This blog post is a brief book review of Paul Hopkin's book "Fundamentals of Risk Management – 5th Edition". First of all, I believe that those working in risk management should:
Understand what risk is and why contending with risk is important
Understand the fundamental concepts of risk management
Be familiar with the primary tools and techniques used to manage risk across different risk domains
Be familiar with industry standards and practices for applicable risk domains (COSO, ISO 31000, etc.)
Know how to estimate uncertainty, identify risk, build a risk register, use a bow-tie analysis (or appropriate analysis tool), and identify measures to improve the probability of achieving objectives across various risk domains: safety, compliance, enterprise, project and other risk categories.
The last objective is vital to connect all the risk concepts together so that the benefits of risk management can be obtained. Hopkin's book covers many of the topics needed to meet the above objectives and should be a good reference for students of risk management. There is a lot to like about this book. It is one of the few that provides a comprehensive overview of risk management with a good selection of topics applicable to compliance, safety (hazards), finance and enterprise risk. Topics include:
Part One - Introduction to risk management
Part Two - Approaches to risk management
Part Three - Risk assessment
Part Four - Risk response
Part Five - Risk strategy
Part Six - Risk culture
Part Seven - Risk governance
Part Eight - Risk assurance
However, there are some topics that might need further elaboration for those who want to master risk management:
Further development of the role that uncertainty has with respect to risk would be helpful. This would require a more thorough discussion on the nature of uncertainty, cause/effect models, and working definitions for objectives, outcomes, and goals, among other things.
Hopkin uses examples from different risk domains when discussing each risk concept, which is helpful but may also lead to misapplications of tools and practices. Readers may come away thinking that a particular tool or practice is applicable to safety when it only applies to financial risk. Clarification of which risk tools should be used, and when, would help.
Worked examples or exercises would be beneficial with respect to developing risk plans, estimating uncertainties, identification of risk, developing risk measures, and how to continuously track risk throughout the objective life-cycle.
Enterprise Risk Management (ERM) is offered (or at least assumed) as a unified approach for risk management. However, in practice ERM tends to be applied only to corporate and financial risk. Since risk never stands alone, this might be better handled as part of a discussion of GRC (governance, risk, and compliance) or other frameworks.
Quantitative risk tools and practices (probabilities, likelihoods, Monte Carlo, estimation techniques, aggregation, modelling, prediction, etc.) are not discussed. A summary chapter of the quantitative risk principles might be helpful.
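To illustrate the kind of quantitative treatment the last two points ask for (a risk register with probabilities and loss estimates, aggregated by Monte Carlo simulation into an annual loss distribution), here is an added example. It is not taken from Hopkin's book or from any standard; the three register entries, their probabilities and their triangular loss ranges are constructed sample values, and the figures are expressed in an arbitrary unit of thousands.

```python
"""Monte Carlo aggregation of a small risk register (added illustrative example).

Each register entry carries an annual probability of occurrence and a
three-point (min, most likely, max) loss estimate modelled as a triangular
distribution. A simulated year draws each risk independently and sums the
losses; repeating this many times yields a loss distribution from which the
mean, median and 90th percentile can be read.
"""
import random
import statistics

# Constructed sample register; values are assumptions, not from the book.
RISK_REGISTER = [
    {"id": "R1", "desc": "Supplier outage delays delivery",
     "prob": 0.30, "loss": (20, 50, 150)},
    {"id": "R2", "desc": "Regulatory non-compliance fine",
     "prob": 0.05, "loss": (100, 250, 600)},
    {"id": "R3", "desc": "Key staff departure",
     "prob": 0.20, "loss": (10, 30, 80)},
]


def mean_loss_if_occurs(risk):
    """Mean of a triangular(min, mode, max) distribution is (min + mode + max) / 3."""
    return sum(risk["loss"]) / 3


def expected_loss(register):
    """Analytic annual expected loss: sum over risks of probability * mean loss."""
    return sum(r["prob"] * mean_loss_if_occurs(r) for r in register)


def rank_by_exposure(register):
    """Risk ids ordered by expected annual loss, largest first (helps prioritise treatment)."""
    return [r["id"] for r in sorted(register,
                                     key=lambda r: r["prob"] * mean_loss_if_occurs(r),
                                     reverse=True)]


def simulate_year(register, rng):
    """One simulated year: each risk occurs with its probability; losses are summed."""
    total = 0.0
    for r in register:
        if rng.random() < r["prob"]:
            lo, mode, hi = r["loss"]
            # random.triangular takes (low, high, mode) in that order.
            total += rng.triangular(lo, hi, mode)
    return total


def monte_carlo(register, trials=20000, seed=1):
    """Aggregate the register over many simulated years and summarise the distribution."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals = sorted(simulate_year(register, rng) for _ in range(trials))

    def percentile(p):
        return totals[min(len(totals) - 1, int(p * len(totals)))]

    return {
        "mean": statistics.fmean(totals),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p_any_loss": sum(1 for t in totals if t > 0) / len(totals),
    }


if __name__ == "__main__":
    print("Analytic expected annual loss:", round(expected_loss(RISK_REGISTER), 2))
    print("Risks ranked by exposure:", rank_by_exposure(RISK_REGISTER))
    for k, v in monte_carlo(RISK_REGISTER).items():
        print(f"{k}: {v:.2f}")
```

The analytic expected loss serves as a sanity check on the simulation: the simulated mean should land close to it, while the percentiles show what the single expected-value figure hides, namely that in more than half of the simulated years no loss occurs at all and that the 90th-percentile year is far worse than the average.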
The next version of this book, due later this year, has been updated to include: "Now revised to be completely aligned with the recently updated ISO 31000 and COSO ERM Framework, this comprehensive text reflects developments in regulations, reputation risk, loss control and the value of insurance as a risk management method. Also including a thorough overview of international risk management standards and frameworks, strategy and policy, Fundamentals of Risk Management is the definitive text for those beginning or considering a career in risk."

"Fundamentals of Risk Management - 5th edition" by Paul Hopkin is a great reference for those who want to learn about risk management to improve the probability of mission success.