The role of the risk officer

The role of the risk officer

Organizations and companies typically assemble a risk management team to help decision makers go through the risk management process.

While the team members do not have to be risk experts, they must gain an understanding of the environment in which the risks are to be managed, taking into account political and policy concerns, mission needs, stakeholder interests, and risk tolerance.

Defining the context will inform and shape successive stages of the risk management cycle.

Risk managers are involved in the process to:

1. Identify Potential Risk - There is a need to consider a wide variety of risks to support decision making. These considerations include strategic, operational, and institutional risks.

The risks that are included in any particular assessment (sometimes called the assessment’s scope) are largely determined by the decision the assessment is designed to inform.

Unusual, Unlikely, and Emerging Risks - Prior to conducting a risk assessment, it is important to make a concerted effort to identify risks beyond those usually considered. For example, risks that are newly developing, even if they are poorly understood.

Risks that are highly unlikely but have high consequences should also be identified and incorporated into the assessment. This can even include identifying the risk of the unknown as a possible risk.

Brainstorming is a common technique to identify these unusual, emerging, and rare risks. So, too, is involving a wide range of perspectives and strategic thinkers to avoid the trap of conventional wisdom and groupthink.

Even when a risk is difficult to assess, it may still be important to try to understand and should be noted. It should also be acknowledged that no identification of risks is likely to capture every potential unwanted outcome — there will always be things that happen that are unanticipated.

2. Assess and Analyze Risk - There is a need to assess the identified risks and analyze the outputs of the assessment. This step consists of several tasks:

- Determining a methodology;

- Gathering data;

- Executing the methodology;

- Validating and verifying the data; and

- Analyzing the outputs.

In practice, these tasks, like the steps of the larger risk management cycle, rarely occur linearly. Instead, risk practitioners often move back and forth between the tasks, such as refining a methodology after some data has been gathered.

Likelihood is the chance of something happening, whether defined, measured, or estimated in terms of general descriptors, frequencies, or probabilities.

Consequence, or impact, is the effect of an incident, event, or occurrence, whether direct or indirect. In risk analysis, consequences include (but are not limited to) loss of life, injuries, economic impacts, psychological consequences, environmental degradation, and inability to execute essential missions.

3. Develop Alternatives - In order to improve the ability to prevent, protect against, respond to, recover from, and mitigate a variety of manmade and natural hazards, leaders must focus their attention on identifying and executing actions to manage risks.

Ultimately, the objective of risk analysis is to provide decision makers with a structured way to identify and choose risk management actions.

Within the risk management process, the step of developing alternatives involves systematically identifying and assessing available risk management options.

Portions of this step may be performed by different practitioners, but the alternatives development phase brings together proposed risk management actions with the results of a risk assessment, to include course-of-action comparisons.

This provides leaders with a clear picture of the risk management benefits of each proposed action or group of actions.

The picture of potential benefits, when combined with an analysis of an action’s costs — both monetary and non-monetary — can serve as a valuable resource for aiding decision makers in making effective and efficient homeland security choices.

4. Decide Upon and Implement Risk Management Strategies - Risk management entails making decisions about best options among a number of alternatives in an uncertain environment.

The key moment in the execution of any risk management process is when a decision maker chooses among alternatives for managing risks, and makes the decision to implement the selected course of action.

This can include making an affirmative decision to implement a new alternative, as well as the decision to maintain the status quo.

5. Evaluate and Monitor - The evaluation and monitoring of performance is important, to determine whether the implemented risk management options achieved the stated goals and objectives. In addition to assessing performance, organizations should guard against unintended adverse impacts, such as creating additional risk or failing to recognize changes in risk characteristics.

The evaluation phase is designed to bring a systematic, disciplined approach to assessing and improving the effectiveness of risk management program implementation. It is not just the implementation that needs to be evaluated and improved; it is the actual risk reduction measures themselves.

Evaluation should be conducted in a way that is commensurate with both the level of risk and the scope of the mission.

You may also visit:

What is Risk?

Membership and certification

Become a standard, premium or lifetime member. Get certified.


In the Reading Room (RR) of the association you can find our weekly newsletter - "Top risk and compliance management news stories and world events, that (for better or for worse) shaped the week's agenda, and what is next". Our Reading Room

contact us

Lyn Spooner


George Lekatis

President of the International Association of Risk and Compliance Professionals (IARCP)

1200 G Street NW Suite 800, Washington DC 20005, USA - Tel: (202) 449-9750


Privacy, legal, impressum