One of the most difficult aspects of the risk management process is learning the lingo.
I was clueless when I started. It seemed like someone had jumbled a bunch of words and parsed them together nonsensically—kind of like the dialogue of some presidential
Here’s a glossary to help you:
• Risk: The possibility that a chosen action will lead to an undesirable outcome. Like letting your son use your brand-new car on a Friday night…with his new girlfriend.
• Metrics: Objective ways to measure risk and the effectiveness of mitigation. Often numeric, this scale typically goes from low risk (such as making a low-dollar transaction) to high risk (opening that same account for Carmela “The Weasel” and her 15 “sons”).
• Mitigation: Steps taken by an organization to reduce or eliminate risk. Not to be confused with “migration,” which is what happens when bank customers get slapped with hidden fees.
• Risk strategies: Methods of dealing with risk; classically named “avoidance, acceptance, sharing, and reduction” (which, by the way, would be a very funny name for a rock band).
• Risk and return: The fundamental concept (typically lost on any auditor) that states return (profit) is a function of taking risk. It also was lost on managers at certain corporates, apparently.
• Risk transfer: The process of shifting risk to another entity, such as insurance. The following example describes this best.
Wife: “Is this milk spoiled?”
Father: “I don’t know. Bobby, drink this.”
Son: “Yuck! I think I’m gonna….”
Father: “Yes, it’s spoiled.”
• Residual risk: The risk remaining after all mitigation is completed. In the above example, this would be the risk that Bobby will do something to his father.
• Likelihood: The possibility that an event will actually occur—ranging from high probability (it will rain in Seattle) to low (a Democrat will cut taxes).
• CRO: Short for “chief risk officer,” the person responsible for oversight of risk management but who gets the worst office of the entire C-group.
• Risk map: Typically a two-dimensional chart with magnitude on one axis and likelihood on the other. This is used to prioritize risk so limited resources are used efficiently and to prove to examiners that you actually know more than they do at any one time.
• Risk prioritization: Ranking of risks, via the risk map. This often is changed by an ECE (see next item) who will randomly choose his or her own set of risks to be managed.
• ECE: Short for “eligible commercial entity,” also known as an “externally clueless entity.” Commonly referred to as “examiner.”
• Risk appetite and tolerance: The amount of risk an organization is willing to take globally and individually. The best example of this was my father’s trips to Vegas. He always took $500 (his risk appetite). Then he’d lose it one quarter at a time at the slots (his tolerance).
• Inherent risk: The amount of risk most organizations take by simply doing nothing. Refer to my earlier remark about some corporates.
• Financial risk: The monetary impact of an undesirable outcome.
• Reputational risk: The societal decrease in trust due to an undesirable outcome.
• CEO employment risk: The chance that financial risk plus reputational risk is greater than your value to your board members.
While these are tongue-in-cheek definitions, the real process of risk management is serious work. Fundamentally, whoever manages risk best, wins.
Just remember, if you don’t manage your risks, they’ll manage you.
JAMES COLLINS is president/CEO at O Bee CU, Tumwater, Wash. Contact him at 360-943-0740.