Risk is a full-bodied presence in the boardroom and the C-suite, so it’s time risk management stopped being two-dimensional. Let’s add a third dimension to risk measurement.

And, while we’re doing that, it’s time to stop confusing risk measurement and risk anticipation with risk management.

For years, the twin pillars of risk management were probability and impact: What are the odds an event will happen? What will the damage or the benefit be if it does happen? Hence the attempts to determine what were high- or low-frequency events, and to distinguish what would cause minor losses and what would put a company out of business.

Probability and impact give rise to a nice, neat matrix. High-probability/low-impact situations, such as shoplifting at a retailer, are managed on a daily basis. Low-probability/high-impact events, such as an earthquake, are often addressed through insurance. High-probability/high-impact events are everyone’s nightmare and receive the lion’s share of risk-prevention efforts. Low-probability/low-impact events simply don’t get much attention at all.

Risk-management experts, however, have come to realize that there is something missing from this two-dimensional analysis: “risk velocity.” We define risk velocity as how quickly one goes from the onset of the risk to the impact of the risk.

For instance, a bank risk manager may be concerned about both regulatory risk and liquidity risk. Both can put you out of business. But regulatory risk develops relatively slowly. You get a notice from a regulator, have time to respond, and even in the worst cases where there may be criminal sanctions, you have time to prepare a defense. In contrast, liquidity risk manifests quickly. Within a week or two, your counterparties stop dealing with you and you’re out of business. This is precisely what happened to Lehman Brothers, whose 100+ years of history collapsed in days.

Thinking about how quickly a risk metastasizes into impact also leads to new insights into the optimal speed for a company to respond to those risks.

When a risk emerges, many companies first react by gathering all corporate leaders together, to understand the situation fully and from different perspectives: the general counsel, business-line management, the CFO, investor relations, public relations, and so forth. Sometimes that response is correct; you don’t want to respond prior to knowing the facts, yet you still need an understanding of the trade-off between your level of knowledge and the speed of the response. Moreover, the speed of the response contributes to its effectiveness, because while you are gathering facts, nothing is slowing the process by which the risk is transforming into impact.

Let’s use product liability as an example. Your company has manufactured a product you believe to be safe, but there’s a media report of a death, and it’s attributed to your product. You obviously want to gather the facts. But be aware that while you are gathering those facts, the risk velocity is accelerating. The Web and blogosphere can pulse with rumor and innuendo. Other media start inquiring. And, as Richard Levick told the attendees at the recent Directorship Board Leaders conference, plaintiffs’ attorneys will often (possibly within 24 hours of an incident) gain ownership of internet search optimization keywords relating to the crisis: People search online for information about the mishap, and go straight to the lawyers looking to sue you.

So how can you ensure your risk-management program is robust? First, take a look at the risks you’ve already identified. Then add risk velocity as a third dimension. Which identified risks develop the fastest? Which develop the slowest? Be aware that some risks arising from the same incidents may vary in velocity. In the product liability example above, the reputational risk is hurtling toward impact, while the regulatory response may lag far behind. Hence your lawyers may be able to take more time deciding a defense strategy, but your PR will need to work and respond to risks almost instantly.

Once you’ve created a three-dimensional matrix, start examining your escalation and risk response plans against all three dimensions, including velocity. Is there a mismatch between how quickly you escalate your awareness of and response to a risk and how quickly the risk turns into reality? That’s the start of the transition from risk measurement and risk anticipation to genuine risk management.

Indeed, at a recent gathering of senior risk officers in New York, there was widespread consensus that 80 percent of traditional risk management was not risk management at all, but risk measurement and risk anticipation. In their opinion, that was the opposite of the proportion needed. As has become evident in the wake of the financial credit crisis, multiple firms had various measurement systems, but Goldman Sachs took more effective action when the systems signaled problems that were growing.

Bear Stearns, in contrast, was criticized for being unfocused when the warning bells were ringing. Put another way, the management of Bear Stearns was clearly surprised by the velocity of risk turning into real impact. The bank’s response was too slow (or in the current semantics of risk management, it was not agile). And what response there was seemed insufficient; it was not resilient. As a result, Bear Stearns no longer exists.

Ultimately, risk-management effectiveness depends upon both agility and resiliency. To understand why, risk-management agility can be expressed as a simple formula:

Agility = Speed of Response/Risk Velocity

Similarly, the formula for resiliency can be expressed as:

Resiliency = Resources Appropriately Deployed/Potential Risk Impact

If we accept those formulae, then risk-management effectiveness is the product of agility and resiliency:

Risk-Management Effectiveness = Agility x Resiliency.

That means effectiveness is determined by both agility and resiliency. Massive resources aren’t much good if they arrive at the wrong time; agile responses don’t help if the resources you have aren’t enough for the threat at hand.

Risk is clearly a topic du jour in debates about corporate governance. We read about how executive compensation affects risk, about whether companies should create risk committees of directors, about what they should disclose to investors about risk. That discussion may seem remote, partly because it focuses on the structure and process of the board’s role in overseeing risk, even while most boards are still in the middle of wrestling with substantive questions about risk management, let alone refining their answers. More on that in a future column.

For now, it is time to ask tough questions about your risk-management program. Does your anticipation and measurement system include velocity as well as frequency and impact? Are your risk-management responses robust both in agility and resiliency? If not, even practices that look robust may be outmatched by risks, and all before you know it.