Risk Management Principles

The Guiding Principles of Risk Management

Rather than addressing the principles of risk management from a personal, enterprise, business or investment perspective, the Risk Management Principles listed below apply to effectively managing virtually any kind of risk.

  • Risks can be managed, but never eliminated.
  • Your definition of risk is critical. It can make your risk management efforts more difficult, frustrating, and disappointing or more positive, successful, and easier.
    • So... be sure to dedicate serious time and effort to identifying a positive, powerful, effective and “empowering” definition of risk
    • One of the best & most empowering definitions of risk was articulated by Peter Oppenheimer, when, as the Chief Risk Officer of Apple, Inc., he observed:

“Risk: The degree to which an outcome varies from expectation”


  • Risk & risk management are very personal, critically important, individual life skills
  • The very same risk occurring can affect each individual person, organization or entity very differently, based on each of our individual:
    • Knowledge of and familiarity with the risks & management of those risks we each individually face
    • Understanding of a given risk’s potential personal likelihood and impact (should it occur), plus our personal resilience (ability to bounce back from a risk occurring)
    • Advance preparation to reduce the personal likelihood of a risk occurring and personal impact should a given risk actually materialize
    • Risk monitoring, management and preparation is an ongoing, ever-evolving, never-ending, long-term process… It is NOT a ONE-TIME event.
  • It’s impractical & impossible to identify & manage every single risk you face.
    • Since all risks are not created equal, and risk management has a cost, risks must be prioritized as to which risks to avoid, which risks to accept & manage, and which risks to accept outright.
  • “Risk” is embedded in the very fabric of the universe, via the 2nd Law of Thermodynamics.
    • Simply stated, this physical law describes how the natural tendency of any system is to degenerate from “order to disorder” or “hot to cold” over time, and not the other way around (unless external energy is added back into the system).
    • “If anything can go wrong, it will go wrong, and usually at the worst possible time”
      • An example of “Murphy’s Law” in action
    • To effectively manage any risk, it is absolutely critical to focus on identifying and managing the “ACTUAL RISK” itself, rather than attempting to manage the secondary or tertiary results of a risk.
      • That’s why medical students are taught not to treat disease symptoms, because doing that never solves the underlying problem.
      • Rather, they are taught to use the symptoms as clues to identifying & treating the actual underlying disease, which is much more effective
  • Risks are always with us. There are risks in “taking action” as well as in “not acting” or “deferring action”
  • Risks we’ve identified, fully understand, and are thoroughly prepared for can be “neutralized,” and can even be transformed into opportunities if we wish
  • Since both “Negative” and “Positive” risk exist, we must consider the management of both types of risk… Yes! Too much of something can be as big a problem as too little, i.e.
    • Too little water (a drought) is a risk and too much water (a flood) is a risk as well
  • Risk & Reward are generally equally balanced. However, with knowledge, understanding, experience, and preparation for risks:
    • In essence, we can “tilt” the risk/reward equation to our advantage.
    • In this way we can work for greater rewards, while taking less risk


  • We must deal with both exogenous (external) risks and endogenous (internal) risks (biases, incomplete information, risk misperceptions & decision making)


  • Since risk management has a cost, and it’s impractical to manage every single risk, it becomes critical to prioritize the risks we face and determine which risks to AVOID (if possible), which risks to ACCEPT and MANAGE, and which risks to ACCEPT with no special risk management initiatives in place


  • Risks with the “highest” impact are usually “surprises” that we don’t expect or believe are unlikely, and as a result, are not prepared for in advance
  • It’s much more effective and less costly to prepare for risks in advance by working to avoid them entirely, reduce their likelihood, and limit their potential impact should they materialize, than it is to recover from the effects of a risk occurring that we’re totally unprepared or underprepared for
    • Risk preparation steps include...
      • Avoiding factors or situations that expose us to a given risk/set of risks in the first place
      • If we must accept a risk(s) in order to achieve a given objective…
        • Identifying the risks we’re exposed to…
        • Fully understanding the context, likelihood, impact and our unaided resilience to recover from the impact of risks that occur
        • Then working to reduce the likelihood of risk(s) occurring & minimizing their potential impact when they actually materialize, and improving our resilience