
Risk management


What is risk management, and why is it important?

Risk management is the process of identifying threats, choosing suitable responses to them and implementing strategies that reduce possible losses while taking full advantage of opportunities. The corporate risks a company faces can be very different, from financial and legal issues to technical failures, accidents and natural disasters.

Of course, you can't foresee all risks, which is why learning how to manage them is indispensable! Successful enterprise risk management will enable the company to continue operating even at the most critical moments, despite both internal and external threats.

Thus, the main tasks of risk management are as follows:

  • forecasting likely risks and threats;

  • eliminating possible causes of risks;

  • making anti-crisis decisions, as well as developing and implementing risk management strategies.

In addition, risk management explores the broader relationships between potential threats and how they can affect a company's strategic objectives in different situations and outcomes. Therefore, besides eliminating risks, the main goal of risk management is to learn how to balance them. After all, you must agree that some risks may well justify themselves due to the result obtained (for example, an increase in profits and KPIs).

Thus, effective risk management produces the following benefits:

  • raising risk awareness throughout the company;

  • confidence that the company's goals and objectives are the right ones;

  • more efficient and exact compliance with regulations;

  • improving performance through consistent application of risk management tools;

  • better safety and health protection for employees and customers;

  • competitive edge in the market.

Risk management process steps


To bring risks under control, experienced leaders and managers follow five basic steps in the risk management process. The process begins with identifying risks, then analysing and assessing them, prioritising the most serious ones, developing a strategy for them and monitoring the results. Let's take a closer look at each stage of risk management.

Step 1. Identification of risks

So, the initial stage of risk management includes the identification of threats. Since a business is exposed to numerous risks, they are usually classified as follows:

  • Legal and financial risks, which can also be called compliance risks. They involve violations of laws, treaties, or accepted standards, which can result in financial liability, fines, and other sanctions.

  • Regulatory risks. This type of risk is about non-compliance with external or internal standards relating to any aspect of the business activity.

  • Market risks arise when a company is affected by external factors stemming from changes in market conditions, such as price and exchange rate fluctuations.

  • Operational risks. This is the risk of loss resulting from faulty internal processes, system failures, destructive actions by employees, or external events such as fraud.

  • Environmental or natural risks. These are the risks that adverse changes in the natural environment will harm the business, or that the business will cause such changes. They can arise from natural, anthropogenic and technogenic emergencies.

To identify the most probable risks, you need to answer key questions, namely:

  • In what state is your official company documentation? Perhaps new or amended legal acts have recently been introduced that you need to be prepared for.

  • What are the results of the latest audits, market research, and insurance reports?

  • What events have negatively affected the company in the past? What risks have you already faced? In other words, analyse your previous negative experiences with threats, but also note how the company overcame those challenges.

  • What risks are most likely to occur in the current situation?

So, we have passed the first and main step of risk management, without which we cannot proceed to the next steps. Pay special attention to risk identification! Set aside extra time and invite the best analysts for this. Only then proceed to the second step.

Step 2. Analysis of the risks identified

Once a risk is identified, you must analyse it. To do this, you need to determine the scale of the identified threat and its consequences for the business. In addition, you should learn how this risk appeared, what brought it up, and how to eliminate it.

If, in the first step, you identified several risks at once (as often happens), you should set a priority for each of them. The priority is determined by how strongly a specific risk affects the business as a whole and its individual processes. After all, the more aspects of the business are at risk, the greater the threat to the entire company. For example, an industrial enterprise will consider the environmental or natural risks arising from its impact on the environment the most significant threats, whereas for a trading company market risks matter most. If you fail to meet a financial plan and exceed costs, the company will require additional funds, which in the end can lead to significant budget cuts, unwanted credit, or even bankruptcy.

Factors companies consider when prioritising risks include:

  • potential financial loss;

  • time lost or wasted on eliminating the risk;

  • availability of resources and tools to manage the risk in the future.

This step helps companies obtain the necessary information to develop responses to the most common threats.

Step 3. Risk assessment

Risk assessment is the process of identifying possible types of risk, assessing the conditions under which they occur and determining their impact on the business. There are two types of risk assessment: qualitative and quantitative.

Most risks are not quantifiable and can only be assessed qualitatively; the risk of climate change, which threatens many businesses, is one example. A qualitative assessment therefore consists of analysing how possible risks manifest themselves and what influence they have, from the specialists' point of view.

In turn, quantitative risk assessment is the numerical determination of the size of individual threats. Quantitative analysis is more accurate but is used mainly for complex projects. Most often, experts use quantitative assessments to analyse the risks associated with funds, since mainly figures appear here - be it profits, interest rates, performance indicators, etc. Quantitative risk assessments are much easier to automate. They are also considered more objective than qualitative assessments.

Furthermore, it is essential to understand that a qualitative assessment frequently accompanies a quantitative one. You can use them individually or together, depending on the available time, budget and business characteristics.

Step 4. Risk mitigation and security

After passing all the steps - identifying risks, analysing and evaluating them - it's time to act! Each risk must be eliminated or minimised to the extent possible. That is, at this stage, you implement specific solutions, plan and carry out activities, and use them to eliminate possible losses.

Start with the most dangerous risks. For clarity, draw up a plan to eliminate or mitigate the consequences of the risk, describing in detail all the steps necessary to reduce it. To do this, you can consult experts in the field to which the risk relates.

There are several basic risk management strategies in business:

  • Full exclusion

This strategy involves an absolute rejection of dangerous actions to reduce the likelihood of losses to zero. It is most advisable to use such a strategy if the risk has a potentially large impact on the entire business, for example, it can bankrupt or destroy it. However, in this case, it is essential to correctly identify possible threats because some risks may well justify themselves and even contribute to increasing the company's profits.

  • Prevention & control

In this case, you reduce the likelihood of the risk occurring and minimise the possible loss if the threat does strike. For example, to prevent data leakage, a company needs to install appropriate software and ensure cybersecurity.

  • Insurance

When the event the company feared occurs, the damage caused by it is compensated. For example, professional liability insurance helps professionals avoid personal risks, and if you work in a hazardous industry, you should take care of your health cover and get life insurance.

Step 5. Monitoring and evaluation of results

Next, you should monitor both the effectiveness of the chosen anti-crisis strategy and the emergence of new risks. After all, new dangers and threats regularly arise in the course of the company's activities, so you must constantly look out for them.

When the next crisis comes, it is essential to evaluate how effective the earlier decision turned out to be. Perhaps you should pick a different strategy or adjust the current one. To understand how to proceed further, it is vital to keep records, that is, to document, analyse and discuss with colleagues information about the results of implementing risk management methods.

You should also keep in mind that all stages of risk management are interconnected and depend on each other, as well as on the characteristics of the business itself and the market. Therefore, you need to consider them in the context of the whole company and apply them based on existing experience.

Risk management techniques


For the first step of risk management, there are several effective methods for determining, as accurately and objectively as possible, all the factors that affect the business and create risks. Here are some of them:

  • Drawing up a risk map

A risk map is a tool for illustrating a qualitative and quantitative analysis of the dangers and threats an enterprise faces, that is, their visual display. Such a model shows all the risks inherent in the company and visualises the likelihood of their occurrence and the overall risk assessment. Moreover, it demonstrates the measures to respond to and prevent the hazards.

On such a map, risks are assessed using the following concepts: significance - probability - causes. That is, each likely risk must be classified on a scale from "least likely with the smallest impact" to "the most likely with the greatest impact". These data can be evaluated in percentages or points, and significance, that is, the consequences of risks, can be expressed in monetary terms.

  • SWOT analysis

The abbreviation stands for strengths, weaknesses, opportunities and threats. When measuring the effectiveness of the company, SWOT analysis helps you identify strengths (what gives the company an advantage and distinguishes it from competitors) as well as weaknesses and vulnerabilities. It also helps you determine external circumstances and external threats (the various risks, issues and crises that the business may face).

  • The Decision Tree method

This is one of the most popular ways of making decisions under uncertainty. The decision tree is a graphical method that lets you visually relate all the elements of decision making: their consequences, conditions and factors of the external environment. Drawing up a decision tree begins with the earliest, primary decision, after which the possible results and consequences of each action are developed. Each level of the tree thus represents a further increase in the stakes, or degree of risk. Then, based on the information obtained, a decision is made again, and so on until the consequences of all decisions are determined and the risks are minimised.

  • The Fish Bone method, or Ishikawa diagram

This method is a diagram that looks like a fish skeleton. The problem itself is placed in the "head", and those factors that influence the situation are written on the "bones" of the fish. The scheme allows you to understand business processes and reduce risks when planning decisions.

To assess and analyse threats, you should use the following methods:

  • Project Management Risk and Impact Matrix

This is a table whose rows hold the levels of probability that a risk will occur and whose columns hold the levels of its consequences. The magnitude of a risk is easy to see and assess in the cell where its row and column cross.

  • Pareto chart

A Pareto chart is a bar chart sorted in descending order that shows the relative contribution of different factors. From the whole set of causes that give rise to certain consequences, the Pareto chart lets you select the most important ones, that is, those whose influence is the most significant.
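The risk map, the risk and impact matrix and the Pareto chart described above all reduce to the same small amount of arithmetic over a risk register. The following Python is an added example and not part of the article: it scores each risk as likelihood × impact on an assumed 1 to 5 scale, places it in a text-rendered matrix with assumed band thresholds, ranks the register, and then applies a Pareto selection over a constructed expected-loss column. The register entries and all figures are constructed for illustration.

```python
"""Risk map / risk-and-impact matrix with Pareto prioritisation.

Added example, not the article's own material. The register below is
constructed; the 1..5 scales and the band thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample risk register: likelihood and impact on a 1..5 scale,
# expected_loss is a hypothetical annual figure in the company's currency.
RISK_REGISTER = [
    {"name": "Data leak from a misconfigured cloud bucket", "likelihood": 4, "impact": 5, "expected_loss": 250_000},
    {"name": "Late delivery by a key supplier", "likelihood": 3, "impact": 3, "expected_loss": 60_000},
    {"name": "Exchange-rate swing on imported parts", "likelihood": 3, "impact": 2, "expected_loss": 30_000},
    {"name": "Non-compliance with a new data-protection rule", "likelihood": 2, "impact": 5, "expected_loss": 120_000},
    {"name": "Flooding at the warehouse", "likelihood": 1, "impact": 5, "expected_loss": 90_000},
    {"name": "Phishing leading to invoice fraud", "likelihood": 4, "impact": 3, "expected_loss": 45_000},
    {"name": "Loss of a key employee", "likelihood": 3, "impact": 2, "expected_loss": 15_000},
]

SCALE = range(1, 6)  # assumed 1..5 scale for both axes


def risk_score(likelihood: int, impact: int) -> int:
    """Cell value of the matrix: the product of likelihood and impact."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be between 1 and 5")
    return likelihood * impact


def risk_band(likelihood: int, impact: int) -> str:
    """Assumed band thresholds: 15-25 high, 8-14 medium, 1-7 low."""
    score = risk_score(likelihood, impact)
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register: list[dict]) -> list[str]:
    """Order risks by score (descending). Ties are broken by impact, then by
    name, so a rare but severe risk outranks a frequent but mild one."""
    ranked = sorted(
        register,
        key=lambda r: (-risk_score(r["likelihood"], r["impact"]), -r["impact"], r["name"]),
    )
    return [r["name"] for r in ranked]


def build_matrix(register: list[dict]) -> dict[tuple[int, int], list[str]]:
    """Place every risk in its (likelihood, impact) cell, as on a risk map."""
    cells: dict[tuple[int, int], list[str]] = defaultdict(list)
    for r in register:
        cells[(r["likelihood"], r["impact"])].append(r["name"])
    return dict(cells)


def render_matrix(register: list[dict]) -> str:
    """Text rendering: impact on the rows (5 at the top), likelihood on the
    columns. Each cell shows how many risks fall there and the cell's band."""
    cells = build_matrix(register)
    lines = ["impact \\ likelihood " + " ".join(f"{l:>10}" for l in SCALE)]
    for impact in reversed(SCALE):
        row = [f"{impact:>19} "]
        for likelihood in SCALE:
            count = len(cells.get((likelihood, impact), []))
            row.append(f"{count}:{risk_band(likelihood, impact):<8}")
        lines.append(" ".join(row))
    return "\n".join(lines)


def pareto_select(register: list[dict], share: float = 0.8) -> list[str]:
    """Pareto selection: sort by expected loss and take risks until they
    cover the requested share (80% by default) of the total expected loss."""
    total = sum(r["expected_loss"] for r in register)
    if total <= 0:
        return []
    selected, cumulative = [], 0
    for r in sorted(register, key=lambda r: -r["expected_loss"]):
        selected.append(r["name"])
        cumulative += r["expected_loss"]
        if cumulative / total >= share:
            break
    return selected


if __name__ == "__main__":
    print(render_matrix(RISK_REGISTER))
    print("\nPriority order (likelihood x impact):")
    for i, name in enumerate(prioritise(RISK_REGISTER), 1):
        print(f"  {i}. {name}")
    print("\nRisks covering 80% of expected loss (Pareto):")
    for name in pareto_select(RISK_REGISTER):
        print(f"  - {name}")
```

Note the difference between the two rankings on this register: the warehouse flood, with likelihood 1, lands at the bottom of the likelihood × impact ordering, yet the Pareto selection over expected loss still picks it up. A pure product score tends to undervalue rare but severe events, which is one reason the article recommends combining qualitative and quantitative assessment rather than relying on either alone.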

Once the risks are analysed and their consequences are minimised, you can additionally use the planning technique to avoid the most dangerous risks in the future. It is called the Futures Wheel and is a tool that is used to determine the direct and indirect results of a particular strategy, event or decision. The futures wheel is based on the brainstorming method and identifies the consequences of any decision made through a collective search.

Enterprise risk management


Enterprise Risk Management (ERM) is a methodology that looks at risk management globally, that is, from the entire business's point of view. Such a strategy is also aimed at identifying, assessing and preparing for potential losses, hazards, and threats that interfere with the activities and goals of the company and bring loss or reputational damage.

It is vital to understand that enterprise risk management involves a common strategy for the entire organisation. In other words, this is not a specific decision made in a certain situation, but a long-term plan or tactic for working with business processes. Its implementation is ensured by each company employee who performs certain duties in the risk management field. This also implies the definition of roles for each employee, the division of tasks and fields of responsibility, as well as providing some employees with certain powers. Thus, successful ERM strategies can regularly reduce financial, legal, market, operational and other risks.

Risk management framework

During the growth of risk management, special risk management standards were developed. Here are some of the main frameworks, or, as they are also called, risk management systems:

The NIST Risk Management Framework is a federal guide for organisations on assessing and managing risks to their information systems. It was created by the National Institute of Standards and Technology to ensure the security of defence and intelligence networks. Federal agencies are required to comply with this risk management system, but private companies and other organisations can also benefit from following its guidelines.

COBIT, or Control Objectives for Information and Related Technology, is also intended for enterprise information technology management. It was developed by the Information Systems Audit and Control Association (ISACA) to establish proper auditing standards.

The Casualty Actuarial Society (CAS) Framework. The standard was adopted by members of the society of the same name, that is, experts in the insurance and reinsurance of property, accidents and finance and in corporate risk management. Its guidelines help businesses make informed strategic, operational and financial decisions.

There is also an integrated enterprise risk management system COSO Enterprise. The platform was developed with the participation of five COSO member organisations and external consultants and launched back in 2004, after which it was updated to solve the most difficult ERM issues. COSO Enterprise is a set of guidelines or rules established to help companies manage business risks. This system defines the key concepts and principles of ERM and provides clear guidance on risk management. COSO focuses on five components of a risk management system:

  • leadership and culture;

  • strategy and goal setting;

  • performance;

  • analysis and review;

  • communication and reporting.

In conclusion, we can safely say that ERM is an integral part of risk management in business. As the modern business environment evolves, companies must constantly assess and re-evaluate risks and their attitude towards them, but first one should realise that the profitability and success of an enterprise also depend on the risks and threats you choose not to eliminate. Having a sound management system in place helps organisations identify risks and prepare in advance to deal with emerging issues. Thus, it is risk management that makes it possible to strike the necessary balance between risk and security, so that you can pursue your opportunities and minimise negative consequences at the same time.