The term risk implies uncertainty. Every action we undertake entails some risk; we can never eliminate risk completely. For example, imagine that because of a fear of flying in airplanes, you were to resort to driving to a distant city instead. That option entails risks as well. The actual chances of being seriously injured or killed in a road accident are greater than the chances of being in an airplane crash. You might then decide to just stick to walking, but would still face some degree of risk, e.g., encountering a mugger. In the end, you might be tempted to think that locking your door and never leaving your bed would eliminate risk, but even that could not guarantee your safety from, say, an earthquake. Finally, if you never left your bed you would ultimately suffer from atrophied muscles and related illnesses that would considerably reduce your lifespan (to say nothing of quality of living). In the long run this would be a much riskier strategy than simply boarding the airplane and flying.
While it is impossible to completely eliminate risk, the goal of risk management is to reduce it to tolerable levels. Generally, this includes removing any unnecessary risk—by not doing things that are plainly foolish, reckless or otherwise disproportionately dangerous relative to the potential benefits; and managing residual risk; i.e., by taking appropriate mitigating measures. But first we must find a way of assessing the degree of risk that we are facing.
Assessing risk
We have seen that an organization’s risk is affected by both the threats it may encounter and its own vulnerability to those threats (including in the latter the weaknesses or strengths resulting from the programs that it implements). We expressed this relationship with the formula, threat x vulnerability = risk. For example, if an organization is located in a country where the threat of bomb attack is high, but all staff of the organization live and work within a highly fortified compound, then the risk of staff being injured by a bomb attack might be relatively low (high threat but low vulnerability). Alternatively, if staff members work in an office that is weakly protected, but where bombings rarely or never occur, then overall risk might be similarly low (high vulnerability but low likelihood of threat as well). However, if an office is vulnerable and is located in an area with a real threat of bombings, the office may face a high level of risk.
Now we look at risk in a slightly different way by asking two fundamental questions:
These two aspects of risk are simply referred to as likelihood and impact. Consider the definitions below from the Conference Room Paper 3 of the United Nations Security Management System Network Steering Group, (Prepared by DSS), Geneva, Switzerland 12-14 November 2008:
Risk The combination of the impact and likelihood for harm, loss or damage to the United Nations system from the exposure to threats. Risks are categorized in levels from very low to very high for their prioritisation. Risk assessment The process of identifying the threats which could affect UN personnel, assets or operations and the UN’s vulner – ability to them, assessing risks to the UN in terms of likelihood and impact, prioritizing the risks and identifying mitigation strategies and measures.
It is clear from these definitions that a true understanding of risk must be based on an under – standing of the threats in the working environment and their likelihood. This underlines the importance of threat assessment, and the historical and pattern analyses presented earlier. Similarly, vulnerability analysis is required to understand how much damage might be done if a particular threat event does occur. These taken together prepare the working platform for Risk Analysis.
In order to make some sense out of the various threats and our vulnerabilities to them, we need to assign some levels or values in order to relate them to one another. This will allow us to prioritise threats in our planning and identify key areas where we need to reduce our vulnerability.