1. Risk management in the real world
For medium sized enterprises
Running a business is no picnic – there’s a lot to deal with and never enough time. So it’s understandable that many overloaded management teams just handle what’s in front of them, and put off facing risks that may never happen.
Facing and managing risk is vital to the success of your business. Not only do you mitigate unexpected setbacks, but you may also be able to turn a disaster into a blessing, all because you’re prepared.
Here’s a good example:
A single chip supplier had cornered big clients Nokia and Ericsson in 2008. After a factory fire both Nokia and Ericsson were left without supply. Each took a different approach to the disaster.
With an enterprise risk management (ERM) plan in place, Nokia approached things proactively. Meanwhile Ericsson, unprepared, blithely waited for the supplier to make contact – this was a deathblow to the company. Nokia didn’t just continue trading, they also picked up 3% of the market share left behind by Ericsson.
Managing risk also opens up riskier but more profitable opportunities that your company will be more ready to take advantage of.
Ideal risk management
Assessing risk can be difficult. Ideally, you’d categorise risks according to potential loss to the company, and the likelihood of the risks happening. That way you can prioritise deals with the highest loss potential first, and the most likely to occur alongside that, and put off dealing with the less likely and smaller loss risks. Or maybe never bother about them.
But the truth is, the task of evaluating risks and allocating resources to handle them is far more complex than this approach implies. In the real world, effective risk management is only achieved when it is the responsibility of all management and department heads. It should also:
To be effective, risk management should use fewer resources than would be needed if nothing was done. Ideally it should create value too.
Be part of company process
Everyday decision-making and processes should include risk management, from the board of directors down.
Be based on the latest information
There are a lot of assumptions about risk that need to be faced. Effective risk management raises the questions, addresses uncertainty, and systematically structures process based on the very latest information available.
Include everyone in the company
An ERM is just words on paper if it doesn’t consider the variables that are human beings. An effective plan is inclusive, easily understood, and built to suit the company and its employees.
Adaptable and flexible
As the world changes, so do the risks. An ERM must be a living plan, one that responds to change, improves when needed, and is regularly assessed for continued relevance.
2. What kind of risk?
Most companies face some of these
As a business, you may face bad debt (clients who don’t pay) or volatile interest rates on business loans.
Government and local bodies have a range of rules that all businesses must follow, from health and safety to customer privacy. These rules can change from time to time, creating possible risk for your company.
Staff numbers, safety and skills
Losing staff through accidents or resignations, and maintaining staff skill levels are common business risks.
Suppliers and clients
Losing customers and the closing down of suppliers can impact on business.
As part of day-to-day business, cash flow and credit, assets and liabilities, markets and investments – all these can have an impact on profit margins. Insurance cover can’t always mitigate third party injury, loss of data or the effect of wars and natural disasters around the world.
Every business must operate subject to the environment. All are vulnerable to earthquakes, storms, flooding and other natural disasters.
With most businesses reliant on new technologies and global connections, this is an increasing risk. An added concern is the difficulty of finding skilled technicians to deal with cybersecurity risks.
Launching a new product or service, or seeing a new competitor start up to challenge your business – each carries grave risks that need to be faced.
Accidents, breakdowns, power outages, theft, fire – any or all of these could spell disaster for your business.
"Assessing risk can be difficult. Ideally, you’d categorise risks according to potential loss to the company, and the likelihood of the risks happening."
3. The key elements to effective risk management
Risk management is an ongoing process of assessment and review, not just to ensure that you’ve identified the crucial risks and taken effective action – you’ll also need to keep checking and adjusting your plan, to allow for any changes in the risk landscape.
In his book The Black Swan, Nassim Nicholas Taleb recommends against using Standard deviation for risk management. Standard deviation is a number-crunching method of measuring investment risk used in the financial industry, but it isn’t easily understood. While businesses would really like a simple way to identify and measure other kinds of risk, standard deviation won’t offer this kind of insight. Taleb points to an experiment he ran with quantitative analysts using standard deviation – the experts were easily confused, implying that the method is unlikely to be useful for less-experienced business people. This means that using standard deviation is more likely to deliver an inaccurate picture of your risk. The lesson here is, it’s just not possible to define risk with a single number, and it may be dangerous to try.
The world of business is growing increasingly complex due to the internet and global trade. Everything is connected, and that means every business is vulnerable to events that can occur on the opposite side of the world. Once considered unlikely, these events are happening more often, and with greater impact, because of the complex connectedness of business across the globe. Worse, these once-improbable events are nearly impossible to predict.
