An appreciation of the risk concepts described above is the first step in a clearer understanding of risk. This understanding in turn supports the first step in any risk management process: risk awareness. The second step is to measure risk; the third, to control it. For all the quantitative sophistication that can be thrown at it, risk management is still ultimately carried out by people, and the three parts of a corporate risk management process can usefully be illustrated in terms of the ways that people manage risks in their evervday lives.
First, risk awareness.Most people think (at least a little! ) about what they are currently doing and what they plan to do next; accidents happen when they misjudge an unfamiliar situation or fail to pay sufficient attention to a seemingly familiar one. People break legs when they first go skiing and cut their fingers when they drift off while chopping vegetables.
Companies obviously don’t think in this way, but they do need to use the collective intelligence of their management and staff to think through the risks consequent upon the company’s current and proposed activities.(Once again, we return to the need to anticipate and learn from mistakes). Promoting risk awareness should be the starting point for any risk management process. Half the battle is already won if people can be successfully encouraged to consider the risks involved in their activities, and to understand their roles and responsibilities in managing them. Mistakes can then be avoided or quickly corrected. Awareness alone is not enough, however. It is one thing to know that a potential risk exists; it is another to know when it becomes a real threat and how serious it is.
A person might see a distant threat (a car bearing down from a distance), or feel an immediate one (a tack in the foot). The scale and speed of his reaction will differ. Similarly, a company must be able to recognize changes in its operating environment that signal potential risks and must also notice when a part of the company is unexpectedly afflicted by some event. That means effective transmission of information into and through the company, which in turn implies the need for efficient communications technology and clear, consistent reporting of risks (i.e. , risk measurement).
Having identified and quantified the risk, a person must decide if any thing should be done about it (i. e. , risk control). A person might control his risks in a number of different ways. He might feel that a given risk is minor (the chance of being hit by a meteorite, for example) and continue about his business as usual. He might simply limit his potential risk-perhaps by capping the amount he is willing to bet on a spin of the roulette wheel.
Aiternatively, he might actually take action in order to reduce a risk-to move out of the way of an oncoming car or pull the tack out of his foot. He might even pay someone more skilled to carry out a risky activity-electrical rewiring, for example-on his behalf. Similarly, a company might recognize a potential risk but be content to do nothing about it; establish and enforce risk policies and limits; change strategic direction; make a tactical alteration to one of its business units; or transfer a specific risk through insurance or hedging.
Ultimately, the function of risk management, whether for an individual or for a company, is to ensure that the level of risk remains within some acceptable range, while ensuring that life or business continues to be as enjoyable as possible. It’s worth noting that different people have different appetites for risk-they are comfortable with different amounts of risk and with different types of risk. So are different companies, credit ratings and earnings volatility being key measures of these propensities.It’s also worth noting that people don’t really think about a risk, then assess it and finally do something about it. In practice, people constantly reevaluate their situation in a way that involves continuous feedback between thoughts, senses, and actions. The same should be true for any company operating in the real world.
A risk management process can only be effective to the extent that risk awareness, risk measurement, and risk control strategies are fully integrated. We’ll discuss these three components in the next sections.