What is risk management in supply chains? The more I study supply chain risk management, the more confused I get. The supply chain risk literature is inconsistent at best at conflicting at worst. There are so many terms and definitions, and each author, book, paper, or article seem to have its own way of describing the subject matter. Perhaps they haven’t heard about ISO Guide 73:2009 Risk Management Vocabulary? After all, it provides the definitions of many of the generic terms related to risk management. That is why this post will present some of the most frequent used terms relating to the management of risk in an attempt to promote a coherent approach to the description of activities. Will it help? I’m not sure, but the least I can do is spread the word.
A family of risk standards
ISO 73 is part of ISO 31000, a whole family of standards relating to risk management codified by the International Organization for Standardization. The reason why ISO 73 is particularly useful is because it is intended to provide the risk-related definitions that other standards are meant to use. Obviously, the terms are generic and must be adapted for the specific domain in which is supposed to be used, and that is exactly why the terms and definitions are useful for supply chain risk researchers.
Overview of definitions
I like ISO 73 because it puts things in perspective and arranges the terms related to risk in relationship to each other:
- Risk Management
- Risk Assessment
- Risk Analysis
- Source Identification
- Risk Estimation
- Risk Evaluation
- Risk Analysis
- Risk Treatment
- Risk Avoidance
- Risk Transfer
- Risk Reduction
- Risk Mitigation
- Risk Retention
- Risk Optimization
- Residual risk
- Risk Acceptance
- Risk Financing
- Risk Control
- Risk Communication
- Risk Perception
- Stakeholder
- Interested party
- Risk Assessment
While risk assessment, risk treatment and risk acceptance (of the risk that can not or is chose not to be treated) are perhaps not so surprising elements of risk management, I do find it interesting that risk communication is included. On second thought though, risk communication is essential to raising the awareness about risk and how it should be treated by the organization and how it should be viewed by the stakeholders. For practical advice I recommend this book on risk modelling, assessment and management.
Definitions
Let’s take a closer look at some of the definitions.
Risk management – coordinated activities to direct and control an organization with regard to risk. Risk management generally includes risk assessment, risk treatment, risk acceptance and risk communication.
Note: The focus is on directing and controlling the organization, not the risk, perhaps contrary to what what you would expect?
Risk assessment – overall process of risk analysis and risk evaluation
Risk analysis – systematic use of information to identify sources and to estimate the risk. Risk analysis forms the basis for risk evaluation, risk treatment and risk acceptance. Information can include historical data, theoretical analysis, informed opinions and the concerns of stakeholders.
Note: Risk is not only a technical or factual matter, it can also be what the stakeholders consider important. The risk definition follows the traditional perspective, though:
Risk – the combination of the probability of an event and its consequence.
(Risk) Source – item or activity having a potential for a consequence.
So, a source in itself is not a risk. However, in ISO 51 Safety aspects, a source is referred to as a hazard. In other words, a source might result in a concrete risk, but not necessarily so.
Risk evaluation – process of comparing the estimated risk, against given risk criteria to determine the significance of the risk.
Risk criteria – terms of reference by which the significance of risk is assessed. Risk criteria can include associated costs and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.
As as risk treatment is concerned, besides Avoid, Transfer, Reduce and Retain as the classic four ways of dealing with risk, ISO 73 also lists Optimize and Mitigate. Note the difference between Risk Reduction and Risk Mitigation:
Risk avoidance – decision not to become involved in, or action to withdraw from, a risk situation.
Risk transfer – sharing with another party the burden of loss or benefit or gain, for a risk. Legal, mandatory or statutory rights can limit, prohibit or mandate the transfer of certain risk. Risk transfer can be carried out through insurance or other agreements. Risk transfer can create new risks or modify existing risk. Relocation of the source of risk is not risk transfer.
Risk reduction – actions taken to lessen the probability, negative consequence, or both, associated with a risk.
Risk mitigation – limitation of any negative consequence of a particular event.
In other words, risk reduction is proactive, whereas risk mitigation is reactive? Not necessarily. The mitigation can be a preparatory action in the anticipation of the potential consequence of an event. A contingency plan is an example of risk mitigation. Playing the devil’s advocate here, installing fire fighting equipment in a building would be risk mitigation, the actual fire fighting itself is perhaps not. Personally, I prefer to distinguish between mitigative and contingent risk management actions.
Risk retention – the acceptance of the burden of loss or benefit or gain, for a risk.
Risk optimization – process, related to risk, to minimize the negative and maximize the positive consequences and their respective probabilities.
This is an interesting concept. Optimization acknowledges that risk may pose both upside opportunities as well as downside losses. Albeit not said explicitly, risk optimization may also be seen as a cost-benefit assessment of the risks. Finally, risk that cannot be treated or that is decided not to treat has to be accepted.
Risk acceptance – decision to accept a risk
Risk acceptance and risk retention are not the same. Risk retention is a consequence of risk acceptance of a certain risk.
Risk financing – provision of funds to meet the cost of implementing risk treatment and related costs.
Risk control – actions implementing risk management
This is a bit confusing. I don’t really see why there is a need for risk control and risk management, since risk risk management already contains an element of control…unless risk management is see as something abstract, while risk control is something concrete.
Risk communication – exchange or sharing of information about risk between the decision-maker and other stakeholders.
Risk perception – way in which a stakeholder views a risk, based on a set of values or concerns
Stakeholder – any individual, group or organization that can affect, be affected by, or perceive itself to be affected by, a risk. The term stakeholder includes but has a broader meaning than interested party.
Interested party – person or group having an interest in the performance or success of an organization.
I do see the necessity to include risk communication as an integral part of risk management. This also brings in the notion of stakeholders and what risk perception these stakeholders have. Risk perception is particularly important in managing reputation risk.
Risk Management Process
According to ISO 31000, and again repeated in ISO 28o02, which I reviewed in my post on supply chain security and resilience, the risk management process can be illustrated graphically as below.
I find this an excellent figure that clearly shows the content of the individual steps of the risk management process, how they are related to each other and how risk management is a never-ending cycle of activities.
Conclusion
As you can see, there is a whole battery of terms related to risk and risk management. I am not sure I am less confused now, but the differences in meaning are beginning to sink in, at least in my mind. As I said in the opening chapter, not many, if any, papers on supply chain risk refer to ISO 73 or ISO 31000 for that matter, but this post I hope that more researchers will make use of the terminology that already exists.