
RMBC 2019 - Session 1 ‘What do you mean by risk’ handout

What do you mean by Risk - RMBC Session 1 Handout

These notes are a summary of the key points of Session 1 of the Risk
Management Basics Course (RMBC) ‘What do you mean by risk’. Follow
along using this guide or keep this as a reminder of the key points
from the session.

© Andrew Sheves 2019


Why we need a standardized approach to risk


● Risk and risk discussions are often hampered by inconsistent
terminology and a high degree of subjectivity.
● We need a standard way to talk and think about risk to be
successful and to avoid confusion in our risk discussions.

Risk as a concept
● ISO 73 defines risk as “the effect of uncertainty on objectives”.
● This definition stresses that we are considering the effects of
an event, not the cause. This also stresses that these effects
influence an organization’s objectives.
● So we judge the severity of a risk based on the potential effect
on objectives, rather than simply judging risk by the magnitude
of an event.
● This definition works for both positive and negative risks.

Breaking down an individual risk


● In this KISS risk management framework, risk is comprised of
three elements.
● Negative risks are the risks that can prevent us from achieving
our objectives. Negative or downside risks are comprised of a
threat, vulnerability and potential impact.
● Upside risks are risks that present an opportunity to help
achieve our objectives. Upside risks are comprised of an
opportunity, exposure and the potential impact.
● By separating the key components, this framework allows each
element of a risk to be considered separately. This helps prepare
clear, understandable risk descriptions and more effective risk
treatment plans.

Downside risks
● Threat: an event which could negatively affect objectives
○ Threat descriptions should stress the effect rather than the
cause so instead of listing ‘climate change’ as a potential
threat, the threat might be ‘increased frequency of flooding in
area x’.
● Vulnerability: conditions that allow an event to occur
○ Vulnerabilities exist due to proximity to a threat, because
of inadequate preventative measures or where there are poor
or non-existent controls. Conversely, robust controls or
separation from a threat will lower vulnerability.
● Impact: the effect that an event has on objectives
○ Impact is highly contextual and it is not always the
immediate effect of the event that is being considered.
Instead, we should consider the effect that the event has on
the organization’s objectives, which might be a combination
of physical, reputational and financial damage.

Threats and vulnerabilities are considered as pre-event factors as
these create the conditions that allow an event to occur. Impacts are
post-event and fall on the right-hand side.

Upside risks
● Opportunity: an event which could support objectives
○ The opportunity should be considered in the context of how it
could support or further the organization's objectives.
● Exposure: conditions that allow an event to occur
○ Exposure describes the proximity the organization has to the
opportunity or the conditions that allow it to exploit the
opportunity.
● Impact: the effect that an event has on objectives
○ Similar to downside risks, impacts are highly contextual and
should be considered by the effect on the organization’s
objectives.

Risk statements
● Risk statements allow us to describe a risk in prose, which helps
explain the risk in a non-technical setting.

XYZ Co faces a significant risk [severity description] due
to the potential for civil unrest in Janwick [threat
description] which could severely disrupt our global supply
chain [impact statement] as our key manufacturing sites are
concentrated there. The firm is particularly vulnerable in
Janwick as our local safety and security arrangements were
designed when the country was peaceful and have not been
updated to address the deteriorating security situation
[vulnerability statement].

● Risk statements are useful when you need to discuss a risk with
decision-makers who might not understand the technical details of
the risk management process.

Perspective
As a reminder, it is important to reiterate that risk is particular to
the organization. Two entities in the same place and facing the same
range of threats may have very different assessments of the overall
risk. For example, security companies in Janwick might see unrest as
an opportunity, creating an upside risk.

Superior Security Services has a significant upside risk due to
the potential for civil unrest in Janwick. This could lead to a
significant increase in demand for security guards and protective
services which have been limited due to the relative peace that
has existed until recently. We have significant exposure to this
market through our existing contacts providing drivers and night
watchmen to Janwick's larger firms which we can leverage to
realize this opportunity.

Quantitative Risks
● There is no unit for risk so we cannot measure it as such but we
can describe risks mathematically.
● You can calculate a downside risk using a formula like this.

● Similarly, you can calculate an upside risk using a formula like
this.

● This quantitative valuation forms the basis for the risk
assessment. These values allow us to rank risks and compare them
numerically.

KISS risk management is all about simplifying risk management and
making it accessible.

I hope that I’ve succeeded with this guide but if you have any
questions, complaints or suggestions, please email me.

Some Small Print at the End

Disclaimer

This document and any resources referenced are provided as a general guide only and cannot
provide specific guidance to meet each user’s specific situation. Appropriate professional
advice should be sought before implementing, adapting or changing any management system,
particularly those relating to risk and security.

Andrew Sheves / Tarjuman LLC is not responsible for any injury, loss, damage or disruption
arising from the use of this document and any resultant materials.

Fair use and licensing

This guide is distributed with the intent that you put it to work. So I hope that you use and
tinker with it but 1) you don’t use it for anything commercial and 2) you acknowledge me as the
source.
