Perhaps, like me, you’ve had to learn things on the fly, interpret academic works and experiment. You’ll still need to do that for the rest of your life, but as a head start I wanted to write a book on how to make risk management work for your organization relatively painlessly. I’ve collected what I believe to be the best of risk management thinking so far and done my best to apply it to the simple processes of ISO31000 in enough innovative ways to help you be a successful risk manager.
Risk, according to ISO31000, is the “effect of uncertainty on objectives”, and this wonderfully succinct definition sums up the nature of risk in just five words. This definition, however, differs from the way we typically use the word because it includes both desirable and undesirable outcomes. It accepts that risk invariably includes both positive and negative outcomes. And I’d agree: risk and opportunity are inseparable. If, for example, you lose a month’s salary gambling at the casino, you would probably see this as a negative outcome. For the casino, however, it is most certainly a positive outcome. It may even turn into a positive outcome for you if it serves as a cheap lesson that prevents you from gambling in future. Similarly, if you spend $400 on a car insurance policy, you don’t need to leave $20,000 sitting in your bank to cover a potential accident, and you now have the opportunity to put a deposit down on an investment property.
It’s not that simple, of course. At the risk of somewhat understating things, we live in uncertain times. Life is changing faster than at any time in recorded history, and the only certainty in the 21st century is change. We learn to live with new technologies, strange inventions, frequent career changes, global financial crises, climate change and a raft of uncertainties on a sea of opportunity and crisis.
If the amount of uncertainty is increasing at the same time as our population, technology and global communications, then it follows that the “effect of uncertainty” is likely to increase, and we can expect to see this (and I would argue that we are seeing this) reflected in the volatility of outcomes. Five years of unprecedented worldwide financial growth was followed by the biggest international financial crisis for decades. Equally, in our personal and corporate lives, we live in a time when both hazards and opportunities abound. It has never been so easy to succeed in our objectives, nor as easy to fail spectacularly. Organizations and individuals alike face a range of risks from a variety of quadrants, and it is no accident that the first international risk management standard came into being in the early 21st century.
As illustrated in Figure 2 (page 19), ISO31000 offers not just a process for risk management but also a number of principles for how to apply it and a framework for implementation. Collectively, these three elements outline an organizational risk management system. ISO 31000 is a true international risk management standard and fits well alongside other well-recognized international standards such as the ISO 9000 series of Quality Management standards. This international flavor will be critical for the many organizations operating globally, as well as for those that simply need a consistent risk management approach.