What is Risk Management?
In our private lives, we manage risk and take measures to reduce the likelihood or consequences of unwelcome events all the time:
- We insure our car to reduce the consequences of an accident
- We get our teeth cleaned by a dentist regularly to reduce the risk of future dental problems
- We set our alarm clocks each night to reduce the risk of running late the next day
What we often fail to do is identify and manage risk in a business environment in the same way. For the purpose of this discussion, risk is defined as the potential inability to achieve an objective or project goal, and the impact this has on a business. Consider risk to be less than 100% certainty of an outcome. More often than not, companies do not investigate everything that could impact their business, but rather look only at the obvious areas of risk. They need to engage in proper Risk Management.
Risk Management is the process of identifying, assessing, and controlling risks that arise from operational factors, and making decisions that balance the risk costs with the benefits.
Why Manage Risk?
All businesses encounter circumstances that can be identified and mitigated appropriately to gain positive risk benefits and reduce the impact of negative risks.
By identifying our strategy and managing risk to our business, we can:
- Lessen the uncertainty of projects and events
- Complete projects or tasks on time, on budget, and with quality results
- Reduce stress within the workforce
- Plan for a profitable future
Bottom line: We must manage risk because the benefits are HUGE.
Understanding Risk Opportunities vs. Threats
Typically, risk is considered to have a negative connotation, but in reality, risk is what provides a business the ability to succeed. For example, if a company decides to increase its product lines to service a different customer demographic, this risk could potentially increase revenue while growing the overall business. If this risk is not taken, the company may remain at the same growth level, or have negative growth due to lack of innovation and customer retention.
So there are two types of risk:
- GOOD risks are called OPPORTUNITIES
- BAD risks are called THREATS
The goal of risk management is to minimize potential negative risks, while maximizing potential positive risks.
Identifying and Classifying Risk
Before we can mitigate the impact of negative risks in the business environment, it is important to be able to identify and classify risks appropriately.
Internal Risks are hazards we create for ourselves within our organization. For example:
- Employee turnover: Do we have a plan in place if an employee resigns or we cannot find a resource with the right skillset to fulfill an open position?
- Technology integration: Do we need to implement new software to grow and operate the business so that we effectively align with or outpace our competition?
External Risks exist when we depend on resources outside of our team or organization to achieve success. For example:
- Subcontracting: Hiring a resource(s) outside of the organization to execute a plan that our internal group is unable to perform/complete.
Environmental risks are conditional threats based on the nature of the business or project. These types of risks can be either external or internal. For example:
- New ownership (internal): Our organization has implemented new policies and procedures that have shaken up the workforce and kept employees from performing their defined roles as they did previously.
Any risk, whether it is internal, external, or environmental, can impact the company’s overall success.
The Impact of Identifying Too Few Risks
Often, we do not evaluate all of our business risks. We only look at the known or visible risks without analyzing potential dangers from a granular perspective. It is important to consider everything that may have a negative impact or is a possible risk to the business. Unidentified and unmanaged risks become:
- THREATS that evolve into greater business issues
- OPPORTUNITIES missed that lead to lost value
Reviewing and identifying all possible risks is the most crucial, yet beneficial, task during a risk analysis, because it allows a company to plan and assess the future of the business.
Risk Management Process
Risk Management helps establish the framework in which the project team will identify and develop strategies to mitigate or avoid the risks associated with activities such as a new project, ERP implementation, or upgrade/migration venture.
The Risk Management Process should include the following tasks:
Risk Management Planning
A Risk Management Plan documents the procedures for managing risk throughout the life of a project. At this stage, the project team should review all project documents and understand the organization’s approach to risk. The level of detail can vary depending on the needs of the project.
A GOOD risk management plan describes the Who, What, How and When of Risk Management. Here is an example:
Risk Identification is the process of exposing and recording all foreseeable risks to the project objectives. This process may start as a list of identified risks and project details that can potentially impact the business objectives—both positively and negatively—to create the Risk Register.
- Risk Register: A working document (i.e., spreadsheet) that contains Risk Events and other important information regarding the management of each identified risk.
- Risk Event: Refers to specific, certain and uncertain events that may occur to the detriment or enhancement of the project.
- Risk Statement: A formulated statement that outlines the details of the identified risk(s) – cause, definition, and how the risk can affect a project or organization. Below is an example:
Mulcahy, Rita. Risk Management, Tricks of the Trade. RMC Publications, February 2010. Paperback
- Categorizing Notations of Risk: A catalog of the cause of identified risks, classifying each threat/opportunity by areas of origination: People, Process, or Technology.
- People: Includes skill sets and TRAINING
- Process: Documents the procedures involved
- Technology: Details the hardware and software the business uses to manage the day-to-day operations (e.g., ERP, fax, phone, Web, etc.)
Risk Assessment is the process of evaluating and prioritizing key characteristics of individual risks and recognizing patterns of risk exposure. Once a risk is recognized, we can:
- Avoid the risk impact altogether
- Transfer or share the risk
- Mitigate the risk and reduce its impact
- Accept the risk if it occurs
To realize the best possible management method per risk identified, we must first understand the probability and impact of each risk.
- Rating Scale: A scale used to determine probability and hazard depth of each risk identified.
Example of a Rating Scale and Risk Assessment:
Risk Response is the process of implementing agreed-upon actions, monitoring the actions to determine whether they are working, and identifying any additional secondary risks. Overall, the response to the risk should lead to an action plan that can be applied proactively rather than reactively.
Risk Monitoring & Control
Monitoring Risks is the communication process to review implemented changes for identified risks and project exposure, establish new or additional actions required, and quantify or qualify the overall effectiveness of the risk management.
- Review the defined Risk Register as a part of each project meeting
- Evaluate risk plans, actions, and impacts frequently, and adjust as necessary
- Hold Risk owners accountable for upkeep of assigned Risk Events and Risk Response Plans
Successful Risk Management Leads to Successful Business!
Every company must make choices that lead to either positive or negative effects on their business. We can take control by consistently evaluating and adjusting our processes to achieve the greatest impact on the success of the business. The process of implementing effective Risk Management will result in a more predictable and profitable business.
Matthew Mainey is a senior business consultant at Epicor Software. He has 14+ years of experience working in Manufacturing, spanning enterprise finance implementations, financial analysis, internal auditing, and process evaluation & improvement. He has 12+ years of experience in the Aerospace and Defense industries. He has Project Management Professional & Lean Six Sigma Green Belt Certifications.