Have a look at Richard Chambers' recent post where he shared how he responded to the threat Hurricane Irma posed both to his family and to The IIA's global headquarters.
Then think about this.
He understood the potential for harm based on current information, assessed how it could affect both his family and his work, continuously monitored the situation for changes in the predictions of what might happen (the level of risk, aka the likelihood of different consequences), determined whether what might happen (risk) was acceptable, and then acted when it was outside acceptable ranges.
He made decisions.
This is why I talk about how risk management is all about intelligent and informed decision-making.
There were risks he decided to take, such as the possibility that the money he spent on a backup generator for his home would be wasted. (If it were me, I would have to think about the possibility that I would be unable to assemble and connect the generator.)
Another risk he took was to his personal and family well-being. He did not evacuate, but decided to remain at home.
People at all levels take risk all the time. They do so for reasons such as these: the alternatives are worse, the cost of mitigating the risk is too high, or the potential for benefit outweighs the potential for harm (remembering that both harm and benefit may result from an event or situation).
The key is to do it in a disciplined and systematic fashion after obtaining necessary (and reliable) information, involving all parties who could contribute to the decision or be affected by it, and thinking through all the options and their consequences.
This is true risk management.
CEOs and the rest of us have been managing risk all our lives.
As Alex Sidorenko says in this video and post, "risk management is not really about managing risk. It is about achieving objectives."
Richard stated that he had "an overarching objective: to weather the looming hurricane as safely and comfortably as possible with minimal property damage. Every key decision I made was guided by the potential risks that could undermine that overall objective. In the end, I made a number of crucial decisions that turned out to be prudent. And, as is often the case in the world of business, I made a few costly decisions to minimize risks that, fortunately, didn't materialize."
I don't see any reference to a risk officer or risk framework. You can have effective risk management without either formality.
It just takes people who:
- Anticipate what might happen.
- Decide whether that is acceptable.
- If not, consider the options and what might happen with each.
- Adjust as necessary.
- Do the above in a disciplined and systematic way, based on reliable and actionable information.
This is risk management, not heat maps, risk profiles, or such.
Do you need to adopt COSO ERM or ISO 31000:2009 to have effective risk management?
I welcome your comments.