Assessing vs. Managing Risks
The world of risk analysis contains a fair amount of confusing terminology, especially when it comes to analysis – what is the difference between assessing risk, characterizing risk, and evaluating risk? They all sound like different words for the same thing. But actually there are subtle differences.
Which terms mean what also depends on who you ask – some standards for example use the term “risk analysis” while others use “risk assessment” to mean basically the same thing. Although it largely depends on what field of risk you are investigating, here I will try to lay out my own understanding of the differences. And then I’ll explain why it probably doesn’t matter too much what terminology we use.
First, I tend to use the term “risk analysis” in the broadest sense, related to the overall field of study of risk. This is following the Society for Risk Analysis: “in particular in the Society for Risk Analysis (SRA) community: risk analysis is defined to include risk assessment, risk characterization, risk communication, risk management, and policy relating to risk, in the context of risks of concern to individuals, to public and private sector organizations, and to society at a local, regional, national, or global level.” (1)
Risk assessment, in my mind, is basically the overall process of doing the modeling and math to come up with a measure of risk. If your boss asks “what is the risk”, doing a risk assessment would get you a number to report back. Risk assessment itself contains several steps. Before you can quantify something, you have to know what you’re measuring – so first you need to frame the problem, and then do some risk identification. There are a lot of tools and methods which can help to identify risks. This is a difficult and important step – just because you don’t identify a risk doesn’t mean it won’t occur, but you can’t plan for something you didn’t anticipate.
Of course a big list of risks doesn’t do much good – they must be compared somehow. Usually this involves some type of quantification. This might involve coming up with estimates for the probabilities of various events occurring, and the consequences of those bad events. It might also involve estimates of things like the vulnerability of a system to failure given an adverse event, the amount of money that might be lost given a default, or the response of an organism to a contaminant given a certain dose. Regardless of what the analysis looks like, some type of modeling occurs at this stage, and usually some calculations. The output is a measurement of the risk. This is usually what I think of as risk characterization or risk estimation.
Then there is risk evaluation, which involves comparing the various risk estimates to each other, and to various benchmarks or thresholds. Ranking risks from greatest to least, or considering risks over $100,000, for example, would be risk evaluation. Usually this ends the risk assessment process.
Risk management is the process of making decisions on what to do about risks once they have been identified, characterized, and evaluated. It doesn’t do much good to say “here are my top ten risks” if there isn’t a plan about how to deal with the risks in a way that best balances the risks, costs, and benefits. I have written previously about risk management (also sometimes called risk treatment) strategies such as acceptance, avoidance, mitigation, and transfer.
Now there might be somebody reading this objecting that some of the terms here have been misapplied according to a particular domain of application or standard document. For instance, people in the health and toxicology fields use different terminology than those in the security field, and the finance industry uses terms differently as well.
Which brings me to my final point – that it is probably okay that different people use different terms. While it can be frustrating from a communication point of view, it doesn’t really matter what we call the various steps in the process. What is important is that the people charged with thinking about risks follow a logical and structured process, which is what I laid out above.
Regardless of your particular context, you can’t go wrong by thinking in a logical way – first you need to identify your risks, second you need to quantify them somehow, third you need to compare them to some benchmark or rule, and fourth you need to decide what to do about the risks. What you call these steps is not as important as whether or not you do a rigorous and thoughtful job in each of the steps.
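The four steps above carried through in code, as an added example that is not part of the original post: a constructed risk register (hypothetical figures) is quantified as annual expected loss, ranked and compared against the $100,000 cutoff mentioned earlier, and each risk is then assigned a treatment. The decision rule in `treat` is an assumed one for illustration, not a rule from the post.

```python
# Step 1 (identification) is represented by a constructed sample register.
# probability: assumed annual likelihood; consequence: assumed loss in dollars if it occurs.
RISK_REGISTER = [
    {"name": "Ransomware on file server", "probability": 0.20, "consequence": 800_000},
    {"name": "Lost unencrypted laptop", "probability": 0.30, "consequence": 50_000},
    {"name": "Office flood", "probability": 0.05, "consequence": 3_000_000},
    {"name": "Phishing leads to wire fraud", "probability": 0.15, "consequence": 250_000},
]

THRESHOLD = 100_000  # the post's example benchmark: risks over $100,000 get attention


def characterize(register):
    """Step 2: quantify each identified risk as annual expected loss (probability x consequence)."""
    return [dict(r, expected_loss=r["probability"] * r["consequence"]) for r in register]


def evaluate(characterized, threshold=THRESHOLD):
    """Step 3: rank from greatest to least and flag risks that exceed the benchmark."""
    ranked = sorted(characterized, key=lambda r: r["expected_loss"], reverse=True)
    for r in ranked:
        r["exceeds_threshold"] = r["expected_loss"] > threshold
    return ranked


def treat(risk):
    """Step 4: choose a treatment strategy. Hypothetical rule, not from the post:
    below the benchmark -> accept; rare but catastrophic -> transfer (insure);
    everything else above the benchmark -> mitigate."""
    if not risk["exceeds_threshold"]:
        return "accept"
    if risk["probability"] <= 0.05 and risk["consequence"] >= 1_000_000:
        return "transfer"
    return "mitigate"


def run(register):
    """Run all four steps; returns (name, expected loss in whole dollars, treatment), ranked."""
    return [(r["name"], round(r["expected_loss"]), treat(r))
            for r in evaluate(characterize(register))]


if __name__ == "__main__":
    for name, loss, action in run(RISK_REGISTER):
        print(f"{name:30s} ${loss:>10,d}  {action}")
```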
Collier Research Systems (www.collierresearchsystems.com) can help your company think about risks – from identification to management, and everywhere in between. With expertise in risk and decision making, we can guide you through the process of planning for and mitigating risks.