What is risk?
Risk is any event that might affect your business – whether positively or negatively.
Risk covers both internal factors – such as your processes, people and systems – and external factors – such as market changes, advances in technology and nature.
How to identify risks in your organisation?
Risk management should be on the mind of every employee of your business, from entry level through to board members. It’s in everyone’s interest to manage risk well, ensuring your business continues to meet its objectives and remains successful.
Your main asset in risk management is a risk register. This should list every single risk in your organisation, and then rank it according to two key factors: the impact it has on your business, and the likelihood of it occurring.
The simplest method to manage risk is to map it using diagram 1 below. Risks can be scored on any scale; here we use a simple 2×2 score, either high or low for both impact and likelihood. Each risk’s position within the matrix determines how to address it.
Diagram 1: risk matrix
Accept (Do nothing)
If the risk has a low impact on your business and a low likelihood, it can be accepted, which means you do nothing about the risk.
Trying to do anything about these low/low risks will create additional cost, which may exceed the cost of the risk occurring.
For example, in a supermarket, a security tag might cost 20p to buy and fit to an item. You might say that putting tags on anything over 20p is good risk management. However, the 20p is a cost you always incur, whereas not every item is stolen, so you might choose to accept theft on lower-cost items.
If the risk has a high likelihood but low impact on your business, you need to mitigate the risk.
Risk mitigation means that you are going to commit resources (time or money) to reducing the impact and/or likelihood of the risk. Anything that does the reducing is a control.
For example, in our supermarket we could put tags on items, put CCTV in store or hire a security guard. All of these would either reduce the number of store thefts or help to catch offenders before they get away.
If the risk has a high impact but low likelihood of occurring, you should consider transferring the risk.
Transferring risk is about paying someone to take the risk off your hands. Insurance is the main way to do this, but outsourcing is another method.
For example, flooding is something that would have a serious impact on a business but thankfully doesn’t happen too often. You could add controls, which will cost resources and might affect the way you do business (e.g. running your business from a boat). But for such an infrequent occurrence, insuring is a lower-cost, less disruptive option.
If the risk has a high impact on your business and a high likelihood of occurring, ideally you should avoid it.
Any risk that has a high enough impact to cause serious disruption and is considered likely to occur should simply be avoided.
For example, betting your house on a single number in roulette (2% chance, pays 35:1) offers a phenomenal amount to win but a life-altering amount of money to lose. These same big risks exist in business.
The reality of the risk matrix is normally more complex. Organisations set up a methodology for risk management. The scale is normally more complex (5×5 or 4×4 are the most common), impact might be measured across dimensions (people, reputation, financial, etc.), and the tolerance for risks also varies. However, the underlying principle remains the same, and each risk will be treated with one of the four approaches.
If you have any questions, or want to know more about managing your organisation’s risk, please contact me.