Don’t Run Your Business Without It!
Can you afford to manage a business without knowing the risks? Of course not! But suppose you decide to, for whatever reason, to not take risk management very seriously. What could happen? Naturally, your business could fail; that’s probably the worst case. Your business could be acquired by someone else that extracts the worthwhile parts and employees and scraps the rest. The business could simply float along in the river, doing very little but surviving. Could your business also become magically successful without risk management? Anything is possible of course, and it would probably be the stuff of MBA team projects or business books.
Now that we have established that risk management could play a role in your organization’s present and future, let’s identify the activities that you should follow if you want to do it right. First, it’s essential to have senior management buy-in and support. Next, you will want to understand how your business functions at an operational level. That means examining things like supply chains, business processes, staffing, finances and competition. In other words you must really understand the ins and outs of your organization and how it operates. This way you can better identify where the risks and vulnerabilities may exist.
Next step is to conduct an operational risk assessment, which means you identify internal and external risks, threats and vulnerabilities; evaluate their likelihood of occurring and their impact to the firm; and then identify how you will deal with them. You can accept them, mitigate them or avoid them. This is where things like insurance can be used to accept or mitigate risks.
More importantly, use the model developed by U.S department of defense, which defines the operational risk management (ORM) as the following principles:
- Accept risks where benefits outweigh the costs
- Accept no unnecessary risk
- Anticipate and manage risk by planning
- Make risk decisions at the right level
If you can clearly see, through analysis, that the potential outcomes (e.g. increased revenue) of a specific risk or threat are more significant than the cost needed to manage the risk, then the decision should be to assume the risk. And if you have performed a sufficiently robust risk analysis, you should be able to identify most operational risks and vulnerabilities, further be able to identify those situations that will clearly not benefit your organization, and then manage through those risks. Risk data can and should be used to enhance planning activities. After all, if you know where the risks exist, you ought to be able to design business plans that address the risks, avoid them or leverage them to your advantage. Finally it is essential to know at what level business decisions need to be made in an organization. Results of the risk analysis may indicate that some decisions won’t need to be escalated to the highest levels in the company, while others clearly must have top level management approval.
In summary, a successful business should regularly assess its risks, no matter how well the company is performing. In fact, probably the best time to take a closer look is when things are going well. This way you may be able to identify a situation that, at the moment, is under the radar and would otherwise be considered of little consequence. And ignorance of such a situation could lay the groundwork for a business ending catastrophe. Don’t wait until operations are going under. Schedule and conduct regular risk assessments to keep your business running at its best.