David Hillson offers the Four Universal Laws of Risk Management in his book, Exploiting Future Uncertainty, Gower Publishing, 2010. 

“The first law of risk management: Risk is uncertain
A risk is something in the future that might or might not occur. This is vital to a proper understanding of risk and its management. Risks do not yet exist, indeed they may never exist at all. They are potential future events or sets of circumstances or conditions. This makes them quite different from things which have happened in the past or which currently exist in the present. Past and present events can be analysed and measured, but future events can only be imagined or estimated. A risk that may or may not come to pass in the future cannot be experienced directly unless or until it happens. This makes risks different from issues, problems or constraints. In every type of risk management, risk is in the future, which is inherently uncertain.

The second law of risk management: Risk matters
If they occur, risks will have consequences that make a difference in some way. It is not possible to have an inconsequential risk, by definition. While various types of risk management focus on different sorts of consequence, all agree that a risk must affect something. This is because risks are inextricably linked to objectives. Wherever some field of human endeavour is attempting to achieve something, it is possible to identify uncertainties that might affect the chances of success. Whether the objectives are to achieve good corporate governance, successful projects or business continuity, risk management aims to identify possible future events that could influence those objectives, and to enable them to be understood and managed effectively.

The third law of risk management: Managing risk is a process
They may have different steps, but all approaches to risk management provide a framework that is designed to maximise both efficiency and effectiveness. Although the details of risk processes are different, every type of risk management has two important parts: analysis and action. Before risk can be properly managed, it must first be identified, described, understood and assessed. Analysis is a necessary first step but it is not sufficient – it must be followed by action. The ultimate aim is to manage risk, not simply to identify it.

The fourth law of risk management: Risk is managed by people
The human aspects of risk management are vital to its success and effectiveness. People implement processes, though we may use machines to automate calculations, to record results, or to generate reports. People set risk thresholds, identify risks, assess the degree of uncertainty and extent of possible impact, propose appropriate responses and implement agreed actions. These require judgements, estimates and decisions to be made in the presence of uncertainty. These judgements are subject to a range of influences, both explicit and hidden, which can significantly affect the outcome. Risk management at every level is exposed to sources of bias arising from overt and covert influences acting on individuals and groups who are trying to make risk-based decisions with imperfect or incomplete information.

Whatever type of risk we face, we have to follow these universal laws of risk management. To manage risk effectively we need to deal with uncertainty that matters, follow a structured process, and take account of the people aspects.”
(Extract from Exploiting Future Uncertainty, David Hillson, 2010).

If you were invited to create your own Universal Laws of Risk Management, what would they include?

