Risk-Based Thinking

By: Jorge Diéguez

Risk management in institutions (in the financial or real sector) has long ceased to be an issue related to occupational or financial risks and should now be seen as an entity-wide strategy that provides strong support for strategic decision-making.

This change has been driven by the emergence of a trend towards using Risk-Based Thinking in management systems, drawing on legal frameworks or international standards such as ISO 31000. In this way, the new concept of risk is introduced at all levels and in all areas of the organisation.


The effect of uncertainty on the achievement of objectives

This conceptualisation provides a new approach to risk, as it is no longer labelled as something negative. If we look at the consequences we expect when we encounter or assume a risk, they can represent a positive value and can generate an "Opportunity". This is important to take into account when developing policies or methodologies for risk analysis and assessment or self-assessment.

Risk management consists of a set of activities carried out to direct, manage and control any risk-related issues that may arise in processes and that may influence the achievement of goals.

This process can be summarised in four points: setting the context, risk assessment, risk treatment, and monitoring and review.


Setting the context

This is the area in which organisations seek to achieve their objectives by analysing the internal and external environment. In the external environment, it is necessary to validate the labour, economic, political, regulatory and other conditions, and for corporations this validation must be done at both national and international level. The same applies to any other factor that may have an impact on the company's goals.

The internal environment is made up of everything within the company that can influence the way in which risk is managed. This is why risk management must be aligned with key organisational aspects: culture, structures, policies and processes. Defining risk management policies, risk assessment methods and the responsible parties is very important.


Risk treatment

This stage identifies how objectives may be affected and analyses risks in terms of their potential consequences before deciding whether they require further treatment. It provides institutional staff with a better understanding of the risks that may affect organisational goals.

These risk measurement methods can vary from very simple to very complex, but the bottom line must prevail, i.e. that they are reasonable in light of the criteria set out in the context.


Follow-up and Review

At the end of the risk assessment, an understanding must be reached of the options or alternatives available to implement a change in the possible occurrence of incidents, as well as their possible conclusions. The necessary measures are then implemented and the risk reassessment phase is reached in order to identify the risk tolerance.


Risk Estimation

Last but not least, continuous review or monitoring should be carried out to validate that the established criteria are still valid, as long as the proposed goals are being achieved, as well as to confirm that the strategies and treatments have been effective.