Rightsizing your risk: Understanding stakeholder exposure
By: Mark Knight and Arlin Mire

Most businesses have embraced or are in the process of adopting risk management. Risk is the impact of uncertainty on objectives. The simplest way to reduce business risks is to reduce uncertainty. Doing so is aided by access to better information. Both internal and external risks must be recognized, as well as how much risk an organization is prepared to accept and the potential impact on stakeholders.

Risk is everywhere. We make decisions every day involving risk in our personal and professional lives. Generally, we perceive risk as a negative thing and try to avoid it. The extent to which we try to avoid risk depends on our tolerance for the potential impacts. But risk is not necessarily bad. Risk is the impact of uncertainty on objectives. Those impacts can be negative or positive, and in the latter case we perceive them as opportunities. This definition also implies that we can reduce risk by reducing uncertainty.

Risk & Review is one of the six groups of asset management subjects as defined by the Institute of Asset Management (IAM). The Risk & Review group contains topics relating to:

  • Risk assessment and management
  • Contingency planning and resilience analysis
  • Sustainable development
  • Management of change
  • Asset performance and health monitoring
  • Asset management system monitoring
  • Management review, audit and assurance
  • Asset costing and valuation
  • Stakeholder engagement

Each of these subjects is worthy of a paper in its own right, but here we will focus on risk management, contingency planning, performance and health, stakeholder engagement, and change management, as these topics are important for utilities focusing on asset management.

ISO 31000

ISO 31000 is the international management standard for the principles and guidelines for risk management. It recommends implementing a framework to integrate the process for managing risk into an organization’s overall governance, policies, values and culture. It outlines a simple framework and describes the processes to implement that framework and the principles that define it.

The principles are rules to follow that make risk management effective. These 11 principles guide organizations in recognizing that risk management helps decision-makers make informed choices; prioritizing actions; and distinguishing among alternative courses of action. An underpinning is that risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed. Additionally, the principles stress that risk management needs to be based on the best available information and that it should take human and cultural factors into account.

While each of these is important, this paper focuses on how risk can be integrated into an organization’s decision-making process. Management is an information processing activity. It involves gathering, processing and disseminating information. The right information, in the right form, at the right time is needed to make decisions. In the context of decision-making, it is easy to see the impact of risk in terms of uncertainty. Making decisions despite significant degrees of uncertainty is what one does when buying lottery tickets, for example. This is more commonly known as guessing, and guessing is not a good approach to corporate decision-making. Effective decision-making requires facts, not gut feel.

Internal and External Risks

Although risk is everywhere, that does not make it bad. It just means we need to acknowledge its existence and decide how much risk we need to manage. Understanding the potential impacts of unplanned events allows us to assess the degree to which we need to manage both the possible occurrence of the event and the degree to which it causes impacts.

Internal risks can be broadly classified into types that relate to doing work (i.e., scope, schedule, cost), but they can go beyond that to include cultural, policy, environmental and other risks, although these tend to be factors that influence schedule, scope and cost. External risks vary depending on many factors based on the type of organization (public, private, regulated, unregulated), geography, centralization, environment, markets, legislation and other factors.

Whatever the source of risk, it is normal for many organizations to assess risk by looking at the combination of probability of occurrence and level of impact for each risk. This can be modeled using a spreadsheet, or it can be subject to Monte Carlo simulation to analyze the impacts of variations within the system, or it can be analyzed via various other industry-based techniques.

Risk Tolerance

Our risk tolerance drives the extent to which we manage risk. The risk tolerance levels of the organization and external parties also must be considered. If the risk is deemed unacceptable after mitigation, then more mitigation is warranted until the cost of prevention outweighs the liabilities. Depending on the nature of the liabilities, different organizations may have very different tolerances. Risk tolerance is an organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives, according to ISO Guide 73:2009. In ISO 31000, this is referred to as risk attitude and is described as an organization’s approach to assess and eventually pursue, retain, take or turn away from risk. The risk that remains after mitigation is residual risk.
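The probability-and-impact assessment, Monte Carlo simulation and residual-risk comparison described in the two sections above can be sketched in a few lines of Python. This is an added example, not part of the original article; the risk register, the triangular impact distribution, the 95th-percentile criterion and the 700k tolerance are all assumptions chosen for illustration.

```python
import random

# Constructed risk register (not from the article): name, annual probability
# of occurrence, and (low, most likely, high) impact in thousands of dollars.
REGISTER = [
    ("Transformer failure",   0.10, (200, 500, 2000)),
    ("Control-system outage", 0.25, (50, 150, 600)),
    ("Storm damage to lines", 0.40, (20, 100, 400)),
]

def expected_loss(register):
    """Spreadsheet-style point estimate: sum of probability x mean impact."""
    return sum(p * (lo + mode + hi) / 3 for _, p, (lo, mode, hi) in register)

def simulate(register, trials=20000, seed=1):
    """Monte Carlo: in each trial every risk fires with its probability and
    draws an impact from a triangular distribution. Returns sorted losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for _, p, (lo, mode, hi) in register:
            if rng.random() < p:
                total += rng.triangular(lo, hi, mode)
        losses.append(total)
    return sorted(losses)

def percentile(sorted_losses, q):
    """Loss value not exceeded in a fraction q of the trials."""
    return sorted_losses[min(len(sorted_losses) - 1, int(q * len(sorted_losses)))]

def mitigate(register, name, prob_factor):
    """Risk treatment (assumed effect): scale one risk's probability."""
    return [(n, p * prob_factor if n == name else p, imp) for n, p, imp in register]

def within_tolerance(register, tolerance, q=0.95):
    """Residual risk is acceptable if the q-th percentile loss <= tolerance."""
    return percentile(simulate(register), q) <= tolerance

if __name__ == "__main__":
    treated = mitigate(REGISTER, "Transformer failure", 0.2)
    for label, reg in (("before treatment", REGISTER), ("after treatment", treated)):
        p95 = percentile(simulate(reg), 0.95)
        print(f"{label}: expected={expected_loss(reg):.0f}k p95={p95:.0f}k "
              f"within 700k tolerance={within_tolerance(reg, 700)}")
```

The point estimate hides the tail: the simulated 95th-percentile loss sits well above the expected loss, and it is the tail, not the average, that is compared against tolerance before and after treatment.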

Risk & Review Topics

Risk Assessment and Management

Risk is increasingly involved as a component of organizational decision-making. Risk management needs to be ubiquitous within the organization, so that negative impacts can be reduced and opportunities can be leveraged in decisions at all levels. While risk probabilities are often classified in qualitative terms such as low, medium and high, another factor often incorporated is criticality. The combination of probability and criticality can be used relatively easily to establish decision-making priorities for assets. Risk management is integral to decision-making and thus affects all parts of the asset management framework. Risk management and assessment are therefore represented in the policies and processes for identifying, quantifying and mitigating risk and exploiting opportunities, as explicated in IAM’s “Asset Management — an Anatomy” version 3.

Contingency Planning and Resilience Analysis

This topic gained much attention in 2020 as organizations attempted to deal with the impacts of COVID-19. Resilience is defined as an ability to recover from or adjust easily to misfortune or change. It is described by the National Infrastructure Advisory Council (NIAC) as the ability to reduce the magnitude and/or duration of disruptive events. The NIAC also states that the effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to and/or rapidly recover from a potentially disruptive event. One way to improve resilience is through contingency planning. This area focuses on the processes and systems to see that an organization can continue to operate its assets to deliver the required level of service in the event of an adverse impact or maintain the safety and integrity of the assets, whether or not they are operating.

Asset Performance and Health Monitoring

Asset performance and health monitoring describes the processes and measures used by an organization to assess the performance and health of its assets using performance indicators. The indicators can be leading or lagging, and they may allow for the prediction of future asset performance and health as well as the assessment of current or historic performance. The term asset health is used in relation to measures that monitor the current (or predicted) condition or capability of an asset (or asset system) to perform its intended function by considering potential modes of failure. Clear criteria are required to understand when there is a deviation between the predicted and actual performance for an asset such that the need for appropriate remedial action can be evaluated. It is important that measures and associated targets align to the organization’s asset management objectives and strategy as described in a strategic asset management plan (SAMP) and provide feedback on, and understanding of, the assets. The SAMP defines the desired current performance, level of service and condition of assets.

Stakeholder Engagement

A stakeholder is a person or organization with a vested interest in an organization’s operations and performance. Stakeholders typically include investors, employees, customers, suppliers, communities, governments, regulators and others. Stakeholders hold an interest in outcomes, so if the outcomes are at risk, stakeholders are exposed to risk.

Stakeholder engagement is a critical but often undervalued activity. Often this involves finding ways to explain an organization’s plans and/or activities to its stakeholders rather than seeking input and directly engaging with them. The IAM describes this subject simply as the methods an organization uses to engage with stakeholders, but despite a simple definition, it is not a simple topic. Stakeholders include parties both internal and external to the organization. Potentially, each stakeholder can have an impact on how an organization performs, although some impacts are more obvious and more direct. The interests and expectations for an organization’s plans and activities may also vary or be directly in conflict between different stakeholders. Stakeholder engagement should support the effective management of assets, including incentives and processes for employees.

Management of Change

Ideally, asset management embraces continuous improvement, which means changing the way that things are done to make improvements. But if organizations are continually changing, the need to understand the impacts of those changes, communicate the changes and remove barriers becomes a core competency. This is what management of change involves. It is focused on technical changes and proactive elimination of risk associated with change, and it overlaps with configuration management. Change management, on the other hand, is focused on people and — as noted by the IAM — people do asset management.

In a world where the rate of change is increasing, both the management of change and change management will require increased focus for effective asset management organizations. In short, value comes from what gets used, not from what gets designed or built. Asset management is the coordinated activity of an organization to realize value from assets. Change is an instrumental part of those coordinated activities.

Other Risk & Review Topics

Sustainable Development

Sustainable development reflects the goal of making asset management enduring, not a one-off project that then slowly diverges from its original drivers. It also incorporates environmental, social and economic aspects to determine activities to undertake. This requires an organization to take a long-term view of its asset management activities. Every organization should strive to make strong, smart and sustainable capital investments. Sustainable development is the interdisciplinary, collaborative process used by an organization to maintain an enduring, balanced approach to economic activity, environmental responsibility and social progress.

Asset Management System Monitoring

Asset management system (AMS) monitoring should not be overlooked. Developing an AMS helps organizations define their requirements for asset management, and the AMS reflects the processes, information, people, tools and resources to carry out those requirements. Like any process or system, it must be monitored to see that it is meeting its objectives. This area focuses on the processes and measures used by an organization to assess the performance of the systems it deploys. The aim is to evaluate the extent to which the AMS is fit for its purpose and whether the organization is achieving its asset management objectives.

Management Review, Audit and Assurance

This category, while similar to AMS monitoring, represents a review by top management of the information gathered from monitoring the AMS. It thus represents an organization’s processes for reviewing and auditing the effectiveness of its asset management processes and AMS. These reviews focus on both internal and external changes that may require adapting the AMS, and they provide visibility into asset management activities for top management.

Asset Costing and Valuation

This subject evaluates financial aspects such as asset value, accounting codes and financial reporting. For large organizations operating across multiple states, countries or other jurisdictions, this will involve harmonizing levels of internal reporting and valuation while supporting varying requirements.

Each organization needs to define processes for capturing as-built, maintenance and renewal unit costs, as well as the methods used by the organization for valuing and depreciating its assets. This includes verifying that the quality of financial information is appropriate for the organization’s financial reporting framework. This subject can become very complicated very quickly, but adhering to generally accepted accounting principles (GAAP) can help improve transparency in financial statements.


The Risk & Review group of subjects in the IAM’s conceptual model contains the largest number of subjects of any group. Although some have described the model as comprising leftovers that did not neatly fit into the other five groups, there is sound logic for grouping these subjects together. Each represents areas of risk or topics that require careful review.


Mark Knight is a principal consultant for the energy and utility industries at 1898 & Co., part of Burns & McDonnell. With more than 30 years of experience working for utility companies in the U.K. and the U.S. and as a consultant in the electric supply industry, he is focused on building comprehensive strategies that will improve business and technology solutions for our clients. Mark is chairman emeritus of the GridWise Architecture Council (GWAC). He is a member of the Institute of Asset Management (IAM) and is a member of the IAM USA Executive Committee.

Arlin Mire is a project manager at 1898 & Co., part of Burns & McDonnell. He specializes in developing capital asset plans and business cases for large capital programs. He has more than 15 years of experience in budget prioritization and optimization, asset management, business case evaluation, risk-based planning and analysis, financial modeling, economic analysis, decision analysis, Monte Carlo simulation, and investment optimization utilizing genetic algorithms.
