Let’s discuss managing your organisation through the sorts of risks that you might not have usually anticipated. These are the ‘exceptional business risk’ risks.
So, let’s find out how to manage your business’s risk profile.
The Risk Reality Check
Business is full of risk, like that uninvited party guest who shows up whether you want to see them or not — so you might as well get used to it.
Not all risks are created equal. Some are a fly buzzing around the office, irritating but resolvable. Others are a bull in a China shop — potentially devastating if not dealt with properly.
Step in risk management, your new business partner. But this one is active, not passive.
The Big Gun: Enterprise Risk Management
The titan of risk management is Enterprise Risk Management (ERM). ERM is like the Swiss Army knife of risk tools. It is all things to all people. It is comprehensive, holistic, and designed to assess risk through a regulatory lens across your enterprise.
But here is the fact: ERM is not just for the larger firms. Every small or large firm might have the competitive advantage of being a disruptive startup or a corporation in the Fortune 500. A robust ERM framework can deliver valuable results in either or both modes. You can identify risks inside the business that, if left unmanaged (and unpredicted), would have a consequence or value on risk opportunities. Essentially, ERM allows you to anticipate implications before customers do. It serves as a proactive mechanism to identify what might go wrong and manage its potential impact, easing it with strategies beneficial to your strategic goal. It’s not a crystal ball, of course. You don’t see the future but protect yourself against it.
Risk Identification: The Scavenger Hunt You Can’t Afford to Lose
So let’s get the brass tacks out: what’s the first step of managing existential risk? Identify the risks themselves. You have to see it first before it sees you.
First, look at your business afresh. What are the risks to your supply chain? Can your third-party vendors be trusted to supply (remember, they also have risks)? What about your cybersecurity? Then, the new and different types of risk, such as Environmental, Social and Governance (ESG) related issues, will be evaluated. ESG issues are the new kids on the block, but they do seem to pack a punch.
And, of course, identifying risk is not a one-off; it is a steady stream. It’s like brushing your teeth (but hopefully, it’s more exciting). Keep your eyes open and your ears to the ground, and think creatively. Sometimes, the most significant risks arise from the most unexpected places.
Risk Assessment: Separating the Mole Hills from Mountains
Now take those risks and probe them: distinguish the ‘meh’ from the ‘yikes!’ Not all risks are equally important, and you need to figure out which ones merit your fears.
What kind of damage would that risk do – to your finances? To your reputation? To your operations? Which risks are more likely to happen, and which are less likely? A super low-probability but high-impact risk (a meteor ripping through your headquarters) probably isn’t worth losing sleep over. But a super high-probability, medium-impact risk (one of your key suppliers going out of business) most certainly is.
This is where the risk matrix is useful. It organises information on probability and impact in a visual way that helps you work out which risks need your attention. It’s a hit list for risks; if a risk is both likely to happen and has a considerable impact, get to it fast!
Risk Appetite: How Much Risk Can You Handle?
Every business has its risk appetite. It’s the equivalent of your ability to eat a super-hot curry. You might have a low-risk appetite and prefer not to take unnecessary chances. Alternatively, your appetite might be higher than most, meaning you’re willing to gamble big time in the hope of a big reward.
Knowing your desired risk appetite can help your board determine which risks to take, which to reduce, and which to avoid altogether. It isn’t about getting rid of all risk, which is impossible. It can help you find your own ‘sweet spot’ between risk and reward, one that your strategy demands.
Communicating your risk tolerance across the organisation would be best, like setting the risk thermostat. Then, everybody would know what temperature you’re aiming for.
Control and Mitigation Strategies: Your Risk Management Toolbox
You have identified and evaluated your risk exposures and have a good handle on your risk tolerance. This is where managing risk reduction kicks in. Risk management strategies are the tools in the risk toolbox – we use a specific tool to address a specific risk.
