Different industries use many different definitions of risk and risk management. Some industries define risks narrowly and equate them to hazards or threats. This usage reflects the common, everyday definition of risks as threats or dangers. Others, however, increasingly use a much broader definition of risk. Many consider risks to include both possible threats and possible opportunities. The International Organization for Standardization (ISO) defines risk as “the effect of uncertainty on objectives” (ISO 31000, 2009), and it notes that uncertainty could be positive or negative. Other definitions equate risk to variability or to the chance that desired outcomes won’t be achieved. The New Zealand Transport Agency, an international leader in risk and asset management, defines risk as “the chance of something happening that will have an impact on objectives. It is measured in terms of a combination of the likelihood of an event and its consequence.”
This expansive application of risk is evident in the definition of risk management used by the New South Wales (Australia) Government Asset Management Committee. It defines risk management as a systematic process to identify risks that may impact the organization’s objectives, analyze their consequences, and develop ongoing measures to treat them. These broader definitions of risk expand risk management to an enterprise-wide framework for setting priorities, assigning resources, and ensuring organizational success.
The broader definitions of risk emphasize that risks are not always negative. If risks are equated with uncertainty or variability, these definitions hold promise that risk could be positive as well as negative. PIARC has indicated that risk management could be called “opportunity management.” The field of financial management has long understood this implication. “No risk, no reward” is a basic investment premise. A financial advisor who only offers clients no-risk investments is unlikely to earn them a substantial return. Therefore, risk management is more than barricading an organization against all threats. Modern risk management involves protecting against excessive risk while capitalizing on opportunities that have acceptable risk levels. The English road organization notes that its risk management obligation is twofold. It must protect the public from hazards and threats to desired transportation outcomes, but it must also ensure that it identifies, evaluates, and capitalizes upon all reasonable opportunities.
Establishing the Context—this involves understanding and documenting the social, cultural, legal, regulatory, economic, and natural environment to which the agency is sensitive. The context allows risk management to be tailored to the agency’s needs and circumstances. Included in this step is the development of the organization’s risk policy designed around the agency’s unique objectives. These objectives can include issues such as improving network reliability by reducing the need for frequent maintenance and repair or providing the lowest reasonable whole-life costs for assets. Also included in this step is the creation of the agency’s internal and external risk management communication process. This process allows information to flow up and down through the agency and externally with key stakeholders.