By Robert Kuling
“Black swan event” is a common term in risk management circles and it’s particularly relevant to the current COVID-19 pandemic. The term is defined as “an unpredictable or unforeseen event, typically one with extreme consequences.”
Few could have predicted the enormous impacts of COVID-19 on business, people, and governments globally. The lessons emerging from the COVID-19 crisis are relatively easy to observe: anticipate and respond swiftly to known risks because they can emerge at breakneck speed and imperil your business and people.
Risk can be viewed as a negative, but in today’s business context, it has a more complex definition. The modern approach to risk management balances avoidance and mitigation of downside risks with the growth and innovation opportunities associated with upside risks. This balancing act requires strategic coordination among key organizational players, and success will be driven by each player’s understanding of risk and their ability to leverage it.
No matter the size of your business, you have a portfolio of risks that, if managed poorly, can lead to lost opportunities that might cripple or even destroy your business model and brand. Conversely, business leaders who invest time and resources in risk management strengthen their ability to identify, assess, monitor, and manage risks that affect the entity’s strategic success – both positively and negatively.
The following are a few fundamental elements of enterprise risk management (ERM) that can deliver value for small businesses and owner-managed companies.
Start at the top
In its simplest form, risk management is an organizational conversation, like a family discussing things around the kitchen table. Who should be at the table? Executive management and the organization’s board of directors – the group that nurtures the strategic direction and culture of the organization.
The concept of ERM has been around for decades, but it has yielded mixed results – some organizations reduce it to an administrative or box-checking exercise to satisfy external stakeholders. Successful enterprises make it practical and relevant for their business context, ensuring it is aligned with their core processes.
In Canada, boards have a fiduciary obligation to be apprised of the principal risks facing their organization and of management’s plans to manage these risks. While this appears to be straightforward, the real friction begins when views on the existence of risks and the adequacy of mitigations diverge.
Take a simple example like credit risk. At what point is the level of accounts receivable within acceptable limits and at what point does it become a concern? Does the organization need to spend more money on systems, controls, or people? How do you weigh the benefits of additional costs on the company’s balance sheet?
Identify and understand risks
The best places to start the conversation on managing risk are your business plans and strategic objectives. What are the constraints and challenges to achieving your mission? They could include a range of factors – capital, people, systems, supply, etc. The graphic outlines the basic categories of risk.
Stick to two primary dimensions to analyze your risks – likelihood and impact. People naturally assess likelihood first. If you worry about a tornado, you probably think first about the chance that it will happen before you estimate potential impact in terms of damage and cost.
As your approach to risk management matures, you could add more criteria, such as risk velocity, vulnerability, and your ability to mitigate risk. For example, commodity prices can change quickly but the effects can be partially mitigated, usually in the medium term, with forward contracts, hedging, and other instruments.
You don’t have to have a long list of risk events; you could take a top 10 approach. Most organizations have three to five strategic objectives because that’s a reasonable number of directives for people to focus on. The same logic applies to risk management; you will likely spend 80% of your time mitigating the top 6–10 risks in your organization.
The simplest approach to uncover and classify key risks for your organization is talking to your business unit leaders and getting their views on risks and opportunities. The results could surprise you, especially if you tunnel down through management layers deeper into your organization. A store manager will view risks differently than the regional manager, who will see things differently from the vice president of sales, and so on.
Other techniques to assess risk include surveys, facilitated workshops, industry research, third-party reports, scenario analysis, benchmarking, and data analytics.
Less than a quarter (23%) of large organizations describe their approach to risk management as mature or robust. Only 38% of organizations have at least one individual charged with risk management in either a full- or part-time role.
Manage risks and hold people accountable
The old phrase “what gets measured gets done” applies to risk management success. Holding people accountable for keeping risks within acceptable limits can transform your ERM program into a day-to-day value driver. In addition, shared accountability for key risk management metrics will increase collaboration among your executive leaders.
For example, let’s say a business has high staff turnover, which diminishes capacity and performance to unacceptable levels. Although human resources can champion this risk, it is the collective responsibility of management to nurture talent through effective training, compensation, coaching, and performance management programs.
Rinse and repeat
You’ve set your targets, you’ve measured performance, you’ve rewarded your leaders. Now you get to do it all over again. This is the crucial juncture that separates good organizations from great ones. Resist the temptation to “copy and paste” last year’s program as the starting point. One of the greatest lessons learned from the COVID-19 crisis is that risks can emerge with breathtaking speed. Your risk management program, however well-designed, needs consistent attention to remain effective and relevant.
Listen to your risk, audit, and compliance professionals. Examples abound of executives dismissing the well-intentioned concerns of quality, internal audit, and security advisors only to face major breakdowns or incidents. The influence of your internal risk managers is often undervalued until a breach or crisis happens.
The value you extract from your ERM program will be driven by the quality of your commitment to its success. The more you identify strategic risks and embed risk-based decision-making in your processes, the more you can exploit risks intelligently and confidently.
The result: a growing business profile and a healthy risk appetite. You just have to start with a conversation.
First published in the June 2020 edition of The Business Advisor.