One way of understanding risk management is to think about what risk management is not. Let’s take three minutes to compare and contrast risk management and other, related concepts.
Risk management is not worrying. It’s not about fretting and constructing worst-case scenarios. A risk management program is not designed to freeze an organization because of the fear of what might happen. It is instead about exercising informed judgment to manage our environments, to assess what realistically might happen, to control what we can control, to take advantage of opportunities that are worth pursuing, and to achieve our goals.
Risk management is not strategic planning. No doubt, you and your organizations have gone through strategic planning processes in which you have done a SWOT analysis, which looks at strengths, weaknesses, opportunities, and threats. We talk about threats and opportunities in risk management, and we focus on building our strengths and reducing weaknesses. But the emphasis in a risk management program is dynamic. Furthermore, where strategic planning projects into the future what an organization would like to do, risk management focuses on how to get where the organization wants to go, and how to avoid the slipups that could undermine objectives. (For more on the interaction of strategic planning and risk management, explore this article by Michael Raynor. It’s worth it.)
Risk management is not auditing. Auditing is usually performed by accountants, and it usually is performed in order to determine whether financial statements are presented in accordance with generally accepted accounting principles. Risk management may draw upon auditing procedures. For instance, risk management might involve sampling, verification of data, tracing information, and reporting results. But getting an audit – and receiving a “clean” or unqualified audit opinion – is not the same as having a risk management program. The two are very different. An organization with no risk management program may get a clean audit opinion by presenting its financial information in conformity with GAAP, and an organization with a risk management program may receive an adverse audit opinion (by having material misstatements that undermine the accuracy of the organization’s financial reports).
Risk management is not the entirety of management. Management, generally speaking, includes supervision, motivation, discipline, and a host of other activities that coordinate efforts within an organization. Risk management is a part of overall management, but it is not all of it.
Finally, risk management is not insurance. Insurance, as we’ve noted elsewhere, is a way of shifting the potential impact of certain threats to a third party. Insurance is a part of risk management. But having insurance does not equate to having a risk management program. A part is not the whole.
Please share this post if you found it useful. We are out to change how organizations think about risk management, and we need your help.