Risk management is formally defined as “the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.” – Wikipedia
Put simply, we can think of risk management in terms of preparing an organization for possible adversity before that adversity occurs based on likelihood and possibility.
Risk management has become a hot topic for business over the last few years, considering the lessening barriers to entry in many industries that are a result of the internet and global connection. These lessening barriers to entry provide an open door for competitors who now rely on more than just infrastructure and scale to operate.
Today, we are going to take a look into the basics of risk management and some of the steps you can take to prepare your organization for difficult times, competition, or more.
The Types of Risk
There are generally 4 categories of risk in terms of risk management ideologies. These categories separate risk into factors of an organization’s operating environment. Let’s dive into what some of these are and how you can identify them!
1. Internal Risk:
Internal risk is a risk that the organization has direct control and influence over. Consider the interactions between employees, the leadership of managers and supervisors, and the systems and procedures you put into place to run the organization. These are all things that may present risk and that you can directly alter or change.
For example, illegal, unethical, or unauthorized actions result from people within your organization who are within the realm of influence. Small risks that benefit the organization can be understandable; however, any good business should attempt to avoid unnecessary or overbearing risks when the rewards aren’t equivalent or logical.
That being said, I argue that no illegal or unethical risks should occur, regardless.
2. External Risk:
The existence of internal risk implies the existence of external risks. External risks are, essentially, risks that lie outside of the direct control of the organization and that the organization will have to ADAPT to instead of influence.
Examples of external risks can include natural disasters, politics, and large economic shifts that can affect business. Although you as an organization cannot always create the best external environment in which to operate, you can always adapt your internal environment to be complementary to it. We’ll describe how to do this in just a moment.
3. Strategic Risk:
Strategic risk is interesting. Companies must willfully accept some risk in order to generate profits or returns from their own strategic planning. For example, going to college is a short-term financial risk for an individual with the goal of gaining an education that would otherwise make them more money in the future.
The main difference between a strategic risk and an internal risk is that internal risks are inherently undesirable, whereas strategic risks may be incurred due to some insight or strategic vision for the future of the organization.
Strategic risks, because of their inherent benefits, must be managed as opposed to avoided.
Now that we’ve defined the nature of various types of risk and how to categorize each one, let’s take a look at the proper steps for managing the possibility of risk and diminishing the effects that it might have on your organization.
There are essentially two main points to consider when you go about managing risk. 1) To decrease the cost of failure, and 2) To increase the potential for rewards or success.
Each of these points is going to leave you with a less risky or more profitable situation to benefit from. Do both, and you’ll be maximizing the potential for benefits while mitigating the negative side-effects.
While we have these two main points to keep in mind, let’s discover some progressive steps to take that can put a more actionable definition upon the term “risk-management” for your organization.
1. Identify The Risk:
This is a pretty simple point to make. How do you expect to mitigate or adapt to risk when you have no clue what threat the risk is posing in the first place? Not to mention, whether a risk is internally based, externally based, or strategic will affect the way that you interact with it.
Identifying the risk can be tricky. Often, a risk may be putting off symptoms as ripples or effects throughout your organization that can easily be misdiagnosed. There are also risks that aren’t threatening until you are forced to operate in the midst of them.
Risks can be identified through a variety of means: consulting with professionals, research, brainstorming sessions, break-out meetings, experience, history, and more.
The most important consideration is that risk may be different for every organizational environment and that environments often change and can pose risks regularly. I don’t mean to scare you, but you can mitigate this by holding these meetings or risk-management sessions over regular intervals.
2. Measure Risk Impact:
Risk Impact is a factor of many moving parts. The main parts are as follows: 1) Risk Complexity, 2) Risk Coverage, and 3) Risk Frequency.
Risk complexity is a measure of how relevant the risk is to your organization. That is to say, if the worst occurs, relative to the marketplace, will your organization be directly affected or indirectly affected, and by how much?
There are secondary risks as well. Think of it this way: Let’s say I am a retail organization, yet there is a great risk posed to one of the brands that my store carries. This is an example of an internal risk for that brand that creates an external risk for my store. How will I be affected?
Risk Coverage has to do with the amount of risk I am assuming throughout my organization. To use the same example as before, let’s say that the brand that is having difficulty makes up 50% of my offerings. This is obviously a more risky situation than if that brand made up 10% of my offerings.
Risk coverage has to do with the amount of risk you assume based on internal or external factors. How “covered” is your organization based on how deep the risk spreads through your ability to operate?
Risk Frequency is simple. Is this a risk that will be re-occurring? If so, how often? Can you avoid it completely? Can you adapt to make it irrelevant to you or your organization?
Risks can occasionally be based on a timeline, one example of which is the presidential election, in which a winning or losing party may affect the political environment for the nation’s businesses.
3. Define Your Options:
You may not always have the option to mitigate every risk that occurs because of the nature of external risks themselves; however, you can always adapt to risks by defining the power you have to alter internal organizational functions.
Defining your options in the face of risks means choosing a solution that is the best balance of affordable, yet effective, for your organization. Only when you can balance these two factors can you optimize your ability to manage risks in every sense. This is because you will be taking measured action against both the resources you have and the possibility of effective risk-mitigation.
There is a difference between risk-management and risk-avoidance. Risk management occurs when risk is unavoidable (or strategic) and you must take on risk in the hope of producing a favorable result.
Risk avoidance occurs when the risk impact is presumably too negative to manage and you avoid the situation altogether. This is an acceptable strategy in some situations, but not in others. For example, a political change that results in new laws or mandates can hardly be avoided legally.
The last risk option we’ll discuss is called “risk-transference.” More specifically, the action of transferring risk to a separate party. This occurs all the time in the insurance industry. You pay a set amount every month, year, etc. in order to impose risk on a separate entity.
4. Keep Tabs on the Results:
After you have identified your options, chosen the one that fits best for your organization, and taken action on it, now is the time to monitor and keep track of the results. Those who fail to monitor will either pay far too much in terms of risk-avoidance for something that has little potential to harm the organization or suffer from the consequences of the risk in the first place.
Ask whether your risk aversion, mitigation, or transference has been effective. Is that risk still as pressing as it once was? Are the methods that you are using to avoid risk still efficient and effective enough to employ? All of these considerations must be had in order to save resources for your organization yet offer protection when needed.
Risk management strategies need to be both efficient and effective, after all. If you fail to exhibit both in your strategies, you’ll either pay far too much to avoid a risk that wouldn’t have done much damage, or fail to mitigate the risk in the first place.
Risk may not be all that it seems. Learning to dive into the primary and secondary effects of risk and what its relation is to your organization is a necessary step in the risk-mitigation process.
Overall, risk is unavoidable in business in some way or another. The question then becomes: Have you done all that you can to mitigate the risk that you can directly alter, and adapt to the risk that you cannot?
The answer to this question will make the biggest difference in your organization’s sustainability, effectiveness, and efficiency over the long term!
For more on risk management, check out this excellent article by the Harvard Business Review.
Thanks for reading!
-Austin Denison is a management consultant and coach from Southern California and founder/CEO of Denison Success Systems LLC. He is the author of The Essential Change Management Guidebook: Master The Art of Organizational Change as well as The Potential Dichotomy: The Philosophy of a Fulfilling Life.