Cutting Through Risk Management's Confusing Terminology

The longer you spend working in, or studying, risk management, the more you come across common terms that are often used in very different and confusing ways by various organizations and authors.

Unfortunately, this can lead cynics to wrongly conclude that risk management is nothing more than a bunch of buzzwords, mixed with an unhealthy helping of mumbo jumbo.

With that in mind, this brief note explains how Britten Coyne Partners uses some commonly encountered risk management terms.

A "hazard" is an event or other development that could emerge from the environment and
plausibly have a negative impact on an organization, depending on the objective(s) it is pursuing.

Strictly speaking, a "risk" is an uncertainty that can be described statistically. However, this is a distinction that is frequently overlooked, with risk commonly taken to mean all types of uncertain events and developments that could
possibly have a negative impact on the achievement of one or more specific organizational objectives. The key point is this: Risks exist in relationship to specific objectives.

A "threat" is an event or other development that will
probably have a substantial negative impact on the achievement of one or more specific organizational objectives, unless effective adaptations are implemented in time. As a rule of thumb, a risk transforms into a threat when it ceases to be just a cognitive construction, and triggers a feeling of fear.

Given a set of objectives, an organization first seeks to anticipate the risks to their achievement.

It then proceeds to assess these risks, to determine their likelihood over different time frames, the magnitude of their potential negative impact, the speed with which they could develop into threats, and which of them most urgently require adaptive action(s) to be undertaken. The key point is this: The purpose of risk assessment is not to create attractive "heat maps." It is to prioritize the allocation of limited resources to various adaptive actions.

Broadly speaking, these adaptive actions can be divided into two categories: Those intended to mitigate the causes of different risks to reduce the chance that they will develop into threats and/or the slow the speed with which this could happen, and actions intended to mitigate the consequences if a threat does materialize.

The latter category includes adaptations (1) to reduce an organization's exposure to a given threat (e.g., buying insurance); (2) to reduce a threat's initial negative impact on performance for a given level of exposure (i.e., actions to increase robustness); and (3) to reduce the time required to return to or exceed a given level of performance after the initial negative impact (i.e., actions to increase resilience).

blog comments powered by Disqus