1.1 Definitions


Risk is a concept familiar to investors, company and project managers, and decision makers in general. Risk is the possibility that something will happen that has adverse consequences. The definition therefore includes two elements: a probability and a consequence.

For an organization, risk is the possibility that something will affect the realization of its strategic and operational goals.

Some frameworks also count the possibility of a positive event (an opportunity) as risk. In this course, however, we limit ourselves to undesired events and their management.

Strategic and operational risks

An organization has both strategic and operational risks.

Strategic risks may jeopardize the achievement of strategic objectives. They are typically wrong choices or missed opportunities. For example, a company may attempt to enter a market in which it cannot succeed, or it may fail to invest in a technology that would have given it a competitive advantage. In the worst case, a strategic risk may threaten the very existence of the company.

Operational risks, on the other hand, relate to daily operations and are usually caused by people. Examples are risks in project activities or in IT.

Operational risks may also arise from external events that the organization cannot influence, such as wars, economic sanctions and the consequences of climate change.

Risk management

Risk management aims to secure the continuity of an organization's operations and the well-being of its personnel by identifying risks and preparing for them.

According to the widely used COSO ERM framework, Enterprise Risk Management (ERM), that is, the risk management of a company or other organization, consists of five components:

  1. Governance & Culture
  2. Strategy & Objective-Setting
  3. Performance
  4. Review & Revision
  5. Information, Communication & Reporting

The elements of organizational risk management according to COSO ERM

Governance, culture and strategy

ERM is the responsibility of the organization's senior governance. Governance defines how the organization organizes and implements risk management and promotes the development of a favourable risk culture.

In large companies and public organizations, governance must consider how risk management is organized at the business-area, unit and function level. Smaller companies likewise have to define a risk management model for the organization as a whole and for its different functions.

Governance sets the goals for risk management and makes the strategic choices. An important starting point is the organization's risk tolerance. How an organization chooses to prepare for risks is also a strategic choice: for some, preparation may mean taking out insurance; for others, diversifying investments or operations.

Performance, review and communication

Performance covers the identification, analysis and management of risks. We look at these in more detail in the second part of the course.

Organizations use different tools for their daily risk management and communication. Leadership prefers an overall view, while individual functions, such as project management, need more detailed information on individual risks.

A risk register is a typical management and communication tool: a table or a software application that catalogues risks together with their probability, effect and means of management. A register may cover the entire organization or a single function; for example, financial risks and project risks may each have their own register.
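The following is an added example, not part of the course material, showing what a minimal risk register looks like in code: each entry carries the probability, effect and controls described above, the register can be ranked for a function owner or aggregated per function for leadership, and entries can be checked against the risk tolerance set by governance. The sample entries, the scoring rule (expected annual loss = probability x impact) and the tolerance threshold are constructed assumptions for illustration.

```python
"""Minimal risk register with probability/impact scoring.

Added example; the entries below are constructed sample data, and the
expected-loss scoring rule and tolerance value are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    function: str          # owning function, e.g. "IT" or "Project"
    description: str
    probability: float     # annual likelihood of the event, 0.0 .. 1.0
    impact: float          # loss if the event occurs, in euros
    controls: list[str] = field(default_factory=list)  # means of management

    def __post_init__(self) -> None:
        # Reject entries that cannot be scored, so the register stays consistent.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.risk_id}: probability must be within [0, 1]")
        if self.impact < 0:
            raise ValueError(f"{self.risk_id}: impact must be non-negative")

    @property
    def expected_loss(self) -> float:
        """Expected annual loss: probability multiplied by consequence (assumed rule)."""
        return self.probability * self.impact


# Constructed sample register (not real data).
REGISTER: list[Risk] = [
    Risk("IT-01", "IT", "Ransomware encrypts file servers", 0.10, 800_000,
         ["offline backups", "EDR", "phishing training"]),
    Risk("IT-02", "IT", "Cloud provider regional outage", 0.05, 200_000,
         ["multi-region deployment"]),
    Risk("PRJ-01", "Project", "Key supplier delivers late", 0.30, 50_000,
         ["penalty clause", "second supplier"]),
    Risk("FIN-01", "Finance", "Currency exposure on USD contracts", 0.50, 40_000,
         ["hedging"]),
]


def ranked(register: list[Risk]) -> list[Risk]:
    """Detailed view for a function owner: every risk, worst first."""
    return sorted(register, key=lambda r: r.expected_loss, reverse=True)


def by_function(register: list[Risk]) -> dict[str, float]:
    """Aggregated view for leadership: total expected loss per function."""
    totals: dict[str, float] = defaultdict(float)
    for r in register:
        totals[r.function] += r.expected_loss
    return dict(totals)


def over_tolerance(register: list[Risk], tolerance: float) -> list[str]:
    """Ids of risks whose expected loss exceeds the risk tolerance.

    The threshold is a governance decision; the value passed in is an assumption.
    """
    return [r.risk_id for r in register if r.expected_loss > tolerance]


if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.risk_id:7} {r.function:8} EUR {r.expected_loss:>10,.0f}  {r.description}")
    print("Per function:", by_function(REGISTER))
    print("Over tolerance (EUR 20k):", over_tolerance(REGISTER, 20_000))
```

The same data thus serves both audiences mentioned above: `ranked` is the detailed, per-risk view a project or IT manager works from, and `by_function` is the overall view leadership prefers. A real register would also record owners, review dates and the status of each control; the numeric score is only a sorting aid, not a substitute for the analysis covered later in the course.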

A risk portfolio is a method and tool for managing strategic and operational risks that are shared by different functions. In addition to the information in the risk register, it holds governance-related information and automates certain management actions. A risk portfolio may be linked to other governance portfolios, such as the strategy, project and investment portfolios.