Where is the value in risk management?

12:44 13 April in Business
It always starts the same way – “So what is it that you do, risk management? So you work for a bank?” Err no. “So you are in insurance?” No not quite. “Health and safety?” Definitely not!

So what exactly is “risk management” and where is it really valued? It means so many things to so many people. To many it will mean financial risk management that forms the backbone of all banks (albeit a weak backbone as we saw when the financial crisis broke…). People will talk about Enterprise Risk Management without really expanding much beyond the financial aspects of risk. And if we get into H&S then we lose the “business” context of risk to a great extent and probably credibility, whether justified or not.


Rather than try and define all these different types of “risk management” (you have Wikipedia for that…), I was thinking about how risk management can bring the most “value” to your business. Value can be measured in many ways and perhaps the most obvious way to measure value in risk management is to look at the financial value of the risks identified. The problem with this approach is that it relies on estimates that may be no more than wild guesses. And when someone estimates the financial impact of a risk, where do they stop, at the immediate impact or the ultimate impact? For example, it could be claimed that every “showstopper” risk could be valued at the entire cost of a project or business process.

The way I am going to describe value here works very well for an “uncertain” subject like risk management. Demonstrable value from a risk management process would be gained from helping to identify risks that are not obvious and would not have been identified without its application.

Which then leads us to look at the different areas of risk that fall under the Enterprise risk umbrella and assess their relative “difficulty”, and therefore the opportunity to demonstrate value by identifying new risks, i.e.:

Operational risk management: True operational risk looks at the ongoing, recurring processes in the business and not the one-off projects. As such, the operational staff tend to be very familiar with the business processes – they do it every day – and therefore they can tell you the risks without the need for formal risk management. In situations like this, formal risk management tends to be seen as an administrative overhead as it doesn’t tend to identify “new” risks.

Strategic risk management: The risk to the business strategy is obviously a big deal – if the strategy fails, the entire business could fail. But when the strategy statement (assuming that there is one?) has been broken down into its constituent assumptions, there will be a reasonably small number to analyse. How they are rated may raise a surprise or two but completely new risks are unlikely.

Project risk management: Projects are one-off exercises, that is, you have never tried to achieve the specific objectives before or it would already be an ongoing business process. The sheer newness of a project guarantees new risks, and not all of them will be obvious from the start. The use of a formal risk management process is therefore entirely justified and will be valued.

Programme risk management: Programmes are made up of multiple projects that are interdependent. Therefore all that was said about project risk management above can be multiplied exponentially. A true programme risk management process like ABCD is required here to prioritise clearly and ensure that “you can see the wood for the trees”. Get this right and immense benefits will be realised in the form of risks that would never have been identified without the rigor, and the perceived value will be very high.

The four types of risk management above have therefore been ranked in terms of perceived value from the lowest (operational) to the highest (programme). That is, you are more likely to identify new risks by using formal risk management processes in a programme than a project, or strategy or operations, in that order. And let’s be clear that we are talking about risks that require proactive management. Black Swans introduce a whole new ball game, but that’s a different story…


ABS packs inflate via a rip-cord if you are caught in an avalanche – real risk management

  • Keith Baxter 10:29h, 10 April

    Hi Keith. Great blog as usual. I was taken by the way you define operational risk. In my experience, operational risk management tends to encompass project risk management. Also in my experience, this means that the projects do not get the attention that they deserve and there seems to be a fixation on the ongoing operational processes.

  • Keith Baxter 10:16h, 10 April

    Hi Julie. I would tend to agree with you 100%. Many organisations insist on lumping their projects in with their ongoing business processes and this results in inappropriate risk management – either too much or, more likely, too little. The one-off nature of projects means that they are, quite simply, more risky.

  • Keith Baxter 18:23h, 10 April

    Long time no hear Keith. Where have you been? And where are the photos taken that are on the blog?

  • Keith Baxter 22:05h, 10 April

    Hi Christine – long time no hear too? Working on two large contracts in parallel at present. One involves lots of European travel and the other is in the Middle East. Hoping that the volcanic dust clears up soon of course :-)

    The photos are all taken on the Vallee Blanche ski run on Mont Blanc in March this year. Perfect conditions – just love that place.

  • Keith Baxter 17:05h, 10 April

    Keith, I think that you are being a little unfair on H&S. Applied correctly, it can avoid many avoidable accidents and has. Surely it has a valuable role to play in the enterprise risk management portfolio?

  • Keith Baxter 22:39h, 10 April

    Hi John – well I probably was being a little facetious about H&S but you cannot deny – the area has built up a generally poor reputation for over-reaction and bureaucracy.

    I entirely agree that H&S properly done is a valuable part of Enterprise Risk Management but the practice keeps shooting itself in the foot.

    Take the recent/current volcanic ash flight ban. It was when I heard that the ban was based on “any ash = no flying” and then an
