource pharmaceutical production overseas
Risks in any of these areas, and many more, could reveal themselves only after a major disaster in a business, government program, or even your personal life. Clearly, mismeasurement of these risks would lead to major problems—as has already happened in some cases.
The specific method used to assess these risks may have been sold as “formal and structured” and perhaps it was even claimed to be “proven.” Surveys of organizations even show a significant percentage of managers who will say the risk management program was “successful” (more on this to come). Perhaps success was claimed for the reason that it helped to “build consensus,” “communicate risks,” or “change the culture.”
Because the methods used did not actually measure these risks in a mathematically and scientifically sound manner, management doesn't even have the basis for determining whether a method works. Sometimes, management or vendors rely on surveys to assess the effectiveness of risk analysis, but they are almost always self-assessments by the surveyed organizations. They are not independent, objective measures of success in reducing risks.
I'm focusing on the analysis component of risk management because, as stated previously, risk management has to be informed in part by risk analysis. And then, how risks are mitigated is informed by the cost of those mitigations and the expected effect those mitigations will have on risks. In other words, even choosing mitigations involves another layer of risk analysis.
This, in no way, should be interpreted as a conflation of risk analysis with risk management. Yes, I will be addressing issues other than what is strictly the analysis of risk as the problem later in this book. But it should be clear that if this link is weak, then that's where the entire process fails. If risk analysis is broken, it is the first and most fundamental common mode failure of risk management.
And just as risk analysis is a subset of risk management, those are subsets of decision analysis in general decision-making. Risks are considered alongside opportunities when making decisions, and decision analysis is a quantitative treatment of that topic. Having risk management without being integrated into decision-making in general is like a store that sells only left-handed gloves.
WHAT FAILURE MEANS
Now that we have defined risk management, we need to discuss what I mean by the failure of risk management. With some exceptions, it may not be very obvious. And that is part of the problem.
First, a couple of points about the anecdotes I just used. I believe airlines and aircraft manufacturers involved in the crashes described before were probably applying what they believed to be a prudent level of risk management. I also believe that many of the other organizations involved in other disasters I listed were not always just ignoring risk management practices. When I refer to the “failure of risk management,” I do not just refer to outright negligence. Deliberately failing to employ the accounting controls that would have avoided Enron's demise, for example, are not the kind of failures I examine the most in this book. I will concentrate more on the failure of sincere efforts to manage risks—as I will presume is the case with many organizations—even though we know the possible lawsuits must argue otherwise. I'm focusing on