For most, forecasting these disasters is out of the question, all any business can do is be prepared. You might invest in technology that collects, sorts and analyses risk factors – technology won’t tell you when they’ll happen. Instead, use your resources to lessen the impact of the events.
When it comes to risk management, the biggest hurdle for many businesses is talking about it. An ERM can help start those hard conversations. What could stop your business growing and making profits? What could keep you from operating efficiently, or fulfilling shareholder expectations?
Begin the conversations one-to-one, to get individual opinions from each stakeholder. A group session can follow up, gathering all the opinions and finding consensus. These in-depth conversations can help identify risks, detect warning signs early, and make the right moves to protect the business and make changes if needed.
The best overall strategy for preparing a business for risk is to allow for redundancies. Companies with a narrow focus on delivering profit may consider redundancies to be inefficient, and would much rather take the money that ‘isn’t working’ and leverage it. That means putting the company into debt, and as the bitter experience of the 2008 GFC revealed, debt damages business immunity to change – sometimes fatally.
So even though the bean counters don’t like it, it’s a good idea for your business to have spare parts, back-up assets and a slush fund of capital for emergencies. That way you’re cushioned against risks like interest rate rises or budget blow-outs, global crises or natural disasters.
Another way to pad the nest is to diversify. When you specialise, concentrating on one product or service, you leave your company open to changes in weather, markets, suppliers and even fickle customers. With all your eggs in one basket, you have nowhere to turn when things go pear-shaped.
When you have multiple outlets for your business, one crash can be mitigated by the successes of the others. It might seem more efficient on paper to concentrate on one thing, but – one hot, dry summer in the USA all the cotton died, and farmers had nowhere to go but west. That single-crop Dust Bowl was an environmental disaster that significantly worsened the effects of the 1930s Great Depression – a dire warning against over-specialisation.
“There are three kinds of lies: lies, damned lies, and statistics.” - Attributed to Benjamin Disraeli
There are different ways of expressing the exact same thing, depending on the response you’re looking for – statistics are a prime example. Mathematical formulas are so far beyond the average person, that it’s not just statistics that can be presented in vastly different ways to capture the unwary.
For example, if you wanted to borrow $400,000 at 5% over 30 years to buy a house, your only concern might be whether you could afford the fortnightly payments of $991.00. But if you were told by the lender that the entire cost of that loan would be $772,650, almost double what you think you’re borrowing, you would think twice about making the leap.
The same goes for risk – it’s a good idea to check how it’s presented, and by whom, so you’re not lulled into a false sense of security or alarmed unnecessarily.
It’s not realistic to assume that each risk will be isolated from others. They’re not, and they can’t be avoided by making more rules. Too often, an accident or event in one area has a domino effect, with no department immune to its impacts. That’s why it’s important to involve everyone in the risk assessment and management effort, but not all businesses realise this.
APQC research indicates that of about 100 large global companies, 43% don’t have a designated ERM person to keep the board up to speed about changes in risks and what’s being done to cope with them. The businesses that have that person and process in place feel more confident. When the board is fully engaged in truly thorough discussions about potential risks, operating managers are engaged too. Business units and the operations team can meet regularly to review risk profiles and report back to the board. The ERM team works with department heads to compile their own risk profile. That way people throughout the organisation contribute to risk management, so that if a profiled event happens, the risk manager can gather stakeholders – especially people at the coal-face – in a business-wide response to the crisis. It’s about understanding how networks connect in a company.
A warning – having a designated ERM professional may run counter to this goal. The danger is that others can relax because “it’s not their department.” The ERM manager must work to combat that – a large part of their role should be about engaging and involving the rest of the organisation, ensuring it is everyone’s concern.
"The best overall strategy for preparing a business for risk is to allow for redundancies."
4. Take care of your business
Get ready for risk
No-one can predict the future, and the way the world is going, change is the only constant. With change comes risk, but if your company has a risk management plan in place it should come through dangerous events and out the other side.
The plan should include everyone in the company from the board down, and keeping it up to date should be an ongoing, day-to-day function as vital as balancing your accounts. Starting the conversation about risk is the first and most difficult step, but after that, with good management it becomes business as usual. Avoid the temptation of leaving all the responsibility to one person – keep your risk management a company-wide concern.
Instead of trying to identify exactly what kind risks your company is vulnerable to, it’s better to formulate a general list, assume it will change as new information comes to light, and set about strengthening the company. Diversify, allow for redundancies and spare parts, husband your resources and be ready for the next storm.
If it never happens, you’re still in a strong enough position to more safely take advantage of riskier, more profitable opportunities that may come along.