I want to congratulate David Hillson (a.k.a. the Risk Doctor) for his video explaining his view of risk management basics.
In “Risk management basics: What exactly is it?”, he takes less than five minutes to sum up risk management with six questions:
- What am I trying to achieve?
- What might affect me? Are there things out there in the future that might help or hinder me?
- Which of those things that might affect me are the most important?
- What should I do about it?
- Did it work?
- What changed?
He says that “managing risk is one of the most natural things we can do and one of the most important”. I have to agree, although I don’t think we do it as well as we should.
I like his six questions.
David has written 11 books on risk management, which is more than me, and I have to admit that I have not read them. While I suspect that we will not agree on every topic, such as the value of risk appetite statements, his six basic questions are similar to my set.
This is what I have included in the book I am writing now, on making business sense of technology risk.
I like to explain risk management as something every effective manager does:
- They understand where they are today and where they need to go (their objectives).
- They understand, as best they can, what might happen as they work towards achieving those objectives. I recommend the expression: “they anticipate what might happen.”
- They consider (or assess) whether that is acceptable. Will they still be able to achieve their objectives, even if they suffer an acceptable level of harm in the process?
- If either the likelihood of success or the likelihood of great harm is unacceptable, they take action. That action could include not only managing the risk but also changing the strategy or even the objective.
We start in a similar fashion and use plain English rather than risk technobabble. (See Risk Management in Plain English).
But I believe you need to set the right objectives first.
I also believe that rather than assessing risks out of context, you need to consider all the things that might happen and assess whether that totality is acceptable.
In other words, manage success rather than risk and certainly don’t manage one risk at a time.
Beyond that, we seem to be on the same page.
What do you think?
Is this simple approach right? Certainly there is more complexity when assessing the various things that might happen, especially when multiple things might flow from a single decision. But isn’t this a good start?
I welcome your thoughts.
He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Norman D. Marks, CPA, CRMA