Defining and Evaluating Business Risks

Having an effective enterprise risk management (ERM) program that helps to measure, monitor and manage risks is no longer a nice to have but a must.

Organizations regardless of which industry they operate in are increasingly facing strong headwinds that are forcing them to rethink the way they run their businesses, build new capabilities, implement agile strategic responses and approach risk management more seriously.

New technologies, increased economic and political uncertainty in emerging markets, slowing global growth, commodities price decline and Brexit are some of the issues posing immense pressures on organizational decision makers and value chains.

In this environment, objectively defining risk and measuring its impact on the business is very imperative. This is critical for designing and implementing effective mitigation plans, creating value and improving business performance.

Benchmarking is not always the answer

Benchmarking is one of the popular tools used by decision makers to improve processes and ultimately business performance. So often business managers make reference to benchmarking information to gauge their organization’s performance against the “so called best” in the industry.

However, the fact that every business and organizational structure is unique in their own special ways, care must be taken when using benchmarking. No two businesses are exactly the same in all aspects.

Data is critical when measuring risk. Without the data, the whole process becomes pure speculation. In today’s digital economy and information age, data collection is dynamic, allowing businesses to continuously evaluate risks. However, the data type, quality, quantity and method of gathering varies by organization, process, and functionality.

Thus, in order to benefit from benchmarking, decision makers need to first clearly understand the methods used to gather the benchmarking information, the integrity of the gathering process, and how this relates to their organization’s specific situation.

Identify the risk

Identifying the risk events is one of the most critical attributes required to perform a successful risk assessment exercise.

The challenge for many people is that they consider the risk identification process as a “listing” exercise of all the things that might go wrong in any given time period.

The objective of enterprise risk assessment is not to maximize the number of key risk indicators (KRIs), but rather to take a holistic view of risk across the enterprise and prioritize resources and efforts on those risks deemed critical to the business.

Identified risks must be those significant to the business and have the potential of adversely derailing successful strategy execution. Thus, it is imperative that risks and strategic planning are clearly linked with some type of appropriate risk response.

What is the probability of occurrence?

The probability of occurrence should determine whether the identified risk(s) is/are worthy of management, control, or not. Determining this probability is not a subjective or guessing exercise.

Instead, data analysis is a critical part of the process as this provides factual information to base upon. Data is one of the most valuable assets for an organization today. Businesses that are able to leverage data and analytics in their risk assessments are uniquely positioned to better run their operations and achieve strategic, operational and financial success.

Make sure the data used in the analysis is accurate, reliable and real-time as this is critical for both performing an objective/fact-based risk assessment and presenting a truer reflection of the situation.

In today’s data and analytics world, organizations can take advantage of new technologies and incorporate predictive analysis in their data-based risk assessment models. Making strategic decisions based on information provided by backward-looking and reactive models will lead you and your business to unwanted territories.

Predictive models are forward-looking and allow business managers to be proactive. They help you identify trends and patterns, plan for the future with greater certainty and implement agile responses.

Consider the impact of the risk event(s) on the business

Unfortunately, for many organizations, risk management is a box-ticking exercise with little emphasis placed on overall impact on the business. People do not understand the impact of identified risks on the overall achievement of objectives and business performance.

Furthermore, risks today are interconnected. One risk event can lead to a chain of risk events, and if not properly mitigated, the exposure to the business is big. It is therefore imperative that you clearly understand the impact of aligned risks that occur as a result of the original risk event taking place on the achievement of objectives.

Being knowledgeable about these risks helps design and implement an effective ERM program that prioritizes identification, assessment and management of those risks considered significant to cause havoc to the business and negatively affect performance.

Build a good foundation

Designing and implementing a successful ERM program is not once-off or short term business objective. Instead, it is a continuous strategic initiative for the long-term success of the organization.

Laying up a good foundation starts with the organization clearly defining its ERM strategy, identifying key risks to the business and utilizing an effective set of KRIs.

If properly designed, these KRIs will help you to calculate the probability and also evaluate the impact of more than one risk across different aspects of your business. The focus is not on managing individual risks, but rather,  taking a holistic view of risks across the enterprise to ensure success.

Senior management commitment towards ERM is also required to ensure middle and lower level employees continuously recognise risk management an important strategic imperative critical for driving performance.

I welcome your thoughts and comments.