Effective Risk Management Strategies

Effective Risk Management

It is important not to lose sight of risks that may prevent us from achieving our goals. On reflection, it is not hard to come up with examples. One could encounter unforeseen health problems. Physical damage from fire or flood could occur. Loss of a major customer or source of funding, a serious information technology problem such as a loss of data or breach of security, or departure of a key employee are further examples of business risks one could encounter.

Small and medium-sized organizations often find it challenging to establish an enterprise risk management process, and as a result risk management is overlooked. Your business plan can be a very good starting point for a risk management plan. Consider your key objectives and ask what can go wrong, how problems can happen and why they could occur. By looking at your business through this lens, you can get a reasonable perspective on the business risks you should be concerned with.

Usually no one individual has a full perspective of the risks that could impact your organization. As such, it is necessary to ensure that you include all those who have relevant knowledge of business risks that could impact you when completing your risk analysis. Completion of a strengths, weaknesses, opportunities and threats (SWOT) analysis may be helpful to identify risks that could impact your organization.

Typically, it is not possible to address all risks that have been identified. Risk analysis serves to identify which risks can have a greater impact than others. It involves combining the impact of an event with the likelihood of the event occurring, using the risk analysis equation Risk = Consequence × Likelihood. You may want to rank both the severity and the likelihood of occurrence of a risk as low, medium, high, or critical in a risk matrix such as that depicted below.

Risk Matrix

Generally the colours on a heat map are related to the level of risk as follows:
Green = low risk; risk is tolerable, no further action required
Yellow = medium risk; risk is tolerable if it continues to be regulated through ongoing organizational controls
Orange = high risk; risk exceeds tolerance level and is unacceptable, risk mitigation strategies need to be put into place
Red = extreme/critical risk; risk is unacceptable and immediate action is required. If the organization cannot influence this risk, it should be a standing Board agenda topic


Completing this exercise will help you to identify those risks that are more likely to occur and those which may have a greater impact, and help you make decisions about committing resources and effort to manage specific risks.

After business risks have been identified and analyzed, the next step in your risk management process should be risk treatment. There are various strategies to consider. Risks can be avoided by not proceeding with the activity to which a risk relates. However, such an approach can lead to missed opportunities and elevation of other risks. The likelihood of occurrence could be reduced, for example by providing safety training to staff assigned to more dangerous activities. The consequences related to a risk could be reduced. For example, if there is a risk of fire, installation of monitored fire detection equipment and suppression systems can reduce the impact if a fire occurs. Risks can be shared. A common example of how risks can be shared is through insurance. For example, a firm providing professional advisory services may wish to share risk by acquiring errors and omissions insurance. Finally, a decision may be made to retain exposure to certain risks if the exposure is at an acceptable level. Overall, the treatment approach for any specific risk requires a cost-benefit analysis to determine the extent to which the cost of treating a potential risk is justified.

Enterprise risk management is not a one-time activity. Rather, it should be an ongoing component of your overall management activities to facilitate proactive management of business risks that may impact your organization.

Enterprise risk management has significant business benefits. Examples include greater potential to achieve goals and objectives, reduced exposure to litigation and non-compliance with legal obligations, enhanced relationships with external stakeholders such as your bank, and greater likelihood of operating within prescribed budgets.


If you would like assistance in implementing a risk management strategy and strengthening your organization, please contact me at 613-727-1230 ext 213 or fliska@otusgroup.com.

Francis Liska, CGA, CMC, CISA, CICA is a partner at OTUS Group, a team of advisors to business, government and not-for-profit organizations.

Francis Liska
CEO OTUS Group | OTUS Group
Francis is a Chartered Professional Accountant, Certified General Accountant, Certified Information Systems Auditor, Certified Internal Control Auditor and a Certified Management Consultant. He holds a degree in Business Administration from Cape Breton University and a Post Graduate Diploma in Applied Information Technology. He has also completed graduate studies in decision analysis at Carleton University.
