Knowledge-based management is one of the most pressing topics of today, and it is no wonder. The modern business environment poses new kinds of challenges to companies’ and organisations’ managers and decision-makers that are entirely different to what they are used to tackling. However, it is somewhat difficult to define knowledge-based management completely unambiguously.
One simple definition might be that knowledge-based management is a management and operating model in which analysed data is utilised as part of the decision-making process. Knowledge-based management, therefore, seeks to respond to precisely the challenges posed by the evolving market situation. From this point of view, it is quite understandable that the market situation, which is becoming increasingly knowledge-intensive, tends to steer operations in a direction in which the old tools are no longer sufficient.
Risk management as a tool in today’s market
Risk management is, undoubtedly, one of the most effective tools in knowledge-based management. Risk management makes it possible to produce critical information to support strategic decision-making and assess phenomena in the business environment comprehensively. There are many types of risk management.
There is no single and correct risk management method, but the means of risk management are always incorporated into business activities. As a result, there are as many risk management models as there are organisations that carry out risk management. However, it is very important from the point of view of risk management that it is viewed specifically as an operating model aimed at achieving goals. Naturally, this puts a certain kind of pressure on, for example, the setting of risk management goals, but we are not talking about insurmountable obstacles. Despite its undeniable advantages, risk management suffers from a relatively poor reputation.
One of the most common misconceptions about risk management is the misunderstanding that it is a complicated constraint that limits the creativity of work. While this is not the case in reality, it is the reason why organisations often remain at square one with risk management. They are unable to translate risk management into practice, and if risk management is carried out, it is only done in the face of necessity while struggling to meet deadlines. It is, therefore, not surprising that such risk management does not produce the desired results quickly enough. The reasons for inefficiency and unproductiveness in risk management are surprisingly common:
1. Risk management tools do not meet the needs of risk management
As a rule, risk management is not a material sport. The roots of successful risk management lie in the organisation’s culture and the willingness of the responsible persons to develop operations in a direction that focuses more on risk management. Excel, which is excellent for performing various calculations, is one of the most familiar tools that support office work. Since a certain number of computational truths are also linked to the core of risk management, Excel seems like a natural tool for getting started with risk management, too.
Various Excel-based risk registers are, at least to some extent, suitable for recording the assessed risks, particularly if the goal is just to get acquainted with the basic principles of risk management and significant results are not expected. However, from the perspective of long-term risk management that systematically aims at achieving goals, Excel appears to be a graveyard of risk data, and storing risk data in endless Excel rows and columns will only contribute to the achievement of business objectives at random. In particular, the availability of information to support decision-making is one of the biggest stumbling blocks of Excel-based solutions used for risk management.
To produce results, risk management requires an up-to-date situational picture, which the many versions of risk spreadsheets sent back and forth are unable to produce. When using Excel for risk management, the collected risk data must be combined with other risk reports manually, which is not only time-consuming, slow and inefficient, but quickly leads to a situation in which you can say goodbye to standard-format risk registers. In the long run, this significantly reduces the effectiveness of risk management and, in particular, the measures taken to correct the risks.
Maintaining an Excel-based risk register actually brings its own data management risk to the activity. The integrity, availability and confidentiality of data are compromised when Excel files are sent back and forth as email attachments, but the problem of having multiple different versions that results from this kind of activity is even more difficult. Hunting for the most recent risk assessments does not serve the goals of any organisation.
2. Risk has not been defined correctly
Risk management is not rocket science, but laying the groundwork plays an important role in its success. One of the most important starting points for risk management that produces comprehensive results is defining risk correctly. Although practical risk management work is quite straightforward and pragmatic, certain aspects must be taken into account when defining risk. Risk can be defined in many ways. For example, ISO 31000 defines risk as the “effect of uncertainty on objectives”. This definition of risk encompasses both positive and negative deviations from assumptions, but even this textbook definition is only a starting point for result-oriented risk management.
Each organisation should define what risk means in their operations. When defining risks, it is very important to bear in mind that only some risks are common and faced by all kinds of organisations and companies. Risks of relevance to risk management are always somehow related to the goals set for the operations. A very simplified definition of risk could be, for example, that a risk is something that threatens the achievement of the organisation’s goals, but the organisation should be able to expand this simplification to other definitions, if necessary.
However, it is very important in view of the results of risk management that risk is defined as accurately, simply and consistently as possible. In the end, risk management is pursued for the organisation itself, and nobody else can know what risk means for it.
3. Risks have not been classified
Usually, when an organisation is getting started with risk management for the very first time, for example in a risk workshop, the result is a number of different risks identified from the organisation’s business activities. In general, it has been possible to identify these risks to such an extent that this leads to a different kind of risk blindness.
A person can only remember a certain number of things at a time. This can easily create a situation in which certain risks and their handling are neglected because they are not on top of one’s mind at the moment. However, it is crucial for the success of risk management that risks are also classified. Risk classification is an essential part of risk management, as it makes the continuous identification and management of risks easier.
It is possible to classify different risks in many different ways and by many different methods. The classification of risks has a very clear purpose, which is to describe the causes and manifestations of risks. There are often many reasons for the materialisation of risks. Risks classified according to uniform classification principles contribute to the development of risk awareness and to a better understanding of the nature of the risk when the risk is realised.
The classification of risks also improves understanding of the relations between different kinds of risks. In the midst of everyday risk management work, it is always good to remember that risks rarely occur as completely “pure”. Despite the systematic classification of risks, in some cases different types of risks also overlap. Therefore, it is advisable to apply risk classification according to the situation. A sector-independent and very commonly used classification principle is to divide risks into four groups based on their source and type.
These groups are strategic, operational, financial and damage risks. Strategic risks are risks that potentially threaten the achievement of the company’s strategic goals. Non-working processes, systems in use or people are usually classified as operative risks. Financial risks refer to uncertainties related to the organisation’s solvency and capital sufficiency, and the fluency of its financial processes, which may have positive or negative effects on the sufficiency of capital, liquidity and profitability. Damage risks refer to a threat of an event, caused by unforeseen external factors, that, if materialised, will have negative consequences. Risk classification helps understand the characteristics of the business environment, but at the same time it also teaches organisations to identify risks more accurately.
4. Risks have not been assessed commensurately
he basic principles of risk management include both the identification and assessment of risks. Sometimes risks materialise and there is nothing we can do about it. In fact, some of the risks threatening operations are of the kind that can be allowed to materialise without having any major impact on operating opportunities. This means that not all risks are fundamentally equal.
Predicting the future is not easy. It is difficult to predict which risks will materialise, but it is nonetheless wise to carry out a risk assessment. In practice, risk management measures always need to be prioritised, and risk assessment helps focus resources on the most relevant risks. How, then, is it possible to distinguish between them? Random risk work done in the middle of daily work may easily lead to a situation where risks are only reacted to without having any capabilities to influence them.
All the risks encountered in the middle of daily work can easily seem more or less equal. It is important for the prioritisation of risk management measures that the effects of individual risks are commensurate. When assessments are made from different perspectives and, for example, by different departments, the impact scale can easily become distorted.
Assessments of the likelihood and impact of risks must also be correlated with each other. It is a good idea to assess the impact first, which can, in practice, be done by assessing the maximum realistic impacts. Likelihood should be assessed in relation to that particular scenario, meaning what the likelihood is that these impacts will materialise.
Otherwise, the organisation may accidentally end up creating a group of risks with no connection with reality, which would water down the points of departure of the whole assessment.