Ever since the very first version of the SABSA Business Attributes taxonomy developed in early 2000, one of those attributes has been ‘risk managed’. Fourteen years later one might ask the question: “What does that mean? Surely SABSA is all about risk management. One might as well say SABSAised.” Yes, that would be a fair comment, because the evolution of SABSA has indeed led to that concept; that the entire framework and method is all about being business risk driven in the architecting and operation of business capabilities. So what exactly does ‘risk managed’ mean?
One rather good answer is that SABSA follows completely the philosophy and principles of ISO 31000: Risk Management. This is the international gold standard of risk management as a business discipline. It makes clear that risk is concerned with the uncertainty of outcome and is thus neutral. There are both opportunities for gain and improvement, and threats of loss or damage. Good risk management is all about creating a balance in which the gains outweigh the losses, and in which business performance is optimised.
ISO 31000 also makes it clear that risk management as an activity is not something separate, but something to be embedded in every aspect of business decision making and business management. You cannot put ‘risk management’ on the side and attend to it some of the time. It is by definition something intrinsic in doing business. Without risk there would be no business. Business is built on seeing opportunities and exploiting them for business advantage. The threats are a necessary part of the whole picture and come with the territory. In this context ‘business’ is any type of human corporate activity – whether for profit or for public service, government, military, charity, anything.
Arguably risk management is part of everyday life for every human being. From the moment of conception in the womb to the moment of death, life is a string of opportunities and threats. Living a successful life means managing these risks at all times of life, and creating a balance, whether it be an individual life, a family life or a corporate life. Every decision is a risk decision – shall I do this thing or not? Or should I do something else? Doing nothing also has risks, so risk is unavoidable in life. Consider what life would be like if there were no risks – it would not be life. Life means you have to face risk and manage it all the time. Otherwise why would you get out of bed and do stuff? What drives life and living is the inherent risk that it implies. ‘Risk’ and ‘life’ are closely coupled concepts. Without risk there could be no such thing as ‘life’, and the struggle that is implicit in staying alive and competing with other life forms for survival of both the individuals and the species as a whole.
Risk is experienced on several levels: strategic risk (long-term effects such as what career shall I choose? Shall I get married to this person?); tactical risks (medium term projects and programmes, such as where should we go on holiday this year? Should I apply for new job to enhance my career?); and operational risks (immediate and short term – such as is it safe to cross the road now? Is this food good to eat?).
Now we begin to see the granularity of risk, how it is both pervasive and at different levels of significance in life. Almost paradoxically it is the operational risk that is the most dangerous to handle. Strategy and tactics can be changed and recovery is possible after poor decisions, but a poor operational decision can kill you dead long before the strategy and tactics have time to take effect. That is why operational risk management is so important in business management and life management. SABSA mostly concerns itself with all aspects of operational risk management, providing operational performance targets and monitoring of performance against those targets on a regular basis. That is why SABSA is such an important framework to be applied in a modern business environment.