The risk management context often lacks clear boundaries
One of the challenges of risk management is that its context is for all practical purposes unlimited. Risk management is about dealing with all the potential risks an organization can be exposed to, covers the entire scope of activities of that organization and all activities deemed relevant to optimize remaining exposure to those risks.
The problem is that areas that are not contextually bounded are effectively infinite. If no limitations are imposed, if there are no constraints, the lack thereof will make the design and implementation of a relevant solution impossible. With every possible problem to solve, what will you solve first?
Assigning priorities is only part of the solution
Risk managers respond to this by assigning priorities to risks in order of “importance”. Again, there is an often ignored problem implicit in this approach. If priority drives investment in risk mitigation measures, and if that investment requires longer term engagement of means, priorities need to be considered stable over the long term as well. And that is one of the key challenges of risk management … priorities can change very quickly.
Not every exposure is a risk
A relevant, yet insufficient set of constraints that can be and are imposed on risk management are the objectives of the organization. If an exposure does not imply a risk to the achievement of the organizational objectives or any objective derived from an organizational objective, the exposure does not constitute a risk to the organization. While this effectively reduces the number of “risks” an organization has to deal with, the entire area of risks – the so-called risk universe – an organization remains exposed to tends to be so large that completely identifying those risks and developing appropriate risk mitigation approaches is unlikely to be realistic within existing budget constraints.
Choices need to be made. In a following blog post I will explore some of the mechanics that can influence those choices.