Risk management
How can risk management support strategic choice or positioning?
Contents
Risks are an ubiquitous and characteristic side-effect of taking action by organisations (see also Risk–reward analysis).
Risk management is the coordinated process of understanding uncertainty and choosing how to respond so an organisation can pursue its objectives responsibly. Risk may create threats or opportunities; the goal is not to remove all uncertainty, but to keep exposure within explicit appetite while protecting people, assets, obligations and value.
When to use it
Use risk management whenever uncertain events or conditions could materially affect objectives. The depth should match the stakes, reversibility and velocity of the decision.
In banking, insurance, pharmaceuticals, petrochemicals and other high-consequence sectors, formal risk functions and regulation are central. Examples include Solvency II, Basel III and ISO 31000. OHSAS 18001 is a historical occupational-health-and-safety specification that has been withdrawn and replaced by a successor international standard; always verify which current law and standard applies in the relevant jurisdiction.
Origins
Risk management has roots in trade, insurance, probability, engineering safety and financial control. During the twentieth century, actuarial methods, operations research, project management and corporate governance helped turn separate hazard practices into coordinated organisational frameworks. Contemporary enterprise risk management integrates strategy, performance, compliance, resilience and culture rather than assigning all risk to a specialist department.
What it is

A complete framework establishes context, identifies uncertainty, analyses likelihood and consequence, evaluates exposure against criteria, selects responses, assigns ownership and monitors change. It also communicates assumptions and escalates risks that cross authority or appetite.
How to use it
Start with objectives, stakeholders, obligations, risk appetite and decision horizon. Define a shared taxonomy without allowing it to constrain discovery.
Identify threats and opportunities through multiple perspectives: operational, financial, market, strategic, technological, environmental, safety, people, legal, geopolitical and reputational. Include dependencies, concentration, emerging risk and scenarios in which several events occur together.
Analyse causes, events and consequences. Estimate likelihood, impact, velocity, duration and detectability where useful. Use ranges and scenarios when evidence is weak. Do not multiply ordinal labels and mistake the result for precise probability or loss.
Evaluate exposure against appetite, legal duties and non-negotiable safety or ethical limits. Select among avoiding the activity, reducing likelihood, reducing consequence, transferring or sharing exposure, accepting it with contingency, or pursuing an opportunity with controls. Name an accountable owner, action owner, deadline, trigger and residual risk.
Build response and recovery plans for exposures that cannot be prevented. Test the plans through exercises, maintain reserves and alternatives, and define who can make time-critical decisions.
Monitor leading indicators, control effectiveness, incidents, near misses and changes in context. Retire risks only with evidence, identify new ones continuously and preserve challenge from people closest to the work. Independent assurance should test whether the framework works in practice.
Final analysis
Risk management supports informed risk-taking; it is not a mechanism for making every decision safe. A proportionate framework improves choices, preparedness and resilience while allowing the organisation to pursue value.
Excessive bureaucracy can delay action without reducing exposure, but the answer is not weaker governance. Remove controls that do not change a decision and strengthen those tied to material hazards, legal duties and risk appetite.
Low-probability risks deserve attention when consequences are catastrophic, preparedness takes a long time or several exposures share one vulnerability. Scenario analysis, stress testing and resilient design complement routine risk registers.
Top practical tip
Write each material risk as cause, uncertain event and consequence, then assign an owner, response, trigger and residual exposure. This makes the register actionable and reveals when several risks depend on the same fragile control.
Top pitfall
Do not confuse a completed register with managed risk. Static scores, hidden assumptions and untested controls create false reassurance; monitor the environment and exercise the response before it is needed.
Further reading
Crouhy, M., Galai, D. and Mark, R. (2013) The Essentials of Risk Management, 2nd edn. McGraw-Hill.
Hopkin, P. (2012) Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management, 2nd edn. London: Kogan Page.
Lam, J. (2014) Enterprise Risk Management: From Incentives to Controls, 2nd edn. John Wiley & Sons.
The Institute of Risk Management: www.theirm.org