Risk Management

Conceptual Overview

Managing risk involves three organizing activities:

1. Identifying and classifying risks. Risks are registered according to standardized classifications, such as strategic risk (e.g., profit decline), operational risk (audit error, illegality, or infrastructure failure), and environmental/social risk (pollution). Different organizational experiences can be understood from one or more of these perspectives. The risk of bad publicity, for example, might affect strategic decisions on entering new markets, accounting provision for turnover fluctuations, and investment decisions in community projects.

2. Ranking risks in terms of likelihood, or the chance of the event occurring, and impact, or the level of loss should the event occur. These assessments are contingent on the organization's appetite for risk and its capacity to accept it.

• Appetite is related to available knowledge (e.g., quality, levels of asymmetry), managerial backgrounds (experience, norms), motivation (aspirations, levels of defensiveness), and remuneration (compensation packages).
• Capacity is related to financing and ownership/ knowledge structures (e.g., whether shareholders or family hold the residual risk, organizational competencies), markets (investor expectations, the prevailing cost of capital), and industry conditions (innovation rates, maturity, levels of regulation, the historical importance of cost control).

Together, appetite and capacity frame a prevailing logic of affordable loss within which risks are managed according to their severity (likelihood and impact) set against possible future returns, understood in the economic analysis of risk as some form of expected or prospective utility.

3. Avoiding, transferring, or controlling risks.

• Risk avoidance involves terminating existing activities (e.g., replacing hazardous materials, exiting insecure markets) or deciding against new activities (pulling back from a prospective acquisition).
[Page 1388]
• Risk transfer dilutes potential losses by involving other parties, using mechanisms like insurance, outsourcing contracts, and joint ventures. Transfer still requires management in assessing the intentions and abilitites of partners.
• Risk control has two aspects: mitigation and acceptance.
  • Mitigation can involve hedging investments, planning for multiple futures, using assets with lower specificity (e.g., adaptable machinery, a multitasking workforce), implementing safety nets (running old and new IT systems or buildings alongside one another in case of teething problems), protecting property rights (patenting, litigation), and establishing clear procedures and responsibilities. An often overlooked aspect of mitigation is the deliberate inculcation of trust using common goals and values to establish goodwill and collaboration, thus reducing the risk of opportunism.
  • Acceptance means that while the organization remains exposed, managers undertake to act, using accurate and broad sources of information (e.g., consultation), flexible platforms (fast decision-making procedures), and “real options” (limited investments in multiple new technologies/markets; such action allows managers to test the viability of innovations, and so maintain “first mover” advantages, without undue exposure to one option).

Critical Commentary and Future Directions

The link to probability and utility theory means risk management tends to the calculative and predictive. Without this abstraction, through calculating and codifying future impacts, the management of risk remains indistinct from intuition, and without successful prediction and control, it remains indistinct from astrology. Yet not all risks are amenable to measurement. For example, many risks associated with investment in nuclear power, such as the costs of protestor action or environment despoliation, are not readily confined by quantified analysis. Moreover, even where risks are quantified, their management is not necessarily successful. Crises such as the U.K. foot-and-mouth epidemic, or corporate collapses such as Barings Bank (which had a supposedly robust risk management system in place), demonstrate not only that experts and systematic checks and balances fail to prevent risks occurring, but can actually escalate them.

...