It is all too easy to forget about the things that can go wrong in the course of running a business, until we need risk management. All of a sudden, a crisis hits us, and we are knocked off our feet. The Covid-19 pandemic is a good example, but there are other smaller, yet no less damaging, events that can severely impact our business and its sustainability.
This is where risk management strategies come in – to help us foresee and rise above these unexpected events. Risk management helps us to identify, assess and control threats to an organisation’s assets and earnings.
These threats, or risks, may come from a wide variety of sources, including plant breakdown, exchange rate volatility, legal liabilities, management errors, accidents, and natural disasters. And then there are the risks of cybercrime and data security where corporate data, personal information and intellectual property are major risk areas.
Why is risk management important?
To minimise or eliminate the effects of these events, organisations embark on a rigorous risk management process. This assists the organisation in establishing procedures to avoid potential threats, minimise their impact should they occur, and cope with the results.
A sound risk management plan helps organisations to be more confident in their business decisions. It also bolsters the organisation’s corporate governance capability, which will make it attractive to investors. Furthermore, strong corporate governance principles that focus specifically on risk management can help a company reach its goals.
Risk management can make an important contribution to the business by:
- Maintaining stable business operations.
- Decreasing the possibility of legal liability.
- Protecting the company from environmentally damaging events.
- Protecting all involved people and assets from potential harm.
- Creating a safe work environment for staff and customers.
- Reducing the cost of insurance premiums.
Ways to introduce risk management to your organisation
Here are some simple steps to begin the risk management process:
· Create the context
Set aside the resources and time to develop a robust risk strategy. Be clear about what you want the risk strategy to accomplish, and how it will integrate into the rest of the operation.
· Identify the risks
This is a process and not an event. A brainstorming workshop is the easiest way to do this. Your daily news aggregator is another source of risk events happening in the wider world. A questioning process helps here. What can go wrong? How will it affect the organisation?
Consider the probability of the event and whether it will have a large or small impact. What can be done? What steps can be taken to prevent the loss? What can be done to recover if a loss does occur?
· Risk analysis
Once the risks have been identified, they have to be analysed. There are two criteria of analysis: how likely is it to happen (probability) and what will be the result if it happens (impact).
- In the second column, we have the probability of the occurrence of that risk. It is scored as follows: 5 = almost certain to occur. 1 = highly unlikely to occur.
- In the third column we determine the impact of that risk event, should it occur. It is scored as follows: 5 = catastrophic. 1 = mild inconvenience.
- The fourth column is the product of the probability and impact scores. The score for Risk 1 is 5 x 5 = 25. This means that Risk 1 is highly likely to happen, and it will have a severe impact. On the other hand, Risk 6 has a score of 8. The probability is low and the impact, while significant, is not catastrophic.
- The fifth column captures the mitigation actions required to minimise the occurrence of the risk. These plans include risk mitigation processes, risk prevention tactics and contingency plans in the event the risk comes to fruition. As a rule of thumb, it is easier to work on minimising the impact than to try to avoid the result of the risk. (We can’t avoid Covid-19, but vaccinations reduce the probability and hence the impact.) But this is not always the case.
- By assigning values for impact and probability, we can prioritise the risks to address, and spend less effort on unlikely risk events. However, we must track every risk because risk values can change over time.
· Risk assessment and evaluation
Once our risk table is complete, we are then able to make decisions on whether the risk is acceptable and whether we are willing to take it, based on our risk appetite.
For smaller organisations, a simple spreadsheet is adequate for risk management. Sophisticated statistical packages will determine the cost of a risk event. This is particularly useful when assessing the amount of financial risk the organisation is willing to assume.
· Risk monitoring
Good risk management entails following up on both the risks and the overall plan to continuously monitor and track new and existing risks. The overall risk management process should also be reviewed and updated accordingly.
What to do about identified business risks
There are four ways in which we can mitigate the risks we have identified: terminate, transfer, treat or tolerate.
The diagram below will assist.
When we have a risk that scores high on probability and high on impact, we are almost certain that it will happen and that it will have a disastrous impact. The mitigation action here is not to assume the risk. Walk away.
If the probability is low but the impact is high, it is often useful to transfer the risk to another party. A contractor building your factory extension will take on the risk of time and cost overrun on the contract.
When the probability is high, but the impact is low, the organisation is in a position to deal with it. Insurance cover and revised work practices are ways of treating this sort of risk.
Sometimes, when both the impact and the probability are low, we just live with it. We take reasonable steps to avoid it, but if it happens, we take it in our stride, because the cost or the disruption is low.
Risk management is a critical part of providing leadership to an organisation. It helps to secure continuity of operations and protects the livelihoods of customers, suppliers and employees.
Risk management is a large and complex field with legal, reputational and financial risks involved. It is a vital component of sound corporate governance. This article serves as an introduction to the field.