Following the global financial crisis, risk management strategies have become a main focus of businesses globally. What was previously considered to be a priority for those within the financial field, risk management has since become a necessary consideration for businesses in every industry. In fact, in a survey of nearly 1,500 C-suite executives, 72% of CFOs responded saying that their companies are increasing their resources to manage risk.
There’s no doubt that having the right resources, infrastructure and plans in place to manage risk is a priority to run a successful business. While some risks can be controlled, others, like environmental risks, are completely uncontrollable. However, there are tactics that can be put into place to approach risk management strategically, as well as to understand how to allocate resources effectively to complete processes efficiently.
In business, the types of risk vary, but they are all defined as a situation that can be dangerous or result in a bad outcome.
Strategic Risks: Decided by the board, these are decisions that concern the objectives and direction of the business. Examples include: merger & acquisition risk, market stagnation risk, change management risk, and financial risk.
Operational Risks: Operational risks stem from the day-to-day operations of running the business. They include data loss, staff turnover, machinery breakage, and changes in internal resources.
Regardless of the type of business risk you are managing, taking a top-down approach will help to guide the entire organisation when it comes to risks. By enforcing a risk management culture within your organisation, every department will understand the current landscape, operational and strategic risks, and the kinds of risks that are worth taking.
While it shouldn’t be the sole responsibility of the C-suite or managers to consider risk and understand how to deal with it, the strategy and plans need to come from the top. A proper risk management assessment includes an outline of risks, plans for action in the event of a negative outcome, and putting the right people in place to manage the situation effectively and in a timely manner.
First and foremost, outline and know the risks that can potentially affect your business.
Once you know the risks that are applicable, evaluate their likelihood by breaking down how or why they could occur and the cost or impact if they did. Establish processes for reporting and contingency plan based on who will be in charge of the loss reduction and communication of risk occurring and outcome.
Identify the impact that a risk creates if it happens, as well as the likelihood. Develop a rating system that could be an equation on a scale that looks like this: Risk Score = Impact x Likelihood
An example of likelihood of the risk happening could be determined by how loyal your customers are, or how likely the competition are to lower their prices.
You can then rate the possibility of this risk happening on a 5 point scale, where 1 would be non-existent, 3 is average and 5 would be very strong.
For the damage or impact that the risk could cause, could be for example customers leaving you or competition driving your own prices down.
You can rate the negative impact of this risk occurring on this same 5 point scale where 5 is severe damage, and 1 is minimal damage. You can then use risk levels to rank how much of a priority it is to address that risk.
The maximum risk score would therefore be 25 being 5 impact x 5 likelihood. The lowest risk score would be 1 being 1 impact x 1 likelihood.
Sometimes a risk may be worth taking, but it depends on the cost-benefit analysis of how it will impact your business.
It’s not always easy for managers and C-suite executives to fully grasp the likelihood of potential risk and to work at putting plans in place if the threat doesn’t seem imminent. In this case, it’s beneficial to use data and tools that will help make a realistic and unbiased assessment for your business.
In any business, it’s likely you’ll end up combining these four risk strategies.
If a risk stems from a particular activity that you have the control to end, you may want to avoid the risk altogether by ending the process that allows the risk to exist. The disadvantage here is that any benefit from that activity will also be avoided.
Do all in you power to minimise the effects of a risk. This is the most widespread strategy in business because business is inherently risky, so mitigation is consistently practiced. For example, if the risk is that a client won’t make a payment on time and cash flow will be strapped, reducing the risk would involve setting up a line of credit to minimize the effects of potential late payments.
By paying for insurance, businesses can transfer their risk to a third party. Of course, the downside is the cost associated with an insurance plan.
All of the previous strategies have a cost associated with them, so sometimes it’s best to just accept risk. When the risk isn’t posing a big enough detrimental effect, accepting it frees up the resources to focus on the bigger risk and put plans in place to deal with those effectively.
Risk assessments should be actionable and relevant. They involve putting the right team in place and communicating in advance what should happen when a risk does occur. By giving leadership teams actionable guidance, board members and senior management can better understand and assess data and outcomes.
For each risk, there should be a person or department that knows they are responsible for handling the next steps and communicating with the relevant parties. When communicating with those outside the channels of dealing directly with the risk, they should speak in lay terms so that leaders can perceive and understand what’s happening.
All risk management practices should be systematic, recorded and reviewed. When data is collected, it will help to measure risks for the future, as well as learn from the past to better prepare next time or to be able to avoid the risk entirely.
Risk management is often equated to financial risk and measured monetarily. However, it’s also important to align risk management strategies with the business’ overall goals. In order to this, you can establish KRIs (key risk indicators) to measure results and look ahead to prevent roadblocks. For example, in a retail business, a KRI may be the number of customer complaints. If the number of customer complaints is increasing, it is indicative of an operational inefficiency that should be addressed before customer churn occurs.
When you are able to address risk management strategies to align with your business goals, you will be able to make good decisions in how to deal with risks because they will all be directed towards driving the business forward.
However, not all risks are easily quantifiable, they may be qualitative. For example, the risk of a product failure may affect a business’ reputation which can’t always be measure monetarily. For risks like this, you can create a dialogue with key stakeholders and decision-makers to bring in different expert opinions and decide how it will impact the overall business goals. Then, you can decide as a team if a risk is worth taking.
More often than not, a business’ data associated with risk is siloed in one department, which can be detrimental. Not only does this place the onus on one department to manage and react to risk, it also bottlenecks the effective methods of preventing or proactively approaching risk.
In order to avoid this, set up the free flow of information organisation-wide - whether that’s through meetings or by putting one department in charge of sharing information through web-based apps or shared data and information centers.
Additionally, with the rise in technology that helps businesses deal with risk, you need to strike the right balance between automation and a human touch. Having the right data tool is of utmost importance for this, and the latest data tools can provide more insight and clarity for businesses than ever before. Indeed, the data is only as good as the people who use and consider it.
Like the economy, risk changes daily. In order to put a proper risk management strategy plan in place, you have to approach risk, reconsider it and reevaluate the landscape and competition regularly. This could be done by setting up recurring meetings and using data tools to analyse the market. Additionally, it's undoubtedly important to stay atop industry trends, news and technology innovations. Risk management is not a one-and-done deal.
At the same time, there are upsides to risk and many businesses thrive and take advantage of downturns and use this to leap frog by using risk as their competitive advantage. While preparing for the worst case scenarios, it’s also important to consider best case scenarios and how industry-wide risk can serve to catapult your business forward or create opportunity to pivot and grow.
Take a look at these strategic risk examples to get a better understanding of how to achieve organisational goals, and how technology helps.
When it comes to SOX testing, your internal controls are everything. Read how finance automation can alleviate the stress of SOX compliance.