What is a Risk Management Strategy?
A risk management strategy provides a structured and coherent approach to identifying, assessing and managing risk. It builds in a process for regularly updating and reviewing the assessment based on new developments or actions taken. A risk management strategy can be developed and implemented by even the smallest of groups or projects or built into a complex strategy for a multi-site international organisation.
The process of identifying and reviewing the risks that you face is known as risk assessment. By assessing risks you are able to be actively aware of where uncertainty surrounding events or outcomes exists and to identify steps that can be taken to protect the organisation, people and assets concerned. How this is achieved and the level of detail which is considered can vary between organisations. In many circumstances, where staff or volunteers have a more hands-on role in the organisation, the Management Committee may not carry out the risk assessment themselves.
Example 1:
Implementing a risk management strategy in a small organisation
Lone Fathers Action Group set aside one committee meeting per year to review the major risks faced by the group. One committee member has responsibility for risk management and facilitates the discussion. They ensure that the discussion is documented and use subsequent meetings to check progress against actions. Every 6 months this committee member reports to the committee on any changes in the levels of risk faced.
Example 2:
Implementing a risk management strategy in a large organisation
In Tree Conservation International, risk management is one of the key responsibilities of the Assistant Director. They provide training for each manager within the organisation to ensure that risk assessment is built into their working practices and to enable them to carry out annual risk assessments of each project, using the organisation’s templates. These are then collated by the Assistant Director to enable Senior Managers to discuss and assess the overall risks to the organisation. A prioritised profile of the top 30 risks is then presented to the Management Committee for their consideration to ensure they are happy to accept the risks to the organisation and approve the actions being taken. This process usually takes 2 months. Progress is reviewed after 6 months with a report sent to the Management Committee. Risks are reassessed annually.
Conducting risk assessment
Regardless of who carries it out, risk assessment should be:
- systematic;
- recorded; and
- regularly reviewed.
Make a Plan
Every business should have a solid risk management plan. Here’s a guide to putting one together.
The format can vary widely, depending on your company’s needs. A risk management plan for a large, complex business could easily run to hundreds of pages, while a small business might just have a small spreadsheet focusing on the main items.
There are a few essential items to include in a risk management plan, however. Here they are:
- a list of individual risks
- a rating of each risk based on likelihood and impact
- an assessment of current controls
- a plan of action
Let’s look at each of those in turn. If you’ve been following the series so far, you’ll notice that we already covered the first two items in the last tutorial. So we’ve got a good head-start on our plan already. Here’s the sample table we put together last time:
Risk | Likelihood | Impact | Risk Score |
---|---|---|---|
Key client XYZ Corp is late paying its invoice. | 5 | 2 | 10 |
Loss of power for more than 24 hours. | 1 | 3 | 3 |
Our COO Janet leaves the company. | 4 | 4 | 16 |
A new competitor undercuts the price of our main product. | 2 | 5 | 10 |
Scathing product review from an influential magazine/website. | 3 | 2 | 6 |
Your full plan will of course have a lot more items, but this example at least illustrates the format. You can refer to the other tutorial for more details about what each score means.
So to complete our risk management plan, we just need to add two more columns to our table.
The first new column is an assessment of current controls. For each of the risks you’ve identified, what are you currently doing to control that risk, and how effective is it?
For example, let’s look at the first item on our table: “Key client XYZ Corp is late paying its invoice.” Maybe you are already controlling for that risk by having automated reminders sent out when the invoice is close to its due date, and having one of your staff members responsible for following up personally with phone calls and emails. You’d list those as existing controls on your risk management plan.
So the next step is to consider the effectiveness of those actions. How well are things working right now? If your client almost always pays on time, for example, then your controls are effective. But if XYZ Corp has been late with its payments two or three times already this year, the controls are inadequate. Again, you could use a simple five-point scale here:
- very inadequate, or non-existent
- inadequate
- satisfactory
- strong
- very strong
Then the final element of your plan details the action you plan to take in order to manage the risk more effectively. What could you do, either to reduce the likelihood of that event happening, or to minimize its impact when it does happen?
