Risk management is about managing the impact of uncertainty on people or organisations. Every activity, whether business or personal, entails some degree of uncertainty. Risks arise when these uncertainties have the potential to impact upon something you care about.
Managing risk requires a range of complementary capabilities and an understanding of which risk management methods and frameworks are effective when, and when they are not.
In everyday language, risk only refers to negative outcomes, or ‘downsides’. However, some risk managers also talk about the positive opportunities, or ‘upsides’ that uncertainty can bring. It is impossible to provide a concrete and universal definition of the concept of risk. As such, both of these concepts of risk are perfectly valid.
For organisations, risks can emerge from any type of uncertainty, including those related to finance, health and safety and security. These different types of risk will need to be analysed by people with skills and expertise in each domain, and then brought together to form a complete view of the risks that an organisation faces. Cyber security risk refers to security risks to digital services, computers, networks, connected/operational technologies or information.
Assessing and managing risk
There are a variety of methods for assessing and managing risks. For example,many approaches start by considering an organisation's assets (such as computers, information or money) and explore ways in which these assets can be compromised. Separately, there are approaches which start with high-level outcomes that are seen to be undesirable, and use these as a means of constraining how parts of the organisation work.
Each method of managing risk has strengths and weaknesses. A mature approach to risk management will apply the approach most relevant to a given risk management problem. For more information about risks management, refer to the following.
Some risk management techniques involve formalised processes and documentation. However, formality of itself is not reflective of a mature approach to risk management. Some organisations, particularly those which are large and complex, will need formality to ensure consistency within their organisation, or to assist audit activities. Other organisations may decide - quite reasonably - to adopt a much less formal approach based on some basic principles.