THE BASIC PRINCIPLES OF RISK MANAGEMENT
Risk management should create and protect value. The resources expended to mitigate risk should be less than the consequence of inaction. In other words, risk management should be cost effective.
To be properly managed, risk should be allocated to the party best able to carry it. To be able to carry risk, the party in charge should be aware of the risk. Risk research on projects and supply chains has identified a number of further principles that should be followed by all participants in a project supply chain:
Risks should only be taken by those who:
- • have been made fully aware of the risks they are taking,
- • have the necessary capacity (expertise and authority) to avoid, minimize, monitor, and control a risk,
- • have the necessary resources to cope with the risk if it occurs,
- • have the necessary risk attitude to want to take on the level of risk, and
- • are able to charge an appropriate premium for taking on the risk.
The theory is that by following these principles, one can create a supply chain with a common perception of risk allocation and appropriately located incentives to manage the risks effectively. Not following these principles, on the other hand, can cause confusion about responsibility for risks and create the illusion of risk transfer. this, in turn, can lead to early signals of problems going unnoticed, leading to delayed action. If the problem is allowed to grow, its prevention and control become more difficult and its consequences become more serious. this easily leads to disputes between the parties about who is to blame and where responsibility lies. In this way, wrong or unrealistic risk allocation can increase risk, rather than reduce it, and the escalated risk may default back to the party who thought that it had effectively freed itself and transferred the risk to others.
While these principles are easy to understand, they are not always easy to follow. What makes business sense and is desirable in business practice may not always be supported by legal rules or contract practice. For example, it is not a legal requirement that a party, in order to be obligated to bear certain contract risks, is fully aware of them. Nor is it a legal requirement that contract terms always be read and understood in order for them to become legally binding. If an individual representing a company signs a contract without reading or understanding the terms (which often happens even in business-to-business dealings, in particular with clickthrough agreements and STCs), the company can still become bound by those terms. Clearly there is a need for business, project, risk, contract, and legal professionals—and for all participants in a supply chain—to work together. if this does not happen and a problem arises, the ultimate result will be conflict, as the parties argue that the responsibility lies with someone else.
-  This is the first principle of risk management as stated in the ISO Risk Management Standard (ISO 31000:2009), p. 23.
-  See, for example, Mahler, T. (2010) Legal risk management—developing andevaluating elements of a method for proactive legal analyses, with a particular focuson contracts. Doctoral Thesis. Faculty of Law, Oslo: University of Oslo, p. 114, withreferences.
-  Loosemore et al. 2006 and Loosemore and McCarthy 2008. See also Chapter 3.
-  Loosemore and McCarthy 2008, p. 95.