This last item is a little more complex, so we’ll look at it in some more detail in the next section of this tutorial.
Decide How to Handle Each Risk
So at this point in the series, we’ve identified all the main risks in our business, prioritized them based on likelihood and impact, and assessed the effectiveness of our current controls.
The next step is to decide what to do about each risk, so that we can manage them best. In the world of risk management, there are four main strategies:
- Avoid it.
- Reduce it.
- Transfer it.
- Accept it.
Each strategy has its own advantages and disadvantages, and you’ll probably end up using all four. Sometimes it may be necessary to avoid a risk, and other times you’ll want to reduce it, transfer it, or simply accept it. Let’s look at what those terms mean, and how to decide on the right classification to use for each of your own business risks.
Avoid the Risk
Sometimes, a risk will be so serious that you simply want to eliminate it, for example by avoiding the activity altogether, or using a completely different approach. If a particular type of trading is very risky, you may decide it’s not worth the potential reward, and abandon it.
The advantage of this strategy is that it’s the most effective way of dealing with a risk. By stopping the activity that’s causing the potential problems, you eliminate the chance of incurring losses. But the disadvantage is that you also lose out on any benefits. Risky activities can be very profitable, or perhaps have other benefits for your company. So this strategy is best used as a last resort, when you’ve tried the other strategies and found that the risk level is still too high.
Reduce the Risk
If you don’t want to abandon the activity altogether, a common approach is to reduce the risk associated with it. Take steps to make the negative outcome less likely to occur, or to minimize its impact when it does occur.
With our earlier case, “Key client XYZ Corp is late paying its invoice”, for example, we could reduce the likelihood by offering an incentive to the client to pay its bills on time. Maybe a 10% discount for early payment, and a penalty for late payment. Dealing with late-paying customers can be tricky, and we covered it more in our tutorial on managing cash flow more efficiently, but these are a couple of options.
In the same example, we could reduce the impact by arranging access to a short-term credit facility. That way, even if the client does pay late, we don’t run out of money. For more on short-term borrowing options like factoring and lines of credit, see our tutorial on borrowing money to fund a business.
This is probably the most common strategy, and is appropriate for a wide range of different risks. It lets you continue with the activity, but with measures in place to make it less dangerous. If done well, you have the best of both worlds. But the danger is that your controls are ineffective, and you end up still suffering the loss that you feared.
Transfer the Risk
We’re all familiar with the concept of insurance from our everyday lives, and the same applies in business. An insurance contract is basically a transfer of risk from one party to another, with a payment in return.
When you own a home, for example, there’s a big risk of losses from fire, theft, and other damage. So you can buy a home insurance policy, and transfer that risk to the insurance company. If anything goes wrong, it’s the insurance company that bears the loss, and in return for that peace of mind, you pay a premium.
When you own a business, you have the option to transfer many of your risks to an insurance company as well. You can insure your properties and vehicles, and also take out various types of liability insurance to protect yourself from lawsuits. We’ll look at insurance in more detail in the next tutorial in the series, but it’s a good option for dealing with risks that have a large potential impact, as long as you can find an affordable policy.
Accept the Risk
As we’ve seen, risk management comes at a price. Avoiding a risk means constricting your company’s activities and missing out on potential benefits. Reducing a risk can involve costly new systems or cumbersome processes and controls. And transferring a risk also has a cost, for example an insurance premium.
So in the case of minor risks, it may be best simply to accept them. There’s no sense investing in a whole new suite of expensive software just to mitigate a risk that wouldn’t have had a very big impact anyway. For the risks that received a low score for impact and likelihood, look for a simple, low-cost solution, and if you can’t find one, it may be worth simply accepting the risk and continuing with business as usual.
The advantage of accepting a risk is pretty clear: there’s no cost, and it frees up resources to focus on more serious risks. The downside is also pretty clear: you have no controls in place. If the impact and likelihood are minor, that may be fine. But make sure you’ve assessed those things correctly, so that you don’t get a nasty surprise.