I often get asked what risk management is about. If it is about statistics, probabilities and complex modelling? I disagree. I think risk management is one of the most natural things we do, and one of the most important. Risk management is about asking six easy questions;

  1. What am I trying to achieve?
  2. What obstacles might stand in my way or hinder me?
  3. Which obstacles are the most important?
  4. What actions can be done about it?
  5. Having taken the actions, did they work?
  6. What changed?

These six steps make up the risk management process; objective setting; risk identification; risk analysis and evaluation; risk treatment; risk monitoring and risk communication, and can be applied to any simple or complex situation, be it in our personal lives, public or private sector.

This management science demonstrates how to get clarity on complicated situations, how to decide between options, but most of all how to embrace opportunities and to minimise threats.

Business and enterprise is about taking chances, just as life is about making difficult choices. Risk management provides the framework to enable difficult decisions to be made in a managed and structured way in order to maximise the opportunities for success and minimise the threats. We call this risk based decision-making.

Organisations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organisation’s objectives is “risk”.

Life does not exist without uncertainty and the effect that uncertainty has on our objectives.

All modern industries (aviation, stock markets, manufacturing etc.) have grown in an environment where the risks were uncertain. The consequent impacts of the uncertainties on the wider public were almost unimaginable. Yet chances were taken, losses were sustained but the consequent benefit to the businesses and enterprises involved, and to wider society, were arguably such that the risk was worth taking. Without some understanding of risk and its components, particularly the mathematics behind risk and uncertainty, life today would be quite different.

Too many people forget that managed risk must be taken in order for business to survive and to thrive – and this applies particularly to the risk and safety professionals who can become obsessive in their zeal to minimise threat. In creating the strictures of the risk frameworks, processes, lists and bureaucracy, they can wrap the business into complicated agonising knots that can stop the organisation moving forward and innovating.

Risk, governance and compliance together can present a frightening array of hard-to-follow processes and results and unfathomable language and jargon. That is not to say that these are not important. They are. But they need to be translated into simple, elegant tools and knowledge systems for the Board to be able to make sensible, life-giving risk managed decisions for the business and for the stakeholders in a managed context. We will explore these in later articles.

Yet at other times wholesale chances are taken without due regard to the capacity of the organisation to take the consequences of not balancing capacity against exposure. The result of unbridled, bureaucratic and complex risk management is that the senior management and Board members break free of the process and do their own thing. Strategic decisions are made regardless of possible impacts, or, worse still, the process is bent to make the analysis fit the desired result. Risk management is relegated to that process that the rest of the business should or must do and strategic threats that can damage the whole enterprise are sometimes taken without proper diligence. There is often a layer of self-delusion when the Board think that a risk is being managed within its given risk appetite and capacity, when in fact the reality might be far from that.

Risk management is for the whole organisation where there should be a culture about taking managed risk and avoiding unmanaged risks. This requires a programme to bring about openness and transparency about the opportunity or threat being taken as well as a clear and truthful accounting of the value in the business – whether that is capital, reputation or liquidity.

Risk management strategies are designed to avoid, accept, minimise, transfer and retain risk exposures. These strategies should be customised to fit your businesses culture and liabilities, and should therefore evolve as your exposures and opportunities change.

Here are three steps to winning business through taking managed risks;

First, you must assess the situation at hand. Uncover potential risks by evaluating your location, the context of circumstance and any historical data. This information helps uncover potential risks, and also helps you weigh the probabilities and consequences of the risk.

Next, you need to develop a plan of action. Consider the key objectives you’re hoping to accomplish, along with the level of risk you’re willing to accept. Consider the likelihood of an undesired outcome and what it would cost you, your business or your stakeholders if it transpired. Is the risk worth taking? If so, go for it! If not, reconsider your options.

Finally, implement your risk management plan. Just remember that things can change and you need to keep an eye on those changes and adjust your tactics as required.

  • Mbonu, studied Engineering, is an experienced Banker and Enterprise Risk Management specialist. Has undergone post graduate studies in Risk Management at Stern – New York University, and is a member of the UK Institute of Risk Management. Can be reached on 09092092046 (SMS Only); email: