What has Risk Management become?
The meaning of the word risk has changed substantially over the last 20 years or so. It used to refer to potentially catastrophic events for which insurance was normally purchased, a meaning, which is still used by the Factory Mutuals and Lloyds underwriters.
In more recent times it has become associated with the term management, which has morphed it from the consideration of potentially catastrophic events to a process, which determines the optimum risk (upside and downside) outcomes, epitomised by the concept of risk appetite.
The courts have never experienced this confusion. After all, they do not care how often something has gone well, they only examine the instances where it all went terribly wrong. And to deal with these, the courts use the legal concept of due diligence.
The risk management standard has probably been responsible for this confusion. This may not be a bad thing in itself, provided the new meaning of risk management is understood. From an engineering perspective it means that risk management has come to mean reliability management, (what is the most likely desirable outcome and what needs to be tweaked to ensure that this becomes the case) whilst the former, catastrophic meaning requires due diligence which is aimed at detecting the outlier events and their various, unlikely combinations.
For example, the extensive use of Monte Carlo simulations is another result of the new meaning. These are typically used to determine likely risk outcomes from independent probability event distributions. It will almost certainly reveal the most likely events to derail or enhance a business plan or project, but the simulations are unlikely to reveal the convergence of low probability, statistical outlier events, the combination of which creates perfect storms like the GFC (global financial crisis).
This may be why the various risk management societies have had difficulty in determining what their core business is in recent times. It also explains why it was so necessary for R2A to change its name (but not its business) from risk engineers to due diligence engineers. And why R2A’s operations due diligence model is so important. It tests for the catastrophic, low likelihood outliers (the old risk management) before it optimises for operational availability (the new risk management).