Are you competent coping with uncertainty and risk? Implications for work-applied management

Phil Kelly (Liverpool Business School, LJMU, Liverpool, UK)

Journal of Work-Applied Management

ISSN: 2205-2062

Article publication date: 28 November 2022




In a rapidly changing world organisations are constantly presented with threats and opportunities and the need to be responsive and resilient. This necessitates developing risk and uncertainty management capabilities within organisations. This article aims to consider risk and uncertainty competence, knowledge, skills, attitudes and the behaviours required by contemporary managers to protect their organisations from threat and harm, whilst seizing opportunity and reward.


This article presents answers to three fundamental questions: (1) Do all managers (those not specialising in risk management) need to be competent in risk and uncertainty management? (2) What does risk competence mean? And (3) How can managers develop the capabilities to become risk competent? The content can be used by practicing managers or educators to develop individual and ultimately organisational risk competence.


All contemporary managers should have some degree of risk competence. Risk competence behavioural indicators and requisite risk knowledge and skills are identified and discussed.


This article provides a contemporary view on risk and uncertainty management competence, drawing on relevant competence frameworks and the existing risk literature.



Kelly, P. (2022), "Are you competent coping with uncertainty and risk? Implications for work-applied management", Journal of Work-Applied Management, Vol. ahead-of-print No. ahead-of-print.



Emerald Publishing Limited

Copyright © 2022, Phil Kelly


Published in Journal of Work-Applied Management. Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at

How important is it to be competent in risk and uncertainty management?

This article starts with the fundamental question – do all managers (those not specialising in risk management) need to be competent in risk and uncertainty management? The aim of this article is to share practical, “work-applied” insights into risk and uncertainty management, exploring the concept of risk competence. It is relevant to managers in private, public and community organisations. Risk management (RM) is “the process whereby organisations address the risks associated with their goals and activities” (Cole and Kelly, 2020, p. 403; IRM, 2002; ISO/IEC, 2013). We focus on the need for and how managers can become more competent in managing risk and uncertainty within their organisations; specifically, how they can gain the risk knowledge, skills and behaviours enabling them to be more capable risk-competent managers.

Throughout the 20th century many organisations relied upon specialist risk professionals to calculate risk and make associated decisions. Environments were more stable and predictable and RM limited to the field of pure risks (those events that threatened or could harm the organisation and its assets). Many organisations addressed risk in “silos” as a narrowly focused and fragmented set of activities. However, the concept of the risk expert and a centralised approach to RM came under challenge. In 1992 the United Kingdom’s (UK’s) Cadbury Committee suggested board responsibility for setting RM policy and taking a risk oversight role, ensuring organisations understood all their risks. Later, we witnessed several high-profile business disasters causing RM to become the subject of new legislation and policy (such as the UK’s combined code of 1998 and the United States (US) Sarbanes-Oxley (SOX) act of 2002, stipulating governance rules for companies).

Reflecting growing uncertainty, the scope of RM developed to include speculative (opportunities) and goal-oriented risk. The International Organization for Standardization, ISO 31000 standard on RM (2009) and the ISO guide 73 on risk terminology defined risk as the effect of uncertainty on objectives. New risk thinking was also reflected in the IRM “Risk Management Standard” originally published in 2002. In parallel, enterprise risk management (ERM) arose as a systematic and integrated approach to the management of the total risks that a company faces (Dickinson, 2001). Fraser and Simkins (2010, p. 3) draw upon the Committee of Sponsoring Organisations (COSO) of the Treadway commission definition: ERM is “a process, affected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”. Under ERM, all risk areas function as part of an integrated, strategic and enterprise-wide system; whilst RM is coordinated, with senior-level oversight, employees at all levels of the organisation are encouraged to view RM as an integral and on-going part of their jobs. Whereas the 20th century organisation arguably relied on the single risk expert, contemporary organisations are now more likely to embrace broad participation – where all managers and employees have some recognised responsibility for risk and its management.

Following publishing of the combined code of 1998, the Institute of Chartered Accountants in England and Wales (ICAEW) (1999) noted the need to manage risks significant to the fulfilment of business objectives. Recognising company objectives, organisations and the environment are continually evolving, they note the risks faced are continually changing as a result. Such risks are likely to require control, dependent on a thorough and regular evaluation of their nature and extent. Controls are implemented to help manage risk appropriately rather than to eliminate it. The ICAEW also stated that all employees have some responsibility for internal control as part of their accountability for achieving objectives. Collectively employees should have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control. This will require an understanding of the company, its objectives, the industries and markets in which it operates and the risks it faces – the combined code became known as the UK corporate governance code, published by the financial reporting council (updated in 2018).

Whilst larger organisations may have risk specialist functions such as insurance, security, health and safety and business continuity, there are several compelling arguments for all managers to have some degree of competence in the management of risk and uncertainty. This may derive from legislation or corporate governance requirements (see above) or from the basic role of every manager: to assure organisational goals are achieved. According to Cole and Kelly (2020, p. 13) Henri Fayol emphasised this point in his classic definition of management. Fayol suggested that “to manage is to forecast and plan, to organise, to command, to coordinate and to control”. Thus, it is part of every manager’s job to control the resources and events that may assure or hinder the attainment of goals. This is reiterated by the IRM (2022, p. 5) who state, “Risk management should be embedded in the general management of an organisation. It should not be practised in isolation but integrated fully with other functions”. Whereas historically managers may have totally relied upon risk-specialists, it is widely accepted that centralised functions are slow to respond and adapt to changes posed by today’s turbulent business environment. Responsive organisations require broad participation in risk to allow them to minimise harm and seize opportunity in a timely manner. Thus, in answer to our original question – Do all managers need to be competent in risk and uncertainty management – we believe the answer is an unwavering, yes – regardless of organisational type and managerial level.

What does it mean to be competent at coping with uncertainty and risk: to be risk competent?

Having made the case for every manager to be risk competent, our next fundamental question is, what does risk, or uncertainty competence mean and how should this be applied by the risk-competent manager? A competence is “a set of knowledge, skills and attitudes” – KSAs – (Bacigalupo et al., 2016, p. 20; Cole and Kelly, 2020); underlying characteristics which result in effective or superior job performance (Boyatzis, 1982, cited in Rothwell and Lindholm, 2002). Competences may be generic, required for all organisational roles or role specific. Once identified, they are typically presented in a competency model (framework) for an identifiable group, such as a job category, a department or an occupation. The framework will usually consist of around 10–15 competences. Competency approaches are now an established integral feature of many private and public organisations; almost every organisation with more than 300 people uses some form of competency-based approach (Boyatzis, 2008).

For managers to be risk competent (able to manage risk and uncertainty within their role) they must first agree on the meaning of risk and uncertainty. However, there is no single definition of risk as highlighted by Kelly, in Engemann (2018), who presents a table of risk definitions. Aven (2012) also notes a range of definitions, for instance, many view risk as probability, event or consequence, the probability of loss, a combination of likelihood and outcome, as uncertainty and more recently as the effect of uncertainty on objectives. Risk can be defined in terms of organisational resources or goals. Some definitions treat risk as real and calculable (an objective view) and others treat it as a personal judgement (subjective view); risk can be a quantitative or qualitative concept.

Uncertainty, on the other hand, refers to situations where the probability of the outcome of events is unknown, as opposed to risk situations where each outcome has a known probability (Cole and Kelly, 2020). Hofstede (1984) considered uncertainty to mean the same as ambiguity. Uncertainty is a situation which involves imperfect and (or) incomplete information and which affects the predictability of outcomes. Uncertainty entails a risk of undesired effect or loss, whose probability and magnitude cannot be calculated (Bacigalupo et al., 2016). Whereas, in the 20th century risk tended to be treated as a separate concept to uncertainty, the boundary between the two has blurred in the 21st century.

What then does it mean to be risk competent? The European entrepreneurship competence framework (EntreComp) is a common reference framework that identifies 15 competences (Bacigalupo et al., 2016), one of which is “coping with uncertainty, ambiguity and risk”. This is decomposed into three themes: (1) “Cope with uncertainty and ambiguity”; (2) “Calculate risk” and (3) “Manage risk”. Behavioural (proficiency) indicators are described for each theme. Coping with uncertainty and ambiguity competence indicators include: “I can discuss the role that information plays in reducing uncertainty, ambiguity and risk.” OR “I can set up appropriate strategies for collecting and monitoring data, which help me take decisions based on sound evidence”. Calculating risk proficiency indicators include “I can assess the risks my venture is exposed to as conditions change”. Finally, managing risk proficiency indicators include, “I can use strategies to reduce the risks that may arise during the value-creating process.”

Whereas the EntreComp framework is targeted at entrepreneurs, there are other risk-focussed competency frameworks targeting all rather than specifically risk managers. The International Institute of Risk and Safety Management (IIRSM) publish a freely available competency framework (2022) as a tool to guide personal learning and development. IIRSM also strongly believe that everyone is responsible for managing risk and should be equipped with the skills to be able to do so – this equally applies to big business and small organisations in all industries. RM requires a collaborative approach across the organisation. They suggest it is important to understand and apply competencies within the context of your own area and level of work. Their behaviours for managerial risk competency include: “Ensures good risk management practice across an area of responsibility”; “Applies techniques to identify, assess and control risks within an area of responsibility and within projects”; “Understands the inter-connectedness of risks within an area of responsibility and other parts of the organisation”; “Ensures risks are proactively managed” and “Implements an appropriate system of risk oversight and internal control”.

The Institute of Risk Management publish a framework for those working in RM – What risk professionals should know and be able to do (IRM, 2022). They also encourage (p. 6) broad use of their framework, indicating it “can also be used by non-risk specialists to improve both their personal and their organisation’s capability in risk management”. Their risk competency behavioural indicators include, “support the implementation of risk management processes and procedures”; “communicate the importance and benefits of risk management”. Managers should be able to, “explain the value of risk management”. Equally they advocate managers should also ensure RM is incorporated into their thinking, planning, organising and controlling. Risk competent managers must understand the internal and external environment of an organisation and its implications for RM. In many cases it should be an expectation for the risk competent manager to report on the risk performance of any business function for which they are responsible. This may involve producing RM reports, highlighting areas of concern and changes to threats, opportunities and the level of risk. It is likely, particularly in a small or medium enterprise, that managers would also be able to identify, analyse and evaluate the nature and impact of risks and opportunities in their business area. Furthermore, they may be expected to develop, select and implement risk treatment strategies and controls. In respect of people management, the risk competent manager is likely to influence the risk behaviour of others, support individuals and teams in the practice of RM and develop risk competence in the workforce and workplace.

Thus, risk competence generally reflects abilities to identify, analyse, assess and prioritise, treat or control risks within accepted levels of tolerance and risk attitude and in a cost-effective manner. Taking a high-level view, a risk competent manager is one who exemplifies behaviours listed in Table 1.

How can managers develop risk and uncertainty competency?

Having argued the need to be risk competent and identified what this means, i.e. what managers should be capable of doing to manage risk and uncertainty, our final fundamental question is: how can managers develop capabilities to become risk competent? In this section we explore possible sources of risk knowledge and skills required, recognising this will be influenced by each manager’s context. Context will include aspects of the organisation, the (risk) culture (Kelly, 2009a), the national culture (values such as uncertainty avoidance or tolerance for ambiguity – see Hofstede, 1984), specific goals and role. According to Cole and Kelly (2020, p. 401), “organisations vary considerably regarding the level of risk to which they are exposed. They also vary in the risk attitude” (Hillson and Murray-Webster, 2008; Tversky and Wakker, 1995) and risk appetite (amount and type of risk an organisation is willing to pursue or retain – see ISO/IEC, 2013 or Hopkin, 2014) of the board. Organisations vary in their risk tolerance (readiness to bear the risk after risk treatment to achieve objectives ISO/IEC, 2013); and the way they seek to treat and control risk. They also differ in their use of risk strategies such as risk avoidance, risk sharing (distribution of risk with other parties) and extent of risk financing. Consequently, organisations vary in the knowledge and skills they require of their risk competent managers.

Knowledge, skills and attitudes underpin risk competence and associated risk behaviours. Risk knowledge is vast, as demonstrated by Kelly in Engemann (2018) who noted there are more than 1.3 million academic journal articles containing “risk” in their title and over 100,000 magazine and news articles; creating a wealth of risk knowledge for practitioners to embrace. There are several ways to reduce and focus this for the practicing manager faced with time constraints and other developmental priorities. Course designers or self-developing managers can use the RM process (the core set of risk activities – see IRM, 2002) and its outputs as a reference point to map specific risk knowledge requirements, see Table 2. However, it is recognised there are levels of competency for each stage and these are related to seniority, organisational needs and the degree of support from risk professionals. Aside from the activities associated with the risk process, organisations and managers may also wish to identify aspects of risk competence, associated knowledge and skills, with characteristics of risk strategy, culture, policy, procedures and other related facets.

Risk knowledge has various attributes such as level and depth. The risk knowledge (and skill) expected of a risk-competent manager is likely to depend upon many factors. Bloom’s taxonomy (1956) can be a useful framework (for categorising educational goals) to better understand this issue. At the base level (understanding) a manager may simply be aware of the risks which impact upon goal attainment and be able to contribute to risk decisions. At the next level a manager may be able to analyse (identifying and assessing) risk and apply limited areas of knowledge, e.g. to select appropriate risk controls etc. In the most advanced level the risk-competent manager should be able to evaluate risk and be able to rate and prioritise and justify actions. Furthermore, they may be able to create risk tools (such as risk checklists or registers) or design risk controls. There may also be greater use of critical thinking, with increased levels of risk learning. Thus, we might expect learners at the base level to engage with general management textbooks which contain a risk chapter (see for example Cole and Kelly, 2020); they may then progress to acquire risk knowledge from a specialised text (see Hopkin and Thompson, 2022). Eventually they will have read multiple texts and will start to access specialised journals, possibly risk standards and various other publications. In parallel, they will gain experience in application (risk skill development). Learning in this manner can be informed through Kolb’s framework. Kolb (1984) highlighted how adults learn, with reference to a simple model where experience is gained and then reflected upon to develop tacit knowledge and enable further experimentation, leading to further/new experiences. Kolb states that learning involves the acquisition of abstract concepts which can be applied flexibly in a range of situations. In Kolb’s theory, the impetus for the development of new concepts is provided by new experiences. 
The cycle is then repeated in a process of continuous and lifelong learning. Aside from specialist risk knowledge, knowledge in other areas of management will support risk competence. Knowledge of decision making, problem solving, judgement, leadership, group work and communication will all contribute towards managerial risk competence.

As was highlighted earlier, there are numerous sources of risk knowledge. The body of risk knowledge refers to the core teachings and skills required to become risk competent and form the foundation for the risk curriculum. There can be much to learn about risk identification, analysis and assessment. Initially, this may derive from general risk textbooks (see for example Hopkin and Thompson, 2022 or Engemann, 2018). Once analysed within the Risk Management Process (RMP), the next step will be to consider and make decisions about what and how to control a particular risk. As a starting point, understanding generic aspects of management control will help towards treating or controlling risk (see for example Cole and Kelly, 2020). Risk knowledge can also be gained from a variety of risk standards (see for example ISO 31000) and publications from organisations (such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2017); ITC, 2022; OECD 2014; UNECE 2012). Dependent upon where the organisation conducts business and operations, the risk competent manager may also be aware of the SOX act of 2002 or the UK corporate governance code, updated in 2018 (listed companies may be mandated to comply with aspects of these standards and codes). The UK Government provides several publications with guidance on the concept of RM (HM Government 2022). Finally, there are a variety of organisations such as the Institute of Risk Management (IRM) that offer risk training (

The ability to use risk knowledge effectively leads to the development of risk skill – the ability to perform risk-related tasks and activities well. Risk skills may be categorised as generic management skills or may be specific to RM. They may be regarded as technical (based on risk knowledge application) or people skills (communication, relationship, analytical and management – see Hopkin and Thompson, 2022). The range of skills required can be extensive, dependent upon role and context. A selection of risk skills, mapped against RM process tasks and activities, is indicated in Table 2. Hopkin and Thompson (2022) discuss the “risk management technical skills” of the risk professional. Whilst other managers, not risk specialists, will not normally require these, they do indicate the highest level of skill that will be required within the risk-competent organisation. There will be a need for skills associated with planning risk measurement strategy; implementing RM architecture; measuring RM performance and learning from RM experience. Examination of the vast range of risk-related knowledge and skills emphasises the need for individuals to tailor their own definition of risk competence and framework of knowledge, skills and behavioural indicators for their organisational role needs. The IRM (2022) focus on the achievement of risk competence, arguing every manager and organisation will make their own judgement about the level at which staff need to be operating. For example, in small or medium-sized organisations, managers may need to fulfil risk responsibilities at a higher (and/or lower) level, in addition to their main role. For example, a director of a small or medium-sized organisation will probably need to manage a risk register as well as define risk strategy and policy. On the other hand, large organisations with a dedicated RM function will have a more structured hierarchy, with specified accountabilities at different levels.

Many aspects of risk competency are encapsulated in the ability to create or contribute to the risk register. This is defined in the ISO guide 73 as the record of information about identified risks. In many ways this is the output of the application of risk knowledge and RM skill. The register is a record of the risks (sometimes only the significant ones) faced by an organisation, the controls currently in place, additional controls required and responsibility for control activities. The register is updated as different activities in the risk-management process are completed. As a starting point the risk description structure provided in the IRM (2002) risk standard (see their Table 4.2.1) can be used to identify several fields for the register. The risk will need to be given a name, category/class, likelihood, impact, risk score or priority, risk treatment and control mechanisms, actions (recommendations to reduce risk), risk owner and dates when the risk was identified, allocated, assessed and actions accomplished. It is useful to record who assessed the risk and any assumptions made in the process. Organisations also include fields that identify what is at risk (a particular goal, objective, process, asset etc.) and the nature of associated vulnerabilities and threats. This risk information is typically managed in a spreadsheet (or RM information system) for the whole organisation. Individual managers should be able to contribute to this and in some cases, may be recorded as a risk owner or someone with related responsibilities for its management.

Analysing and estimating risk is a likely key skill of the risk competent manager as risk decision making quality depends upon it. Indeed, Drucker (1955, p. 322) argued, from a traditional perspective, that one of the fundamental requirements of management is that it “should be able to calculate each risk … then establish in advance what is expected to happen and to control this subsequent course of action as events bear out”. A useful formula often applied in rational business risk decisions is the estimated monetary value (EMV) of a risk. This can be used to represent the risk-neutral position and is represented by the formula: EMV = P * (L or G) where P is Probability, L is Loss and G is Gain. However, Drucker’s comments were born at a time when risk managers operated under a positivist philosophy and when the future was more predictable. The ability (skill) to calculate risk has become increasingly difficult and error prone. When operating in turbulent environments (and in the absence of historic risk-related data), managers often need to make subjective judgements about risk (though competence to do this was called into question by Kelly, 2009b). Despite such constraints and challenges, managers and experts continue in their efforts to estimate and assess risk as a precursor to response, control and treatment.

Similarly, turbulent times have elevated the importance of understanding and making decisions under uncertainty. Skilful managers will seek to reduce or embrace uncertainty through information (when available within constraints) or through uncertainty modelling (often with the help of software, incorporating uncertainty modelling tools such as Monte Carlo simulation). Monte Carlo simulations sample from a probability distribution for each variable (in a model) to produce hundreds or thousands of possible outcomes (French et al., 2009). Skill is required not only to create and implement such models but also to make sense of and act upon the outputs (probability/impact distributions). Such tools support decision making and scenario planning under uncertainty. Monte Carlo simulation is commonly used to evaluate the risk and uncertainty that would affect the outcome of different decision options. It allows the business risk analyst to incorporate the effects of uncertainty in variables such as sales volume, costs, interest and exchange rates, as well as the effect of distinct risk events, i.e. the cancellation of a contract or loss of production facilities.
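The EMV formula and the Monte Carlo approach described above, applied to a small risk register, as an added example that is not part of the original article. It goes beyond the text by assuming triangular distributions for impacts and planning variables; the register entries, owners, monetary figures and function names are all constructed for illustration.

```python
"""Monte Carlo view of a small risk register (all figures are constructed)."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterEntry:
    name: str           # risk name as recorded in the register
    owner: str          # risk owner
    probability: float  # P: likelihood of the event in the planning period
    low: float          # impact range: negative = loss (L), positive = gain (G)
    mode: float         # most likely impact, the single-point estimate
    high: float

    @property
    def emv(self) -> float:
        """EMV = P * (L or G), using the single most likely impact."""
        return self.probability * self.mode


# Constructed register: two threats and one opportunity.
REGISTER = [
    RegisterEntry("Key contract cancelled", "Sales director",
                  0.10, -400_000, -250_000, -150_000),
    RegisterEntry("Production line outage", "Operations manager",
                  0.05, -900_000, -300_000, -100_000),
    RegisterEntry("New export order won", "Sales director",
                  0.30, 50_000, 120_000, 200_000),
]

# Constructed uncertain planning variables, each as (low, mode, high).
SALES_VOLUME = (8_000, 10_000, 11_000)  # units sold
UNIT_MARGIN = (40.0, 50.0, 55.0)        # contribution per unit
FIXED_COSTS = 350_000.0


def sample(rng, spec):
    """Draw one value from a triangular distribution given (low, mode, high)."""
    low, mode, high = spec
    return rng.triangular(low, high, mode)


def simulate_once(rng, register):
    """One possible year: uncertain trading result plus any risk events that occur."""
    profit = sample(rng, SALES_VOLUME) * sample(rng, UNIT_MARGIN) - FIXED_COSTS
    for entry in register:
        if rng.random() < entry.probability:  # does the event happen this year?
            profit += sample(rng, (entry.low, entry.mode, entry.high))
    return profit


def percentile(sorted_values, pct):
    """Value below which roughly pct percent of the sorted outcomes fall."""
    index = min(len(sorted_values) - 1, int(pct / 100 * len(sorted_values)))
    return sorted_values[index]


def run(register=REGISTER, trials=20_000, seed=1):
    """Compare the risk-neutral EMV point estimate with the simulated spread."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    outcomes = sorted(simulate_once(rng, register) for _ in range(trials))
    point_estimate = (SALES_VOLUME[1] * UNIT_MARGIN[1] - FIXED_COSTS
                      + sum(entry.emv for entry in register))
    return {
        "point_estimate": point_estimate,     # what the EMV arithmetic reports
        "mean": statistics.fmean(outcomes),   # average over all simulated years
        "p5": percentile(outcomes, 5),        # 1-in-20 bad year
        "p50": percentile(outcomes, 50),
        "p95": percentile(outcomes, 95),      # 1-in-20 good year
        "prob_loss": sum(1 for o in outcomes if o < 0) / trials,
    }


if __name__ == "__main__":
    for entry in REGISTER:
        print(f"{entry.name:<26} owner={entry.owner:<20} EMV={entry.emv:>10,.0f}")
    for key, value in run().items():
        print(f"{key:<15} {value:>12,.2f}")
```

The single EMV-based figure is positive, while the simulated distribution shows how often the year ends in a loss and how deep the 1-in-20 bad year is, which is the information a risk evaluation against appetite and tolerance needs.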

Managers seeking to become risk competent will need to consider their role, organisational context and required level of competence before creating an entry on their competency framework. This means adding a row for risk competence, as exemplified in Table 3. This will be in addition to all other management competences identified for their role (e.g. communication, problem-solving etc.). If the framework is to be used for recruitment, selection or performance management, there will be an additional need to consider how various aspects of the risk competence can be measured. In developing risk competence, managers should also be mindful of their own risk attitudes (Hillson and Murray-Webster, 2008) and the way they think about risk (risk ontology). These factors, along with personality and unique experiences have been shown to impact the way people identify and judge risk (Goldstein and Hogarth, 1997) through perceptual processes. As have certain heuristics (see for example the availability heuristic – a predisposition to base a judgement of probability based on information that is readily available). For example, a manager may be predisposed to be risk-averse, considering action that produces the least harm; disliking the lack of certainty and preferring the certain to any risky prospect; or may be risk-neutral, exhibiting a reaction to risk in line with its statistical probability; alternatively, a risk-seeker, choosing amongst the risks that have negative consequences or low probabilities of occurrence. The aforementioned factors have been shown to influence risk decisions and associated behaviours. It is the behaviour and decisions of managers and employees that ultimately affect the organisation’s exposure to risk. Risk competence is therefore also about the quality of risk decision-making and a need to understand how factors such as those presented above may affect this.

Closing comments

This article focused on the meaning and need for managerial risk competence – risk proficiency in all managers, not just those within risk specialist professions. The article was structured around three fundamental questions. The first part of the article made the case for every manager to have some degree of competence regarding risk and uncertainty management. An organisation’s degree of development in its approach towards risk and uncertainty can have a significant effect on its capability to be responsive, resilient and achieve its objectives. Competencies help individuals and educators identify and develop the knowledge and skills required for work-related tasks and activities. Drawing on widely-available published competency frameworks, we identified a selection of behavioural indicators used to indicate proficiency and competence in risk. However, competency definitions and indicators are highly dependent upon the context and level of a particular role. We recognised competency frameworks often omit detail on the knowledge and skill components of competencies like risk and uncertainty management. In the final part of this article, we commented on how to develop risk competent managers, through risk knowledge and skill acquisition. The intention is to encourage educators and managers to now use and apply this information to develop risk competence within managers and ultimately within and across organisations. The benefits are twofold – for the individual managers and their organisations as they grow risk capability.

Table 1. Risk competency indicative behaviours

1. Applies relevant risk-related knowledge, skills, tools, techniques, standards and frameworks within their role
2. Aware of how operations in their own area of responsibility might affect risk elsewhere (jeopardising goals or resources in other parts of the organisation or with other stakeholder operations)
3. Routinely and continuously assures risks faced in their area of responsibility are identified, analysed, assessed and prioritised (and if necessary, reported)
4. Reduces ambiguity, recognising reasonable constraints, making quality decisions under uncertainty when required
5. Takes proactive steps to reduce threat and maximise opportunity to attain goals within business constraints, by evaluating risk and treating intolerable risks
6. Ensures resilience (adaptive capacity, considering business continuity and contingency) within their area of responsibility

Generic knowledge and skill components of risk competence in non-risk-specialist managerial roles

RMP activities/Tasks and outputs | Underlying knowledge | Associated skills

Identify and describe risk (within a given scope/context):
Risk Management Process (RMP)
Risk assessment techniques (Inspections and audits, questionnaires and checklists, workshops and brainstorming)
Risk Vocabulary
Risk Classification Systems (how the organisation defines and groups the risks it faces, e.g. COSO/FIRM)
Environment Analysis (understand the internal and external risk context with tools like Political, Economic, Social, Technological, Environmental and Legal (PESTEL))
Observation, Interviewing, Brainstorming, Groupwork, Communication, Spreadsheet use, use of technology to support the risk management process
Analytical skills
Problem solving skills
Business Process Mapping

Estimate/analyse risk (to determine its probability and impact):
Risk Calculation
Statistics/Probability theory
Opportunity assessment
Calculating/estimating probability
Calculating/estimating impact
Apply risk assessment techniques
Judgement (of likelihood and impact)

Evaluate risk (to determine if risk mitigation/controlling action is needed):
Risk appetite/Risk Criteria
Business Goals
Decision-Making use of risk matrices

Treat/control risk (to reduce the likelihood or impact of harm to tolerable levels):
Risk Control Theories
Types of controls
Types of insurance cover
Residual Risk
Decision strategies
Budgeting/Investment Appraisal
Change and Project Management
Creativity – to build controls

Report and monitor risk:
Risk Register
Reporting rules (compliance with relevant codes and laws)
Able to apply, integrate and implement risk knowledge with strategy to attain goals
Communication and persuasion, Spreadsheet use, use of Risk Information Systems

Manage uncertainty (to maximise opportunities and reduce threat/harm):
Business Resilience
Continuity and Crisis Management
Business Goals
Business Impact Analysis
Use of tools such as Monte Carlo simulation (modelling uncertainty); interpreting model outputs
Group work/facilitated workshops

Example competency framework for a manager (not specialising in risk) showing risk competence in detail

Example competency framework

Risk competence

Identifies and describes the risks in their area of responsibility:
Risk assessment techniques (inspections and audits, questionnaires and checklists, workshops and brainstorming)
Risk Vocabulary
Risk Management Process
Risk Classification Systems (e.g. COSO/FIRM)
Environment Analysis (understand the risk internal and external context with tools like PESTEL)
Observation, Interviewing, Brainstorming, Groupwork, Communication, use of technology (e.g. Spreadsheet) to support the risk management process
Analytical skills
Problem solving skills
Business Process Mapping

Estimates/analyses risk, to determine or judge its probability and impact:
Risk Calculation (e.g. EMV)
Descriptive statistics/probability theory
Opportunity assessment
Risk Matrices
Calculating/estimating probability
Calculating/estimating impact
Apply risk assessment techniques
Judgement (of likelihood and impact)

Evaluates risk(s), to inform decision making and selects risks in need of treatment:
Risk appetite
Risk Criteria
Business Goals
Risk evaluation (interprets goals, risk appetite, risk criteria and level of risk to decide whether the risk is significant and also whether to control it)

Selects or designs controls (or treatments), to reduce the likelihood and/or impact of harm to tolerable levels:
Risk Control Theories
Nature of Internal Control
Types of controls
Types of insurance cover
Residual Risk concept
Decision strategies
Investment Appraisal Techniques Budgeting
Risk Decision-Making
Change and Project Management
Creativity – to build controls

Collects/uses information to reduce uncertainty, build resilience and inform decision-making:
Business Resilience
Continuity and Crisis Management
Uncertainty modelling/Monte Carlo Simulation
Business Impact Analysis
Monte Carlo simulation (modelling uncertainty)
Group work/facilitated workshops

Note(s): <Insert Approximately 10–15 Other Competences e.g. Communication, Problem-Solving, Influencing others, Leadership, Change Management, Decision Making, etc>


Aven, T. (2012), “The risk concept—historical and recent development trends”, Reliability Engineering and System Safety, Vol. 99 March 2012, pp. 33-44.

Bacigalupo, M., Kampylis, P., Punie, Y. and Van den Brande, G. (2016), EntreComp: The Entrepreneurship Competence Framework, Publication Office of the European Union, Luxembourg, EUR 27939 EN. doi: 10.2791/593884.

Bloom, B. (1956), Taxonomy of Educational Objectives Handbook 1: Cognitive Domain, McGraw-Hill, New York, NY.

Boyatzis, R. (2008), “Competencies in the 21st century”, Journal of Management Development, Vol. 27 No. 1, pp. 5-12.

Cole, G.A. and Kelly, P. (2020), Management Theory and Practice, 9th ed., Cengage Learning EMEA, Andover UK.

COSO (2017), “Enterprise risk management: integrating with strategy and performance”, available at: (accessed 30 September 2022).

Dickinson, G. (2001), “Enterprise risk management: its origins and conceptual foundation”, The Geneva Papers on Risk and Insurance, Vol. 26 No. 3, pp. 360-366, July 2001.

Drucker, P. (1955), “Management science and the manager”, Management Science, Vol. 1 No. 2, pp. 115-126.

Fraser, J. and Simkins, B.J. (2010), Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, 1st ed., Wiley, New Jersey.

French, S., Maule, J. and Papamichail, N. (2009), Decision Behaviour, Analysis and Support, Cambridge University Press, Cambridge.

Goldstein, W.M. and Hogarth, R.M. (1997), Research on Judgment and Decision Making, Cambridge University Press, Cambridge.

Hillson, D. and Murray-Webster, R. (2008), Managing Group Risk Attitude, Gower, Aldershot.

Hm Government (2022), “The orange book: management of risk-principles and concepts”, available at: (accessed 30 September 2022).

Hofstede, G. (1984), Cultures Consequences - Abridged, Sage, Newbury Park, London.

Hopkin, P. (2014), Fundamentals of Risk Management, 3rd ed., Kogan Page, London.

Hopkin, P. and Thompson, C. (2022), Fundamentals of Risk Management, 6th ed., Kogan Page, London.

IIRSM (2022), “IIRSM’s risk management and leadership competence framework”, available at: (accessed 27 September 2022).

Institute of Chartered Accountants in England and Wales (ICAEW) (1999), Internal Control Guidance for Directors on the Combined Code, The Institute of Chartered Accountants in England & Wales, London.

International Trade Centre (2022), “Managing risk for safe, efficient trade: guide for border regulators”, available at: (accessed 30 September 2022).

IRM (2002), “A risk management standard”, AIRMIC, ALARM, IRM, pp. 1-14, available at: (accessed 27 Septmeber 2022).

IRM (2022), “Professional standards”, available at: (accessed 30 September 2022).

ISO/IEC (2013), PD ISO Guide 73:2009 Risk Management Vocabulary, BSI Standards Limited.

Kelly, P. (2018), “The evolution of risk management thinking in Organizations”, in Engemann, K. (Ed.), The Routledge Companion to Risk, Crisis and Security in Business, Routledge, London and New York, pp. 20-46.

Kelly, P. (2009a), “Conceptualising business risk culture: a study of risk-thinking and practice in contemporary dynamic Organizations”, International Journal of Business Continuity and Risk Management, Vol. 1 No. 1, pp. 19-37.

Kelly, P. (2009b), Managing Risk in the Telecomms Industry, VDM Verlag, Saarbrücken.

Kolb, D.A. (1984), Experiential Learning: Experience as the Source of Learning and Development, Prentice Hall, Englewood Cliffs, NJ.

OECD (2014), Risk Management and Corporate Governance, Corporate Governance, OECD Publishing, Paris, available at: (accessed 7 October 2022).

Rothwell, W.J. and Lindholm, J.E. (2002), “Competency identification, modelling and assessment in the USA”, International Journal of Training and Development, Vol. 3 No. 2, pp. 90-105.

Tversky, A. and Wakker, P. (1995), “Risk attitudes and decision weights”, Econometrica, Vol. 63 No. 6, pp. 1255-1280.

UNECE (2012), “Risk management in regulatory frameworks: towards a better management of risks”, available at: (accessed 27 September 2022).

Further reading

ISO (2018), BS ISO 31000:2018 Risk Management — Guidelines, The British Standards Institution - © ISO 2018, Published in Switzerland.

Corresponding author

Phil Kelly can be contacted at:
