Risk management – Vocabulary

What is risk management in supply chains? The more I study supply chain risk management, the more confused I get. The supply chain risk literature is inconsistent at best and conflicting at worst. There are so many terms and definitions, and each author, book, paper, or article seems to have its own way of describing the subject matter. Perhaps they haven’t heard about ISO Guide 73:2009 Risk Management Vocabulary? After all, it provides the definitions of many of the generic terms related to risk management. That is why this post will present some of the most frequently used terms relating to the management of risk, in an attempt to promote a coherent approach to the description of activities. Will it help? I’m not sure, but the least I can do is spread the word.

A family of risk standards

ISO 73 is part of ISO 31000, a whole family of standards relating to risk management codified by the International Organization for Standardization. The reason why ISO 73 is particularly useful is that it is intended to provide the risk-related definitions that other standards are meant to use. Obviously, the terms are generic and must be adapted for the specific domain in which they are supposed to be used, and that is exactly why the terms and definitions are useful for supply chain risk researchers.

Overview of definitions

I like ISO 73 because it puts things in perspective and arranges the terms related to risk in relationship to each other:



  • Risk Management
    • Risk Assessment
      • Risk Analysis
        • Source Identification
        • Risk Estimation
      • Risk Evaluation
    • Risk Treatment
      • Risk Avoidance
      • Risk Transfer
      • Risk Reduction
      • Risk Mitigation
      • Risk Retention
      • Risk Optimization
      • Residual risk
    • Risk Acceptance
    • Risk Financing
    • Risk Control
    • Risk Communication
      • Risk Perception
      • Stakeholder
        • Interested party

While risk assessment, risk treatment and risk acceptance (of risk that cannot be treated or that one chooses not to treat) are perhaps not so surprising elements of risk management, I do find it interesting that risk communication is included. On second thought though, risk communication is essential to raising awareness about risk, how it should be treated by the organization and how it should be viewed by the stakeholders. For practical advice I recommend this book on risk modelling, assessment and management.

Definitions

Let’s take a closer look at some of the definitions.

Risk management – coordinated activities to direct and control an organization with regard to risk. Risk management generally includes risk assessment, risk treatment, risk acceptance and risk communication.

Note: The focus is on directing and controlling the organization, not the risk, perhaps contrary to what you would expect?

Risk assessment – overall process of risk analysis and risk evaluation.

Risk analysis – systematic use of information to identify sources and to estimate the risk. Risk analysis forms the basis for risk evaluation, risk treatment and risk acceptance. Information can include historical data, theoretical analysis, informed opinions and the concerns of stakeholders.

Note: Risk is not only a technical or factual matter, it can also be what the stakeholders consider important. The risk definition follows the traditional perspective, though:

Risk – the combination of the probability of an event and its consequence.

(Risk) Source – item or activity having a potential for a consequence.

So, a source in itself is not a risk. However, in ISO 51 Safety aspects, a source is referred to as a hazard. In other words, a source might result in a concrete risk, but not necessarily so.

Risk evaluation – process of comparing the estimated risk against given risk criteria to determine the significance of the risk.

Risk criteria – terms of reference by which the significance of risk is assessed. Risk criteria can include associated costs and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.

As far as risk treatment is concerned, besides Avoid, Transfer, Reduce and Retain as the classic four ways of dealing with risk, ISO 73 also lists Optimize and Mitigate. Note the difference between Risk Reduction and Risk Mitigation:

Risk avoidance – decision not to become involved in, or action to withdraw from, a risk situation.

Risk transfer – sharing with another party the burden of loss or benefit or gain, for a risk. Legal, mandatory or statutory rights can limit, prohibit or mandate the transfer of certain risk. Risk transfer can be carried out through insurance or other agreements. Risk transfer can create new risks or modify existing risk. Relocation of the source of risk is not risk transfer.

Risk reduction – actions taken to lessen the probability, negative consequence, or both, associated with a risk.

Risk mitigation – limitation of any negative consequence of a particular event.

In other words, risk reduction is proactive, whereas risk mitigation is reactive? Not necessarily. The mitigation can be a preparatory action taken in anticipation of the potential consequence of an event. A contingency plan is an example of risk mitigation. Playing the devil’s advocate here, installing fire fighting equipment in a building would be risk mitigation; the actual fire fighting itself is perhaps not. Personally, I prefer to distinguish between mitigative and contingent risk management actions.

Risk retention – the acceptance of the burden of loss or benefit or gain, for a risk.

Risk optimization – process, related to risk, to minimize the negative and maximize the positive consequences and their respective probabilities.

This is an interesting concept. Optimization acknowledges that risk may pose upside opportunities as well as downside losses. Albeit not said explicitly, risk optimization may also be seen as a cost-benefit assessment of the risks. Finally, risk that cannot be treated, or that one decides not to treat, has to be accepted.

Risk acceptance – decision to accept a risk.

Risk acceptance and risk retention are not the same. Risk retention is a consequence of risk acceptance of a certain risk.

Risk financing – provision of funds to meet the cost of implementing risk treatment and related costs.

Risk control – actions implementing risk management.

This is a bit confusing. I don’t really see why there is a need for both risk control and risk management, since risk management already contains an element of control…unless risk management is seen as something abstract, while risk control is something concrete.

Risk communication – exchange or sharing of information about risk between the decision-maker and other stakeholders.

Risk perception – way in which a stakeholder views a risk, based on a set of values or concerns.

Stakeholder – any individual, group or organization that can affect, be affected by, or perceive itself to be affected by, a risk. The term stakeholder includes but has a broader meaning than interested party.

Interested party – person or group having an interest in the performance or success of an organization.

I do see the necessity to include risk communication as an integral part of risk management. This also brings in the notion of stakeholders and what risk perception these stakeholders have. Risk perception is particularly important in managing reputation risk.

Risk Management Process

According to ISO 31000, and again repeated in ISO 28002, which I reviewed in my post on supply chain security and resilience, the risk management process can be illustrated graphically as below.

[Figure: ISO 31000 risk management process]

I find this an excellent figure that clearly shows the content of the individual steps of the risk management process, how they are related to each other and how risk management is a never-ending cycle of activities.
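To make the vocabulary concrete, here is a small risk register that walks one pass of the cycle using the ISO 73 terms (source, risk estimation, risk criteria, risk evaluation, treatment, residual risk, acceptance). This is an added Python example; it is not part of the original post and not code from ISO. It assumes that risk is estimated as probability multiplied by consequence (one common reading of the definition) and that each treatment can be modelled as scaling either the probability or the consequence; the supplier entries, the loss figures and the criteria thresholds are constructed for illustration.

```python
"""ISO Guide 73 vocabulary as a minimal supply chain risk register (added example).

Assumptions (not from the standard): risk estimate = probability x consequence,
and every treatment is a simple scaling of probability or of consequence.
"""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    AVOID = "avoid"        # withdraw from the risk situation: probability becomes 0
    TRANSFER = "transfer"  # share the burden of loss with another party (e.g. insurance)
    REDUCE = "reduce"      # lessen the probability before the event occurs
    MITIGATE = "mitigate"  # limit the negative consequence once the event occurs
    RETAIN = "retain"      # accept the burden of loss; the estimate is unchanged


@dataclass
class RiskCriteria:
    """Terms of reference for risk evaluation (constructed thresholds, expected loss in kEUR)."""
    tolerable: float      # below this the risk is acceptable as-is
    unacceptable: float   # at or above this the risk must be treated further


@dataclass
class Risk:
    source: str           # ISO 73 "source": item or activity with a potential for a consequence
    event: str
    probability: float    # per planning period, 0..1
    consequence: float    # loss if the event occurs, kEUR
    treatments: list = field(default_factory=list)

    def estimate(self) -> float:
        """Risk estimation: combine probability and consequence (assumed as a product)."""
        return round(self.probability * self.consequence, 6)

    def evaluate(self, criteria: RiskCriteria) -> str:
        """Risk evaluation: compare the estimate against the risk criteria."""
        e = self.estimate()
        if e >= criteria.unacceptable:
            return "unacceptable"
        if e >= criteria.tolerable:
            return "tolerable"
        return "acceptable"

    def treat(self, treatment: Treatment, factor: float = 1.0) -> "Risk":
        """Apply one treatment and return the residual risk.

        `factor` is the fraction of probability (REDUCE) or consequence
        (MITIGATE, TRANSFER) that remains after treatment (assumption).
        """
        p, c = self.probability, self.consequence
        if treatment is Treatment.AVOID:
            p = 0.0
        elif treatment is Treatment.REDUCE:
            p *= factor
        elif treatment in (Treatment.MITIGATE, Treatment.TRANSFER):
            c *= factor
        # RETAIN leaves both factors unchanged; the organization carries the loss
        return Risk(self.source, self.event, p, c, self.treatments + [treatment])


def manage(risks, criteria, plan):
    """One pass of the cycle: assess, apply the planned treatments, decide on acceptance."""
    register = []
    for risk in risks:
        residual = risk
        for treatment, factor in plan.get(risk.source, []):
            residual = residual.treat(treatment, factor)
        register.append({
            "source": risk.source,
            "initial": risk.estimate(),
            "residual": residual.estimate(),
            "treatments": [t.value for t in residual.treatments],
            # Risk acceptance: residual risk is accepted unless still unacceptable
            "accepted": residual.evaluate(criteria) != "unacceptable",
        })
    return register


# Constructed register: three supply chain sources, figures chosen for illustration only
RISKS = [
    Risk("single-source supplier", "supplier outage halts assembly", 0.2, 500),
    Risk("sea freight lane", "port congestion delays delivery", 0.05, 200),
    Risk("component broker", "counterfeit parts enter production", 0.1, 300),
]
CRITERIA = RiskCriteria(tolerable=20, unacceptable=50)
PLAN = {
    "single-source supplier": [(Treatment.REDUCE, 0.5),     # dual sourcing halves probability
                               (Treatment.MITIGATE, 0.4)],  # safety stock limits the loss
    "sea freight lane": [(Treatment.RETAIN, 1.0)],          # accepted and carried in-house
    "component broker": [(Treatment.TRANSFER, 0.3)],        # supplier warranty covers 70 %
}

if __name__ == "__main__":
    for row in manage(RISKS, CRITERIA, PLAN):
        print(row)
```

Running it shows the supplier risk falling from 100 to 20 kEUR expected loss after reduction and mitigation, the freight risk retained unchanged at 10, and the counterfeit risk transferred down to 9; all three residual risks then pass the acceptance decision. The `accepted` flag and the `retain` treatment are deliberately separate fields, matching the post’s point that risk acceptance and risk retention are not the same thing.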

Conclusion

As you can see, there is a whole battery of terms related to risk and risk management. I am not sure I am less confused now, but the differences in meaning are beginning to sink in, at least in my mind. As I said in the opening chapter, not many, if any, papers on supply chain risk refer to ISO 73, or ISO 31000 for that matter, but with this post I hope that more researchers will make use of the terminology that already exists.
