Risk management: added value or more work?

At first, risk management in organisations is similar to the daily risk management of an individual: the goal is to prevent damage or minimise the impact of damage on a case-by-case basis. However, when the organisation grows, it should invest in systematic risk management where the goal is to support the organisation’s strategic and operational decision-making and retain the organisation functional under all circumstances.

Almost all operations in which humans are involved include some uncertainty. As private persons and as members of our work community, we are so used to assessing the impact of these uncertainties that we hardly even notice we are doing so. We assess the probability of risks and their impact on the basis of our knowledge and experiences, and base our decision on the benefits and disadvantages of accepting the risk on this assessment.

Our attitudes towards risks vary, however. Many of us may often marvel at a friend or acquaintance who seems to be prepared to take on huge risks that we would never accept. On the other hand, we know some people who find any uncertainty whatsoever extremely uncomfortable and avoid it as long as possible – even at the risk of failing to utilise some opportunities.

A typical characteristic of this everyday risk management is that we assess risks on a case-by-case basis whenever we identify an uncertainty related to the current moment. Our subjective assessment of the risk is not necessarily based on an unbiased understanding of the probability or impact of the uncertainty; instead, our brain often focuses on the most recent events or the events that we remember best. We may also consider information that confirms our own preconceptions more important than other information, or the actual or assumed opinions of others may influence our assessment of the significance of the uncertainty.

Even with these shortcomings, such decision-making based on uncertainty often suffices for a private person. In many cases, the risk management of an organisation at first focuses on preventing damage and minimising its impact on a case-by-case basis. However, as the organisation grows, attention must be paid to how the growing and possibly also more complex organisation is being managed. The organisation and its parts require shared rules, communication and the reconciliation of views.

 At the start of the development trend, little importance is attached to impact and strategic content, and the management only plays a minor role. Their importance increases as follows (5 stages):  1. Case-by-case damage prevention: assessment by individuals is crucial.  2. Silo-based risk management: overall-level dependencies have not been identified and there is no common approach:  3. Joint procedures and documentation: risk-management policy, risk assessment and reporting, no clear link with decision-making.  4. Coordination between silos: risk appetite has been defined and the risk-management process implemented, communicated to all members of the organisation.  5. Risk management is linked to management, strategic planning and funding: risk-processing plan and monitoring, risk models and indicators are in use, incentive schemes support risk management.
Risk management development trend

Risk management supports achievement of goals

Sometimes, a member of a organisation has to assess, based on their subjective knowledge, experiences and professional judgement, the impact of a risk to the entire organisation and determine whether the risk should be accepted or rejected. Such a situation is difficult for the person in question and for the entire organisation, as we know that the identification of a risk and the assessment of its significance are based on the knowledge base and illusions related to the interpretation of the risk, and that people’s personal attitude towards uncertainty varies.

On one hand, systematic risk management and a shared view of the organisation’s willingness to accept risks support the decision-making of the members of the organisation and on the other, the organisation as a whole is able to achieve more consistent results than it would by using risk management based on the decisions of individual people.

Comprehensive risk management for organisations has been developed for a long time by large-scale enterprises where risk management can provide major competitive advantage and where the benefits can be measured in money. Typically, risk management has been integrated into management in large-scale enterprises. As the achievement of goals nearly always requires the acceptance of some risks, procedures which can be used to support the achievement of goals and improve the company’s resilience – its ability to react to changes in the operating environment – have been developed.

For the organisation and its employees, it is important to achieve a shared idea of the risk management goals and content, a shared story of how uncertainty can influence the achievement of the organisation’s goals and how different risks should be addressed at the level of the entire organisation.

Towards more strategic risk management

When risk management in an organisation becomes more systematic, the perception of the significance of risks often changes as well. Typically, the relative significance of the management of damage risks decreases and the focus shifts towards more strategic risk management.

Strategic risks are development paths or events which compromise the achievement of the organisation’s strategic goals. They can be related to the organisation’s reputation, technology or operating environment, for example. The risks of organisations are often divided into strategic, operational, financial and damage risks. It has been estimated that from the perspective of financial significance, more than half or up to two-thirds of companies’ risks are included in the group of strategic risks. Approximately one-fifth are operational risks.

The share of financial risks is clearly lower and the share of damage risks is only a couple of per cent. Regardless, discussions on strategy often seem to follow their own path that is based on an idea of a static operating environment or well-anticipated actions the impact of which is well known.

The significance of strategic risks can be seen in the Global Risks Reports published annually by the World Economic Forum, for example. The reports offer an interesting and intuitive view to risks associated with global companies and public parties, and their mutual dependencies.

In Finland, a publication of the Parliament Committee for the Future called 100 New Opportunities for Finland and the World depicts how different technological innovations will change the world. A new kind of strategic thinking and regulation will be needed to best utilise the opportunities offered by technology and to minimise the negative impact.

It’s a shame that risk management can be seen, depending on the background of the person viewing it, as technical tinkering, a game where you develop organisational models, as a group of unrelated instructions – or at worst as an unending series of meetings. The goals of risk management are something entirely different, however. A striving to create added value forms the core of risk management. The goals are to identify and manage potential events that would influence the organisation, to improve the organisation’s ability to react and to keep the risks in check to the extent that they will not compromise the organisation’s operations.


Esko Mustonen

The author is a Deputy Government Controller at the Ministry of Finance.