The good news is that as a business owner, it is up to you to determine how much risk you can afford to take. Understanding your risk appetite is an area that will help you navigate through the sea of business ownership.This blog is instructional. It will give you the basics of risk management in a manner that can be applied to everyone and any size of business. Before I start risk management with a client, I have always done my homework and reviewed the industry in which they operate. The information that I am looking for are any events that may have occurred with other operators, current or older. The other activity that I complete is a PEST analysis and competitor analysis. This gives me a clear picture of any risks that may occur in the external environment. I often find that unless a business is very mature, the potential impact of changes in the external environment that can’t be controlled are often overlooked until they are a problem.
With this information in hand, I sit with owners to perform risk management. Our first task is always to identify anything that they feel might impact their business. It is of little importance to worry about whether these thoughts are far-fetched. Anything that comes to mind is worth noting. This, my friend is the beginning of a risk register.
Before we progress, it is important to understand that risk is both positive and negative, so we do in fact want to welcome risks and opportunities. Quite often we can work a negative risk and turn it into an opportunity… but let’s talk about that later.
With a risk register in place, it is now time to achieve an understanding of my client’s risk appetite. Think back to when I completed my own research prior to first meeting the client. This is important now. To create a risk matrix, we need to understand what the client thinks is an acceptable risk, and match it to the outcomes of the PEST analysis. This helps us to create our risk tiers or what can be considered negligible to catastrophic. This is considered in line with financial, safety and reputation impacts. Using probability and consequence, we match these to the risk register. Remember when we spoke about far-fetched risks? Unless the office is located next to an aircraft hangar, risks such as a plane crashing into the building can be considered low probability (although significant if this came to fruition). It is clear, we don’t need to spend much time analysing this sort of risk. If need be, we can watch-list the risk and if an airport is built next door, then we can reassess.
Once we have evaluated the probability and consequence of each risk, we have a workable risk register. Anything with a probability, or likelihood, of greater than moderate and a consequence, or impact, of moderate is reviewed regularly. When a risk or opportunity is first evaluated, it will be given a score. The aim of the ‘game’ is to mitigate or eliminate. To identify if elimination is possible, we must look at business process and activity. If the risk can be replaced by applying another process which means it no longer applies, then this is a great outcome. For example, if there is a manual process that carries high safety and financial risk, but a new affordable automated solution is available on the market, then the risk will go away. This automated technology may introduce new risks, but we can perform this process until the risk probability and consequence is as low as possible. Once we have evaluated all the risks and opportunities, we are left with a risk profile. How much residual risk remains in the business? With this thoroughly understood, we develop strategies and actions to ensure that these risks never arise and opportunities are always exploited.
We have looked at risk register, risk appetite, risk profile and lastly we have risk review. A risk register is only as good as the quality of the data. It is of no use looking at a risk register every 12 months. Risk review should be conducted at least monthly with a view to continuously managing the risk to make the activity beneficial to the business. This is just a summary of risk. In truth, it can be more complex than what has been described.
The objective of this blog, or a one on one business consulting session, is not to provide thorough risk education. In most cases, a snapshot understanding of risk and the important part it plays in the business is enough to keep you out of hot water. Our job, as business and strategy consultants, is to complete the more in depth risk analysis and work with you to understand this as time goes by.