Risk – uncertainty – is a necessary part of life. Organizations have to make decisions and execute in the face of that uncertainty. To deal best with that uncertainty, smart organizations adopt risk management.
The Risk Management Process. To institute effective risk management, senior management must commit to the idea of assessing and addressing risks on a firm-wide, coordinated basis. The owners (or the board of directors of the organization) must make a firm commitment to act. With that commitment in place, the risk management process has seven steps:
1. Identify. The first step in the risk management process requires the organization to identify the risks that it faces. This requires input from owners, management, and employees. It also should include input from experts outside the organization, to make sure that risks are being assessed and captured.
After the organization has identified the risks it faces, it is ready for the next steps.
2. Develop (or Exploit). Not all risk is bad. Where an organization identifies areas that may create value for its stakeholders, it may wish to commit additional resources to these efforts. Usually, this can be done using pilot programs, so that opportunities can be explored incrementally, without endangering current programs.
3. Avoid. In addition to exploiting opportunities (upside risks), the organization should avoid actions that pose threats that the organization could not or does not want to handle. The organization may choose to terminate certain initiatives, scale them back, delay, or retool.
4. Mitigate. After deciding to exploit some opportunities and avoid other actions that pose unreasonable threats, the organization is faced with a set of remaining risks. Here, the task becomes mitigation. This is different from wholesale avoidance. Avoiding means not doing. Mitigation involves doing, but making a potential impact less severe in terms of magnitude, likelihood, or speed of onset. A firm can adopt systems and processes to make best practices a matter of routine. And it can adopt simple processes to ensure that it logs its mitigation efforts, so that the organization measures and evaluates results.
5. Shift. The next step involves shifting risk. Insurance may play a role at this step, but insurance is not the only way of shifting risk. An organization might also shift its risks by joint venturing with some partner or by changing its contractual relations with vendors or customers.
6. Absorb. After everything else is done, the organization will face residual risk. No organization can predict, plan for, and control every eventuality. But if an organization has engaged in the process above, it will be more resilient in the face of threats and opportunities.
7. Reassess and Repeat. Finally, risk management is not a one-time activity. To be effective, risk management requires reassessment. The organization identifies the risks it faces. It takes steps to address those risks, then accounts for what works and what needs improvement. By incorporating ongoing risk management into its activities, the organization gains clarity, peace of mind, and value.