Risk management has been one of the hottest topics in business, nonprofit, and government publications over the past few years. This is no surprise, given business imperatives to manage costs, identify and exploit opportunities, and protect and defend against threats to reputation. But the language of risk management is often complex – and sometimes counterintuitive. Here are some key terms:
Risk. Some use the term “risk” to mean negative uncertainties or the potential for negative outcomes. We do not. Rather, we agree with Sim Segal in his excellent manual, The Corporate Value of Enterprise Risk Management: Risk is uncertainty. Risk derives from the fact that we do not know exactly what will happen.
Risk is not an inherently negative word. To the contrary, as Peter Bernstein points out in Against the Gods, “The word ‘risk’ derives from the early Italian risicare, which means ‘to dare.’ In this sense, risk is a choice rather than a fate. The actions we dare to take, which depend on how free we are to make choices, are what the story of risk is all about.” Again, risk is uncertainty – it can be positive (often termed “opportunity”) or negative (“threat”).
Risk Management. “Risk management” is any organized effort to identify, assess, prioritize, and account for risk in decision-making.
Enterprise Risk Management. “Enterprise Risk Management” is something more grand and more ambiguous than mere risk management. The ERM movement began in the 1970s as an effort to coordinate risk management efforts in complex organizations. The guiding principle of ERM is that risk must be identified, assessed, prioritized, accounted for, and reported on at a company-wide level, as opposed to being dealt with on a siloed, divisional, or business-unit level.
Risk Register. Also sometimes called a risk log, a “risk register” is a centralized document or program in which members of an organization can identify ongoing risks to the organization.
Risk Assessment. A “risk assessment” (or “risk inventory”) is an evaluation of uncertainties faced by an organization, either with respect to a particular project or the entire organization.
Risk Tolerance. “Risk tolerance” is a term used to describe how much potential upside or downside impact an organization can absorb without being threatened with extinction. Risk tolerance defines the outer boundary of how much risk an organization can take.
An organization’s risk tolerance involves numerous factors, including for example the following:
- financial resources (How large a loss can the organization sustain? How grand an opportunity can the organization exploit?);
- organizational capacity (Do we have the systems and controls in place to identify and address shocks, nimbly grow opportunities, and move the organization forward?);
- the current mix of activities (What are we doing right now?)
- operational and strategic plans (What do we expect to do in the near term and long term?); and
- talent management (Do we have the right people in the right seats? Can we keep them?).
Risk Appetite. “Risk appetite” is a judgment by an organization’s leadership team about how much risk it wishes to engage in as a whole or with respect to particular initiatives. Where risk tolerance describes how much risk an organization can take, risk appetite describes how much risk an organization wants to take. Risk appetite will be influenced by the leadership’s risk preferences and the organization’s objectives (e.g., profit maximization for shareholders, security for employees, service to target populations, reputational implications of failure).
Risk Quantification. “Risk quantification” is the effort to identify the impact of a potential threat or opportunity. Risk quantification may include many facets, such as likelihood (will it happen?), magnitude (what are its effects, in terms of money, reputation, or other relevant criteria?), and onset speed (would it happen overnight, or more gradually?). Risk quantification can vary in sophistication from rough qualitative judgments by informed personnel to complex financial, operational, and strategic modeling.
Your Turn. What other “risk”-related words cause confusion? Let us know, and we will try to clear things up.
Please share this post if you found it useful. We are out to change how organizations think about risk management, and we need your help.