Managing business risks in a fast-changing and unpredictable world
In today's world, risk is becoming increasingly prominent and complex. A quick review of recent headlines makes this abundantly clear. From the impacts of COVID-19 and cybersecurity threats to natural disasters and active shooters, a change in how we manage risk is a shared theme that connects them all.
Risk is the effect of uncertainty on business objectives. We encounter risk daily, but do we know how to manage it? From a personal standpoint, we know that to avoid an accident when driving, you should obey traffic signs. Common sense tells us that to prevent a fire, we should turn off the stove when it is not in use. These are normal behaviors that lessen the probability or severity of an expected loss such as a car crash or a fire.
But what about those events that we do not expect or rarely consider? Businesses, much like individuals, encounter and manage risks daily. Identifying the risks that can keep an organization from prospering is essential. However, not all risk management efforts will be successful. A major issue with COVID-19, for example, was that while businesses planned for known risks, they failed to place importance on the less likely but potentially catastrophic risks.
Failure to recognize or plan for the unexpected has led to the demise of many businesses. Could some of those businesses have survived COVID-19 or other unlikely and unexpected events? Organizations that recognize the importance of risk management are more likely to succeed. Management of common risks, as well as of risks that are less likely to occur but are potentially catastrophic, should become an organization's "new normal." As such, businesses must incorporate a risk-management plan into their standard operating procedures to prepare for the unexpected.
A better way to manage risk
Historically, risk management was a term used to describe the management of insurable risks. Companies documented insurable risks and put loss control measures in place to reduce any negative outcome. Risks of this kind are referred to as pure risks, meaning there is only a chance of loss, never of gain.
Risk management today has a broader focus, and risks that can be covered by a traditional insurance policy are only part of the picture. Not only are risks constantly evolving, but risk practitioners must also consider speculative risks. Stock prices could go up or down. Products could be recalled or become obsolete. New markets could be developed, paving the way for future growth. These examples, commonly referred to as risk opportunities, could have an upside or a downside impact on an organization.
In addition to expanding how risk is defined, firms should ensure that their risk discussions are strategic. Leaders in each department throughout an organization have the greatest awareness and knowledge of the risks that could impact their specific area, but they are not always consulted. This can result in risk silos, where risks are not communicated widely, leaving gaps in a company's understanding of risk at a high level.
It is also important to consider risks within the context of strategic objectives. Companies should take a coordinated approach to the identification of organizational risks, encouraging open dialogue centered on the organization's strategic objectives and the risks that could derail those objectives. This involves moving risk from an insurance-only discussion to one that includes business leaders from across the organization. The result is a broader perspective on organizational risks that, once identified, can be managed more effectively. This expanded approach to managing risk is called Enterprise Risk Management, or ERM.
Using categories to help identify areas of risk
Every business has its own unique set of challenges. Understanding these challenges provides the framework for risk identification. Companies should categorize their risks and logically group them to allow for more focused discussions, selecting and adapting risk identification categories to fit their organizational structure.
Some common categories of risk include, but are not limited to, strategic, operational, and hazard risk. For example, an "operational" category may include human resources, IT, finance, and administration risks; the focus here is on risk arising from the activities of individuals or from the operations of the organization. A "strategic" category may include competitive, economic, political, legal, and environmental risks. A "hazard" category will focus on areas such as workers' compensation, liability, and property damage; hazard risks are often associated with insurance. Once companies establish the methodology that makes sense in their context, their next step is to bring business leaders together for more focused risk-management discussions as appropriate. Remember, each risk group can have both upside and downside risks to consider. In addition, there may be risks so inherent to certain organizations that they warrant their own unique category. Once firms have identified their areas of risk, they will need to analyze them through risk assessment.
Risk assessment must include reasonable assumptions and relevant data
Companies must analyze each risk to determine its impact on the organization as well as the likelihood of occurrence. Quantitative analysis, such as a review of financial data (income statements and balance sheets, litigation reports, and retention levels), is one way to measure some risks. Qualitative assessment covers other risks, such as determining management's appetite for risk, innovation and marketing, compliance and regulatory risks, human capital risks, competition, and operational risks. Both qualitative and quantitative analysis produce valuable risk management data. As each risk is identified, what will its impact be on meeting the organization's strategic objectives? Business leaders should ask these questions to assess the full impact of each risk:
1. What is the probability that the identified risk will occur?
2. If it did occur, what would be the severity of the loss?
3. How does the identified risk impact my organization's strategic objectives?
4. Is the identified risk systemic, meaning it has the potential to reach beyond the organizational level?
The hidden costs inherent in risk
Cost is a factor in most business decisions. The direction an organization moves, or doesn't move, can impact its bottom line. For example, suppose an organization notices a trend of an increasing number of vehicle accidents. This trend has increased the costs associated with repairs to the vehicles involved as well as the costs associated with bodily injuries. An investigation reveals that the accidents are primarily the result of driver inattention.
Installing a camera in each vehicle, along with a computerized device that monitors speed and other driving habits, can help prevent further accidents and their associated costs. The initial cost of purchasing the devices may be substantial, but vehicle accidents should decrease over time as a result. Companies should compare the cost of the devices against the savings estimated from the expected reduction in losses, and consider the hidden costs of each alternative. In our example, reputational damage and societal impact can be hidden costs arising from the vehicle accidents, while equipment maintenance and employee morale could be costs associated with the decision to purchase the monitoring equipment.
The same process holds true when determining a risk retention level for insurance coverage. Some risks can and should be retained, while others would be better addressed by insurance. A cost-benefit analysis often includes not only monetary costs but also factors to which dollar values are hard to assign, such as the effect on reputation or the specialized services often offered by insurance companies and brokers.
The ERM process
The Enterprise Risk Management process is a continuous, structured, and integrated framework used to assess challenges that may pose a threat to an organization, its people, its assets, and the community. The basic steps in the ERM process are:
- Identify risks
- Analyze risk
- Evaluate risk treatment options
- Select and implement risk treatment options
- Monitor and review
Imagine this scenario: Payroll suddenly experiences an influx of employees calling to say their paychecks never arrived in their bank accounts. An email-based phishing scam is identified as the culprit. The risk is analyzed, and viable options to treat it are determined, weighing the cost and effectiveness of each treatment against the potential impact and likelihood of further occurrences. The options selected include employee training on phishing scams, simulated phishing emails, and multi-factor authentication. The controls are put in place, the number of phishing victims is tracked, and the controls are continuously reviewed to evaluate their effectiveness.
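The steps above, the four assessment questions (probability, severity, strategic impact, systemic reach) and the cost-benefit comparison of treatment options including hidden costs and retention versus insurance, can be carried through as a small risk register. The following Python is an added example written for this page, not code from the article or any ERM product; every risk, figure, and treatment option in it is constructed for illustration, and the assumption that independent controls reduce likelihood multiplicatively is a modelling choice, not something the article states.

```python
"""Added example (not from the article): a minimal ERM risk register that applies
the four assessment questions, ranks risks, and picks the treatment set with the
best net benefit. All names and figures below are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable


@dataclass(frozen=True)
class Risk:
    name: str
    category: str          # e.g. "operational", "strategic", "hazard"
    probability: float     # Q1: annual likelihood, 0..1
    severity: float        # Q2: loss per occurrence, in currency units
    strategic_impact: int  # Q3: 1 (none) .. 5 (derails an objective)
    systemic: bool         # Q4: reaches beyond the organization

    def expected_loss(self) -> float:
        """Annualized expected loss = likelihood x severity."""
        return self.probability * self.severity


@dataclass(frozen=True)
class Treatment:
    name: str
    annual_cost: float                   # visible cost: licences, premiums, hours
    hidden_cost: float = 0.0             # estimated intangible cost (morale, upkeep)
    probability_reduction: float = 0.0   # fraction of likelihood removed (mitigation)
    severity_reduction: float = 0.0      # fraction of loss removed (transfer/insurance)


def residual_loss(risk: Risk, treatments: Iterable[Treatment]) -> float:
    """Expected loss after applying treatments.
    Assumption (ours, not the article's): reductions act independently,
    so they combine multiplicatively."""
    p, s = risk.probability, risk.severity
    for t in treatments:
        p *= 1.0 - t.probability_reduction
        s *= 1.0 - t.severity_reduction
    return p * s


def rank_risks(register: Iterable[Risk]) -> list:
    """Order by expected loss, then strategic impact, then systemic reach, so a
    rare but catastrophic risk is not buried beneath frequent small ones."""
    return sorted(
        register,
        key=lambda r: (r.expected_loss(), r.strategic_impact, r.systemic),
        reverse=True,
    )


def best_treatment_set(risk: Risk, options: list) -> tuple:
    """Evaluate every subset of options against retaining the risk untreated and
    return (names, net benefit) where net benefit = loss reduction - total cost.
    Hidden costs are charged alongside the visible ones."""
    baseline = risk.expected_loss()
    best_names, best_net = frozenset(), 0.0   # start with "retain as is"
    for k in range(1, len(options) + 1):
        for subset in combinations(options, k):
            reduction = baseline - residual_loss(risk, subset)
            cost = sum(t.annual_cost + t.hidden_cost for t in subset)
            net = reduction - cost
            if net > best_net:
                best_names, best_net = frozenset(t.name for t in subset), net
    return best_names, best_net


# Constructed register (illustrative figures, not data from the article).
PAYROLL_PHISHING = Risk("payroll diverted by phishing", "operational", 0.6, 80_000, 4, False)
FLEET_ACCIDENTS = Risk("fleet vehicle accidents", "hazard", 0.9, 30_000, 2, False)
PANDEMIC_CLOSURE = Risk("pandemic closes main site", "strategic", 0.02, 2_000_000, 5, True)
REGISTER = [FLEET_ACCIDENTS, PAYROLL_PHISHING, PANDEMIC_CLOSURE]

# Constructed treatment options for the phishing risk: three mitigations and one transfer.
PHISHING_OPTIONS = [
    Treatment("security awareness training", 2_000, hidden_cost=500, probability_reduction=0.3),
    Treatment("simulated phishing campaigns", 1_000, probability_reduction=0.2),
    Treatment("multi-factor authentication on payroll portal", 6_000, hidden_cost=1_000,
              probability_reduction=0.7),
    Treatment("cyber insurance (transfer)", 10_000, severity_reduction=0.8),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.expected_loss():>12,.0f}  {r.category:<12} systemic={r.systemic!s:<5} {r.name}")
    chosen, net = best_treatment_set(PAYROLL_PHISHING, PHISHING_OPTIONS)
    print("selected:", sorted(chosen), f"net benefit {net:,.0f}")
```

With these constructed figures the ranking places the low-likelihood pandemic closure second, ahead of the frequent fleet accidents, because its expected loss and strategic impact are larger, which is the article's point about rare but catastrophic events. For the phishing risk the search selects all three mitigations and leaves the insurance option out, since the premium exceeds the extra loss it would remove once the controls are in place; changing the severity or premium is enough to flip that retention decision, which is why the comparison has to be redone whenever the inputs change, as the monitor-and-review step requires.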
Demonstrating the value of ERM
Enterprise Risk Management may seem like an obvious choice, but before getting started, companies must have buy-in from senior leadership and individual employees alike. This mutual understanding is what is referred to as an organization's "risk culture." Understanding the benefits and being able to communicate them in meaningful ways is key to any successful risk-management program. Individuals need to understand why they should care about something before committing resources and time. In summary, ERM:
- Supports a reduction in an organization’s overall cost of risk
- Supports innovation
- Creates efficiency
- Fosters integrity
- Improves outcomes
- Assists with organizational planning and decision-making
- Establishes risk ownership and accountability
- Details lines of communication
- Identifies Å·²©ÓéÀÖ tools and resources for successful implementation
But presenting a list of bullet points is not enough. Instead, business leaders need to demonstrate the value of ERM in a way that is tailored to the organization's audience and tied back to real-life scenarios, such as case studies of risk events that similar organizations have experienced. Through such examples, impacts can be better understood and subsequent conversations about risk will be more robust. This is especially true when risk is set within the context of how it could prevent an organization, a department, or an individual from achieving its goals and mission. Companies should present value using various metrics, including intangibles such as reputation and social good alongside financial loss. This step is crucial: many well-intentioned ERM programs meet their demise through a failure to properly communicate, educate, and achieve buy-in.
Building a more resilient future
The COVID-19 pandemic and "the new normal" that came with it are not just a buzzword but an actuality. Companies now need to consider the existence of unanticipated risk in a connected modern world, which changes the approach to assessing uncertainty and its potential impacts, not just for organizations but for society as a whole. Thankfully, risk management as a practice is evolving along with the very challenges it aims to manage.
As we work to build a more resilient future, it is clear that not every risk has an insurance solution, and not every risk will be identified in advance. It is also clear that firms can no longer afford to ignore rare but potentially catastrophic events.
Complicating matters is the fact that risk measurement and assessment are not an exact science. Subjectivity leads us to over- or underestimate risk based on our perceptions, experiences, fears, and incentives.
It is imperative that companies systematically recognize these facts as we continue to evolve the practice of managing risk, just as the risks themselves evolve. A holistic, integrated risk-management strategy can improve organizational outcomes by fostering communication and helping companies recognize their blind spots. Importantly, the risk management process must begin with proper context and buy-in. The complexities and rewards of ERM are worth the pragmatic and thoughtful approach required as we continually strive to be better prepared in a fast-changing and unpredictable world.