Risky Business

Operating any business involves risk. It’s important to assess your risks upfront and to plan accordingly to prevent any major disasters.

Risk management is defined as the assessment, mitigation and monitoring of risk. In businesses, risk management entails an organized program dedicated to managing uncertainty and threats. It involves people following defined procedures and using approved tools in order to fully comply with the company’s risk-management policies. During a recession, problems tend to arise more often and be more expensive. As a result, the need for these procedures and tools becomes more clearly defined since costs tend to rise while revenue drops. By managing risk before problems arise, you are in a much better position to face them when they appear.

While the strategies for managing risk—transferring the risk to another party, avoiding the risk, mitigating the effect of the risk, and accepting the consequences of a risk — are fairly uniform, they are applied to a number of different risk types including physical, legal and financial risks, each of which poses its own challenges.

Physical risks include things like fire, flood, injury and other associated disasters. However, physical risks also include things like computer viruses, data loss, communications service disruptions, problems with company vehicles, etc. Legal risk is associated with your exposure to various types of liability from your employees, your customers, the government or even your competition. Financial risks include investments of various sorts, tax issues, payroll problems and the like. They are all different, but they call be dealt with effectively through one, or a combination of, avoidance, mitigation, transfer or acceptance.

The Principles of Risk Management

In determining the ideal risk management program for your company, it would be useful to look at some accepted standards. According to the International Organization for Standardization, any risk management program should:

  • Create value.

  • Be an integral part of organizational processes.

  • Be part of decision making.

  • Explicitly address uncertainty.

  • Be systematic and structured.

  • Be based on the best available information.

  • Be tailored.

  • Take into account human factors.

  • Be transparent and inclusive.

  • Be dynamic, iterative and responsive to change.

  • Be capable of continual improvement and enhancement.

The Process of Risk Management

ISO/DIS 31000 “Risk management – Principles and guidelines on implementation” provides a road map that can be used to create a comprehensive risk management program. Depending on the size and complexity of your business, these steps could be simple, casual things or highly detailed analyses.

Establishing the context. This involves identifying risk in an area of interest; planning the process; mapping out the social scope of the risk management actions, the identity and objectives of stakeholders, and the basis for risk evaluation, and any constraints; defining a framework for the activity and an agenda for identification; developing an analysis of risks involved in the process; and the mitigation of risks using available technological, human and organizational resources.

Identification. Risks are events that cause problems. Therefore, one begins to identify risks by looking at either the source of the problem, or at the problem itself. When either of these is known, the events that can lead up to a problem can be investigated. Common methods include objectives-based risk identification, scenario-based risk identification, taxonomy-based risk identification, common-risk checking, and risk mapping.

Assessment. Once identified, risks must be assessed as to their potential severity of loss and to the probability of occurrence. These quantities can be either simple to measure, as in the case of the value of a lost building; or impossible to know for sure, as in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the most educated guesses possible in order to properly prioritize the implementation of the risk management plan.

Risk Treatment Options. When the risks have been identified and assessed, the next step is to do something about them. The strategies used to manage risk fall into one or more of the following categories: avoidance (eliminate the risk entirely), reduction (mitigate the risk’s potential damage), transfer (outsource or insure against the risk), or retention (accept the consequences and budget for the cost of the risk). You will need to select the appropriate controls or countermeasures to measure each risk. Finally, accountability in executing these options is always necessary. Therefore, a good risk management plan should contain a schedule for control implementation that identifies the people responsible for that implementation.

Risk management is an ongoing process of improvement that allows you to run the tightest ship possible. By concentrating on the three areas where risk management applies most — the physical, the legal and the financial — you will be in a better position to face problems, solve them quickly and control their costs. —Charles Cooper

Is this topic relevant to your small business? Discover more for FREE through our print version.

Reader Comments

There are currently no comments. Be the first to leave a comment!

Copyright © 2009 - 2024 America's Best. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

FREE Trial Issue