What is Risk Management?
In global business, risk management provides a hedge for operating in a world filled with uncertainty. It is the process of identifying, assessing, managing, and controlling events which have the potential to derail business as usual. Financial market shocks, changes in regulatory requirements, and natural disasters are examples of risk events which require careful planning and mitigation. Whilst the foremost objective of risk management is minimizing the negative impact of downside risk, events may play out to be in favor of your business, in these instances positive upside risk should be maximized. A broad categorization of potential risks includes strategic risks, financial risks, operational risks, compliance, and security risks. The risk management process ensures that risks of all sizes and impact are systematically analyzed, and an appropriate response strategy is formulated and applied when needed.
Why is Risk Management Important?
The success of a business is dependent on the quality of decisions made, which is particularly important in the face of uncertain events. A clearly defined risk management process, which is well governed, provides a business with the data needed to make crucial decisions when tumultuous events occur. Apart from mitigating for unforeseen and unfortunate events, the process can also play a critical role in revealing areas of improvement in enterprise-wide operative processes. For example, if your company does not have an established process for managing cash flow forecasting, investment in treasury software applications can be made to remedy an impending crisis in liquidity management. An example of a positive risk would be implementing a new API-drive technology, which will see a company reap upside efficiency rewards far into the future.
The 5 Key Concepts of Risk Management
To get started with formulating a risk management process, we will first take a closer look at the five key concepts related to risk management: risk management planning, risk identification, risk assessment, risk response planning, and risk monitoring and controlling.
- Risk Management Planning
Understanding your company’s overall business strategy and current operative processes is key identifying potential sources of risk. The right stakeholders should be invited to participate in the risk management planning step, to ensure that the resulting risk management strategy does not suffer any gaps. The initial planning phase is used to determine how the risk management process will be implemented, reported on, and governed. Agreeing on high-level risk evaluation criteria at this stage, acts as a primer for deeper discussions around risk assessment and response planning later. Careful attention to prior planning increases the likelihood for success across the risk management process.
- Risk Identification
A significant amount of time should be spent on this step, assessing all areas of the business which may be vulnerable to risk. All risks that will have a considerable negative impact should be clearly outlined and documented, as these serve as important inputs into the subsequent steps of the process. SWOT analysis and documentation reviews can serve as a good starting point for risk identification. Additional tools and techniques include brainstorming, Delphi Technique, and root cause analysis. Risk identification is an iterative process which frequent review and updates.
- Risk Assessment
After identifying and documenting identified risks, a method of risk assessment needs to be formulated and applied. There are various risk assessment methodologies which a business can use depending on the industry in which it operates, the most common techniques are qualitative and quantitative risk assessments. Qualitative risk assessments examine the impact and probability, to determine if a risk can be categorized as high, medium, or low. A risk assessment matrix can be used to numerically assign values to quantitative risks, with impact reflected on the x-axis and probability on the y-axis. Risk identification and assessment workshops should be held with the stakeholders involved in the risk management planning phase, to ensure all areas of risk have been covered.
- Risk Response Planning
The risk response plan details how a corporate will respond to the risks identified and assessed. Risk response strategies should be crafted to ensure that negative risks are minimized or eliminated, and positive risks are maximized to capture full benefit. A risk response plan provides clear guidelines of which events trigger a risk response, and the action to be taken if the event occurs. Assignment of team members as owners to a risk response strategy drives ownership of execution and ensures appropriate action is taken at the right time. Risk response strategies include risk avoidance, risk transference, risk mitigation, and risk acceptance, each of which will be discussed in more detail later.
- Risk Monitoring
The final step in the risk management lifecycle, risk monitoring, serves as a good point of reflection on the overall risk management process. At this point a company will be able to measure the success of the entire process, based on the success of the execution of its risk response strategies. Here is a sampling of questions that can be asked during the risk monitoring process:
- Is there active tracking of identified risks?
- Have we updated the risk prioritisation matrix with emerging risk factors?
- Has a risk event occurred, and a response strategy triggered?
- How effective are the contingency plans based on current business conditions?
Risk Management Strategies
How each of the identified and assessed risks will be handled is defined within a risk response plan. The treatment applied to each risk has the potential to mitigate serious consequences for a business, which means that each strategy should be carefully considered prior to assignment to a risk event. Let’s take a closer look at each strategy, which will help determine which is the best for you to use, given the types of risks unique to your organization.
