There are many ways to manage risk. In this article I offer a classification scheme – just one of many possibilities – designed to help you see options you may not have thought of before, and make sensible selections.
Undoubtedly there are gaps in this scheme, but it still gives a wider view than most sources so it can still help you think of worthwhile strategies that you might have overlooked.
Approaches to Risk Management
With Possibility Thinking
These are approaches that necessarily involve thinking of possibilities. These possibilities might be potential future situations or events, possible current situations, or possible histories.
Part of core management processes
These are approaches that involve modifying the way core management processes are done in order to deal with limited knowledge (and resulting uncertainty, and resulting risk) more effectively.
What If? Thinking
This involves some kind of decision-support model (e.g. a spreadsheet model of cash flows) that is used repeatedly to find out the impact of different assumptions about the future, and different courses of action. This is probably one of the most common approaches in practice, even if most people who do it do not think of it as risk management.
Models with Uncertainty
This is a very broad range of approaches that involve representing uncertainty explicitly in decision-support models and other models used within core management processes.
The best known examples in business concern decision making, planning, and design, where each alternative course of action (design, or plan) is evaluated by predicted what results it might provide, valuing them in some way, and choosing the most attractive option. Less obvious examples are diagnosis (e.g. of an illness or a fault with a machine), and investigation of past events (e.g. solving a crime, evaluating performance).
In these approaches uncertainty is made more explicit somehow. Often this is through a model with explicit probabilities. In other approaches uncertainty is considered using a discount rate. In others a ‘risk metric’ is calculated and a trade off between risk and returns is made. Decisions and diagnoses are usually supported by explicit models and a huge range of modelling alternatives is available.
Scenario Planning involves thinking of distinct futures and making plans that might work in some or all of those scenarios. Various tactics are used to help people think a bit more widely than usual about what might happen, and there is usually a requirement to work out how each scenario could arise.
Scenario Planning does not usually involve assigning probabilities to scenarios, though it can do, in which case it becomes another variation on Models with Uncertainty.
This approach becomes useful when there is an intelligent adversary to consider. This is in contrast to, say, the weather, which is hard to predict but not out to get you. Participants in War Gaming take on the roles of each side in the ‘war’ and act out possible ‘wars’, gaining an insight into how an adversary might think and respond.
These are approaches that involve operating a new process that is not naturally a core management process and operating it separately, or interfaced with core management activities.
This approach is recognizable from its distinctive process. This includes three key phases in order: risk identification, risk assessment, and risk treatment. In other words, you are required to make a list of risks (usually events that might happen in future), think about how important they are, then choose responses to those risks (i.e. actions that will modify the potential consequences of those risks). This process means that the only decisions about actions are on actions seen as wholly or mainly responses to risks. Other decisions about actions are outside the natural scope of Risk Listing.
Risk Listing can also be identified from its distinctive language, with 'risks' mentioned often and a large number of phrases where 'risk' is used as a qualifier (e.g. ‘risk reporting’, ‘risk criteria’, ‘risk register’). Also, it is strongly associated with the techniques that are almost always used for it: risk registers, probability and impact ratings, probability-impact matrices, and decisions based on risk level thresholds or targets (sometimes called ‘risk criteria’ or ‘risk appetite’).
Without Possibility Thinking
In contrast to the With Possibility Thinking approaches, these other approaches do not necessarily involve thinking of possibilities, though that might happen sometimes in order to do them better. They may also be put in place as a result of Possibility Thinking, though that too is not necessarily the case. Usually they are adopted as standard policy because people believe, from logic or experience, that they are a good idea.
These approaches aim to improve information flow, quicken responses, and make it easier to change in response to new information.
Software, new businesses, and changes in existing organizations are usually best done as a rapid series of small changes, each one put into practice so that learning from experiences is accelerated. Incremental delivery contributes hugely to good risk management, even without any attempt to think of future possibilities.
Thinking of products, investments, projects, and so on as forming a portfolio involves (1) an effort to keep them as somewhat separate entities that can be removed or acquired at will, which promotes flexibility, and (2) being mindful of the fact that in combination their value may be more or less than the sum of their parts.
Control by feedback loops
What thermostatic control and budgetary control have in common is a reference value (i.e. a target) and a mechanism for sensing reality and triggering actions that will close the gap between the target and reality.
This kind of responsiveness is an effective way to manage risk provided the response is quick enough and is capable of achieving the target. In practice it is sometimes the case that the heating system of a house is unable to compensate for extreme external temperatures, while actions taken only once budget variances have arisen usually just limit damage.
Sensing, communicating, and adapting
This seems almost too obvious and general to mention as an approach to risk management, and yet it is one of the most important. People in an organization should be alert to new information, respond to it, and pass it on. Recently I had to call a computer security company because of a problem with one of their products that I thought might also be affecting many other customers. The person I spoke to in the call centre wasn't interested in this possibility. He was only focused on dealing with my problem. How can senior executives know what is going on in a company if even front line staff aren't listening?
This idea of encouraging information sharing also helps customers and suppliers work together, potentially along an entire supply chain.
This can be applied to operational costs and to funding. In both cases, adapting to circumstances is made easier by keeping gearing low.
A company whose costs are mostly fixed, meaning that they do not change as sales/production volume varies, is more risky than one whose costs are mostly variable, meaning that they do change as sales/production volume varies.
Similarly, a company whose funds are mostly from fixed interest loans is more risky than one whose funds are mostly from selling shares, where the dividends paid can be reduced when profits fall.
Lessons are learned more quickly and confidently with well designed experiments. Organizations can make a habit of using traditional experimental methods like random sampling and control groups.
Robustness: making things that weather the storm
This is another very important way that organizations and objects are made to survive an unpredictable future.
Just make things tougher – harder and less brittle – might involve using different materials for physical components, or perhaps making access restrictions to a computer or building stricter.
Multiple layers of defence
Achieving a particular level of defence is often easier with multiple layers than with just one layer.
Building reserves (e.g. of capital)
Having a buffer of money or other resources lets you carry on uninterrupted by unpredicted problems – up to a point. This is much more than just avoiding complete ruin. Our lives are a mass of habits, routines, schedules, and plans. Changing these, especially under time pressure, is hard work, stressful, and sometimes costly. Having reserves enables us to carry on smoothly despite unpredicted issues. Sensible people do this every day.
Examples of deliberate redundancy include having a backup power supply, having more than one supplier for key components, having more than one transport or communications route between two locations, and sending messages where the whole message can often be reconstructed even if some of the message is lost due to interference.
If the worry is enemies then hiding is often a good strategy.
Hundreds of people receive notification of new publications every month. They include company directors, heads of finance, of internal audit, of risk management, and of internal control, professors, and other influential authors and researchers.