Risk Management Basics

Risk management is an established tool in the financial environment of the business world. The same holds true for logistics and the concept of supply chain management. The increased level of integration and cooperation along supply chains leads to new risk categories. Risk management can help in understanding the key risk drivers of supply chains and enable the partners to optimize their internal risk management systems, or at least to develop an understanding of supply chain risks.

Risk denotes the chance of danger, loss or injury. In a commercial environment the term must also cover the chance of a favourable outcome, such as a good bargain. Risk is to be differentiated from the term ‘uncertainty’. Whereas risk assumes that the probabilities of the possible results of an event are known, this is not the case with uncertainty. Hence, risk is measurable uncertainty.

A widely used vocabulary for risk management is defined by ISO Guide 73, “Risk management Vocabulary”.

In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process of assessing overall risk can be difficult, and balancing resources used to mitigate between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. In legal terms, natural causes and disasters are also referred to as an “act of God”: events outside human control, such as sudden floods or other natural disasters, for which no one can be held responsible. In the law of contracts, an act of God may be interpreted as an implied defense under the rule of impossibility or impracticability. If so, the promise is discharged because of unforeseen occurrences, which were unavoidable and would result in insurmountable delay, expense, or other material breach.

An example scenario could assume that an opera singer and a concert hall have a contract. The singer promises to appear and perform at a certain time on a certain date. The hall promises to have the stage and audio equipment ready for her. However, a tornado destroys the hall a month before the concert is to take place. Of course, the hall is not responsible for the tornado. It may be impossible for the hall to rebuild in time to keep its promise. On the other hand, it may be possible but extraordinarily expensive to reconstruct on such short notice. The hall would argue that the tornado was an act of God and excuses its nonperformance via impossibility or impracticability.

In other contracts, such as indemnification, an act of God may be no excuse, and in fact may be the central risk assumed by the promisor, e.g., flood insurance or crop insurance, where the only variables are the timing and extent of the damage. In many cases, failure by way of ignoring obvious risks due to “natural phenomena” will not be sufficient to excuse performance of the obligation, even if the events are relatively rare: e.g., the year 2000 problem in computers. Under the Uniform Commercial Code, 2-615, failure to deliver goods sold may be excused by an “act of God” if the absence of such an act was a “basic assumption” of the contract and the act has made the delivery “commercially impracticable”.

Recently, human activities have been claimed to be the root causes of some events until now considered natural disasters. In particular:

  • water pressure in dams releasing a geological fault
  • geothermal injections of water provoking earthquakes
  • drilling provoking mud volcano

Such events are possibly threatening the legal status of Acts of God and may establish liabilities where none existed until now.

Several risk management standards have been developed by bodies including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

The strategies to manage threats (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).

Certain aspects of many of the risk management standards have come under criticism for producing no measurable improvement in risk, even though confidence in estimates and decisions seems to increase.

Method Of Risk Management

For the most part, these methods consist of the following elements, performed, more or less, in the following order.

  • identify and characterize threats
  • assess the vulnerability of critical assets to specific threats
  • determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
  • identify ways to reduce those risks
  • prioritize risk reduction measures based on a strategy

Principles of Risk Management

The International Organization for Standardization (ISO) identifies the following principles of risk management:

Risk management should:

  • create value – resources expended to mitigate risk should be less than the consequence of inaction, or (as in value engineering), the gain should exceed the pain
  • be an integral part of organizational processes
  • be part of decision making process
  • explicitly address uncertainty and assumptions
  • be systematic and structured
  • be based on the best available information
  • be tailorable
  • take human factors into account
  • be transparent and inclusive
  • be dynamic, iterative and responsive to change
  • be capable of continual improvement and enhancement
  • be continually or periodically re-assessed
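As an added illustration that is not part of the original page, the following Python risk register carries a handful of threats through the five method steps listed above and applies the “create value” principle to candidate controls. All asset names, probabilities and loss figures are constructed sample data, and the tie-break on single-event impact is an assumption introduced here to address the high-loss/low-probability balancing problem described earlier.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str          # step 2: the critical asset that is exposed
    threat: str         # step 1: the threat, identified and characterized
    probability: float  # assessed likelihood in the planning period (0..1)
    impact: float       # loss if the event occurs, in currency units

    def expected_loss(self) -> float:
        # step 3: risk = likelihood x consequence
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    risk: Risk
    name: str               # step 4: a way to reduce the risk
    cost: float             # resources expended to mitigate
    residual_probability: float
    residual_impact: float

    def risk_reduction(self) -> float:
        return self.risk.expected_loss() - self.residual_probability * self.residual_impact

    def creates_value(self) -> bool:
        # ISO principle: mitigation spend should be less than the consequence of inaction
        return self.cost < self.risk_reduction()


def prioritize(risks):
    # step 5: greatest expected loss first; equal expected losses are broken in favour
    # of the larger single-event impact (assumption: a rare catastrophic loss is
    # harder to absorb than many small ones of the same expected value)
    return sorted(risks, key=lambda r: (round(r.expected_loss(), 2), r.impact), reverse=True)


# Constructed sample register (illustrative figures only)
REGISTER = [
    Risk("warehouse", "flood", 0.02, 500_000.0),
    Risk("delivery fleet", "minor vehicle accident", 0.50, 20_000.0),
    Risk("order system", "ransomware outage", 0.10, 150_000.0),
    Risk("key supplier", "insolvency", 0.05, 80_000.0),
]

CONTROLS = [
    Control(REGISTER[0], "flood insurance (transfer)", 6_000.0, 0.02, 50_000.0),
    Control(REGISTER[1], "driver training (reduce)", 12_000.0, 0.30, 20_000.0),
    Control(REGISTER[2], "offline backups and patching (reduce)", 9_000.0, 0.10, 30_000.0),
]
```

Running `prioritize(REGISTER)` ranks the ransomware outage first, then the flood ahead of the vehicle accidents despite their equal expected loss, and `creates_value()` rejects the driver training because its cost exceeds the loss it avoids.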