“Risk comes from not knowing what you’re doing”
– Warren Buffett
Business is fraught with risk. I’ve had plenty of sleepless nights worrying about risks to a business or managing crises due to a risk manifesting itself into reality. Risk is not fun, but it can typically be reduced if well managed.
What is risk?
Risk is the probability of something negative happening, whether it is a delay in a project, a competitive price war, a product warranty issue, a lawsuit, or a catastrophe. We live in a world of multi-dimensional risk, and while our minds often focus on the upside potential of a business, it is prudent to spend some time to understand and mitigate significant business risks. The definition of business risk is a cost that has a probability to be paid at some point in the future.
Risk management involves the identification, assessment, mitigation, and monitoring of risk within a business. Let’s go over each major element of risk management.
There is risk across an entire business model and it is critical to take the first step in identifying the larger risks. While many risks, such as catastrophes and competitive moves, don’t show symptoms until after they happen, the symptoms of many risks are actually represented within the data of an organization. Customer reviews and warranty claims can shed some pretty revealing information on product and service risks. Creating and measuring partners with scorecards can create a rich fact base for potential partner risks. Understanding the trends in the financials can highlight the potential risk of running out of cash or defaulting on debt. It is prudent to identify the major risk categories across a business. The following chart outlines many of the most common business model risks.
There are two components to assessing risk. The first component is in understanding the probability of the risk becoming a reality. The second component is in calculating the potential impact or cost if the risk event occurs. Putting the two components together creates the expected value of the risk.
Expected Value of Risk = Probability of Event X Cost of Event
There are many ways to assess the probability of an event happening, from educated guessing to statistical frequency analysis of historical data to buying reports or hiring a risk consultant. Regarding risks relating to processes, products, and services, Six Sigma is a comprehensive toolkit to understand, assess, and mitigate risk statistically. Understanding the rough probability of an event occurring is critical to determining the magnitude of the risk. The difference in the expected value of risk between an event having a 50% probability of occurring versus a .05% probability is 1000 times.
As for calculating the cost of an event, there are many benchmarks out there for the cost of a product recall, discrimination lawsuit, failure to comply with fines, security breaches, etc. Understanding the expected value of different risks is something insurance companies are experts at, so they are also a great resource to understand the cost of various events. For many of the benchmarks, the key is to normalize them to the relative size of the business.
The third step to risk management is mitigating the risk. The key to risk mitigation is drilling down to the root cause that is driving the probability of the risk. In the case of IT security risk, are there poor controls, systems, or too many people with access? In the case of quality risk in a product, has cost-cutting occurred at the expense of quality or is it poor design, etc.? Whatever the case, to mitigate risk, it is critical to understand the root cause(s) driving the risk.
In terms of actual mitigation, there are four main options:
Eliminating risk is always the best option, but sometimes there are tradeoffs regarding the cost to eliminate versus the elimination of the expected value of the risk. I have worked with companies who had dangerous products that they had to discontinue and take a loss on inventory to eliminate the consumer risk.
Reducing risk can come in many forms including controls, policies, monitoring, improved design, communication, education, training, technology, and anything else useful in reducing either the probability of the event or the cost if the event happens.
Sharing risk often comes from purchasing insurance for the risk. Insurance not only reduces the significant losses if the event happens but also is educational in understanding the expected value, probability, and cost of the event. You can also share risk in contractual agreements.
Accepting risk sometimes happens if there aren’t suitable options to eliminate, reduce, or share the risk. In these cases, sometimes the only option is to accept the risk and ensure the potential cost of the risk is budgeted and accounted for in some manner.
Risk is one of those tricky elements of a business that can rear its ugly head at any time. And, it can be akin to the “whack a mole” game, where you think you have a risk managed in one area only to have the same or a different risk pop up somewhere else. Monitoring more significant risks and having a high level of vigilance is essential to risk management, along with having a good offense. Once you are on the defense with risk, you’ve already lost. Monitoring can come in many forms, whether it is a formal risk scorecard across the organization, security and fraud monitoring software with IT and financial systems, periodic analysis of customer reviews and warranty claims, or reports and escalations of employee issues.
Short-term gains versus long-term risk
A sensitive, but important topic about risk is the dynamics between short-term gains versus long-term risk. Most employee incentives are tied to short-term results, whether it is a potential promotion, an annual bonus, drive to keep a job or the impact of quarterly financial reports on a stock price. And, often, these incentives drive behavior to realize short-term gains, whether they are gains in sales or cost savings. The more team members are focused on short-term gains, the more they have the potential to drive incremental long-term risk to the business to maximize short-term gains. It is a risk in of itself.
Organizations often try to manage short-term thinking through long-term incentive stock options or profit sharing, education, punitive actions on misbehavior, and through their values. Whatever the management mechanisms, the best solution is the orientation and behavior of the leadership, for the actions of employees in a company typically mirror that of the leadership. If the leadership focuses on short-term decisions and gains, then employees will often do the same.
DOWNLOAD THE RISK ASSESSMENT & STRATEGY WORKSHEET
To get you going on risk management, download the free and editable Risk Assessment & Strategy PowerPoint Worksheet.