Most people would agree that planning for all eventualities when embarking on a new business venture or major contract award decision is important. Of course, it depends on the nature of the venture or contract. A merger and acquisition, for example, will require a greater degree of risk management than the purchase of a new photocopier.
Risk management though should be a central part of any broader business or category strategy. Levels of granularity needn’t touch upon photocopiers, that was added more for effect, but it should have a key and immovable place as part of significant decision making. In this piece, we’ll explore what risk management looks like and why if you’ve been neglecting it, it’s time to re-assess your priorities.
Risk management defined
Simply put, risk management is the process of identifying and defining possible risks, problems, or disasters before they happen. It provides organisations an opportunity to devise and initiate mitigation plans which minimise, or better cope with the impact of a risk, and maybe even avoid it altogether.
For every new venture or major contract award decision, organisations should make a realistic evaluation of the level of risk and plan accordingly. It’s a process which, if done properly, will take time and will require a budget. It’s recognition of this that usually sees risk management slip down the priority list. Or at least not be given the attention it warrants.
One simple way of arresting this descent to the foot of priority lists is pre-empting just one incident or mitigating a cost that could compromise a venture. How much time would be lost due to this incident? How much capital would be required to address it? What would the risk be to reputation? The answers to these questions should bring into focus why it’s worth getting management teams around a table for an hour or two at least.
How should a risk management plan be built?
Yes, a budget of time and money needs to be ring-fenced for a thorough ongoing risk assessment. No, it needn’t break the bank. Indeed, the process can be completed to an adequate level by providing comprehensive answers to the following questions:
- Risk identification: What could go wrong with this venture?
It’s important to retain a degree of perspective when answering this first question. It’s easy to see how debating this question could send even the most grounded professionals down a rabbit hole. Decide on around 8-10 plausible potential factors that could jeopardise the venture and work from these, at least initially. Include risks that could impact on the physical workplace, on employees, and on risk to capital and reputation.
- Risk analysis: How will these incidents affect the business?
Two considerations should be made for each identified risk; probability and impact to operations. Grade the risk level ‘high’, ‘medium’, or ‘low’ and focus attention on those risks that rank ‘high’ for both.
- Risk control: What should we do to minimise/avoid the risk?
The best way to plan for the worst is to simulate the worst happening by creating a timeline from an incident starting. What could trigger it? What is the immediate impact? Who is directly affected? What are the longer-term issues it precipitates? For example, a strategic supplier that interacts with your customers goes into receivership. What happens next? How do you mitigate customer impact? Do you buy the business and integrate the service? What about the people whose livelihoods are now at stake? Are you able to deal with ransom requests? Who negotiates with the receiver?
From this, it is possible to devise an action plan should the incident occur, but even better, put in place controls to reduce the risk of it occurring in the first place. For example, quarterly monitoring of key supplier financial stability and automating the monitoring of broadsheet press for supplier financial or reputation concerns.
- Risk resolution: If something does happen, how will you pay for it/resolve it?
Ideally, this will be apparent having worked through the previous three questions conscientiously. It could also leave you with a more pressing question at the end of the process; if the company doesn’t have the means to resolve a probable risk from occurring, is it wise to continue with the venture in its current expression.
Having completed a thorough risk management plan, its successful enactment depends on a number of factors including:
- A commitment from all levels of management within the organisation
- Subsequent policies and procedures established from the plan to be explicitly defined for all employees
- Relevant employees having clearly defined roles, responsibilities, and accountability
- An adequate allocation of tools and resources congruent with the plan
- Ongoing training, testing, and monitoring of the risk management plan
The benefits of risk management
At this point, the benefit of a clearly defined risk management plan should be evident. However, it’s worth identifying what’s achieved by having one in place:
People and assets protected from harm – By far the most important. Avoidable risk to human safety is unacceptable and there will be severe repercussions should individuals come to harm through an incident which could have been managed via proper risk management.
Assets, though significantly less important than human life, if compromised enough could finish the business which in itself has a very human impact.
Reduced legal liability – An incident may occur which doesn’t imperil human lives or risk assets, but which exposes the organisation to legal challenge. Should this happen, and no risk management has been conducted, the organisation runs the risk of incurring time consuming and costly legal proceedings. The management time this can consume should not be underestimated.
Increased operational stability – Smooth business operations are the goal for any organisation. Damaging incidents disrupt them. Pre-empting and managing risk provides a much better chance of ensuring operational stability and the predictable returns on investment that follow.
A protected environment – Some risks carry potential threats to the environment. With a ‘green’ approach to commerce now central to most organisations’ business strategies and customer expectations, environmental disasters are hugely damaging not just to the environment itself, but to reputations.
Protected insurance premiums – Depending on the extent to which a risk comes to fruition, organisations may need to rely on their insurance companies to bail them out. Whilst many big companies self-insure, major elements of risk premiums can easily skyrocket following a major claims incident.
It can be difficult to apportion the right amount of time to every factor that contributes to a successful business venture. More so when every stakeholder involved has a different opinion as to what should be prioritised.
How much time is dedicated to a risk management plan ultimately is the decision of the leaders involved, but the biggest risk of all, is neglecting to do one at all.