A Framework to Manage Business Risks with Data and Analytics
Almost anything worth doing is inherently risky. But many businesses and individuals try to avoid risks and play safe. But this safety often leads to mediocrity, complacency, and ultimate downfall as seen in the case of Blockbuster, Kodak, Xerox, Yahoo, Borders Bookstore, and many more. In today’s VUCA (volatility, uncertainty, complexity, and ambiguity) world, apart from forecasting the low-probability, high-impact “Black Swan” events with predictive analytics, business leaders can protect their business with good risk management practices and further hedge their business. In addition, in business, there is no innovation and growth without risks. Innovation and growth are intrinsically tied to risk; if you want bigger returns and rewards, you have to take on more risks. So how can business enterprises effectively manage risks? Below are the 5 key enterprise risk management (ERM) steps.
Step 1: Identify Risk
The initial step in the risk management process is to define and identify the risks in the operating environment. Fundamentally, the risk is the event or condition that may or may not happen. Hence the risk should be clearly defined so that the concern is made real and can be responded to. These risks could be legal/compliance risks, environmental risks, political risks, market/economic risks, product risks, reputational risks, cyber security risks, regulatory risks, and more. So, one can a business enterprise identify risks? Diversity of perspectives is risk management best friend. Hence involve stakeholders from different lines of business to effectively identify risks.
Step 2: Analyze Risk
Once a risk has been identified, the scope of the risk needs to be thoroughly analyzed from both positive and negative perspective. Risk management is about assessing the business strategy and objectives given that often risk is the effect of uncertainty of business objectives. Basically, risk analysis involves examining how the business objectives and outcomes might change due to the impact of the risk event. Effective assessment of risk involves applying techniques such as Monte Carlo analysis, scenario planning, sensitivity analysis, outlier analysis, and more to understand the likelihood and consequences better. In addition, at this step appropriate ownership should be identified for each risk item for accountability.
Step 3: Evaluate Risk
The third step is evaluating the risks by ranking and prioritizing the risks because not all risks have the same consequence/impact and likelihood. Basically, each risk item should be assessed for Severity (S), Occurrence (O), and Detection (D).
- Severity is the potential effect of the failure
- Occurrence rates the likelihood that the failure or loss will occur
- Detection rates the likelihood that the problem will be detected before it reaches the end-user/customer.
The combination of the three scores produces a risk priority number (RPN) which can then be used to rank and prioritize the risks i.e., RPN = S*O*D. For example, if the severity score is 6, the occurrence score is 5, and the detection score is 4, then the RPN score is 120. This can be further complemented with a risk heat map that presents the risks visually in a meaning and concise way based on consequence/impact and likelihood. At the end of this step, you can well decide on the top risks so they can be addressed sooner.
Step 4: Address Risk
This step is about execution i.e., managing risks based on impact ad likelihood of occurrence. While some risks are good and desired, some need to be eliminated or contained as much as possible. Overall, every risk can be addressed in one of four ways: avoidance, retention, transferring (or sharing), and reduction (or loss prevention).
4.1 Avoiding Risk
The surest way to prevent the potential loss arising from the risk is to completely avoid it. For example, if I want to avoid the possibility of having to pay for a stranger’s medical expenses due to an auto accident, I could stop driving my car. While this will avoid all risks, it affects my mobility, comfort, convenience, and so on. The problem is whenever we completely avoid risk, we also miss out on the benefits we could have received for participating in the associated activity. But at the same time, not all risks can be completely avoided. Unforeseeable circumstances or force majeure events like wars, epidemics, and natural disasters cannot be completely avoided.
4.2 Reducing Risk
If we are unable to avoid a risk item, we can take steps to reduce the probability and potential severity of loss associated with the risk. For example, when we choose to drive, we can reduce the risk of being involved in an accident by observing the speed limit, not texting while driving, wearing seat belts, and so on.
4.3 Transferring (or Sharing) Risk
Another way to deal with risks we are unable or unwilling to completely avoid is to transfer them to a third-party and the most common approaches are insurance, out-sourcing with indemnification clauses in contracts, and more.
4.4 Retaining Risk
If none of the above options work, we have to retain the risk by taking full responsibility for the potential loss or impact. Retention is the most suitable approach when the potential severity of a loss is low, regardless of how frequently it is expected to occur.
Basically, the goal of this step i.e. step #4, is to reduce the inherent or initial risk to the desired level of target risks.
Step 5: Monitor Risk
Not all risks can be eliminated or brought to the target risk levels. Some risks will be present as residuals and can even come back in a different shape and form. Market risks and environmental risks which are beyond one’s influence and control need to be constantly monitored by maintaining a risk register and keeping a close watch on all risk variables using data and analytics.
Risks can be good and bad. But often risks are often seen from a bad or negative perspective. As opposed to focusing on what could go right, many enterprises tend to concentrate on all the things that can go wrong and run into analysis-paralysis mode. Risk analysis is part of every decision we make. Sometimes it is even good to take a risk when it pushes your businesses to go outside of one’s comfort zone and helps become stronger and better. But you have to plan appropriately, leverage data and analytics to explore different scenarios, develop contingency plans, and so on if you have to remain relevant in the marketplace. If you don’t have the appetite to take risks, someone else will take the risk by capitalizing on the opportunity and making you irrelevant. As Mark Zuckerberg, CEO of Facebook once said, “The biggest risk is not taking any risk.”
For more on enterprise risk management read John Thackeray’s 7 Key Elements of Effective Enterprise Risk Management
Identify your path to CFO success by taking our CFO Readiness Assessmentᵀᴹ.
For the most up to date and relevant accounting, finance, treasury and leadership headlines all in one place subscribe to The Balanced Digest.
Follow us on Linkedin!