What events do not need to be included in ERM?

Hernan Huwyler, Enterprise Risk Management, Compliance Program

Risk is defined as the effect of uncertainty on objectives (ISO 31000 § 2.1). This effect is a deviation from the expected, either positive or negative. Even though statistical science provides well-grounded notions of risk, non-quantitative variables affect their use in business environments. In this post, I would like to establish criteria for which events cannot be treated by ERM.

Risk needs both a probable frequency and a probable impact. This implies that statements of absolute fact fall outside the scope of risk management. When the frequency or the impact is known, we are dealing with business facts, not business risks. For instance, a contract containing a penalty clause is not fulfilled because it is no longer profitable. At the time of the contract breach, there is no risk involved, since the company already knows its indemnity costs and when it will pay them.

Uncertainties are a deficiency of information about an event. They are intrinsic to risk (as well as unavoidable for most business decisions). Unlike risks, uncertainties cannot be valued; therefore, it is not possible to calculate an average loss associated with the event. For instance, goods that did not pass the quality tests are delivered to comply with a contract. For this contract, there is no risk of non-compliance: the company knows for sure that the quality is not acceptable under the contract terms and that this will somehow affect the client relationship.

Risk should be identified with a future point in time in mind, when problems and opportunities will be treated. Immediate problems and opportunities fall outside the scope of risk management. It is usually said that rain is not a risk when it is already raining. For instance, risks left untreated in time become issues requiring urgent attention. When a risk becomes reality, crisis management takes the place of risk management, and the contingency plan becomes simply the plan.

Risk is not a single-point view. Events can have an impact in the financial, operational, legal & compliance or environmental categories, and they may have a different impact and frequency for each category. Uncertainty may partially affect the information about one or more of these aspects, while others may be certain. In this case, it is safe to consider the whole effect as certain and to treat it outside ERM.

In summary, to treat issues in the right framework, risk management does not cover:
- events with all the information to foresee their outcome and moment to occur
- events which are not volatile
- immediate issues
