Introduction
Risk management can be defined as the “process which aims to help organizations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure” (Hopkin, 2010, p. 37). This is the definition made by the Institute of Risk Management (IRM), which also published ‘A Risk Management Standard’ (IRM, 2002), a guide that lays out a framework for managing risks. This report will critically analyse and evaluate this approach, also known as Risk Listing. This paper will initially examine the limitations of this risk management practice by explaining why these disadvantages could lead to a negative impact on the organization involved in the process. The second part will focus on recommendations that could improve such practice. The ideas outlined in the text will be supported by relevant concepts of risk management and will be academically justified with appropriate references.
Limitations of Risk Listing
Although Risk Listing might be seen as a simple and effective practice in terms of the structure of the phases, it mainly refers to small risks, which are analysed and evaluated one by one. As a consequence, a system that tries to find solutions for one risk at a time, may not allow to value responses that would apply to more than one risk. This mechanism also does not guarantee to find or manage the possible connections between the risks in an appropriate manner (Crouhy, Galai and Mark, 2014). Another factor caused by the tendency to manage risks separately is the incurring of excessive costs: in fact, the individual management of each risk could induce inefficiency due to higher costs and poor results. This factor highlights the matter that similar risks with identical outcomes would not be managed together, which can lead to negative effects. The clear separation of tasks which is created, does not consider the interrelations existing between some risks, and this implies a lack of coordination between the various functions (Crouhy, Galai and Mark, 2014).
Another disadvantage of this practice of risk management is the use of risk matrices, which may not fully consider the implications of other harmful events, and thus would not necessarily identify all the risks. They could also provide the wrong judgement, which could further aggravate the situation: in fact, the use of risk matrices does not guarantee “that risks that receive higher risk ratings in a risk matrix are actually greater than risks that receive lower ratings” (Cox, Jr, 2008, p. 510). It could be claimed this model is based on a strong simplification of reality because it breaks everything down into single parts, without evaluating the whole situation (Segal, 2011). In fact, this practice focuses mainly on the risk management phases, but does not focus enough on other factors that are involved, and that could affect the process itself and the business involved. In addition, there are some indications on the effectiveness of some of the steps of this standard of risk management, but not much about the efficiency of the whole process (Raz and Hillson, 2005).
Moreover, some of the steps set out in the risk management process have a very brief guidance: some examples could be the risk treatment and evaluation phases, which can lead to very different management of the same situation, in some cases more drastic than necessary, also due to a negative view of the risk (Sweeting, 2017). This aspect is linked to the lack of a clear definition of a common base of visions, rules and risk evaluation methods.
Recommendations
The analysis of the risk includes risk identification, description and estimation, but guidance for these phases is very limited. A successful risk management practice should follow a precise pattern that ensures all activities and risks are neatly described, in such a way as to provide a clear strategy that would also indicate performance targets at all levels (Woods, 2011). In addition, the practice of Risk Listing involves managing each risk separately, and it could thus lead to deal with similar risks with the same consequence at different times. Since the process would involve repeating the same analysis and evaluation, it would be better to consider similar risks together and manage them collectively (Duijm, 2015).
Moreover, this practice emphasizes the importance of setting strategic objectives beforehand, but it should better outline how to relate them to the process of risk management (Power, 2009). Even though objectives are set out beforehand, there is a need of a better connection between the strategic objectives and the phases of the process, in such a way as to guarantee the practice is matching the needs and vision of the organisation (Hillson, 2006).
The recognition of the disadvantages of this practice should lead to the development of a more integrated risk management process, thus also considering constant market turmoil. More attention should be paid on the risks, recognizing how fundamental a well-balanced coordination between the various management functions is (Waring and Glendon, 1998). This would help to define the most advantageous management strategies, both in economic terms and in regard to their effectiveness, since they would exploit the synergies between the risks, which would also help to understand their transformation over time (MacKenzie, 2014).
Conclusion
Risk Listing cannot be considered as a reliable framework to follow, since it lacks basic tactics and concepts a successful practice should possess. Risks are managed individually and therefore this model does not consider the possible connections between them (Crouhy, Galai and Mark, 2014). In addition, it involves the use of a risk matrix which does not prove to be successful and often gives misleading judgements (Ball and Watt, 2013). Its negative view of the risk and the lack of an in-depth description of the process itself, leads us to consider Risk Listing an inefficient approach to risk management.
Organisations should search and adopt well-structured processes, which would guarantee a further focus on the connections between risks, and which would ensure that risk is managed effectively and in a manner conforming with the organizational needs and culture. This would also imply having to recognize the weaknesses of the strategies and having to adopt risky manoeuvres, which could help to respond accurately to the risk events, as well as implementing a more effective and efficient process of risk management (Roggi and Altman, 2013).
Bibliography
Ball, D. and Watt, J. (2013). ‘Further Thoughts on the Utility of Risk Matrices’. Risk Analysis, 33 (11), pp.2068-2078.
Cox, Jr, L. (2008). ‘What’s Wrong with Risk Matrices?’. Risk Analysis, 28(2), pp. 497-512.
Crouhy, M., Galai, D. and Mark, R. (2014). The Essentials of Risk Management. 2nd ed. New York: McGraw-Hill Education.
Duijm, N. (2015). ‘Recommendations on the use and design of risk matrices’. Safety Science, 76, pp. 21-31.
Hillson, D. (2006). ‘Integrated risk management as a framework for organisational success.’ Paper presented at PMI® Global Congress 2006—North America, Seattle, WA. Newtown Square, PA: Project Management Institute. Available at: https://risk-doctor.com/pdf-files/adv13.pdf
Hillson, D. (2002) ‘What is risk? Towards a common Definition’, InfoRM Magazine, April 2002. Available at: http://risk-doctor.com/pdf-files/def0402.pdf
Hopkin, P. (2010). Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management. Philadelfia: Kogan Page.
Institute of Risk Management (IRM) (2002) A Risk Management Standard. AIRMIC, ALARM, IRM: London. Available at: http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf
MacKenzie, C. (2014). ‘Summarizing Risk Using Risk Measures and Risk Indices’. Risk Analysis, 34(12), pp. 2143-2162.
Power, M. (2009). ‘The risk management of nothing’. Accounting, Organizations and Society, 34 (6-7), pp. 849-855.
Raz, T. and Hillson, D. (2005). ‘A Comparative Review of Risk Management Standards’. Risk Management, 7(4), pp. 53-66.
Roggi, O. and Altman, E. (2013). Managing and measuring risk: emerging global standards and regulation after the financial crisis. New Jersey: World Scientific.
Segal, S. (2011). Corporate Value of Enterprise Risk Management: the next step in business management. Hoboken, N.J.: John Wiley & Sons.
Sweeting, P. (2017). Financial Enterprise Risk Management. 2nd ed. Cambridge: Cambridge University Press.
Waring, A. and Glendon, A. (1998). Managing Risk – Critical issues for survival and success into the 21st century. London: International Thomson Business Press.
Woods, M. (2011). Risk Management in Organizations – An integrated case study approach. New York: Routledge.
