Risk management is the human activity that integrates the recognition of risk, risk assessment, the development of strategies to manage it, and the mitigation of risk using managerial resources. The general objective of risk management is to reduce the various risks in a pre-selected domain to a level accepted by society. It may address many kinds of threats, whether caused by the environment, technology, people, organizations or politics. It also draws on all the means available to people, or more specifically to a risk-managing entity (a person, a team or an organization).
In enterprise risk management, a risk is defined as a possible event or circumstance that can have negative influences on the enterprise in question. Its impact can be on the very existence, the resources (human and capital), the products and services, or the clients of the enterprise, as well as external impacts on society or the environment.
It is widely held that the intelligent management of risk is the basis of significant reward: by recognizing, understanding and managing risks, more risks can be assumed and performance increased.
Best-practice methodologies for managing risk generally consist of the following steps:
- Identify potential risks
- Perform risk assessment(s); develop risk profile(s)
- Develop a plan for managing risk(s)
- Implement the plan(s)
- Assess the outcome(s)
- Repeat steps 3, 4 and 5 if necessary
As a guideline for developing a plan (step 3), once a risk has been identified and assessed, the techniques for managing it generally fall into one or more of four major categories (remembered as the 4 T's):
- Tolerate (also called retention): accept the loss when it occurs.
- Treat (also called mitigation): apply methods that reduce the severity of the loss.
- Terminate (also called elimination): do not perform an activity that could carry the risk.
- Transfer (for example, by buying insurance): cause another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts.
Initial risk management plans will never be perfect. Practice, experience and actual loss results will necessitate changes to the plan and provide information that may lead to different decisions about the risks being faced.
Risk analysis results and management plans and policies need to be updated periodically. There are two primary reasons for this:
- To evaluate whether the previously selected security controls are still applicable and effective, and
- To evaluate possible changes in the risk level of the business environment. Information risks, for instance, are a good example of a rapidly changing environment.
If risks are improperly assessed and prioritized, time can be wasted dealing with losses that are not likely to occur. Spending too much time assessing and managing unlikely risks diverts resources that could be used more profitably. Unlikely events do occur, but if a risk is unlikely enough it may be better simply to retain it and deal with the result if the loss does in fact occur.
Giving the risk management process too high a priority can keep an organization from ever completing a project, or even from getting started. This is especially true if other work is suspended until the risk management process is considered complete.
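The following Python snippet is an added illustration, not part of the original text, of steps 1 to 3 above and of the point about retaining unlikely risks: a small risk register where each entry carries an estimated likelihood, impact and activity benefit, ranked by expected loss and mapped to one of the 4 T's. The decision rules, the thresholds (`tolerance`, `absorb_limit`) and every figure in the sample register are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # estimated probability of occurring per year (0..1)
    impact: float      # estimated loss if it occurs, in currency units
    benefit: float     # annual value of the activity that carries the risk

    @property
    def expected_loss(self) -> float:
        """Annualised expected loss: likelihood x impact."""
        return self.likelihood * self.impact


def choose_strategy(risk: Risk, tolerance: float, absorb_limit: float) -> str:
    """Pick one of the 4 T's. The rule order and thresholds are assumptions.

    tolerance    - expected loss the organisation is willing to simply retain
    absorb_limit - largest single loss it can absorb without outside help
    """
    if risk.expected_loss <= tolerance:
        return "Tolerate"   # unlikely or cheap: retain it and deal with it if it happens
    if risk.expected_loss > risk.benefit:
        return "Terminate"  # the activity costs more than it earns: stop doing it
    if risk.impact > absorb_limit:
        return "Transfer"   # survivable on average but not in one hit: insure/contract
    return "Treat"          # worth keeping and affordable: reduce the severity


def build_plan(register, tolerance, absorb_limit):
    """Rank risks by expected loss (highest first) and attach a strategy to each."""
    ranked = sorted(register, key=lambda r: r.expected_loss, reverse=True)
    return [(r.name, round(r.expected_loss), choose_strategy(r, tolerance, absorb_limit))
            for r in ranked]


# Constructed sample register; every figure here is illustrative, not measured.
REGISTER = [
    Risk("phishing leads to credential theft", 0.6, 50_000, 1_000_000),
    Risk("meteor strike destroys data centre", 0.0001, 10_000_000, 1_000_000),
    Risk("unpatched legacy app stays exposed", 0.5, 800_000, 100_000),
    Risk("fire in main office", 0.02, 1_000_000, 1_000_000),
]

if __name__ == "__main__":
    for name, loss, strategy in build_plan(REGISTER, tolerance=5_000, absorb_limit=250_000):
        print(f"{strategy:<10} expected loss {loss:>9,}  {name}")
```

The meteor strike, despite its enormous impact, ends up tolerated because its expected loss falls under the retention threshold, which is exactly the trade-off the paragraph above describes.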