Risk management has numerous definitions, usually depending on the context in which it is being discussed. Among these are:
“Risk management is a formal process that enables the identification, assessment, planning and management of risk.” (Merna and Al Thani 2010)
COSO ERM defines enterprise risk management as a process designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. The process is effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise.
ASNZ 4360 states that risk management is an integral part of good business practice and quality management. The standard further specifies that risk management means inter alia identifying and taking opportunities to improve performance as well as taking action to avoid or reduce the chances of something going wrong.
The Institute of Risk Management, in its risk management standard, says risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73). In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside). Risk management is increasingly recognised as being concerned with both positive and negative aspects of risk. Therefore this standard considers risk from both perspectives.
The common theme arising from the various definitions is that risk management is a management process to deal with uncertainties faced by any entity, threats to its resources and its consequences, as it chooses the opportunities presented by its operating environment, to increase the value of the entity.
The Concept of Risk and Uncertainty
Risk is simply defined as a probability of a loss or gain. One situation is riskier than another if it has a greater expected loss or a greater uncertainty (defined as the variability around the expected loss). Risk is therefore linked to the quantum of loss or profit (the risk-reward ratio), i.e. the probability of an event occurring that causes either a gain or a loss, and how much that gain or loss varies from the expected outcome, which is an average.
Business inevitably has to undertake risk in its daily activities, as perfect information is a myth. Risk is usually thought of in respect of a negative event happening, the probability of it happening and the quantum of the loss when it occurs. Uncertainty is said to exist in a business transaction where the decision-makers lack complete knowledge, information or understanding of the proposed transaction and its possible consequences.
In his seminal work Risk, Uncertainty, and Profit, Frank Knight (1921) established the distinction between risk and uncertainty. “Uncertainty must be taken in a sense radically distinct from the familiar notion of Risk, from which it has never been properly separated. The term “risk,” as loosely used in everyday speech and in economic discussion, really covers two things which, functionally at least, in their causal relations to the phenomena of economic organization, are categorically different. The essential fact is that “risk” means in some cases a quantity susceptible of measurement, while at other times it is something distinctly not of this character; and there are far-reaching and crucial differences in the bearings of the phenomenon depending on which of the two is really present and operating. … It will appear that a measurable uncertainty, or “risk” proper, as we shall use the term, is so far different from an unmeasurable one that it is not in effect an uncertainty at all. We accordingly restrict the term “uncertainty” to cases of the non-quantitive type