Here are some common risk management strategies:
- Risk Avoidance: sometimes, the most intelligent way to deal with a risk is to avoid it entirely. Maybe you notice that cute but grumpy-looking cat lolling nearby, just outside your field of vision, and you do your best to steer clear
- Risk Acceptance: encountering risks is inevitable, regardless of your intentions. Embracing the necessity of risk is a crucial step forward when it cannot be avoided, transferred or reduced
- Risk Transfer: shifting the risk to someone else by taking out an insurance policy or embedding specific responsibilities and obligations into a contract. In a sense, it’s like hiring a stunt double for your business’s risky scenes
- Risk Reduction: aims to manage a risk’s probability or impact. Like wearing a helmet when you ride your bike, it doesn’t stop you from falling, but if you do fall, it reduces the impact of hitting your head
When it comes to low-impact or unlikely risks, the best option might be to accept the risk – and have consequentialist plans to make the best of them should they pan out. We should be like the person who carries an umbrella when it’s still sunny – then you’re prepared should it begin to rain, without letting it deter you from stepping out into the sunshine.
The challenge is to match the appropriate technique to each hazard: it’s not a case of ‘one size fits all’. You need to calibrate your response to the nature of the risk, your appetite for risk, and your capacity for risk treatment.
Supply Chain Shenanigans: Managing Risks in a Connected World
With today’s globalised business environment, your supply chain can make or break you. Supply chain disruptions can ruin your plans faster than you can say ‘sold out’.
Suppose you want to handle your supply chain risks right. In that case, you need to begin by mapping out your entire supply chain to identify your suppliers, their suppliers, and the suppliers’ suppliers. Because, who knows, you might be playing Six Degrees of Kevin Bacon with your business network.
Spread out your supplier base to avoid reliance on one source or another – the adage ‘don’t put all your eggs in one basket’ applied to your supply chain. Then, build up an inventory of critical parts – the parts equivalent of the rainy day fund.
Don’t neglect geopolitical risks to sourcing, such as storms and earthquakes, trade disputes, and political disturbances in your supplier base. Stay alert and have a contingency plan.
Cybersecurity: Guarding Your Digital Fort
Cybersecurity risk is like the monsters lurking beneath your bed: they’re always there and getting smarter. Data breaches, ransomware and other threats are evolving faster than you can change your password (which you should do frequently).
Disk safeguards are not a substitute for paying attention to ‘culture walks’ – how your people think and respond to the human element of cybersecurity. Provide your staff with instructions on spotting phishing emails, developing good passwords, and adhering to company guidelines for data security.
At the same time, invest in robust cybersecurity, knowing that no technology—no matter how good—is sufficient. Organisations should engage in routine security self-audits, incident response planning, and business continuity exercises, as well as develop data backup and recovery strategies.
Financial Risks: Keeping Your Money Matters in Check
Financial risk can appear in various varieties, from credit risk to market volatility. Taking care of these financial loss risks is similar to standing on a financial tightrope – you must juggle multiple balls in the air without accidentally dropping any.
First, stay on top of your working capital, which is the lifeblood of your organisation; running out can be deadly. Pay attention to your cashflow and use receivables and payables strategies.
For larger corporations, try sophisticated financial risk management tools such as hedging or financial derivatives. But remember that these are power tools: handy but dangerous in the wrong hands.
Don’t forget about credit risk, especially for businesses involving many customer credit. Make sure to put robust credit assessment procedures into place, and for larger and riskier accounts, think about credit insurance.
The Human Factor: Building a Risk-Aware Culture
Risk management is worth nothing besides an inside joke without the buy-in of your people. A company with a risk-aware culture is like having a neighbourhood watch. Everyone needs to be on the lookout and know how to react.
Lead from the top. Senior management, business leaders and senior executive teams must adopt a risk culture. The ship’s captain can only bark orders, but they are ultimately responsible. If they hate icebergs, why would the crew not hate them too?
Foster transparency about risks. By promoting open discussion about risks and fostering a positive culture where employees can report potential risks without fear of reprisals, you encourage otherwise bystanders to become risk guardians at the coalface. With more eyes, more risks get spotted earlier.
