If you want to manage something, you first want to know what it is. So, in the case of
risk management, you first want to know what the risks are. You also want to know how large they are, or
rather can be, so you can prioritize them for further processing. The first step, then, is the identification
and evaluation of risk. After that, risk management can broadly be divided into two main
areas: control of risk and risk financing.
Control of risk includes the elimination of risks as well as their reduction, in event
frequency as well as in type and size of consequences. Control of risk has an important influence on the financing of
risk, irrespective of whether that will be out-of-pocket, through insurance or otherwise.
Risk control can be divided into two areas: organizational and technical. Preference
will often be given to technical (hardware) solutions since those - if well done - do not normally depend on
the direct influence of people. Organizational measures, apart from work procedures, administrative controls and
decision making, include the design and building of technical systems, and the maintenance and change management that keep
them in safe operating condition. Organizational issues are at the heart of the risk management system
and the focus of this website.
Risk management is Safety management
The distinction between risk management and safety management is made by choice rather than by
reason. It boils down to the definitions of risk and accident and depends very much on how you want to see these in
your organization. If you want, there is a difference in time: a risk is the chance that something will
happen while an accident is something that did happen; the accident was a risk before it the unwanted event
Risk management is Loss Control management
Here too, there is really no difference between risk management and loss control or loss control
management. It depends on the definitions that you are using. The only difference again is the time factor: loss
is the result of an unwanted event. One could say that risk management also includes the financing of risk, but in
essence this risk financing is the financing of losses that do or may happen as the result of unwanted events.
Risk, problem, accident, loss or whatever you wish to call these are all related to unwanted events,
and they are all related to what people do or do not do.
Risk management is problem solving and very similar to the basic problem solving sequence - see picture below, where I replaced
the word "Problem" by "Risk". Risk is a potential problem, something that can happen in the
future. If the risk materializes, then we have a loss. So the difference between risk and loss is the time factor:
if the hazard is there, the risk will materialize sooner or later. The consequence or loss - type and size - will
depend on the circumstances that exist at the time that the event takes place. Murphy's law, popular version: "If
anything can go wrong, it will" or "What can happen, will happen".
In the problem solving sequence below, replace the word "problem" by "risk" and you
have the risk management process, which includes:
Problem or Risk IDENTIFICATION
can there be a problem? In risk management terms called "risk identification" - is there a hazard?
Problem or Risk evaluation in terms of event frequency (how often?) and possible consequences (how much?). In risk management terms called "risk assessment".
is the (potential) problem small enough to be ignored? If not - go to step
Problem or Risk control
can the problem be eliminated? If so, that may be the preferred
if not, we will have to live with it and take action to reduce the risk to an acceptable level, which relates to the frequency of occurrence of the unwanted event as well as to its possible consequences in terms of monetary, human, environmental or business loss.
cause analysis - what are the various causes that can lead to an accident, incident or other unwanted event that transforms hazard to risk? We can only control it if we know what the causes are.
what are the possible event frequencies and consequences related to the various causes?
establish alternatives to control the risk, a combination of technical and organizational measures - prevention (directed at event frequency) and limitation of consequences, including risk financing.
choice of best combination of technical, organizational and risk financing measures. Identification of what needs to be done and setting Standards or criteria for these control activities. This actually forms the PLAN to control risks or problems as one step in the platform model.
implementation or DO of the selected control measures by properly Trained and informed people.
periodic evaluation of the control activities - Measurement and Evaluation of activities carried out - are they meeting the criteria set?
Correction if control activities are not carried out properly. Loop back to 7.
evaluation of results - are control activities producing the desired results? If not, altering or extending those activities may be required, or other/additional control measures may have to be introduced. Loop back to 5/6 etc.
learn from what goes wrong and feed that learning experience back into the process. Loops back to 5/6 and 7 etc.
The above sequence represents a process with several loops depending on
implementation of choices and results obtained.
You may have noted that the risk management or problem solving process described above includes the
standing plan or management system, the PLATFORM model Plan-Train-Do and the management control function
steps ISMEC (see terminology).
Ideally, any activity we undertake should start with hazard identification and risk
assessment and then develop from there. If that route is followed, the PLAN or management system (which is at the
heart of this website) will be developed in relation to the residual risks or problems that remain after
termination, elimination and reduction efforts have taken place. The process above is based on the need for activities
to be carried out (steps 1 - 4), execution of those activities (5 - 7) and periodic evaluation of execution and
results (8 - 10).
In the approach to management system development as given through this website, the same caution has been built in through the
structure that is present in each of the management
system activity areas. That structure starts with a need assessment for the activity concerned and ends with the
periodic evaluation of activities and their results.
I have also visualized the risk management process in a different manner, as an event
or decision tree, as follows:
Safety or Risk Management Trees were developed by the SSDC (System Safety Development Center) for
the US Department of Energy. The better known tree is MORT (Management Oversight and Risk Tree - see Risk Management Resources).