The guiding principles of Risk Management - Software engineering

Risk management comes with a lot of jargon, and it speaks many dialects. Diverse vocabulary, wide-ranging terminologies, and too many definitions of risk make it hard to formulate a measurable system. This problem is not exclusive to organizations which use a risk management framework; it actually emanates from the various governing bodies (e.g. ISO, COSO, IRM, HM Treasury, Basel, COBIT), which define "risk" in different variations of event, uncertainty, outcome, likelihood, probability, frequency, impact, circumstances et cetera, causing inconsistencies.

I like to think of risk management as a supplemental support system to an organization's governance framework. This means risk management supports decision making, formulating organizational structures, setting outlines of authority, the agency-principal relationship, and setting the tone at the top, through a preventative methodology.

I then extend this system to event identification, in terms of the breakdown of the governance structures which deal with risks; more on this point towards the end.

Setting up risk policies as guiding principles to enhance governance is a way of managing uncertainty through preventive mechanisms. When more detailed mechanisms are developed, this evolves into managing risks directly by controlling the activities which increase or decrease them. Full frameworks are comprehensive, detailed and expensive to implement, and small and medium-sized organizations often opt out, choosing to focus directly on revenue generation by accepting more risk.

To examine the popular hypothesis that taking a larger risk means earning a larger reward, consider a medium-sized company taking loans to fund an enthusiastic expansion. It could face potential difficulties in paying back the loans if its target market does not respond positively to the excess supply caused by the expansion.

However, the loans must be paid back, failing which the company goes into winding up and pays through its assets. Before reading on, think about how you would manage this risk.

The situation described above has two critical factors which deal with uncertainty. The first is the market's response to the excess supply and its effect on the market itself. Even if the company in our consideration has done its research on the product, on potential retaliation from competitors and on changes in product positioning, the outcome of all these assumptions is still not known until it actually happens. To put the point more clearly: if the outcomes were already known there would be no risk associated, and the situation would not be a valid example.

Secondly, what happens to the company's position if the outcome turns out to be adverse? The bigger question to be answered here is whether the company would survive the outcome. If you ultimately answer yes, then the expansion is a good idea. If the answer is no, on the other hand, there are two options which the company can consider: it can either reduce the scale of the expansion to limit the risk, or alternatively avoid the project altogether.

Such decision scenarios can be answered through risk policies without the extensive use of risk frameworks. Going back to the point of governance, most of the risks which turn adverse have to do with breakdowns in governance structures, manifesting in the agency-principal relationship or, simply put, the reward-responsibilities equation.

In our example, management may push for expansion because it brings targets which can bring in more personal reward at zero or minimal personal risk, for a project which may extend over a few years, while the increased cost of doing business and the company's redefined position is the risk ultimately borne by the shareholder.

For small and medium-sized companies which do not have the funds to implement a comprehensive risk management framework, creating risk policies and using risk management as a guiding principle could be an efficient way of assessing and managing their operations at reduced risk. For larger companies, risk policies set the direction of their ERM program, thereby bringing in value where it matters most.


This system is actually a generalization of how we address risks naturally; for example, we make it a policy not to drive carelessly so as not to endanger our lives and those of others. The idea of risk management that I want to communicate is not to discourage risk-taking, but to wear a safety helmet and protective gear when taking risks.

In the end, I want to briefly go over the idea of governance, which is core to an organization, or at a personal level, and is arguably the foundation which holds the risk management framework together. The absence of an effective governance system leads to mismanagement, confusion and the acceptance of unwanted risks which could lead to ruin.

The article was originally written and posted by Majid Mumtaz and was republished on our website with his permission.