Risk Avoidance is not engaging in an activity that is compromising or may introduce a risk, at all costs.
- Risk avoidance eliminates risks entirely and does not aim to reduce the risk.
- This strategy could be justifiable if the activity results in exposure that negatively impacts the company financially or legally.
- It is important to carefully consider the potential benefits which may result if the risk is taken. If the reward outweighs the risk, avoidance may not be the optimal strategy to apply.
Scenario: A company’s business model involves handling sensitive customer and employee data, which is stored to its database.
Strategy: The company may need to limit the type of customer data saved, to be in compliance with privacy and security regulatory requirements (e.g., GDPR law in the EU), thus avoiding the risk of non-compliance entirely.
Risk Transference involves the transfer of the risk from one entity to another, usually via a contractual agreement.
- The liabilities generated by the risk are transferred to a 3rd party.
- Should not be confused with risk sharing / distribution, which involves the sharing of risk derived gains or losses amongst two or more parties, according to an agreed pre-defined formula.
- Disadvantage: expensive and time consuming
Scenario: A global company transacts in foreign exchange-based contracts and financial instruments pegged to floating or fixed interest rates. Market uncertainty presents the likelihood of interest rate and exchange rate risk.
Strategy: The company’s treasury team can choose a risk transfer approach by purchasing derivatives to hedge against the financial risk.
The focus of risk mitigation is to reduce the probability of the risk from occurring.
- Although all identified risks cannot be eliminated, a mitigation plan can lessen the severity of the risk
- A contingency plan can be created for risks that are low probability but high impact, such as a pandemic or natural disaster.
- Example: managing project costs within budget
Scenario: Poor communication between stakeholders on a project can impact the deliverables, cause missed milestones, and an overall unwanted project delay.
Strategy: Easy to use, real-time project management tools can be introduced to facilitate better communication amongst the stakeholders to the project. Regular progress calls with the relevant stakeholders, supplemented with a reporting dashboard ensures that important milestones and action items are discussed.
Risk Acceptance is when the potential loss from a risk is not great enough to warrant spending money to avoid it.
- The risk assessment matrix is used to categorize and identify the risks which are both low probability and low impact.
- If a risk falls into this category, a business or project team may decide to retain the risk.
- If a risk is retained, no effort is given to reducing or mitigate the risk, since the costs of doing so outweigh the benefits derived.
- All options should be considered before a risk is accepted, and the risk should still be noted and monitored on a risk register.
Scenario: Purchasing of software required for a project has a 5% probability of being delays and thus impacting the implementation timelines.
Strategy: Make note of the risk on the risk register and closely monitor if any procurement delays occur, with a negative impact on the timeline. If delays occur, consider applying a risk mitigation strategy to reduce the impact.
Risk Management: Weighing the Advantages and Obstacles
Corporates of all types and sizes benefit from engaging in risk management, thus futureproofing against disastrous consequences of unforeseen events. As with all corporate processes, there are advantages and obstacles to consider when carrying out risk management activities.
- Timeous identification of risks which may not seem apparent from the outset
- Inspires confidence in the execution of the organization’s goals and strategic objectives
- Provides insightful data for the purpose of executive decision making
- Ensures regulatory compliance standards are met
- Enhances the efficiency of enterprise operations and limits potential liability
- Preserves financial resources and promotes workplace safety
- Coordinating company stakeholders for risk management planning
- Ensuring that there are no gaps in the risk identification process
- Achieving consensus on impact of the risk and applying the most appropriate response strategy
- Level of accuracy when measuring quantitative and qualitative risks
- Lack of risk management best practice awareness
- Consistent risk monitoring and refactoring regulatory compliance requirements
The Role of Real-Time Technology in Managing Risk
In a fast-evolving situation, speed of execution is crucial. The company needs to stay on top of any changes and act rapidly to address the risks. As such, real-time technology has an important part to play in strengthening a company’s risk management capabilities.
With the right technology in place, companies can enhance their ability to apply the right measures as quickly as possible. Real-time technology can also give companies the tools they need to spot any instances of fraud at the earliest opportunity.
Visual tools can play an important part in protecting the company from the risk of an adverse event. Dynamic graphs and charts can present an opportunity to spot any changes in the company’s debits and credits, making it easier to carry out trend analysis.