An Introduction to Risk Management

November 23, 2016

Risks in their simplest terms can be thought of as unknowns, or uncertainties that might have both positive and negative impacts on an organization or an individual. The impact that a risk may have will vary and will be dependent on the business area or activity within which it resides, as well as the types of controls that are in place to minimize or manage the risk effectively.

Risks, whether we like it or not, are inherent in everything we do in both our personal and professional lives. This is true of simple activities like picking an ice cream flavor as well as making a major life decision such as purchasing a new home. Each has a chance of a positive outcome, but also a chance of a negative one: Your choice of mint-chocolate-chip might make you a hero at home, but you might have misread the room and could have a disappointed child or partner to contend with. In the grand scheme of things this is clearly not a major concern, but if you take the example of purchasing a new home: a lot more is on the line.  You may have made the most successful financial investment of your life, but you may also run into some obstacles along the way. For example unexpected repairs might arise, interest rates may rise, insurance and taxes may rise, other unexpected liabilities may come about; the list can go on.

Some of these risks can clearly be planned for, but others will be more difficult to foresee. The constant between each of them is that once you make the decision to proceed on a particular course of action you will be exposed, at least somewhat, to all of them. Whether you realize it or not, actions like purchasing home insurance, having home inspections done, deciding on fixed or variable mortgages are decisions with risk management implications. The savvy homeowner (read: personal risk manager!) is hopefully making each of these decisions with some forethought about their capacity to handle repairs, debt payments, their long term goals and many others.

Risks are also an important component of our work lives: every job at TRCA has some level of risk associated with it and every day whether we know it or not, every person at TRCA is making decisions that affect exposure to risks within the organization. Some decisions will be in the ice-cream territory of significance; others will be in the home-purchase territory but most will probably land somewhere in between. The key is to give an appropriate level of thought to the potential impacts, both positive and negative, and any adjustments that we might need to make to balance them before we make these decisions.

Types of Risks

To help understand the scope of risks and their impacts, it’s helpful to categorize risks so that we can manage similar exposures in similar ways. Because of the wide range of facilities and services TRCA offers, the types, size and likelihood of the risks we are exposed to is very broad. A typical categorization would be to group risks as follows: hazards, operational, financial and strategic risks.

Hazards are risks that have only chance of loss or no loss. These include most health and safety as well as property damage exposures. For example the risk of a slip and fall accident, the chance of a car accident or a law suit that arises because of those accidents.

Operational Risks typically include personnel, process and systems risks. These types of risks and the decisions around them typically have opportunities for positive outcomes as well as negative ones. For example the decision to implement a new email client (a new system) might provide long term efficiency and cost savings, but it might also result in down-time costs, require extensive training and result in staff frustration.

Financial Risks are associated with the use of markets, credits and prices. These types of risks also usually have opportunities for gain or loss. For example, an increase in gate fees represents a decision that affects price risk. It might increase per-sale revenues, but might reduce client turn over and result in lower than expected over all income.

Strategic Risks are primarily system wide risks that are perceived to be outside the control of an organization, such as demographic, political, economic or environmental exposures. For example, an increasingly multi-cultural society may create uncertainty about the best means and/or languages we should use for engaging with our community.

Each broad category of risks can and should be further subdivided into more exposures, and identified for each activity that an organization undertakes. The listing of all the risks that a program or project might be exposed to is called a risk register. Risk registers are excellent tools to keep track of risks, their frequency and severity in an effort to help choose techniques to manage them. Future articles will focus on risk registers, additional categories of risk as well as techniques to manage them.

Risk Management

Risk management is the process of proactive management and decision making aimed at bringing uncertainty to within acceptable levels for an organization. We know that some level of uncertainty is inherent in all decisions we make as an organization. While we might want to definitively eliminate all risk associated with an activity, the reality is that the only way we might be able to do so is to eliminate the decision or activity all together. It’s somewhat of a paradox however: the decisions we make to try and transfer or control risk, hold within them a certain inherent level of uncertainty. Even the choice to eliminate a service area brings with it certain risks, for example there may be public or political outcry, financial costs of shutdown or even legal liabilities if certain relied upon service or regulatory activities are discontinued.

To help illustrate how risk management decisions result in risk tradeoffs, consider the following example: Your team has been tasked with a complex construction project, although you have construction experience, this is a specialized project that you do not have a lot of experience with. You have decided that the risks of undertaking the project yourself are too high and as a result you decide to hire a specialized contractor to manage the project for you. Despite this probably being an entirely sensible decision, you have not absolved yourself of risk.

You certainly will have the benefit of not having to deal with the day to day issues on the job-site; you will be sheltered from hazard exposures on site and will have benefit of an expert in the field. But consider that you will have had to go through the potentially difficult process of selecting a good candidate to act as your contractor; once selected, you will no longer have direct control over scheduling, you will be subject to management fees that you would not have been otherwise and you would have forgone the potential for expanding your team’s experience in this field.

Whether or not this was a good decision will be dependent not only on the outcome, but also number of factors, not limited to your business goals, your capacity as an organization and your threshold for uncertainty in key areas of your organization. In this case if you are not in this specialized business, you have limited capacity, and your organization is risk adverse the decision to contract the project management will probably work to your benefit. It would be a mistake however to think that hiring the contractor would have made all your negative exposures go way.

The above scenario is a good example of the way we conduct risk management. We have a problem and establish the context within which we are acting (a construction project we aren’t entirely comfortable with), we identify the risks (risks from a lack of expertise); we assess the risks and select a treatment (look at options for contracting); we treat them (transfer risk by hiring contractor); and finally re-evaluate their effectiveness for the next time we are faced with a similar problem (look at the outcome vs a number of factors within the organization). This fundamental process can be applied to any problem, decision, or operation that we undertake and is a good way to tackle the issue of scoping and managing the risks we are entering into.

The choice of how in-depth we take this process and what tools might be used to manage identified risks will be dependent on a number of factors including the type of risk in question, the level of exposure it might represent, as well as the types of resources available at any given time.

Visit the TRCA Risk Management Dashboard