Embed risk into your decision-making at all levels – from major strategic decisions to day-to-day operational choices. Thinking about risk should become as habitual to you as breathing.
The Oversight Oversight: Keeping Everyone in Check
Finally, suppose we turn our attention to oversight. What about the referee on the pitch – the overseer of business risks, if you will – who ensures everyone plays within their limits and falls below their acceptable risk bounds?
Your board and audit committee can help here. They should not just stand idly by and ask questions. They should actively oversee your risk management processes. Risk reports should circulate routinely. Appropriate risk appetite needs to be agreed upon and discussed. Risk events should also be reviewed.
For public companies, the message to your investors and institutional investors is the same: they are increasingly scrutinising how you manage risks, including emerging risks relating to Environmental, Social and Governance risks and issues. Visible communication addressing these risks can boost their confidence in you and your organisation and, even better, allow new investors to step up.
Project Management: Where the Rubber Meets the Road
Each project creates a microenterprise with risks that must be monitored and navigated. Effective project management is likely the proper response to any idea, from launching a new product or service to opening new locations for your business.
First, identify project risks during the planning phase. What could go wrong? What could have an impact on your schedule, cost or strategic goals?
Design management strategies for each of the identified risks. This could involve adding slack time to your schedule to cover possible delays, having backup suppliers for vital parts, or working out contingency plans for different eventualities.
Assess risks regularly, in a structured way, at all project stages. Think of this as taking a project pulse – you want to catch the fever before it turns into sickness.
The Crystal Ball: Anticipating Emerging Risks
If only we had a crystal ball to see future risks! We may not be psychic, but we can try to anticipate emerging risks.
Watch for shifts on the horizon in your industry and also in the larger business environment. Read broadly – journals in your field, publications more generally, science fiction is sometimes helpful in providing hints about possible future risks.
Consider having an established horizon scanning team or process. Their job is to search for weak signals of risks on future horizons. It’s your team of futurists, except instead of flying cars, they’re thinking about threats and opportunities.
It’s not just unrealistic low-probability scenarios you should be looking at. The recent pandemic crisis shows that even unthinkable developments can become entirely plausible. Who expected a global pandemic to shut down the world’s economies? Not everyone. The most consequential risks are sometimes low probability and low visibility.
The Learning Loop: Continuous Improvement in Risk Management
The nature of risk management is repetition. There is never a ‘set it and forget it’ point. Like a garden, it needs tending every single day.
In the aftermath of every risk event – whether a near-miss or a full-blown crisis – perform a post-mortem (an analysis of what went wrong and what went right). What about your crisis management? Did it remain effective? What didn’t? What could you do next time?
Use these insights to further enhance your risk management procedures by updating your risk registers, fine-tuning your control and mitigation strategy and, where necessary, adapting your risk appetite.
There is no question of accurately foreseeing every risk. The objective is to create a robust and resilient enterprise that can surmount whatever comes its way.
Final Thoughts: The Risk-Ready Business
So, there is a tour of significant business risks. From ERM to cybersecurity, from supply chains to finance.
But nothing lasts forever, and you can’t afford to be taken by surprise ‑ you need to know your risks, prepare for them, and have a plan ready to respond when (not if) they happen.
Suppose you invest in a risk culture, management, and concern for emerging risks. In that case, however, you can turn the process from a necessary evil into a source of strategic advantage – you’ll require a special licence to lose sleep and a handy superpower for taking risks. Like Superman, you might not be able to see through walls. Still, you’ll be able to see through the fog of uncertainty that surrounds every business decision.
So get out there, channel your inner risk manager and realise your most significant business potential – because, as the legendary Wayne Gretzky said: ‘You miss 100 per cent of the shots you don’t take.’ But make sure you’ve done the due diligence first, of course.
And, if you’re so inclined, you can read articles about it – or anything of the sort – in a publication such as the Harvard Business Review. You can also become a certified risk manager and learn more about it. The issue of risk, like risk itself, is constantly changing. And there’s always more to know.