Defining Risk Management - For Good and All
[Abstract]: This article endeavors to promote an essentialist definition of Risk Management that leverages the intrinsic essence (or nature) of risk management to fundamentally define its identity.
The Only Definition of Risk that Matters
Before we attempt to define Risk Management, we provide a universal definition of 'Risk' within the context of an organization.
Risk: A subset of uncertainties, comprised of measurable probabilities and incalculable unknowns, that pose a potential threat to the goals/health of an organization.
Many definitions attempt to redefine 'risk' in hopes of hermeneutically re-shaping the purpose and intent of Risk Management. This approach is intellectually bankrupt and introduces a plethora of issues arising from the numerous meta-languages that have emerged among practitioners, consultants, and the like. More importantly, it clouds the true nature of Risk Management.
The Nature of Risk Management: A Decision-Making Competence
Every organization employs a number of competencies that are characterized as technical skills and functional knowledge. Risk Management, however, is a universal competence, and we attempt to actively manage risk whenever we make decisions. Hence, the intrinsic essence of Risk Management is a key Competence in the decision-making process. This Competence is the essential quality of Risk Management: its nature!
Risk Competence is Dual-Natured
Active Responsibility
Individuals or groups within an organization who are designated as decision-makers manage risk every time a decision is made; this is Risk Management as an Active Responsibility, which we define later on. In essence, any choice requires an evaluation of risk. Moreover, any choice presented where there is no risk is not an active 'choice.' Without delving too deeply into this concept, it's important to understand that you cannot make intelligent decisions without evaluating risks (i.e., 'managing risks').
Delegated Competence
When firms decide that their risk management competence may be better served by delegating aspects of Active Responsibilities to a central, specialized function, a Risk Management team is created; this is Risk Management as a Delegated Competence. This is no different from finding economies through centralizing business management across multiple cost centers, etc. Thus, it is important to remember that all risk must be managed; the question is, by whom?
[Aside]: You may be tempted to consider Active Responsibility and Delegated Competence as being commensurate with Lines of Defense; that would be incorrect, as our definitions deal with the nature of risk management, and Lines of Defense with its function/deployment.
When Does Risk Management Get Delegated & Why?
All organizations evaluate risks and make decisions, but not all organizations benefit from delegating this competence to a specialized group within the organization. Reasons for delegation include size, cost-effectiveness, and business complexity.
Organizations that see clear utility in delegating this decision-making competence instantiate a Risk Management Team. The scope and depth of delegated risk management responsibilities are determined by the complexity of the business and the need for informed decision-making. This may involve introducing a risk management process ("RMP")—a decision-making framework—or the need for greater analysis through enterprise programs like stress-testing and scenario development to inform on more complex stochastic and ontological risk types. Ultimately, the level of engagement and complexity of Risk Management should be commensurate with its requirement as a Competence in decision-making.
Why Does Risk Management Take on So Many Meanings?
Risk Management is so ubiquitous that it is hard to pin down. Unlike other competencies such as Legal Counsel or Finance, Risk Management's mandate tends to change with the prevailing culture and social dynamics that affect risk perception and response. Furthermore, in an attempt to isolate risk management to fit neatly into regulatory requirements and corresponding standards, its meaning has been revised many times.
However, the simplistically elegant aspect of viewing risk management as a Competence is that it dispenses with the many situational attributions and bespoke definitions.
Risk Management As a Competence Unifies Everything
Once you concretely establish Risk Management as a Competence, several things should become painfully obvious that were hiding in plain sight:
- Everyone manages risk.
- All risks get managed (intentionally or otherwise).
Risk Management is about ensuring decisions are made with the best possible data about risks, and may include safeguarding decisions from taking on asymmetrical risks.
Risk Management Teams achieve this by enhancing departmental decision-making through the introduction of RMPs and aiding enterprise-level decisions by elucidating potential pathways or decision sets that deliver the optimal mix of residual risks.
This Competence-view of Risk Management more clearly delineates its scope, function, and interaction. Furthermore, it necessarily requires the rest of the organization to remain accountable for decisions as decision-makers apply a decision-framework that guards against asymmetrical risk-taking.
In essence, under this view, Risk Management becomes more organic and finds a better fit within the organization.
Risk Management Needs to Inform on More Than Strategic Objectives
As previously mentioned, the scope of Risk Management accountabilities has been revised to ensure it 'adds value by informing on strategic objectives'. This is a major value proposition for Risk Management. In fact, I am a large proponent of Risk Management informing on strategic allocation of economic capital and future planning; however, the preoccupation with Risk Management informing on objectives is limiting.
Recognizing Risk Management as a Competence provides a holistic understanding of risk. It allows us to distinguish between Active Responsibility (i.e., inherent individual duty) and Delegated Competence (i.e., specialized risk management group/team) within the organization. This distinction mitigates unnecessary confusion when referencing risk management activities, discharging responsibilities, etc.
Furthermore, the concept of Active Responsibility can be further decomposed as 1) individual risk ownership (i.e., risk you are tasked to manage), and 2) accountability (i.e., risk you are responsible for), both of which are directly observable and reflect the underlying behaviors that shape Risk Culture.
A Final Word
Adopting an essentialist definition of risk management as a key decision-making competence enables practitioners and organizations to have a more fulsome understanding of risk management's true nature.
By acknowledging Risk Management as a core Competence—integral to decision-making rather than merely a data-collecting function—it becomes seamlessly embedded in all organizational decisions, fostering a proactive and resilient organizational framework.
Deep Learning Engineer | AI | ML | DL | CV | NLP | MLOps & DevOps | Google Certified TensorFlow Developer | AWS 6x certified with ML Specialty | Life-Long Learner
3 months
This is a very informative article. Thanks for sharing!
"Transforming Risk into Opportunity" | Helping businesses navigate financial risks and drive investment growth | CAIA | FRM |
4 months
Great share! Understanding risk management is crucial for business success