Let me start by asking you two simple questions:
1. Are you aware of all or most of the risks your business is exposed to?
2. If you are aware, how are you managing these risks?
Risk management is an integral part of any organization. Whether it is a public or private sector entity, a large or small business, a non-profit or a profit-seeking organization, risks exist and need to be dealt with. Every decision or choice we make presents either a risk or an opportunity. For example, a small business wanting to improve customer service by answering queries as promptly as possible might choose to install a 24-hour telephone system that handles customer queries after office hours.
Some of the opportunities presented by this new system include: (a) faster response to customer queries, as customers no longer have to wait until the following day to have their urgent problems resolved, and (b) a pool of satisfied customers, which ultimately turns into revenue as referrals start to come in. It is the norm that if a customer is happy with your service offering, he or she is more likely to refer friends, work colleagues, family members and other relatives to your organization. The reverse is also true: an unhappy customer is likely to walk away and deter other people from doing business with you.
As I said before, for every opportunity there is a risk. The downside of the new system is that an unexpected power cut or electrical fault may take the system down for hours or even days, and the business has made itself dependent on it. If that happens, the damage is done. We all know, as customers ourselves, how we react when we cannot get hold of our service provider or are kept on hold for a long time.
Using the simple example above, which can be applied to many situations facing your organization, the key is to weigh the risks and opportunities at stake. Risk management is not about making gut-feeling decisions. It is about taking a proactive approach, analysing different scenarios, calculating and weighing the expected returns and losses, and making evidence-based decisions. Taking a proactive approach to ERM involves:
Identifying and assessing organizational and environmental risks:
# A top-down and bottom-up approach should be implemented. This means the identification of all risks should start from the top of the organisation, leaving no stone unturned. A bottom-up approach allows employees to participate in the risk identification process via workshops and one-to-one or group meetings. Brainstorming sessions and available internal company records can also be used here.
After identifying internal risks, the focus should then shift to the external environment. Who or what are the most important external threats to your organization? Is it your suppliers, customers, competitors, new regulations, or political, environmental or economic instability in your own or another jurisdiction?
Having identified both internal and external risks, consider all plausible scenarios, their probability and their frequency. For example: "If Supplier A and Customer B both go under at the same time, what are the implications for the business in terms of viability, cash flow, profitability and service delivery?" Up-to-date, publicly available information on external stakeholders is also of great value here.
Managing risks enterprise-wide:
Recent technological developments allow organisations to integrate their risk management function with other business functions. Long seen as a compliance function, risk management is now beginning to be recognised by businesses for the role it can play in creating value. Instead of managing risks by function or department, an ERM approach allows you to:
# Group risks into "risk families" based on their probability of occurring, their frequency and their severity (expected damage or loss). This approach allows you to set up risk mitigation strategies in advance. It also reduces duplication of effort and hence wastage of resources. For example, IT risks are present in every department of the organization, as each department uses telephone, computer, fax or printing systems. You cannot therefore separate IT risk by sales and marketing, finance, operations or human resources department. Thus ERM allows risks identified at divisional level to be aggregated at corporate level. When aggregating, be clear about whether the departmental entries describe the same underlying event (one outage that hits every department, whose impacts add up) or independent events; counting a shared event once per department overstates frequency and understates the size of a single bad year.
# Quantify risks and their impact on your business performance. Instead of just grouping risks into their respective families, estimate the actual losses, which allows you to set risk tolerances (the level of loss you are prepared to bear at a chosen confidence level, for instance the loss you do not expect to exceed in 95 years out of 100). This also gives you a clearer understanding of your business objectives and their associated risks, and of the trade-offs between risk and reward.
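To make the scenario analysis from the identification stage and the grouping and quantification steps above concrete, here is an added example in Python; it is not code from the original post. The register entries, the rule that entries in one family describe the same shared-cause event, the Poisson event count and uniform per-event loss, and the 250,000 tolerance figure are all assumptions made for the illustration.

```python
"""Toy quantitative risk register (added example, not the post's own method).

Assumptions, made for this illustration:
- entries that share a family describe the same underlying event seen from
  different departments (shared cause), so they aggregate into ONE corporate
  risk: the frequency is not added up, but the departmental losses are;
- families are independent of each other;
- event counts per year are Poisson; per-event loss is uniform in [low, high].
"""
import math
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    family: str          # risk family, e.g. "IT outage"
    department: str      # where it was identified (bottom-up input)
    frequency: float     # expected events per year
    loss_low: float      # plausible minimum loss per event
    loss_high: float     # plausible maximum loss per event


def expected_annual_loss(risk: Risk) -> float:
    """Expected annual loss = expected frequency x mean per-event loss."""
    return risk.frequency * (risk.loss_low + risk.loss_high) / 2


def aggregate_families(risks: list[Risk]) -> dict[str, Risk]:
    """Roll departmental entries up into one corporate-level risk per family.

    Shared-cause rule (assumption): the event happens once, so take the highest
    frequency estimate; every department that listed it is hit, so the
    per-event loss range is the sum of the departmental ranges.
    """
    by_family: dict[str, list[Risk]] = defaultdict(list)
    for r in risks:
        by_family[r.family].append(r)
    return {
        family: Risk(
            family=family,
            department="corporate",
            frequency=max(e.frequency for e in entries),
            loss_low=sum(e.loss_low for e in entries),
            loss_high=sum(e.loss_high for e in entries),
        )
        for family, entries in by_family.items()
    }


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small event rates in a register."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(corporate: dict[str, Risk], years: int = 20000,
                           seed: int = 7) -> list[float]:
    """Monte Carlo: total loss in each simulated year across independent families."""
    rng = random.Random(seed)  # fixed seed so a register review is reproducible
    totals = []
    for _ in range(years):
        total = 0.0
        for r in corporate.values():
            for _event in range(_poisson(rng, r.frequency)):
                total += rng.uniform(r.loss_low, r.loss_high)
        totals.append(total)
    return totals


def percentile(values: list[float], q: float) -> float:
    """Nearest-rank percentile (q in [0, 1]) of a list of annual losses."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def exceedance_probability(values: list[float], threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for v in values if v > threshold) / len(values)


# Constructed sample register: the same IT outage logged by three departments,
# plus two risks found in the external-environment review. Figures are made up.
SAMPLE_REGISTER = [
    Risk("IT outage", "sales", 0.5, 10_000, 50_000),
    Risk("IT outage", "finance", 0.5, 5_000, 20_000),
    Risk("IT outage", "operations", 0.4, 20_000, 60_000),
    Risk("supplier failure", "operations", 0.2, 50_000, 200_000),
    Risk("regulatory fine", "finance", 0.1, 10_000, 100_000),
]


def review_register(risks=SAMPLE_REGISTER, tolerance: float = 250_000) -> dict:
    """The figures a risk committee would look at: expected loss, the 1-in-20
    bad year (95th percentile), and whether that sits inside the tolerance."""
    corporate = aggregate_families(risks)
    losses = simulate_annual_losses(corporate)
    p95 = percentile(losses, 0.95)
    return {
        "eal": sum(expected_annual_loss(r) for r in corporate.values()),
        "p50": percentile(losses, 0.50),
        "p95": p95,
        "p_exceeds_tolerance": exceedance_probability(losses, tolerance),
        "within_tolerance": p95 <= tolerance,
    }


if __name__ == "__main__":
    for name, value in review_register().items():
        print(f"{name:>20}: {value:,.2f}" if isinstance(value, float) else f"{name:>20}: {value}")
```

The expected annual loss answers "what does this cost us in an average year"; the 95th percentile answers "how bad is a bad year", which is the number to compare against the tolerance. The aggregation rule is the part that deserves the most scrutiny in a real register: treating three departmental entries as one shared event (as above) gives a fatter tail than treating them as independent, and which rule is right depends on the risk, not on the arithmetic.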
How else can an organization take a proactive approach to its ERM solutions?
Comments and questions are welcome.