What is risk management? Said simply, it’s the management of risk, whether business or personal. However, in today’s increasingly unsure world, organizations, whether large or small, can no longer safely assume they are adequately managing their risk. This column, Risk Management for the 21st Century, will explore risk management for private, non-profit and public sector organizations.
The risks an organization faces can be overwhelming. Risk management becomes less intimidating if you view it as simply another management process. Risk management is a method whereby an organization examines its policies, procedures and operations to:
1. Identify assets that may be at risk. These assets include employees, vehicles, buildings or a business’ good name.
2. Determine what could go wrong with each asset. Predict how each adverse event might occur and the consequences to your organization if it did happen. For example, a business partner may die, a building might be damaged and interrupt an organization’s income stream or one of your chief suppliers may suddenly reduce its output. Determine how likely this event is to occur. A risk assessment, developed by your organization or a consultant, will help.
3. Determine how you will treat the risk. You may handle the risk by:
a. Avoidance – Just say no. Don’t take children on field trips to lakes or rivers or purchase a property with an adverse environmental history, for example.
b. Reduction – Accidents happen, so limit their damage. You may provide employees with safety glasses to reduce the chance of an eye injury or install sprinklers to extinguish fires in buildings.
c. Retention – Determine if your organization can afford to pay for the adverse event, for example, not purchasing collision coverage on vehicles worth less than $5,000.
d. Transfer – Purchase insurance or transfer the risk by requiring that organizations you work with provide certificates of insurance or contractual language that limits your organization’s liability.
4. Create a plan that makes sense for your organization. A one-size plan does not fit all organizations. A non-profit’s plan will differ greatly from how a for-profit corporation or a large governmental. Address each risk exposure—a building, a partner’s life, a supply chain—separately.
5. Implement the plan. If you take the time to develop a plan, implement it! This may include purchasing insurance, tightening safety rules, changing deductibles, or purchasing new equipment. It may also mean changes to your employment force such as more training or terminating a volatile employee.
6. Monitor the results. In today’s rapidly changing world, new threats appear and losses occur that could have been avoided with better planning and greater foresight. Your plan, like the world, should be fluid and proactive.
We predict the present by looking at the past. What incidents has the entity experienced that we don’t want to repeat? What did these events cost? Risk management is not strictly quantitative, especially when dealing with people and their many personality quirks. For example, an employee who has never been a problem may become irrational and unpredictable. While you can’t quantify the change, you intuitively know you shouldn’t ignore this problem. Watching for subtle changes in your organization is the ‘art’ of risk management.
In addition to looking at the past to predict the future, we must stay on the cutting edge of organizational threats, whether threats are geopolitical or from a competitor. Frequently monitoring your plan allows you to adjust to market or other changes that might disrupt your organization. Senior managers should preach the risk management mantra, because in any type of business, all managers and supervisors must manage risk to succeed.